CVE-2020-11539

Published: Apr 22, 2020Modified: Nov 21, 2024

8.1

Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Exploitability: 2.8 / Impact: 5.2

Source: NVD

Description

An issue was discovered on Tata Sonata Smart SF Rush 1.12 devices. It has been identified that the smart band has no pairing (mode 0 Bluetooth LE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification. Thus, any attacker can control a parameter of the device.

Affected (1)

Products: Titan: Sf Rush Smart Band Firmware

1 product

Sf Rush Smart Band Firmware

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Titan Sf Rush Smart Band Firmware	Version 1.12

Running on/with	Platform Versions
Titan Sf Rush Smart Band	All versions

Related CWEs

Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

Cleartext Transmission of Sensitive Information

The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.

Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

References (4)

https://github.com/the-girl-who-lived/CVE-2020-11539/

Source: cve@mitre.org

ExploitThird Party Advisory

https://medium.com/%40sayliambure/hacking-a-5-smartband-824763ab6e8f

Source: cve@mitre.org

https://github.com/the-girl-who-lived/CVE-2020-11539/

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://medium.com/%40sayliambure/hacking-a-5-smartband-824763ab6e8f

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.