adacam/CVE-LOG.md
Kayos de0c434942 docs: CVE-16 — unsigned USB firmware flash (physical RCE)
- usb-updater installs .mender bundles with no signature verification
- /etc/mender has no artifact_verify_key (confirmed from firmware extraction)
- Also: movisoc-fwu updates bootloader from USB, also unsigned
- Camera pipeline is GStreamer+kmbcamsrc (not DepthAI) — key adacam insight
- 4K H.265 video recorded continuously (undisclosed — reinforces CVE-5)
2026-03-14 10:54:42 -07:00


Hivemapper Bee (HDC-S) — Vulnerability Log

Researcher: Kayos / Cobb
Device: Hivemapper Bee HDC-S
Firmware: Intel ESE Yocto dunfell, odc-api v5.7.88, kernel 5.10.32
Disclosure status: Hivemapper notified, ignored. 90-day window expires 2026-06-07.
Publication plan: Full public release after window expires, regardless of response.


CVE-1 — Unauthenticated Root RCE via /api/1/cmd

MITRE ID: MCID15663720 (filed)
CVSS v3: ~9.8 Critical
Status: Filed, unacknowledged

Description:
The odc-api service (Node.js, port 5000) exposes a debug endpoint /api/1/cmd that executes arbitrary shell commands as root with zero authentication. Any device connected to the Bee's open WiFi AP can achieve full root shell access in under 60 seconds with only curl.

PoC:

curl -X POST http://192.168.0.10:5000/api/1/cmd \
  -H "Content-Type: application/json" \
  -d '{"cmd": "id"}'
# Response: {"result": "uid=0(root) gid=0(root)"}

Impact: Complete device compromise, persistent backdoor installation, data exfiltration, OTA blocking.


CVE-2 — Universal Hardcoded WiFi Credential

MITRE ID: TBD
CVSS v3: ~8.8 High
Status: Undisclosed

Description:
All Hivemapper Bee devices ship with the same WiFi AP password: hivemapper. This credential is publicly documented in Hivemapper's own support documentation. Combined with an open AP (no MAC filtering, no per-device credentials), any attacker within WiFi range can join the device network and chain into CVE-1 for instant root access.

Evidence: Password confirmed on factory device. Documented at docs.beemaps.com.

Impact: Removes the only network barrier between an attacker and CVE-1.


CVE-3 — Undisclosed Remote Code Execution Platform (beekeeper-plugin)

MITRE ID: TBD
CVSS v3: ~9.0 Critical
Status: Undisclosed

Description:
beekeeper-plugin.service runs as root on every device and executes arbitrary Python code pushed from Hivemapper's servers. The bee-plugins SDK (github.com/Hivemapper/bee-plugins) documents how to push plugins over WiFi using the ODC API. Hivemapper can silently deploy new code to all devices at any time with no user notification or consent.

This is a first-party remote code execution channel running with root privileges, distinct from the /api/1/cmd CVE. The plugin system fetches and decrypts secrets from Hivemapper's servers at runtime (AES-256-CBC, PBKDF2-HMAC-SHA256 key derivation using plugin ID as key material).

Evidence:

  • beekeeper-plugin.service present and running on factory firmware
  • bee-plugins repo documents push mechanism via devtools.py -i myplugin.py
  • Secrets fetched via PUT /plugins/:name/secrets on odc-api

Impact: Hivemapper can execute arbitrary code as root on any Bee at any time without user knowledge or consent. Constitutes an undisclosed persistent backdoor.


CVE-4 — Operator MITM of All Device HTTPS Traffic

MITRE ID: TBD
CVSS v3: ~7.4 High
Status: Undisclosed

Description:
mitmproxy (mitmdump) runs on every device and intercepts all outbound HTTPS traffic from device services. A self-signed CA certificate is installed in the system trust store, allowing transparent decryption of all TLS connections. The rewrite_to_cloudflare.py addon rewrites destinations to Hivemapper's Cloudflare Workers before forwarding.

This is not a third-party attack — Hivemapper is deliberately MITM-ing their own devices' encrypted traffic. Device owners have no visibility into this.

Evidence:

  • mitmproxy.service running on factory firmware, PID confirmed in process list
  • Config at /data/.mitmproxy/, CA installed in system trust store
  • rewrite_to_cloudflare.py routes traffic through Hivemapper's CDN layer

Impact: Hivemapper intercepts and can inspect/modify all encrypted communications from the device. Undisclosed to device owners.


CVE-5 — Undisclosed Automatic Incident Video Recording and Upload

MITRE ID: TBD
CVSS v3 (Privacy): ~7.5 High
Status: Undisclosed
Note: More a privacy/regulatory violation than a traditional CVE; applicable under CCPA, GDPR, and FTC Act Section 5.

Description:
video-processor.service monitors IMU data for driving events (harsh braking, swerving, high-G, stop sign violations, tailgating, speeding) and automatically records and uploads short video clips to Hivemapper's servers when events are triggered. These clips are accessible via the "Bee Maps AI Event Video API" and analyzed using AI (confirmed in github.com/Hivemapper/ai-event-videos).

Device owners are not notified that their driving behavior triggers automatic video recording and upload. The Hivemapper privacy policy response to disclosure inquiry suggests this behavior is "covered" by policy — but it is not prominently disclosed at point of purchase or device setup.

Evidence:

  • video-processor.service present on factory firmware: python3 /opt/video-processor/video-processor.py
  • ai-event-videos repo documents event types and AI analysis pipeline
  • Event types include: Harsh Braking, Aggressive Acceleration, Swerving, High Speed, Stop Sign Violation, Traffic Light Violation, Tailgating

Impact: Covert behavioral surveillance and video upload without meaningful user disclosure. Potential CCPA/GDPR violations.


Additional Issues (Not CVEs, but Notable)

| Issue | Notes |
| --- | --- |
| mender-client OTA | Hivemapper can push firmware updates silently, no user approval |
| Dev firmware in production | build_type: "dev" on shipping devices — debug features enabled |
| No firewall | Zero iptables/nftables rules on factory firmware |
| SSH no-auth root | Port 22, AP interface, root login with no password required |
| HERE Maps API key exposed | Functional HERE API key in /companion/globalconfig public endpoint |
| S3 bucket public | Firmware, APKs, ML models publicly listable/downloadable |
| Hardcoded keystore password | freApUaNTEwJ8j5 in Android APK |

Timeline

| Date | Event |
| --- | --- |
| 2026-03-04 | Initial Bee compromise, CVE-1 discovered |
| 2026-03-09 | Deep API recon, additional vulnerabilities documented |
| 2026-03-09 | CVE filed with MITRE: MCID15663720 |
| 2026-03-09 | Disclosure email sent to as@hivemapper.com (Ariel Seidman) |
| 2026-03-14 | Second Bee (factory fresh) received, CVE-3/4/5 discovered |
| 2026-03-14 | Hivemapper response: privacy policy link, questions ignored |
| 2026-06-07 | 90-day window expires — full public release |

CVE-16 — Unsigned USB Firmware Flash (Physical Access RCE)

MITRE ID: TBD
CVSS v3: 9.8 Critical
Status: Undisclosed
Requires: Physical USB access to device

Description:
The usb-updater script installs Mender firmware bundles from a USB drive with no cryptographic signature verification. The only check performed is comparing syshash.img from the bundle against the currently installed partition — if they differ, the bundle is installed unconditionally via mender --install.

/etc/mender contains no artifact_verify_key file, confirming Mender is not configured to verify artifact signatures on any update path (USB or OTA).

Evidence:

# usb-updater (from firmware rootfs):
UPDATE_FILE=$(find $UPDATE_DIR -name *.mender | head -n 1)
# ... syshash comparison only ...
mender --install $UPDATE_FILE  # NO SIGNATURE CHECK
mender --commit
reboot

/etc/mender/ — no artifact_verify_key present (confirmed from firmware extraction)

PoC:

  1. Create a malicious .mender bundle with arbitrary rootfs
  2. Place on FAT32 USB drive at /hivemapper_update/evil.mender
  3. Plug into device USB port
  4. Device flashes on next boot, commits, reboots into attacker firmware

Impact: Complete, persistent, unrecoverable firmware compromise via physical access. No WiFi, no network, no credentials required.

Remediation:

  1. Generate signing keypair, embed public key as /etc/mender/artifact_verify_key
  2. Sign all firmware artifacts with private key before distribution
  3. Verify signatures in usb-updater before calling mender --install
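A hardened version of the usb-updater install step that implements remediation step 3, as an added example that is not the firmware's own script. It assumes the public key sits at /etc/mender/artifact_verify_key (the path this log uses) and delegates the signature check to the mender-artifact CLI's `validate -k` subcommand; the binary paths are overridable only so the fail-closed logic can be exercised with stubs.

```shell
#!/bin/sh
# Hardened replacement for the install step of usb-updater (an added example,
# not the firmware's own script). Assumptions: the Mender public key lives at
# VERIFY_KEY (the log names /etc/mender/artifact_verify_key) and the real
# mender-artifact CLI is present; its "validate -k <key> <bundle>" subcommand
# checks the signature embedded in the .mender artifact. MENDER_ARTIFACT_BIN and
# MENDER_BIN are overridable only so the gating logic can be exercised with stubs.
set -u

UPDATE_DIR="${UPDATE_DIR:-/hivemapper_update}"
VERIFY_KEY="${VERIFY_KEY:-/etc/mender/artifact_verify_key}"
MENDER_ARTIFACT_BIN="${MENDER_ARTIFACT_BIN:-mender-artifact}"
MENDER_BIN="${MENDER_BIN:-mender}"

# Succeeds only when the bundle's signature verifies against VERIFY_KEY.
# Fails closed: a missing key means no install, not an unsigned install.
verify_bundle() {
    bundle="$1"
    if [ ! -s "$VERIFY_KEY" ]; then
        echo "usb-updater: no verify key at $VERIFY_KEY, refusing to flash" >&2
        return 1
    fi
    case "$bundle" in
        *.mender) ;;
        *) echo "usb-updater: not a .mender bundle: $bundle" >&2; return 1 ;;
    esac
    "$MENDER_ARTIFACT_BIN" validate -k "$VERIFY_KEY" "$bundle" >/dev/null 2>&1
}

# Requires exactly one *.mender file; the original "find ... | head -n 1"
# silently picked an arbitrary bundle when several were present.
select_bundle() {
    count=0; chosen=""
    for f in "$UPDATE_DIR"/*.mender; do
        [ -f "$f" ] || continue
        count=$((count + 1)); chosen="$f"
    done
    [ "$count" -eq 1 ] || return 1
    printf '%s\n' "$chosen"
}

# mender --install is reached only after verification; the syshash comparison
# from the original script may stay as a skip-if-identical optimisation, but it
# is not a security check. The caller reboots afterwards, as the original did.
install_from_usb() {
    bundle=$(select_bundle) || { echo "usb-updater: expected exactly one bundle in $UPDATE_DIR" >&2; return 1; }
    verify_bundle "$bundle" || return 1
    "$MENDER_BIN" --install "$bundle" && "$MENDER_BIN" --commit
}
```

Note that the key file only has effect here because this script checks it explicitly; the Mender client's own OTA path still needs its artifact verification option configured separately.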

Additional Firmware Findings (Non-CVE)

Camera Pipeline Architecture

The camera uses GStreamer with Intel Keem Bay native ISP drivers (kmbcamsrc), NOT DepthAI for frame capture. Pipeline:

  • kmbcamsrc → VAAPI JPEG encoder → /tmp/recording/pics/cam0pipe.jpg (2028×1024)
  • kmbcamsrc → VAAPI H.265 encoder → 4K 30fps video chunks in /tmp/recording/
  • Device records 4K H.265 video continuously (undisclosed to users — related to CVE-5)

VPU Firmware Loading

StartVpu luxonis_vpu.bin called from start-camera.sh before GStreamer pipeline launch. VPU handles AI inference (depthai_gate) separately from camera capture.

Bootloader Update Without Verification

usb-updater also calls movisoc-fwu -a fip.bin to update the ARM Trusted Firmware (bootloader) from USB with no signature verification.