Headline
CVE-2023-34761: GitHub - actuator/7-Eleven-Bluetooth-Smart-Cup-Jailbreak: 'Hacking' a 7-Eleven Bluetooth Smart Cup | CVE-2023-34761
An unauthenticated attacker within BLE proximity can remotely connect to a 7-Eleven LED Message Cup, Hello Cup 1.3.1 for Android, and bypass the application’s client-side chat censor filter.
** 7-Eleven Bluetooth Smart Cup Jailbreak **
In 2019 7-Eleven distributed a limited promotional item they generically named the 'Custom Message Cup’*.
- https://fccid.io/2AQNV-60961HC
Customers could personalize their cups with their own messages & slogans.
The cup consists of a plastic shell lined with an LED strip that communicates via BlueTooth Low Energy & allows users to send messages from their mobile device & is available for Android & iOs.
There is a word filter restriction on this promotional cup that displays filtered words using asterixis '*’.
Searching the source via JADX-GUI revealed the de-facto list of vulgar words & the regex word filter accomplished via client-side filtering* so I proceeded to edit that wordlist.
APK Easy Tool was effective in providing a turn-key solution to decompile, sign & recompile the ‘Hello Cup’(v1.3.1) Application.
The first step was to retrieve the Smali resource files that is essentially specialized assembly language code that is used to represent the Dalvik bytecode of Android applications & specific to the Android runtime environment.
Because I quit ‘Pokemon GO’ only the string ‘pogo’ will be restricted & everything else previously banned such as ‘ugly’ (really?) will no longer be filtered.
As a result the message ‘UGLY POGO STICK’ previously rendered as ‘**** POGO STICK’ will now display 'UGLY **** STICK’.
Although modifying the application was trivial, it served as an interesting illustration bypassing client-side filtering.
** CWE-602: Client-Side Enforcement of Server-Side Security
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-34761