> The vulnerability combines multiple security issues: hardcoded cryptographic keys, trivial authentication bypass, and unsanitized command injection. What makes this particularly concerning is that it's completely wormable - infected robots can automatically compromise other robots in BLE range. This vulnerability allows the attacker to completely takeover the device.
Could this level of incompetence be more easily explained by malice? Maybe the robots were meant to be exploited at a future time. The PRC subsidizes the robots, every US family buys one, a plausibly deniable exploit results in the robots subduing their owners with Kung Fu. America is vanquished in a bloodless coup. A 1000 year global Chinese imperium ensues. Forks and spoons hardest hit.
I'd bet it would be more of shipped is king mindset. It's not so unprecedented that new categories of Chinese products dominate markets with incredibly insecure, stupid, and nearsighted implementations, and then buttons up one night and kicks out all open source development that benefited from lack of security.
Chinese phones, drones, action cams, robot vacuums, home security cams, smart bands, etc. all used to be insecure and vulnerable as hell. Not anymore.
No, because the exploit is likely to be caught before every US family has bought one. Much simpler, all malice needs to do is to roll out an OTA security update.
Everyone should take a look at the SERP screenshot
https://x.com/d0tslash/status/1969412224763498769
> The vulnerability combines multiple security issues: hardcoded cryptographic keys, trivial authentication bypass, and unsanitized command injection. What makes this particularly concerning is that it's completely wormable - infected robots can automatically compromise other robots in BLE range. This vulnerability allows the attacker to completely takeover the device.
damn!