id: 3330
title: 'RVD#3330: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware'
type: Vulnerability exploitable remotely
description: Use of Hard-coded Credentials in Robotemi Global Ltd Temi Firmware up
  to 20190419.165201, Launcher OS prior to 11969-13146, Robox OS prior to 117.21-119.24,
  and their Android phone app prior to 1.3.3-1.3.7931 allows remote attackers to gain
  raised privileges on the temi and have it automatically answer the attacker's calls,
  granting audio, video, and motor control.
cwe: CWE-798
cve: CVE-2020-16170
keywords:
- temi, Hard-Coded Creds
system:
- Robotemi up to 20190419.165201
vendor: Robotemi Global Ltd
severity:
  rvss-score: 10.0
  rvss-vector: RVSS:1.0/AV:RN/AC:L/PR:N/UI:N/S:U/Y:O/C:H/I:H/A:H/H:U
  severity-description: critical
  cvss-score: 9.8
  cvss-vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
links:
- https://nvd.nist.gov/vuln/detail/CVE-2020-16170
- https://github.com/aliasrobotics/RVD/issues/3330
flaw:
  phase: runtime-operation
  specificity: general issue
  architectural-location: application-specific
  application: Robox OS
  subsystem: N/A
  package: N/A
  languages: N/A
  date-detected: '2020-08-18'
  detected-by: Patxi Mayoral (Alias Robotics)
  detected-by-method: testing-dynamic
  date-reported: '2020-08-25'
  reported-by: Patxi Mayoral (Alias Robotics)
  reported-by-relationship: security researcher
  issue: https://github.com/aliasrobotics/RVD/issues/3330
  reproducibility: always
  trace: N/A
  reproduction: Not Disclosed
  reproduction-image: Not Disclosed
exploitation:
  description: Not Disclosed
  exploitation-image: Not Disclosed
  exploitation-vector: Not Disclosed
  exploitation-recipe: ''
mitigation:
  description: This issue has not yet been acknowledged by the company.
  pull-request: N/A
  date-mitigation: null