VYPR
Unrated severity · NVD Advisory · Published Oct 25, 2022 · Updated Apr 15, 2025

CVE-2022-29475

Description

An information disclosure vulnerability exists in the XFINDER functionality of Abode Systems, Inc. iota All-In-One Security Kit 6.9X and 6.9Z. A specially-crafted man-in-the-middle attack can lead to increased privileges. An attacker can perform a man-in-the-middle attack to trigger this vulnerability.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A man-in-the-middle vulnerability in the XFINDER service of Abode iota security kits (6.9X/6.9Z) can disclose sensitive information and allow privilege escalation.

Vulnerability

The XFINDER service (UDP/55030) on Abode Systems iota All-In-One Security Kit versions 6.9X and 6.9Z uses a static XOR key for obfuscation; because the key is fixed, an attacker can recover it. This allows specially crafted man-in-the-middle (MITM) attacks that exploit the weak obfuscation to reveal sensitive data [1].

Exploitation

An attacker must be positioned on the local network to perform a MITM attack between the iota device and legitimate XFINDER peers or the cloud. The attacker captures XFINDER network traffic, reverses the static XOR obfuscation (key is 64 bytes, used with bitwise NOT and XOR), and replays or modifies packets. No authentication is required, but the attacker must be able to intercept and inject packets on the LAN [1].

Impact

Successful exploitation leads to information disclosure of sensitive data transmitted via XFINDER, which can then be used to escalate privileges on the device. The attacker gains a low-level foothold (CVSS 4.7) with potential to compromise further security controls [1].

Mitigation

As of the advisory publication (October 25, 2022), no patched firmware version has been released by Abode Systems. Users should restrict local network access to the iota device, monitor for unauthorized traffic on UDP/55030, and apply any future updates promptly [1].

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

References: 1

News mentions: 0 (no linked articles in our index yet)