PT-2023-29847 · Unknown · Android Client

Diego Giubertoni · Published 2023-10-25 · Updated 2023-11-06 · CVE-2023-46102

CVSS v3.1: 8.8 High
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

Android Client application (affected versions not specified)

Description

The issue concerns the Android Client application's connection to an MQTT broker, which it uses to exchange messages and receive commands. The protocol used for remote management of the device is encrypted with a hard-coded DES symmetric key. This key can be retrieved by reverse engineering both the Android Client application and the server-side web application. An attacker controlling a malicious MQTT broker on the same subnet as the device can craft malicious messages, send them to the HMI device, and execute arbitrary commands.

Recommendations

For the Android Client application, consider disabling the MQTT broker connection until a secure encryption method is implemented. Restrict access to the device's subnet to minimize the risk of a malicious MQTT broker being introduced. Avoid using hard-coded symmetric keys for encryption; instead, implement a secure key exchange mechanism. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
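
As an added illustration of the recommendation to stop relying on a hard-coded symmetric key (example code written for this page, not taken from the Android Client or its vendor), the code below authenticates each management command with HMAC-SHA256 under a per-device key and rejects forged, misaddressed and replayed messages. The message layout, the function and class names and the device ID `hmi-01` are assumptions. It covers command authenticity only, not confidentiality or broker authentication.

```python
import hashlib
import hmac
import json
import secrets


def provision_device_key() -> bytes:
    """Per-device random key created at enrollment (assumption: it is kept in
    the platform keystore, never compiled into the app or the web application)."""
    return secrets.token_bytes(32)


def seal_command(key: bytes, device_id: str, counter: int, command: dict) -> bytes:
    """Management-server side: bind the command to one device and one counter value."""
    body = json.dumps({"dev": device_id, "ctr": counter, "cmd": command},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return json.dumps({"body": body.decode(), "tag": tag}).encode()


class CommandVerifier:
    """Device side: accept a command only if it is authentic, addressed to
    this device, and newer than the last accepted one."""

    def __init__(self, key: bytes, device_id: str):
        self._key = key
        self._device_id = device_id
        self._last_counter = 0

    def verify(self, message: bytes):
        try:
            envelope = json.loads(message)
            body = envelope["body"].encode()
            tag = bytes.fromhex(envelope["tag"])
        except (ValueError, KeyError, TypeError, AttributeError):
            return None  # malformed envelope
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return None  # not produced by a holder of this device's key
        fields = json.loads(body)
        if fields["dev"] != self._device_id or fields["ctr"] <= self._last_counter:
            return None  # addressed to another device, or a replay
        self._last_counter = fields["ctr"]
        return fields["cmd"]
```

Because the key is unique to one device and absent from the distributed binaries, recovering it from the application package or the web application is no longer possible, and a message injected by an untrusted broker fails the tag check.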

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: CVE-2023-46102

Affected Products: Android Client