CVE-2023-46916

Vulnerability

CVE-2023-46916 affects Maxima Max Pro Power 1.0 486A smartwatches. The device's Bluetooth Low Energy (BLE) implementation fails to protect against replay attacks. Specifically, an attacker can capture and retransmit BLE packets targeting GATT characteristic handle 0x0012, which is used for potentially disruptive device functions such as starting a Heart Rate monitor. The vulnerability exists in the firmware of these devices, with no version-specific patch noted in available references [1].

Exploitation

An attacker must be within BLE radio range (approximately 10–100 meters depending on environment) and able to capture legitimate BLE traffic between the smartwatch and its connected app. The attacker does not need authentication or pairing; they can passively record a valid command packet directed at characteristic handle 0x0012 and later replay it to the watch. No user interaction is required beyond the initial legitimate use of the feature.

Impact

Successful exploitation allows an attacker to trigger device functions associated with characteristic 0x0012 — such as starting a Heart Rate monitor — without authorization. The primary impact is a disruption of device behavior (availability/functionality). The attacker does not gain access to stored personal data, nor can they execute arbitrary code. The compromise is limited to BLE command replay, potentially causing nuisance or confusion if the watch acts unexpectedly.

Mitigation

No official fix or firmware update has been released by the vendor as of the publication date (December 2023). The product may be at end-of-life, as the vendor page [1] shows only sales and no support section. The only mitigation is to disable BLE on the watch when not in use, or avoid using the vulnerable characteristic. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog.