On Tuesday, Randy Westergren, a cybersecurity expert, published his study on the Motorola Halo+, a popular baby monitor. He disclosed two severe flaws in the Motorola Halo+, one in its protocol handling and one allowing remote code execution (RCE), that would allow threat actors to hijack the device.
The Motorola Halo+ comprises an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application for monitoring children in Full HD.
Westergren, engineering director of US financial services company Marlette Funding, discovered the flaws when he and his wife were hunting for a suitable monitor for their first child and selected the Motorola Halo+ as their preferred option.
After obtaining the device, Westergren started examining its listening services and discovered a pre-authentication RCE security flaw (CVE-2021-3577) and the means to obtain a full root shell.
Examining system logs made it possible to identify the app’s API requests that gather information regarding its usage.
The researcher also analyzed HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to identify GET and SET lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized”.
Westergren then injected a reboot payload into the device's ‘set_city_timezone’ process. His action initiated a reboot, which led to shell access on the device.
He also discovered a flaw in the implementation of MQTT (CVE-2021-3787), an IoT messaging standard.
Westergren identified that the client was set up to subscribe to `#` and `$SYS/#` by default, weakening access control for Hubble devices.
“A number of commands result from various devices. Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands,” the researcher noted.
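A defensive counterpart to the default `#` and `$SYS/#` subscriptions described above, as an added example (not Westergren's or Lenovo's code): a broker-side check that lets a client subscribe only within its own topic subtree. The `devices/<client_id>/...` layout, `ACL_TEMPLATES` and all function names are assumptions for illustration.

```python
# Added example: broker-side check of MQTT SUBSCRIBE filters against a per-device ACL.
# The topic layout "devices/<client_id>/..." is an assumption, not the Hubble scheme.
ACL_TEMPLATES = ["devices/{cid}/#"]          # hypothetical policy: own subtree only

def valid_filter(f: str) -> bool:
    """Syntactic rules: wildcards fill a whole level; '#' only as the last level."""
    levels = f.split("/")
    if not f or "\x00" in f:
        return False
    for i, lv in enumerate(levels):
        if lv == "#" and i != len(levels) - 1:
            return False
        if lv not in ("#", "+") and ("#" in lv or "+" in lv):
            return False
    return True

def filter_within(requested: str, allowed: str) -> bool:
    """True if every topic `requested` can match is also matched by `allowed`."""
    req, alw = requested.split("/"), allowed.split("/")
    # Wildcards in the first level never match '$' topics such as $SYS/...
    if alw[0] in ("#", "+") and req[0].startswith("$"):
        return False
    for i, a in enumerate(alw):
        if a == "#":
            return True                      # covers this level's parent and all below
        if i >= len(req) or req[i] == "#":
            return False                     # request is shorter or wider than allowed
        if a != "+" and req[i] != a:
            return False                     # literal mismatch, or '+' against a literal
    return len(req) == len(alw)

def authorize_subscribe(client_id: str, requested: str) -> bool:
    """Deny by default; allow only filters contained in the client's own ACL entries."""
    if not client_id or any(c in client_id for c in "/+#"):
        return False                         # id must not expand into a wildcard or path
    if not valid_filter(requested):
        return False
    allowed = [t.format(cid=client_id) for t in ACL_TEMPLATES]
    return any(filter_within(requested, a) for a in allowed)

if __name__ == "__main__":
    # Constructed client id and filters, including the two defaults named above.
    for f in ["#", "$SYS/#", "devices/+/cmd", "devices/cam-0001/cmd", "devices/cam-0001/#"]:
        print(f"{f!r:28} -> {'ALLOW' if authorize_subscribe('cam-0001', f) else 'DENY'}")
```

The check is containment, not topic matching: a requested filter is allowed only if it cannot match anything outside the ACL entry, which is why `devices/+/cmd` is denied even though it overlaps the client's own subtree.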
While the product belongs to Motorola Mobility, its manufacturing unit was acquired by Lenovo in 2014. According to Westergren, after receiving the initial report, Lenovo’s security team immediately started working on resolving the issues in the Motorola Halo+.
According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14.