[est]

> We published the cryptographic keys in July

Everyone should take a look at the SERP screenshot

https://x.com/d0tslash/status/1969412224763498769

> The vulnerability combines multiple security issues: hardcoded cryptographic keys, trivial authentication bypass, and unsanitized command injection. What makes this particularly concerning is that it's completely wormable - infected robots can automatically compromise other robots in BLE range. This vulnerability allows the attacker to completely takeover the device.

damn!

[b00ty4breakfast]

Robots walking around doing the EMF equivalent of coughing without covering your mouth.

[throwup238]

More like spraying blood from open wounds and rubbing them everywhere.

[MSFT_Edging]

Finally, the robots can form a union

[FirmwareBurner]

Jeff Bezos's worst nightmare

[thrdbndndn]

What does the screenshot mean, though?

From what I can tell (I speak Chinese), it's just an IV used in some AES implementation tutorials.

Using a hardcoded key/IV is obviously bad, but I don’t see what this screenshot shows beyond that.

[cyp0633]

Someone just copy-pasted an implementation from a random Chinese blog, completely unaware of what the key means.

[05]

> copy-pasted an implementation from a random Chinese blog

But.. the blog was chosen by a series of dice rolls, guaranteed to be random!

[gessha]

All 4s for some reason. [1]

[1] https://xkcd.com/221/

[arthurcolle]

Move fast & break things

[RobotToaster]

Great, zombie robots.

[stocksinsmocks]

Could this level of incompetence be more easily explained by malice? Maybe the robots were meant to be exploited at a future time. The PRC subsidizes the robots, every US family buys one, a plausibly deniable exploit results in the robots subduing their owners with Kung Fu. America is vanquished in a bloodless coup. A 1000 year global Chinese imperium ensues. Forks and spoons hardest hit.

It’s just silly enough to be real.

[numpad0]

I'd bet it would be more of shipped is king mindset. It's not so unprecedented that new categories of Chinese products dominate markets with incredibly insecure, stupid, and nearsighted implementations, and then buttons up one night and kicks out all open source development that benefited from lack of security.

Chinese phones, drones, action cams, robot vacuums, home security cams, smart bands, etc. all used to be insecure and vulnerable as hell. Not anymore.

[stubish]

No, because the exploit is likely to be caught before every US family has bought one. Much simpler, all malice needs to do is to roll out an OTA security update.