Motorola Halo+ Baby Monitors Hacked via Remote Code Execution Vulnerability

On Tuesday, Randy Westergren, a cybersecurity expert, released his findings on the Motorola Halo+, a popular baby monitor. He revealed that two critical issues in the Motorola Halo+, one in a protocol implementation and one allowing remote code execution (RCE), had been found and fixed, preventing the device from being hijacked.

The Motorola Halo+ is a child-oriented monitor which features an over-the-crib monitor, a handheld unit that works in Full HD, and a Wi-Fi connection.

Hubble Connected, the monitor’s Android app, displays other information besides the monitor’s camera feed, including the room’s temperature and the status of the monitor’s light show projector and night lights.

After obtaining the device, Westergren started investigating its listening services and found a pre-authentication RCE security flaw (CVE-2021-3577) and a way to obtain a full root shell.

Analyzing system logs made it possible to identify the app’s API requests that gather information about its usage. Researcher Westergren discovered that the app’s local API could handle HTTP-based communication. He was also able to find HTTP-based lists and values that could allow for RCE.

Westergren then injected a reboot payload and had the device perform the ‘set_city_timezone’ process. This initiated a reboot and led to shell access on the device.

He also noticed a bug in the implementation of MQTT (CVE-2021-3787), an IoT messaging standard. Westergren found that the client was set up to subscribe to # and $SYS/# by default, which weakened access control across Hubble devices.

The researcher further explained that a client could control all devices in the fleet by creating arbitrary commands.
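The effect of the # and $SYS/# wildcard subscriptions described above can be checked with a small topic-filter matcher and a per-device subscription rule. This is an added example, not code from Westergren or Hubble; the dev/<device_id>/... topic layout, the device IDs and the sample topics are constructed assumptions.

```python
# Added example: MQTT topic-filter matching plus a per-device SUBSCRIBE check.
# The "dev/<device_id>/..." layout is an assumption, not Hubble's real scheme.

def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT 3.1.1 section 4.7 matching: '+' is one level, '#' is all remaining."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    # A filter that starts with a wildcard never matches '$' topics such as
    # $SYS/..., which is why $SYS/# has to be subscribed to separately.
    if topic.startswith("$") and f_levels[0] in ("#", "+"):
        return False
    for i, level in enumerate(f_levels):
        if level == "#":
            return i == len(f_levels) - 1  # only valid as the last level
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)

def visible_topics(filters, topics):
    """Topics a client receives for the given subscription filters."""
    return [t for t in topics if any(filter_matches(f, t) for f in filters)]

def subscription_allowed(device_id: str, topic_filter: str) -> bool:
    """Broker-side rule: the first two levels must be literal dev/<own id>."""
    levels = topic_filter.split("/")
    return len(levels) >= 3 and levels[0] == "dev" and levels[1] == device_id

def rejected_filters(device_id, requested):
    """Filters a per-device ACL would refuse for this client."""
    return [f for f in requested if not subscription_allowed(device_id, f)]

# Constructed sample topics for two hypothetical devices and the broker itself.
SAMPLE_TOPICS = [
    "dev/cam-1/status",
    "dev/cam-2/command",
    "$SYS/broker/clients/connected",
]

if __name__ == "__main__":
    print(visible_topics(["#", "$SYS/#"], SAMPLE_TOPICS))   # whole fleet + broker
    print(visible_topics(["dev/cam-1/#"], SAMPLE_TOPICS))   # own topics only
    print(rejected_filters("cam-1", ["#", "$SYS/#", "dev/cam-1/#", "dev/+/command"]))
```

The same rule applies to publishing: a broker ACL that confines each client to its own topic prefix stops one client from reading or commanding another device's topics.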

While the product belongs to Motorola Mobility, the manufacturing process was acquired by Lenovo in 2014.

According to Westergren, after receiving the initial report, Lenovo’s security team immediately started working on the fixes.

According to the latest updates from the tech giant, the first set of patches is incomplete, and as a result, the product would be delayed further. Both the RCE and MQTT problems have been fixed in firmware versions 3.50.06 and 3.50.14.

About the author

CIM Team
