VYPR
Unrated severity · NVD Advisory · Published Jul 15, 2021 · Updated Aug 4, 2024

CVE-2020-12730

Description

MagicMotion Flamingo 2 lacks BLE encryption, enabling data sniffing and packet forgery.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MagicMotion Flamingo 2 uses unencrypted BLE, allowing attackers to sniff data and forge packets.

Vulnerability

MagicMotion Flamingo 2 (all versions) transmits data over Bluetooth Low Energy (BLE) without encryption, as indicated by its classification under CWE-319 [1]. This means that all communication between the device and the controlling smartphone app is sent in cleartext, making it susceptible to eavesdropping and manipulation.

Exploitation

An attacker within BLE range (typically up to 10 meters) can use a standard BLE sniffer (e.g., a smartphone with a packet capture app or a dedicated tool like Ubertooth) to capture the unencrypted packets. No authentication or prior access to the device is required. The attacker can also inject forged BLE packets to send arbitrary commands to the device, as the protocol lacks any integrity checks.

Impact

Successful exploitation allows an attacker to sniff sensitive data, such as device control signals and potentially user interaction patterns. More critically, the attacker can forge packets to control the device remotely, including changing vibration modes, powering the device on/off, or triggering other functions. This compromises the confidentiality and integrity of device usage, and could lead to unexpected behavior without the user's consent.

Mitigation

As of the latest available references, no firmware update or patch has been released to address this vulnerability. Users are advised to use the device only in trusted environments, disable BLE when not in use if possible, and be aware that any communication can be intercepted. The vendor has not indicated plans to implement encryption in future versions [2].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

2
