| Title | Shenzhen HCC Technology Co., Ltd M6PLUS MPOS M6PLUS-FW-1V.31-N Missing Anti-Replay Protection |
|---|---|
| Description | A vulnerability was found in the Shenzhen JingHanDa M6PLUS Mobile Payment Terminal. The issue affects the Bluetooth SPP/RFCOMM communication handler, where a complete lack of temporal validation mechanisms leads to an authentication replay vulnerability. Classified as CWE-294 (Authentication Bypass by Capture-replay), the flaw exists because the protocol's design fails to implement cryptographic nonces, sequence counters, or session identifiers. This architectural omission allows an attacker to sniff legitimate Bluetooth traffic and bypass the transaction's intended single-use nature by replaying authorized messages to the terminal with the same effect as the original.<br><br>Technical analysis confirms that the protocol is entirely stateless and does not track transaction history. Although the protocol includes a Date/Time tag (1F03), it serves only as decorative metadata and is not validated against a secure internal real-time clock (RTC). Experimental evidence proved that a legitimate command captured 30 to 45 days prior remained valid and was accepted by the terminal as a new, successful transaction.<br><br>This vulnerability is considered independent of authentication flaws, as even a cryptographically signed command can be replayed if it lacks a unique nonce. The impact is primarily on integrity, enabling the unauthorized multiplication of transactions where a single cardholder approval can generate unlimited fraudulent charges. Although the manufacturer, Shenzhen JingHanDa Technology Co., Ltd., was already formally contacted, no immediate firmware patches were available at the time of reporting. Recommended countermeasures include the implementation of 64-bit cryptographic nonces and strict timestamp validation within a ±5 minute window against a secure clock. |
| Source | ⚠️ https://github.com/Davim09/m6plusexploit/blob/main/docs/CVE-2-Replay.md |
| User | davimo (UID 79678) |
| Submission | 03/09/2026 01:41 (1 month ago) |
| Moderation | 03/22/2026 09:59 (13 days later) |
| Status | Accepted |
| VulDB entry | 352420 [Shenzhen HCC Technology MPOS M6 PLUS 1V.31-N Bluetooth authentication replay] |
| Points | 20 |
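
The recommended countermeasures (64-bit nonce plus a ±5 minute timestamp window checked against a secure clock) can be combined so that the window also bounds how long a nonce has to be remembered. The following is an added sketch, not code from the advisory or from the vendor's firmware; `replay_check`, `CACHE_SLOTS` and the other names are hypothetical, and it assumes the command's MAC or signature over the nonce, timestamp and payload has already been verified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define WINDOW_S    300  /* the +/-5 minute window recommended above */
#define CACHE_SLOTS 64   /* assumed capacity: peak commands per window */

enum verdict { RV_ACCEPT, RV_STALE, RV_REPLAY, RV_CACHE_FULL };
struct seen { uint64_t nonce; int64_t ts; int used; };
struct replay_guard { struct seen slot[CACHE_SLOTS]; };

/* Call only after the command's MAC/signature over (nonce, ts, payload)
 * has verified; rtc_now must come from the terminal's own secure RTC. */
enum verdict replay_check(struct replay_guard *g, uint64_t nonce,
                          int64_t ts, int64_t rtc_now)
{
    struct seen *free_slot = NULL;
    /* 1. Timestamp must fall inside the window around the secure clock. */
    if (ts < rtc_now - WINDOW_S || ts > rtc_now + WINDOW_S)
        return RV_STALE;

    /* 2. Reject a nonce already seen while its timestamp is still valid. */
    for (size_t i = 0; i < CACHE_SLOTS; i++) {
        struct seen *s = &g->slot[i];
        if (s->used && s->ts < rtc_now - WINDOW_S)
            s->used = 0;  /* expired: step 1 rejects that command now */
        if (s->used && s->nonce == nonce)
            return RV_REPLAY;
        if (!s->used && free_slot == NULL)
            free_slot = s;
    }

    /* 3. Fail closed when the nonce cannot be remembered. */
    if (free_slot == NULL)
        return RV_CACHE_FULL;
    *free_slot = (struct seen){ nonce, ts, 1 };
    return RV_ACCEPT;
}

int main(void)
{
    struct replay_guard g = {0};
    int64_t now = 1770000000;            /* constructed RTC reading */
    uint64_t n = 0x1122334455667788ULL;  /* constructed nonce */
    int first = replay_check(&g, n, now, now);
    int again = replay_check(&g, n, now, now + 10);
    int late  = replay_check(&g, n, now, now + 30 * 86400);
    printf("first=%d again=%d late=%d\n", first, again, late);
    return 0;
}
```

The cache only has to hold the commands that can arrive within one window, which keeps the state small enough for a terminal; a full cache rejects new commands rather than letting an unrecorded nonce through.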