Submit #775433: Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Missing Cryptographic Authentication

Title: Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Missing Cryptographic Authentication
Description: A vulnerability was found in the Shenzhen JingHanDa (HCCTG) M6PLUS Mobile Payment Terminal. The flaw is located within the Bluetooth SPP/RFCOMM communication protocol handler, where a total lack of command origin verification leads to a missing cryptographic authentication vulnerability. Classified as CWE-306 and CWE-345, the issue stems from the device's reliance on a non-cryptographic integrity check that fails to distinguish between a legitimate certified application and an adversarial device. Consequently, this architectural failure has a high impact on confidentiality and integrity, allowing for unauthorized financial operations and the complete bypass of security controls. The technical analysis reveals that the protocol utilizes only a single-byte XOR checksum for message validation, which can be recalculated by an attacker. There is a complete absence of HMAC, digital signatures, session tokens, or challenge-response mechanisms in the communication flow. By sniffing Bluetooth traffic, an attacker can modify critical transaction parameters—such as disabling PIN requirements via Tag 1F02 (internal proprietary tag) or elevating risk limits through Tag 1F0B (sub-tag DF8126)—and inject these forged commands directly into the terminal's control plane. This vulnerability achieves a CVSS 3.1 score of 9.3, representing a functional compromise of the fundamental EMV security model. This exploitation was demonstrated on portable hardware, such as a Raspberry Pi Zero W, within a 10-meter Bluetooth range. The attack technique is identified by the MITRE ATT&CK project as T1040 (Network Sniffing) and T1565 (Data Manipulation), requiring no user interaction or specialized privileges. Although the manufacturer, Shenzhen JingHanDa Technology Co., Ltd., was already formally contacted, no immediate firmware patches were available at the time of reporting.
Suggested mitigations include implementing HMAC-SHA256 with terminal-unique keys or migrating the entire stack to TLS 1.3 over Bluetooth to ensure mutual authentication.
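The checksum-versus-MAC distinction drawn in the description, as an added example that is not part of the submission or of the referenced repository: it contrasts a single-byte XOR check, which any party can recompute, with the suggested HMAC-SHA256 framing keyed with a terminal-unique key and carrying a counter for replay protection. The frame layout, sample command bytes and key are constructed assumptions, not the M6PLUS protocol.

```python
import hashlib, hmac, secrets

TAG_LEN = 32  # HMAC-SHA256 output length

def xor_checksum(payload: bytes) -> int:
    # Single-byte XOR: anyone can recompute it, so it proves nothing about origin.
    c = 0
    for b in payload:
        c ^= b
    return c

def frame_xor(payload: bytes) -> bytes:
    return payload + bytes([xor_checksum(payload)])

def verify_xor(frame: bytes) -> bool:
    return len(frame) >= 2 and xor_checksum(frame[:-1]) == frame[-1]

def frame_hmac(key: bytes, counter: int, payload: bytes) -> bytes:
    # counter (4 bytes) || payload || HMAC-SHA256(key, counter || payload)
    header = counter.to_bytes(4, "big")
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

def verify_hmac(key: bytes, last_counter: int, frame: bytes):
    # Returns (counter, payload) if the frame is authentic and fresh, else None.
    if len(frame) < 4 + TAG_LEN:
        return None
    header, payload, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(key, header + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    counter = int.from_bytes(header, "big")
    if counter <= last_counter:  # replayed or reordered frame
        return None
    return counter, payload

def demo() -> dict:
    # Constructed sample command; the real M6PLUS frame layout is not modelled.
    payload = bytes.fromhex("1f0001aa")
    tampered = payload[:-1] + bytes([payload[-1] ^ 0xFF])  # alter one parameter byte
    key = secrets.token_bytes(32)  # stands in for a terminal-unique key
    good = frame_hmac(key, 1, payload)
    forged = good[:4] + tampered + good[-TAG_LEN:]  # tampered payload, original tag
    return {
        "xor_tampered_accepted": verify_xor(frame_xor(tampered)),
        "hmac_original_accepted": verify_hmac(key, 0, good) == (1, payload),
        "hmac_tampered_rejected": verify_hmac(key, 0, forged) is None,
        "hmac_replay_rejected": verify_hmac(key, 1, good) is None,
    }
```

The XOR-framed tampered command still validates, while the keyed frame rejects both the altered payload and a replay of a genuine one.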
Source: https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-1-Authentication.md
User: davimo (UID 79678)
Submission: 03/09/2026 01:41 (1 month ago)
Moderation: 03/22/2026 09:59 (13 days later)
Status: Accepted
VulDB entry: 352419 [Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N Bluetooth missing authentication]
Points: 20
