CVE-2020-12729

Vulnerability

MagicMotion Flamingo 2, a wearable device described on the vendor's product page [1], suffers from a lack of access control for reading device descriptors. This vulnerability affects all versions of the Flamingo 2 (no specific version range is provided in the available references). The issue lies in the device's firmware or communication protocol, which does not enforce authentication or authorization when a remote entity requests descriptor data.

Exploitation

An attacker with physical proximity or within Bluetooth range (if the device uses wireless communication) can read device descriptors without any authentication or user interaction. No special privileges or prior access are required; the attacker simply sends a read request to the device.

Impact

Successful exploitation allows the attacker to obtain device descriptors, which may contain sensitive configuration details, hardware identifiers, or other information that could aid in further attacks. The primary impact is information disclosure, potentially compromising user privacy or device integrity.

Mitigation

As of the publication date (2021-07-15), no official fix or workaround has been disclosed in the available references [1]. The vendor may need to release a firmware update to implement proper access control. This CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.