From de0c4349422b0517698452c642db07058b7f7a35 Mon Sep 17 00:00:00 2001 From: Kayos Date: Sat, 14 Mar 2026 10:54:42 -0700 Subject: [PATCH] =?UTF-8?q?docs:=20CVE-16=20=E2=80=94=20unsigned=20USB=20f?= =?UTF-8?q?irmware=20flash=20(physical=20RCE)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - usb-updater installs .mender bundles with no signature verification - /etc/mender has no artifact_verify_key (confirmed from firmware extraction) - Also: movisoc-fwu updates bootloader from USB, also unsigned - Camera pipeline is GStreamer+kmbcamsrc (not DepthAI) — key adacam insight - 4K H.265 video recorded continuously (undisclosed — reinforces CVE-5) --- CVE-LOG.md | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/CVE-LOG.md b/CVE-LOG.md index 4a7745b..8cc89ce 100644 --- a/CVE-LOG.md +++ b/CVE-LOG.md @@ -130,3 +130,57 @@ Device owners are not notified that their driving behavior triggers automatic vi | 2026-03-14 | Second Bee (factory fresh) received, CVE-3/4/5 discovered | | 2026-03-14 | Hivemapper response: privacy policy link, questions ignored | | **2026-06-07** | **90-day window expires — full public release** | + +--- + +## CVE-16 — Unsigned USB Firmware Flash (Physical Access RCE) + +**MITRE ID:** TBD +**CVSS v3:** 9.8 Critical +**Status:** Undisclosed +**Requires:** Physical USB access to device + +**Description:** +The `usb-updater` script installs Mender firmware bundles from a USB drive with no cryptographic signature verification. The only check performed is comparing `syshash.img` from the bundle against the currently installed partition — if they differ, the bundle is installed unconditionally via `mender --install`. + +`/etc/mender` contains no `artifact_verify_key` file, confirming Mender is not configured to verify artifact signatures on any update path (USB or OTA). + +**Evidence:** +```bash +# usb-updater (from firmware rootfs): +UPDATE_FILE=$(find $UPDATE_DIR -name *.mender | head -n 1) +# ... syshash comparison only ... +mender --install $UPDATE_FILE # NO SIGNATURE CHECK +mender --commit +reboot +``` +`/etc/mender/` — no `artifact_verify_key` present (confirmed from firmware extraction) + +**PoC:** +1. Create a malicious `.mender` bundle with arbitrary rootfs +2. Place on FAT32 USB drive at `/hivemapper_update/evil.mender` +3. Plug into device USB port +4. Device flashes on next boot, commits, reboots into attacker firmware + +**Impact:** Complete, persistent, unrecoverable firmware compromise via physical access. No WiFi, no network, no credentials required. + +**Remediation:** +1. Generate signing keypair, embed public key as `/etc/mender/artifact_verify_key` +2. Sign all firmware artifacts with private key before distribution +3. Verify signatures in `usb-updater` before calling `mender --install` + +--- + +## Additional Firmware Findings (Non-CVE) + +### Camera Pipeline Architecture +The camera uses GStreamer with Intel Keem Bay native ISP drivers (`kmbcamsrc`), NOT DepthAI for frame capture. Pipeline: +- `kmbcamsrc` → VAAPI JPEG encoder → `/tmp/recording/pics/cam0pipe.jpg` (2028×1024) +- `kmbcamsrc` → VAAPI H.265 encoder → 4K 30fps video chunks in `/tmp/recording/` +- Device records 4K H.265 video continuously (undisclosed to users — related to CVE-5) + +### VPU Firmware Loading +`StartVpu luxonis_vpu.bin` called from `start-camera.sh` before GStreamer pipeline launch. VPU handles AI inference (depthai_gate) separately from camera capture. + +### Bootloader Update Without Verification +`usb-updater` also calls `movisoc-fwu -a fip.bin` to update the ARM Trusted Firmware (bootloader) from USB with no signature verification.