Sulkta-Coop/adacam
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
adacam/CVE-LOG.md
Kayos de0c434942 docs: CVE-16 — unsigned USB firmware flash (physical RCE) 
- usb-updater installs .mender bundles with no signature verification
- /etc/mender has no artifact_verify_key (confirmed from firmware extraction)
- Also: movisoc-fwu updates bootloader from USB, also unsigned
- Camera pipeline is GStreamer+kmbcamsrc (not DepthAI) — key adacam insight
- 4K H.265 video recorded continuously (undisclosed — reinforces CVE-5)
2026-03-14 10:54:42 -07:00

186 lines
8.9 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Hivemapper Bee (HDC-S) — Vulnerability Log
**Researcher:** Kayos / Cobb
**Device:** Hivemapper Bee HDC-S
**Firmware:** Intel ESE Yocto dunfell, odc-api v5.7.88, kernel 5.10.32
**Disclosure status:** Hivemapper notified, ignored. 90-day window expires **2026-06-07**.
**Publication plan:** Full public release after window expires, regardless of response.
---
## CVE-1 — Unauthenticated Root RCE via `/api/1/cmd`
**MITRE ID:** MCID15663720 (filed)
**CVSS v3:** ~9.8 Critical
**Status:** Filed, unacknowledged
**Description:**
The `odc-api` service (Node.js, port 5000) exposes a debug endpoint `/api/1/cmd` that executes arbitrary shell commands as root with zero authentication. Any device connected to the Bee's open WiFi AP can achieve full root shell access in under 60 seconds with only `curl`.
**PoC:**
```bash
curl -X POST http://192.168.0.10:5000/api/1/cmd \
-H "Content-Type: application/json" \
-d '{"cmd": "id"}'
# Response: {"result": "uid=0(root) gid=0(root)"}
```
**Impact:** Complete device compromise, persistent backdoor installation, data exfiltration, OTA blocking.
---
## CVE-2 — Universal Hardcoded WiFi Credential
**MITRE ID:** TBD
**CVSS v3:** ~8.8 High
**Status:** Undisclosed
**Description:**
All Hivemapper Bee devices ship with the same WiFi AP password: `hivemapper`. This credential is publicly documented in Hivemapper's own support documentation. Combined with an open AP (no MAC filtering, no per-device credentials), any attacker within WiFi range can join the device network and chain into CVE-1 for instant root access.
**Evidence:** Password confirmed on factory device. Documented at `docs.beemaps.com`.
**Impact:** Removes the only network barrier between an attacker and CVE-1.
---
## CVE-3 — Undisclosed Remote Code Execution Platform (beekeeper-plugin)
**MITRE ID:** TBD
**CVSS v3:** ~9.0 Critical
**Status:** Undisclosed
**Description:**
`beekeeper-plugin.service` runs as root on every device and executes arbitrary Python code pushed from Hivemapper's servers. The `bee-plugins` SDK (`github.com/Hivemapper/bee-plugins`) documents how to push plugins over WiFi using the ODC API. Hivemapper can silently deploy new code to all devices at any time with no user notification or consent.
This is a first-party remote code execution channel running with root privileges, distinct from the `/api/1/cmd` CVE. The plugin system fetches and decrypts secrets from Hivemapper's servers at runtime (AES-256-CBC, PBKDF2-HMAC-SHA256 key derivation using plugin ID as key material).
**Evidence:**
- `beekeeper-plugin.service` present and running on factory firmware
- `bee-plugins` repo documents push mechanism via `devtools.py -i myplugin.py`
- Secrets fetched via PUT `/plugins/:name/secrets` on odc-api
**Impact:** Hivemapper can execute arbitrary code as root on any Bee at any time without user knowledge or consent. Constitutes an undisclosed persistent backdoor.
---
## CVE-4 — Operator MITM of All Device HTTPS Traffic
**MITRE ID:** TBD
**CVSS v3:** ~7.4 High
**Status:** Undisclosed
**Description:**
`mitmproxy` (mitmdump) runs on every device and intercepts all outbound HTTPS traffic from device services. A self-signed CA certificate is installed in the system trust store, allowing transparent decryption of all TLS connections. The `rewrite_to_cloudflare.py` addon rewrites destinations to Hivemapper's Cloudflare Workers before forwarding.
This is not a third-party attack — Hivemapper is deliberately MITM-ing their own devices' encrypted traffic. Device owners have no visibility into this.
**Evidence:**
- `mitmproxy.service` running on factory firmware, PID confirmed in process list
- Config at `/data/.mitmproxy/`, CA installed in system trust store
- `rewrite_to_cloudflare.py` routes traffic through Hivemapper's CDN layer
**Impact:** Hivemapper intercepts and can inspect/modify all encrypted communications from the device. Undisclosed to device owners.
