Marc Rogers and Silas Cutler expose how cheap smart home devices conceal a shadow supply chain of shell companies, firmware flaws, and foreign data routing.
Analysis Summary
# Vulnerability: Shadow Supply Chain and Firmware Flaws in Budget IoT Devices
## CVE Details
- **CVE ID:** CVE-2024-25076 (the article covers the broader ecosystem; this ID is the primary identifier for the Eken/Tuck vulnerabilities the researchers discuss).
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-798 (Use of Hard-coded Credentials), CWE-319 (Cleartext Transmission of Sensitive Information).
## Affected Systems
- **Products:** Ultra-cheap smart home devices, specifically video doorbells and security cameras.
- **Versions:** Multiple iterations of hardware sharing the **Allwinner** semiconductor platform.
- **Brands:** Sold under rotating brand names including **Eken**, **Tuck**, and various "white-label" shell brands found on major e-commerce platforms.
- **Configurations:** Devices configured to use mobile applications (e.g., Aiwit) for remote monitoring.
## Vulnerability Description
Technical analysis of the firmware revealed several critical security failures:
1. **Hardcoded Credentials:** Hardcoded root passwords are present in the firmware, allowing unauthorized access to the device OS.
2. **Incomplete Patching:** "Fixes" for known vulnerable services involved merely commenting out service calls in startup scripts rather than removing the binaries or securing the underlying code.
3. **Insecure Data Routing:** Despite marketing claims of local or secure cloud storage, metadata and unencrypted video content are systematically routed through servers located in Hong Kong and mainland China.
4. **Remote Configuration Exploitation:** The devices can be reconfigured via "pushes" from overseas servers, effectively allowing the manufacturer to change device behavior or security posture at will.
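The "incomplete patching" pattern in item 2 is easy to miss when reviewing a vendor fix, because the startup script looks clean while the vulnerable binary is still on the image and can be re-enabled by a later configuration push. The following added example (not code from the article or the researchers) audits an extracted firmware's init script against the list of executables on the root filesystem and separates real removals from superficial ones. The script text and the file inventory are constructed samples; real analysis would feed it `rcS` and a `find` listing from an unpacked image.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample of an init script (not taken from any real firmware image).
SAMPLE_RC = """#!/bin/sh
# rcS: constructed example startup script
mount -a
/usr/sbin/telnetd -l /bin/login &
#/usr/sbin/dropbear -p 22 &
# /usr/bin/httpd -h /www &
/usr/bin/app_main &
"""

# Constructed inventory of executables found on the extracted root filesystem.
SAMPLE_FS = {"/usr/sbin/telnetd", "/usr/sbin/dropbear", "/usr/bin/app_main", "/bin/login"}

# Matches a line that invokes an absolute-path binary, optionally behind a leading '#'.
# Shebangs, free-text comments and relative commands (e.g. "mount -a") do not match.
INVOCATION = re.compile(r"^\s*(?P<commented>#\s*)?(?P<path>/[^\s&;|]+)")


def audit_init_script(rc_text: str, fs_paths: Iterable[str]) -> Dict[str, List[str]]:
    """Classify every absolute-path service invocation in an init script.

    active:             the binary is started at boot.
    commented_present:  the invocation is commented out but the binary is still on the
                        image, so the "fix" is one uncommented line away from being undone.
    commented_removed:  the invocation is commented out and the binary is gone, i.e. the
                        service was actually removed.
    """
    fs = set(fs_paths)
    findings: Dict[str, List[str]] = {"active": [], "commented_present": [], "commented_removed": []}
    for line in rc_text.splitlines():
        m = INVOCATION.match(line)
        if not m:
            continue
        path = m.group("path")
        if m.group("commented") is None:
            findings["active"].append(path)
        elif path in fs:
            findings["commented_present"].append(path)
        else:
            findings["commented_removed"].append(path)
    return findings


def superficial_fixes(rc_text: str, fs_paths: Iterable[str]) -> List[str]:
    """Return only the services whose 'patch' was a commented-out line with the binary left in place."""
    return audit_init_script(rc_text, fs_paths)["commented_present"]


if __name__ == "__main__":
    report = audit_init_script(SAMPLE_RC, SAMPLE_FS)
    for category, paths in report.items():
        print(f"{category:18s} {', '.join(paths) or '-'}")
```

In the constructed sample, `telnetd` is still started at boot, `dropbear` is "patched" only in the script while its binary remains, and `httpd` was genuinely removed; only the middle case is what the article describes as a superficial fix. The same check generalizes to any init system that starts services by absolute path.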
## Exploitation
- **Status:** Vulnerabilities are present in shipping products; widespread "shadow" infrastructure suggests high potential for exploitation or state-sponsored data collection.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Total. Video feeds and metadata are accessible to unauthorized third parties and foreign entities.
- **Integrity:** High. Firmware and configurations can be modified remotely by the manufacturer or anyone controlling the update infrastructure.
- **Availability:** High. Devices can be disabled or "bricked" via remote configuration pushes.
## Remediation
### Patches
- **None:** The researchers note that these devices lack long-term support and sustainable update paths. "Patches" provided by the manufacturers have been found to be superficial (commenting out code).
### Workarounds
- **Network Isolation:** Place IoT devices on a dedicated VLAN with no access to the primary home/corporate network.
- **Egress Filtering:** Block all outbound traffic to unknown foreign IP ranges, specifically those associated with the Hong Kong/China-based servers used by these apps.
- **Disposal:** Because the companies behind these devices are shell entities with no accountable support path, the researchers imply that the devices are fundamentally untrustworthy; decommissioning them is the only complete mitigation.
## Detection
- **Indicators of Compromise:** Traffic destined for servers in Hong Kong/China from IoT devices; unauthorized SSH/Telnet attempts using default or common hardcoded passwords.
- **Detection Methods:** Monitor network logs for connections to manufacturers' backend infrastructure (e.g., servers associated with the "Aiwit" app or Allwinner updates).
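The egress-filtering workaround above and the two indicators listed here can be checked from ordinary gateway firewall logs once the IoT devices sit on their own VLAN. The following added example (not code from the article or the researchers) parses constructed iptables-style log lines and raises two kinds of alert: IoT-VLAN devices reaching any destination outside an explicit allowlist (here, only the local gateway for DNS/NTP), and inbound SSH/Telnet connections toward IoT devices, which should never occur on a device that is supposedly managed only through its app. The VLAN range, the allowlist and the log excerpt are all constructed; a real deployment would substitute its own policy and, ideally, resolve the flagged destinations against the vendor backend ranges it has observed.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed firewall log excerpt in an iptables-like key=value style (not real traffic).
# 192.168.50.0/24 is the IoT VLAN; 203.0.113.0/24 and 198.51.100.0/24 stand in for
# unknown external servers; 192.168.1.77 is a host on the primary LAN.
SAMPLE_LOG = """\
Mar 03 10:00:01 gw kernel: IOT-FWD SRC=192.168.50.12 DST=192.168.50.1 PROTO=UDP SPT=40211 DPT=53
Mar 03 10:00:02 gw kernel: IOT-FWD SRC=192.168.50.12 DST=203.0.113.40 PROTO=TCP SPT=51234 DPT=443
Mar 03 10:00:02 gw kernel: IOT-FWD SRC=192.168.50.12 DST=203.0.113.40 PROTO=UDP SPT=51235 DPT=8443
Mar 03 10:00:05 gw kernel: IOT-FWD SRC=192.168.50.13 DST=198.51.100.9 PROTO=TCP SPT=44000 DPT=8000
Mar 03 10:00:07 gw kernel: IOT-FWD SRC=192.168.1.77 DST=192.168.50.12 PROTO=TCP SPT=60001 DPT=23
Mar 03 10:00:08 gw kernel: IOT-FWD SRC=192.168.1.77 DST=192.168.50.12 PROTO=TCP SPT=60002 DPT=22
Mar 03 10:00:09 gw kernel: IOT-FWD SRC=192.168.50.13 DST=192.168.50.1 PROTO=UDP SPT=123 DPT=123
"""

IOT_VLAN = ipaddress.ip_network("192.168.50.0/24")
# Constructed egress policy: an isolated IoT VLAN may reach only the local gateway.
# Anything else (including the vendor's own cloud) is surfaced for review.
EGRESS_ALLOWLIST = [ipaddress.ip_network("192.168.50.1/32")]
LOGIN_PORTS = {22: "ssh", 23: "telnet"}

FIELDS = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)

Alert = Tuple[str, str, str, int]  # (kind, src, dst, dst_port)


def analyze(log_text: str) -> List[Alert]:
    """Apply both detection rules to every parsable log line."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue  # unrelated syslog noise
        src = ipaddress.ip_address(m.group("src"))
        dst = ipaddress.ip_address(m.group("dst"))
        dpt = int(m.group("dpt"))
        # Rule 1: IoT device talking to a destination outside the allowlist.
        if src in IOT_VLAN and not any(dst in net for net in EGRESS_ALLOWLIST):
            alerts.append(("unexpected_egress", str(src), str(dst), dpt))
        # Rule 2: anyone opening a remote shell service on an IoT device.
        if dst in IOT_VLAN and dpt in LOGIN_PORTS:
            alerts.append((f"inbound_{LOGIN_PORTS[dpt]}", str(src), str(dst), dpt))
    return alerts


def egress_flows_by_device(alerts: List[Alert]) -> Dict[str, int]:
    """Count unexpected outbound flows per IoT device, to rank which devices to inspect first."""
    counts: Counter = Counter(a[1] for a in alerts if a[0] == "unexpected_egress")
    return dict(counts)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for kind, src, dst, dpt in found:
        print(f"{kind:18s} {src:>15s} -> {dst}:{dpt}")
    print("egress flows per device:", egress_flows_by_device(found))
```

The allowlist approach is deliberate: the article's point is that the backend infrastructure rotates across shell brands and regions, so enumerating "bad" foreign ranges is a losing game, whereas a camera on an isolated VLAN has a very small set of destinations it legitimately needs. Flows that fall outside that set, and any inbound SSH/Telnet, are what a practitioner should be paging on.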
## References
- SentinelOne Labs: hxxps[://]www[.]sentinelone[.]com/labs/labscon25-replay-are-your-chinese-cameras-spying-for-you-or-on-you/
- FCC Investigations into Eken/Tuck: hxxps[://]www[.]fcc[.]gov/enforcement/orders