CVE Vulnerabilities

CVE-2024-36557

Authentication Bypass by Spoofing

Published: Feb 06, 2025 | Modified: Feb 10, 2025
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
RedHat/V2
RedHat/V3
Ubuntu

The device ID is based on IMEI in Forever KidsWatch Call Me KW50 R36_YDR_A3PW_GM7S_V1.0_2019_07_15_16.19.24_cob_h and Forever KidsWatch Call Me 2 KW60 R36CW_YDE_S4_A29_2_V1.0_2023.05.24_22.49.44_cob_b. If a malicious user changes the IMEI to the IMEI of a unit they registered in the mobile app, it is possible to hijack the device and control it from the app.

Weakness 

This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.

References  

  • https://www.diva-portal.org/smash/record.jsf?aq2=%5B%5B%5D%5D\u0026c=1\u0026af=%5B%5D\u0026searchType=SIMPLE\u0026sortOrder2=title_sort_asc\u0026query=Exploiting+Vulnerabilities+to+Remotely+Hijack+Children%E2%80%99s+Smartwatches\u0026language=en\u0026pid=diva2%3A1933447\u0026aq=%5B%5B%5D%5D\u0026sf=undergraduate\u0026aqe=%5B%5D\u0026sortOrder=author_sort_asc\u0026onlyFullText=false\u0026noOfRows=50\u0026dswid=-8296