On Tuesday, security researcher Randy Westergren published his findings on the Motorola Halo+, a popular baby monitor. He disclosed two critical issues, a pre-authentication remote code execution (RCE) flaw and a flaw in the device's messaging protocol, that could have allowed the monitor to be hijacked; both have since been fixed.
The Motorola Halo+ is a baby monitor consisting of an over-the-crib camera unit, a handheld viewer that displays Full HD video, and a Wi-Fi connection.
Hubble Connected, the monitor’s Android app, displays other information besides the monitor’s camera feed, including the room’s temperature and the status of the monitor’s light show projector and night lights.
After obtaining the device, Westergren began investigating its listening services and found a pre-authentication RCE flaw (CVE-2021-3577) that gave him a path to a full root shell.
Analyzing the system logs made it possible to identify the API requests the app makes to the device. Westergren found that the device's local API accepts HTTP requests without authentication, and that the values of certain request parameters were passed straight through to the underlying system, which is what opened the door to RCE.
Westergren confirmed this by injecting a reboot command into a 'set_city_timezone' request. The device rebooted, proving that the injected command had run, and he used the same injection point to obtain shell access on the device.
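The following is an added illustration of the class of bug described above, not code from the Halo+ firmware or from the researcher's write-up. It assumes, for the sake of the example, that the 'set_city_timezone' handler read a parameter (here called "city_timezone", an assumed name) and spliced it into a shell command line; a harmless echo stands in for the real timezone update so the example can run anywhere. The hardened version validates the value against an allow-list for tz database names and then executes without a shell, so the value can only ever be a single argument.

```python
import re
import subprocess

# Constructed sample parameter values. The handler below, its parameter name
# "city_timezone" and the use of a shell string are assumptions made for this
# illustration; they are not the Halo+ firmware's code.
BENIGN_TZ = "America/New_York"
INJECTED_TZ = "UTC; echo INJECTED"   # on the device, "; reboot" would go here


def set_timezone_vulnerable(params):
    """'Before' shape of the bug: the request value is spliced into a shell
    command line. A harmless echo stands in for the real timezone update so the
    example can run anywhere; the injection works the same way."""
    tz = params["city_timezone"]
    cmd = "echo tz=" + tz                      # attacker text becomes shell syntax
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout.splitlines()             # two lines for the payload above


# Strict allow-list for tz database names: letters, digits, '_', '+', '-', and
# at most two '/' separators. No spaces, quotes, ';', '.', or leading '/',
# so neither shell metacharacters nor path traversal get through.
TZ_RE = re.compile(r"[A-Za-z][A-Za-z0-9_+-]*(?:/[A-Za-z0-9_+-]+){0,2}")


def validate_timezone(tz):
    """Return True only for values that look like a tz database name."""
    return len(tz) <= 64 and TZ_RE.fullmatch(tz) is not None


def set_timezone_hardened(params):
    """Fixed handler: validate against the allow-list, then run the program
    with an argv list (no shell), so the value can only ever be one argument."""
    tz = params["city_timezone"]
    if not validate_timezone(tz):
        raise ValueError("rejected timezone value: %r" % tz)
    out = subprocess.run(["echo", "tz=" + tz], capture_output=True, text=True)
    return out.stdout.splitlines()


if __name__ == "__main__":
    print("vulnerable:", set_timezone_vulnerable({"city_timezone": INJECTED_TZ}))
    print("hardened:  ", set_timezone_hardened({"city_timezone": BENIGN_TZ}))
    try:
        set_timezone_hardened({"city_timezone": INJECTED_TZ})
    except ValueError as exc:
        print("hardened:  ", exc)
```

Two points worth noting. Dropping the shell is not enough on its own: if the value is later used as a path, a value such as "../../etc/passwd" would still be dangerous, which is why the allow-list forbids '.' and a leading '/'. And on a real device the allow-list should ideally be backed by a check that the named zone actually exists under the zoneinfo directory; it is left out here only so the example runs offline. None of this closes the pre-authentication problem itself, which is a separate fix: the local API should not accept such requests without authenticating the caller.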
He also found a flaw in the device's implementation of MQTT (CVE-2021-3787), an IoT messaging standard. The client was configured to subscribe to '#' and '$SYS/#' by default. These are wildcard subscriptions that match every topic on the broker, including the broker's own status topics, so the configuration undermined access control between Hubble devices.
The researcher further explained that a client could therefore see the traffic of every device on the broker and control all devices in the fleet by publishing arbitrary commands to them.
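To make the wildcard problem concrete, here is an added example that is not part of the original report or of Hubble's software. It implements MQTT 3.1.1 topic-filter matching, then models a broker twice: once with the weak default described above (devices subscribe to '#' and '$SYS/#' and nothing is scoped) and once with each client confined to its own 'devices/<id>/' prefix. The topic layout, the client names and the in-memory broker are all assumptions made for the illustration.

```python
from collections import defaultdict


def topic_matches(filter_, topic):
    """MQTT 3.1.1 section 4.7 matching rules: '+' matches exactly one level,
    '#' (only allowed as the last level) matches that level and everything
    below it, and neither wildcard matches a first level starting with '$'.
    That last rule is why a client wanting broker internals must subscribe to
    '$SYS/#' in addition to '#'."""
    f_parts = filter_.split("/")
    t_parts = topic.split("/")
    if topic.startswith("$") and f_parts[0] in ("+", "#"):
        return False
    for i, fp in enumerate(f_parts):
        if fp == "#":
            return i == len(f_parts) - 1
        if i >= len(t_parts):
            return False
        if fp != "+" and fp != t_parts[i]:
            return False
    return len(f_parts) == len(t_parts)


class Broker:
    """Tiny in-memory broker model, constructed for this example. The only
    design choice it exercises is whether subscriptions and publishes are
    checked against a per-client topic scope."""

    def __init__(self, enforce_acl):
        self.enforce_acl = enforce_acl
        self.scope = {}                      # client -> tuple of topic prefixes it owns
        self.subs = defaultdict(list)        # client -> list of topic filters
        self.inbox = defaultdict(list)       # client -> list of (topic, payload)

    def register(self, client, *prefixes):
        self.scope[client] = prefixes

    def _in_scope(self, client, name):
        # A filter or topic is acceptable only if it lies under one of the
        # client's own prefixes. '#', '+' and '$SYS/#' never qualify because
        # they do not start with the literal device prefix.
        return any(name == p.rstrip("/") or name.startswith(p)
                   for p in self.scope.get(client, ()))

    def subscribe(self, client, filter_):
        if self.enforce_acl and not self._in_scope(client, filter_):
            return False
        self.subs[client].append(filter_)
        return True

    def publish(self, sender, topic, payload):
        """Deliver to every matching subscriber; returns the sorted receiver list."""
        if self.enforce_acl and not self._in_scope(sender, topic):
            return []
        receivers = sorted(c for c, filters in self.subs.items()
                           if any(topic_matches(f, topic) for f in filters))
        for c in receivers:
            self.inbox[c].append((topic, payload))
        return receivers


def run_scenarios():
    """Weak default (subscribe to '#' and '$SYS/#', no scoping) versus a broker
    that confines each device to 'devices/<id>/'. Topic layout is assumed."""
    results = {}

    weak = Broker(enforce_acl=False)
    for c in ("cam1", "cam2", "app"):
        weak.register(c)
    weak.subscribe("cam1", "#")              # the default the researcher found
    weak.subscribe("cam1", "$SYS/#")
    weak.subscribe("cam2", "devices/cam2/#")
    # cam1 sees the command meant for cam2 ...
    results["weak_cmd_receivers"] = weak.publish("app", "devices/cam2/cmd", "reboot")
    # ... can issue commands to cam2 itself ...
    results["weak_rogue_publish"] = weak.publish("cam1", "devices/cam2/cmd", "reboot")
    # ... and reads broker internals such as the connected-client count.
    results["weak_sys_receivers"] = weak.publish("broker", "$SYS/broker/clients/connected", "3")

    hard = Broker(enforce_acl=True)
    hard.register("cam1", "devices/cam1/")
    hard.register("cam2", "devices/cam2/")
    hard.register("app", "devices/cam1/", "devices/cam2/")   # app is paired to both
    results["hard_wildcard_sub"] = hard.subscribe("cam1", "#")
    results["hard_sys_sub"] = hard.subscribe("cam1", "$SYS/#")
    results["hard_own_sub"] = hard.subscribe("cam1", "devices/cam1/#")
    hard.subscribe("cam2", "devices/cam2/#")
    results["hard_rogue_publish"] = hard.publish("cam1", "devices/cam2/cmd", "reboot")
    results["hard_cmd_receivers"] = hard.publish("app", "devices/cam2/cmd", "reboot")
    return results


if __name__ == "__main__":
    for key, value in run_scenarios().items():
        print(key, value)
```

The fix has two halves, and the model shows why both matter: the client must stop subscribing to '#' and '$SYS/#', but the broker must also refuse such subscriptions and reject publishes outside a client's scope, otherwise any one compromised or cloned device credential is enough to reach the whole fleet again. On a real deployment the per-client scope is expressed in the broker's ACL configuration rather than in code; Mosquitto, for example, supports a pattern rule keyed on the authenticated username or client id so that each device is limited to its own subtree.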
While the product is sold under the Motorola brand, Motorola Mobility has been owned by Lenovo since its acquisition in 2014.
According to Westergren, Lenovo's security team started working on fixes immediately after receiving the initial report.
According to the latest updates from the company, the first set of patches turned out to be incomplete, which delayed the final fix. Both the RCE and the MQTT issues are now fixed in firmware versions 3.50.06 and 3.50.14.