Sulkta-Coop/adacam
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

docs: CVE-16 — unsigned USB firmware flash (physical RCE)

Browse source 
- usb-updater installs .mender bundles with no signature verification
- /etc/mender has no artifact_verify_key (confirmed from firmware extraction)
- Also: movisoc-fwu updates bootloader from USB, also unsigned
- Camera pipeline is GStreamer+kmbcamsrc (not DepthAI) — key adacam insight
- 4K H.265 video recorded continuously (undisclosed — reinforces CVE-5)
This commit is contained in:
Kayos 2026-03-14 10:54:42 -07:00
parent 8e2596d6cf
commit de0c434942
1 changed files with 54 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

54
CVE-LOG.md
View file

@ -130,3 +130,57 @@ Device owners are not notified that their driving behavior triggers automatic vi
| 2026-03-14 | Second Bee (factory fresh) received, CVE-3/4/5 discovered |
| 2026-03-14 | Hivemapper response: privacy policy link, questions ignored |
| **2026-06-07** | **90-day window expires — full public release** |
---
## CVE-16 — Unsigned USB Firmware Flash (Physical Access RCE)
**MITRE ID:** TBD
**CVSS v3:** 9.8 Critical
**Status:** Undisclosed
**Requires:** Physical USB access to device
**Description:**
The `usb-updater` script installs Mender firmware bundles from a USB drive with no cryptographic signature verification. The only check performed is comparing `syshash.img` from the bundle against the currently installed partition — if they differ, the bundle is installed unconditionally via `mender --install`.
`/etc/mender` contains no `artifact_verify_key` file, confirming Mender is not configured to verify artifact signatures on any update path (USB or OTA).
**Evidence:**
```bash
# usb-updater (from firmware rootfs):
UPDATE_FILE=$(find $UPDATE_DIR -name *.mender | head -n 1)
# ... syshash comparison only ...
mender --install $UPDATE_FILE # NO SIGNATURE CHECK
mender --commit
reboot
```
`/etc/mender/` — no `artifact_verify_key` present (confirmed from firmware extraction)
**PoC:**
1. Create a malicious `.mender` bundle with arbitrary rootfs
2. Place on FAT32 USB drive at `/hivemapper_update/evil.mender`
3. Plug into device USB port
4. Device flashes on next boot, commits, reboots into attacker firmware
**Impact:** Complete, persistent, unrecoverable firmware compromise via physical access. No WiFi, no network, no credentials required.
**Remediation:**
1. Generate signing keypair, embed public key as `/etc/mender/artifact_verify_key`
2. Sign all firmware artifacts with private key before distribution
3. Verify signatures in `usb-updater` before calling `mender --install`
---
## Additional Firmware Findings (Non-CVE)
### Camera Pipeline Architecture
The camera uses GStreamer with Intel Keem Bay native ISP drivers (`kmbcamsrc`), NOT DepthAI for frame capture. Pipeline:
- `kmbcamsrc` → VAAPI JPEG encoder → `/tmp/recording/pics/cam0pipe.jpg` (2028×1024)
- `kmbcamsrc` → VAAPI H.265 encoder → 4K 30fps video chunks in `/tmp/recording/`
- Device records 4K H.265 video continuously (undisclosed to users — related to CVE-5)
### VPU Firmware Loading
`StartVpu luxonis_vpu.bin` called from `start-camera.sh` before GStreamer pipeline launch. VPU handles AI inference (depthai_gate) separately from camera capture.
### Bootloader Update Without Verification
`usb-updater` also calls `movisoc-fwu -a fip.bin` to update the ARM Trusted Firmware (bootloader) from USB with no signature verification.