AttackerKB AKB:DCA304F1-BFA4-4316-9C79-93916537ECFA
History: Apr 08, 2020 - 12:00 a.m.

CVE-2020-10263 - Smart Speaker Root Shell via internal UART

2020-04-08 00:00:00 | attackerkb.com

EPSS: 0.002 (Low) | Percentile: 60.1%

An issue was discovered on the XIAOMI XIAOAI speaker Pro LX06, firmware 1.52.4. An attacker with access to the internal UART interface can obtain a root shell and can then (i) read the Wi-Fi SSID and password, (ii) read the stored text of conversations between users and the speaker, (iii) use text-to-speech tools to speak in the speaker's voice for social engineering attacks, (iv) eavesdrop on users by recording what the speaker hears, (v) modify system files, (vi) send arbitrary IR codes through the speaker's IR emitter, (vii) stop the voice assistant service, (viii) enable the speaker's SSH or TELNET service as a backdoor, and (ix) tamper with the configuration of the router on the local network.
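The description above lists what follows from the root shell, but the condition that makes the UART header a root shell is ordinary configuration: an unauthenticated shell or getty on the serial line, an empty root password, and a login daemon started at boot. The script below is an added example, not code from the AttackerKB page, the CVE entry or Xiaomi; it audits an extracted firmware root filesystem for those three conditions at the usual BusyBox/sysvinit paths, and the two sample root filesystems it builds are constructed for the demonstration (the hardened image's password hash is a placeholder, not a real hash).

```shell
#!/bin/sh
# Added example (not from the AttackerKB page, the CVE entry or Xiaomi):
# audit an extracted firmware root filesystem for the configuration that turns
# an internal UART header into an unauthenticated root shell. It inspects the
# usual BusyBox/sysvinit locations (/etc/inittab, /etc/shadow, /etc/init.d).
# The two sample root filesystems built below are constructed for this demo.

# Print one "FINDING:" line per weakness found under the rootfs at "$1".
audit_rootfs() {
    root="$1"

    # (a) a getty, login or shell respawned on a serial console line
    if [ -f "$root/etc/inittab" ] &&
       grep -Eq '^[^#]*tty(S|AMA|MSM|O)[0-9]+.*(getty|login|/bin/sh)' "$root/etc/inittab"; then
        echo "FINDING: /etc/inittab spawns getty/login/shell on a serial console (UART)"
    fi

    # (b) root has an empty password hash, so any console login succeeds on Enter
    if [ -f "$root/etc/passwd" ]; then
        if [ -f "$root/etc/shadow" ]; then
            hash=$(awk -F: '$1=="root"{print $2}' "$root/etc/shadow")
        else
            hash=$(awk -F: '$1=="root"{print $2}' "$root/etc/passwd")
        fi
        if [ -z "$hash" ]; then
            echo "FINDING: root account has an empty password"
        fi
    fi

    # (c) a network login service (telnetd/dropbear/sshd) started at boot
    if cat "$root"/etc/init.d/* "$root/etc/rc.local" 2>/dev/null |
       grep -Eq '^[^#]*(telnetd|dropbear|sshd)'; then
        echo "FINDING: telnetd/dropbear/sshd is started from a boot script"
    fi
}

# Number of FINDING lines for the rootfs at "$1" (0 when clean).
count_findings() {
    audit_rootfs "$1" | grep -c '^FINDING' || true
}

# Constructed sample: a debug build that leaves the UART console wide open.
make_vulnerable_rootfs() {
    d="$1"
    mkdir -p "$d/etc/init.d"
    cat >"$d/etc/inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
# debug console on the UART header, no login prompt at all
ttyS0::respawn:/bin/sh
::ctrlaltdel:/sbin/reboot
EOF
    printf 'root::0:0:root:/root:/bin/sh\n' >"$d/etc/passwd"
    printf 'root::18000:0:99999:7:::\n' >"$d/etc/shadow"
    printf '#!/bin/sh\ntelnetd -l /bin/sh &\n' >"$d/etc/init.d/rcS"
}

# Constructed sample: the same image with the console disabled, a (placeholder)
# root password hash and no network login service.
make_hardened_rootfs() {
    d="$1"
    mkdir -p "$d/etc/init.d"
    cat >"$d/etc/inittab" <<'EOF'
::sysinit:/etc/init.d/rcS
# ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100   (disabled in production)
::ctrlaltdel:/sbin/reboot
EOF
    printf 'root:x:0:0:root:/root:/bin/sh\n' >"$d/etc/passwd"
    printf 'root:$6$saltsalt$notarealhashjustaplaceholder:18000:0:99999:7:::\n' >"$d/etc/shadow"
    printf '#!/bin/sh\n# no telnetd/dropbear/sshd started at boot\n' >"$d/etc/init.d/rcS"
}

# Demo run against both constructed images.
work=$(mktemp -d)
make_vulnerable_rootfs "$work/vuln"
make_hardened_rootfs "$work/hard"
echo "== vulnerable image: $(count_findings "$work/vuln") finding(s)"
audit_rootfs "$work/vuln"
echo "== hardened image: $(count_findings "$work/hard") finding(s)"
audit_rootfs "$work/hard"
rm -rf "$work"
```

Point it at the directory produced by unpacking a firmware image (for example the rootfs extracted from a squashfs or ubifs partition). The checks are deliberately narrow: a serial console that drops straight to `/bin/sh` is the classic debug-build leftover, a getty with a strong root password is a much smaller problem, and a commented-out entry does not count because the patterns refuse lines that begin with `#`.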

Recent assessments:

busterb at April 18, 2020 8:22am UTC reported:

I came across this in a Twitter thread here, which highlights that, while it is true that many devices can be reverse engineered / cracked / taken apart / reprogrammed, etc., that in itself is not a vulnerability, it's a feature! Simply having a debug port available inside of a consumer device is not any different than having an OBD-II port in a car. That's what it's there for. Having such a connection does make it easier to find more impactful attack vectors, lowering the barrier for security researchers to find other issues. You want folks to find bugs in your backend, certificate pinning, update protocol, etc.

In a related example, the smart toy mentioned in these advisories also had a root shell enabled if you cut the stuffed animal apart and plugged into the USB port on the circuit board. But the really interesting stuff was in the API gateway being remotely hijackable due to poor validation.

Assessed Attacker Value: 1
Assessed Attacker Value: 3
