Unrated severity · NVD Advisory · Published Jun 21, 2024 · Updated Mar 13, 2025

CVE-2024-35537


Description

TVS Connect mobile apps Android v4.6.0 / iOS v5.0.0 insecurely handle an RSA private key, enabling attackers to decrypt sensitive data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The TVS Connect mobile application (Android v4.6.0 and iOS v5.0.0) has a broken-cryptography vulnerability: the RSA key pair is handled insecurely [1]. The private key is leaked within the application binary, so an attacker can recover it and use it to decrypt communications or stored data that were meant to be confidential.

Exploitation

An attacker with access to the application binary (e.g., by downloading the APK or IPA file) can extract the embedded RSA private key [1]. No special authentication or elevated privileges are required beyond possession of the application package. The key can be used offline to decrypt any data that was encrypted with the corresponding public key.

Impact

Successful exploitation leads to disclosure of sensitive information that was protected by RSA encryption [1]. This could include personally identifiable information of users, vehicle data, or other confidential communications. The impact is primarily a breach of confidentiality.

Mitigation

As of the publication date (2024-06-21), TVS Motor Company Limited has not yet released a patched version that addresses this issue. The report recommends that vendors rotate cryptographic keys and store them securely, such as in a hardware-backed keystore [1]. Users should update the application once a fix becomes available.
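A release-gate check for the failure described above, as an added example that is not code from the vendor, the report, or this advisory: it scans a built APK or IPA (both are zip archives) for PEM-armored private keys and fails the build if any are found. The page does not say in what form the key was embedded, so the PEM markers, the function names and the sample package layout are assumptions.

```python
import io
import re
import zipfile

# PEM labels that mark private key material (PKCS#1, PKCS#8, SEC1, OpenSSH forms).
PRIVATE_KEY_PEM = re.compile(
    rb"-----BEGIN (RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)

def scan_package(package, max_member_bytes=64 * 1024 * 1024):
    """Return sorted (member_name, pem_label) pairs for every private-key PEM
    header found in an APK/IPA. `package` is a path or a binary file object."""
    findings = set()
    with zipfile.ZipFile(package) as zf:
        for info in zf.infolist():
            # Skip directories and oversized members to bound memory use.
            if info.is_dir() or info.file_size > max_member_bytes:
                continue
            data = zf.read(info)
            for match in PRIVATE_KEY_PEM.finditer(data):
                label = (match.group(1) or b"").decode() + "PRIVATE KEY"
                findings.add((info.filename, label))
    return sorted(findings)

def build_sample_package():
    """Constructed sample: an in-memory zip with an APK-like layout.
    The PEM bodies are placeholders, not real key material."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("res/raw/server_pub.pem",
                    b"-----BEGIN PUBLIC KEY-----\nCONSTRUCTED\n-----END PUBLIC KEY-----\n")
        zf.writestr("assets/keys/app.pem",
                    b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    hits = scan_package(build_sample_package())
    for name, label in hits:
        # Report location and type only; never echo key bytes into CI logs.
        print(f"FAIL {name}: embedded {label}")
    raise SystemExit(1 if hits else 0)
```

A clean result only rules out PEM-armored keys: DER-encoded keys, bare base64 strings and obfuscated constants need separate checks, and any key that has already shipped in a released package must be rotated regardless.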

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.