---
## CVE-5 — Undisclosed Automatic Incident Video Recording and Upload
**MITRE ID:** TBD
**CVSS v3 (Privacy):** ~7.5 High
**Status:** Undisclosed
**Note:** Privacy/regulatory violation more than traditional CVE — applicable under CCPA, GDPR, FTC Act Section 5.
**Description:**
`video-processor.service` monitors IMU data for driving events (harsh braking, swerving, high-G, stop sign violations, tailgating, speeding) and automatically records and uploads short video clips to Hivemapper's servers when events are triggered. These clips are accessible via the "Bee Maps AI Event Video API" and analyzed using AI (confirmed in `github.com/Hivemapper/ai-event-videos`).
Device owners are not notified that their driving behavior triggers automatic video recording and upload. The Hivemapper privacy policy response to disclosure inquiry suggests this behavior is "covered" by policy — but it is not prominently disclosed at point of purchase or device setup.
**Evidence:**
- `video-processor.service` present on factory firmware: `python3 /opt/video-processor/video-processor.py`
- `ai-event-videos` repo documents event types and AI analysis pipeline
- Event types include: Harsh Braking, Aggressive Acceleration, Swerving, High Speed, Stop Sign Violation, Traffic Light Violation, Tailgating
**Impact:** Covert behavioral surveillance and video upload without meaningful user disclosure. Potential CCPA/GDPR violations.
---
## Additional Issues (Not CVEs, but Notable)
| Issue | Notes |
|-------|-------|
| `mender-client` OTA | Hivemapper can push firmware updates silently, no user approval |
| Dev firmware in production | `build_type: "dev"` on shipping devices — debug features enabled |
| No firewall | Zero iptables/nftables rules on factory firmware |
| SSH no-auth root | Port 22, AP interface, root login with no password required |
| HERE Maps API key exposed | Functional HERE API key in `/companion/globalconfig` public endpoint |
| S3 bucket public | Firmware, APKs, ML models publicly listable/downloadable |
| Hardcoded keystore password | `freApUaNTEwJ8j5` in Android APK |
---
## Timeline
| Date | Event |
|------|-------|
| 2026-03-04 | Initial Bee compromise, CVE-1 discovered |
| 2026-03-09 | Deep API recon, additional vulnerabilities documented |
| 2026-03-09 | CVE filed with MITRE: MCID15663720 |
| 2026-03-09 | Disclosure email sent to `as@hivemapper.com` (Ariel Seidman) |
| 2026-03-14 | Second Bee (factory fresh) received, CVE-3/4/5 discovered |
| 2026-03-14 | Hivemapper response: privacy policy link, questions ignored |
| **2026-06-07** | **90-day window expires — full public release** |
---
## CVE-16 — Unsigned USB Firmware Flash (Physical Access RCE)
**MITRE ID:** TBD
**CVSS v3:** 9.8 Critical
**Status:** Undisclosed
**Requires:** Physical USB access to device
**Description:**
The `usb-updater` script installs Mender firmware bundles from a USB drive with no cryptographic signature verification. The only check performed is comparing `syshash.img` from the bundle against the currently installed partition — if they differ, the bundle is installed unconditionally via `mender --install`.
`/etc/mender` contains no `artifact_verify_key` file, confirming Mender is not configured to verify artifact signatures on any update path (USB or OTA).
**Evidence:**
```bash
# usb-updater (from firmware rootfs):
UPDATE_FILE=$(find $UPDATE_DIR -name *.mender | head -n 1)
# ... syshash comparison only ...
mender --install $UPDATE_FILE # NO SIGNATURE CHECK
mender --commit
reboot
```
`/etc/mender/` — no `artifact_verify_key` present (confirmed from firmware extraction)
**PoC:**
1. Create a malicious `.mender` bundle with arbitrary rootfs
2. Place on FAT32 USB drive at `/hivemapper_update/evil.mender`
3. Plug into device USB port
4. Device flashes on next boot, commits, reboots into attacker firmware
**Impact:** Complete, persistent, unrecoverable firmware compromise via physical access. No WiFi, no network, no credentials required.
**Remediation:**
1. Generate signing keypair, embed public key as `/etc/mender/artifact_verify_key`
2. Sign all firmware artifacts with private key before distribution
3. Verify signatures in `usb-updater` before calling `mender --install`
---
## Additional Firmware Findings (Non-CVE)
### Camera Pipeline Architecture
The camera uses GStreamer with Intel Keem Bay native ISP drivers (`kmbcamsrc`), NOT DepthAI for frame capture. Pipeline:
- `kmbcamsrc` → VAAPI JPEG encoder → `/tmp/recording/pics/cam0pipe.jpg` (2028×1024)
- `kmbcamsrc` → VAAPI H.265 encoder → 4K 30fps video chunks in `/tmp/recording/`
- Device records 4K H.265 video continuously (undisclosed to users — related to CVE-5)
### VPU Firmware Loading
`StartVpu luxonis_vpu.bin` called from `start-camera.sh` before GStreamer pipeline launch. VPU handles AI inference (depthai_gate) separately from camera capture.
### Bootloader Update Without Verification
`usb-updater` also calls `movisoc-fwu -a fip.bin` to update the ARM Trusted Firmware (bootloader) from USB with no signature verification.
Reference in a new issue View git blame Copy permalink