Thinkware Cloud APK Vulnerability Allows Code Execution With Elevated Privileges

A critical vulnerability identified as CVE-2024–53614 has been discovered in the Thinkware Cloud APK version 4.3.46.

This vulnerability arises from the use of a hardcoded decryption key within the application. It allows malicious actors to access sensitive data and execute arbitrary commands with elevated privileges, potentially compromising the security of users’ devices and data.

The presence of a hardcoded key, which is a serious security flaw, means that attackers can easily decrypt data transferred between the app and the cloud service.

This can expose personal information, including login credentials, which could then be exploited to gain unauthorized access to the cloud service containing sensitive video and audio footage from dashcams, as per a report by George Chen shared in Medium.

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The vulnerability was responsibly disclosed to Thinkware on November 12, 2024. The disclosure was made through Thinkware’s PSTI vulnerability disclosure program under support ticket #132091.

Thinkware acknowledged the report on November 13, 2024, and confirmed that it had been forwarded to their mobile app development team for assessment.

A request for public disclosure of the vulnerability was initiated on November 19, 2024, and Thinkware was informed that the report would be shared with MITRE to ensure appropriate tracking and awareness.

Vulnerability Details:

The vulnerability is categorized under CWE-321: Use of Hard-coded Cryptographic Key.

This type of flaw indicates that the cryptographic key is embedded directly in the application code rather than being securely managed, allowing attackers to easily obtain the key and decrypt sensitive data.

For security reasons, the specific component affected within the Thinkware Cloud APK has been redacted. However, it is important for users and organizations relying on this application to be aware of the potential risks associated with this vulnerability.

The specific version of the Thinkware Cloud APK affected by this vulnerability is version 4.3.46. Users running this version are at risk and should take immediate action to secure their data and systems.

The attack vector involves a man-in-the-middle (MitM) scenario where an attacker intercepts the encrypted login data exchanged between the user and the Thinkware cloud service.

By leveraging the hardcoded decryption key, the attacker can decrypt the data to reveal login credentials, thereby gaining unauthorized access to sensitive data, such as video and audio footage captured by Thinkware’s dashcams.

To mitigate this vulnerability, users are advised to update to the latest version of the Thinkware Cloud APK as soon as an update is released. Developers should also remove hardcoded keys and implement secure key management practices.

Additionally, users should be cautious about using unsecured or public networks where MitM attacks are more likely to occur.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses