RVD#3330: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware #3330

Open
glerapic opened this issue Aug 25, 2020 · 0 comments

glerapic commented Aug 25, 2020

id: 3330
title: 'RVD#3330: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware'
type: Vulnerability exploitable remotely
description: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware up
  to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24,
  and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to gain
  raised privileges on the temi and have it automatically answer the attacker's calls,
  granting audio, video, and motor control.
cwe: CWE-798
cve: CVE-2020-16170
keywords:
- temi, Hard-Coded Creds
system:
- Robotemi up to 20190419.165201
vendor: Robotemi Global Ltd
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:RN/AC:L/PR:N/UI:N/S:U/Y:O/C:H/I:H/A:H/H:U
  severity-description: critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-16170
- https://github.com/aliasrobotics/RVD/issues/3330
flaw:
  phase: runtime-operation
  specificity: general issue
  architectural-location: application-specific
  application: Robox OS
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: '2020-08-18'
  detected-by: Patxi Mayoral (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-08-25'
  reported-by: Patxi Mayoral (Alias Robotics)
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3330
  reproducibility: always
  trace: N/A
  reproduction: Not Disclosed
  reproduction-image: Not Disclosed
exploitation:
  description: Not Disclosed
  exploitation-image: Not Disclosed
  exploitation-vector: Not Disclosed
  exploitation-recipe: ''
mitigation:
  description: this issue was not acknowledged by the company yet
  pull-request: N/A
  date-mitigation: null

glerapic changed the title from "Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware" to "RVD#3330: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware" on Aug 25, 2020