Hiseeu C90 Insecure Permissions Vulnerability Allowing Full Device Compromise
Vulnerability
Hiseeu C90 firmware version 5.7.15 has insecure permissions that expose the UART bootloader. Disconnecting the battery puts the device in a hidden debug mode, in which this bootloader becomes accessible. An attacker with physical access can connect to the UART interface, interrupt the boot process, and gain unrestricted access to low-level bootloader functions. Such access could lead to firmware extraction, arbitrary code execution, recovery of credentials, and complete compromise of the device.
Impact
Exploitation of this vulnerability allows for arbitrary code execution and full compromise of the device.
Reproduction
To reproduce this vulnerability, physically access the Hiseeu C90 device and open its enclosure. Disconnect the battery and power the device externally. Once the device is powered, the UART pins on the internal PCB can be accessed. Connect a UART adapter set to 115200 baud to the exposed pins. This connection will allow interruption of the boot process and access to the unauthenticated bootloader console over UART.
Remediation
The vendor should disable UART debug functionality in production devices, require authentication for bootloader access, remove hidden debug modes from release firmware, restrict low-level memory operations, implement secure boot protections, lock bootloader functionality in production hardware, and add tamper-resistant hardware protections.
