Products
EXPLIoT CloudFuzz

Technical
Advisory

Through sharp, technical and insightful analysis, the Payatu Team is constantly on the lookout for vulnerabilities and threats. This section exhibits a few of our findings.

...
...

Unauthenticated Firmware Update in Fastrack Reflex 2.0 Activity Tracker

Vulnerability:

Unauthenticated Firmware Update

Vulnerability Description

It was identified on analyzing the Bluetooth LE Characteristics of the device that it is using Nordic DFU 0.1 and has no signature verification for OTA Firmware Update. An attacker can send a malicious firmware and brick the device

CVE-ID

CVE-2021-35951

Vendor

Fastrack

Product

Fastrack Reflex 2.0 Activity Tracker

https://www.fastrack.in/collections/reflex-2

Disclosure Timeline

17 Nov 2020 reported to the vendor

30th June 2021 CVE was assigned and reserved by MITRE

7 April 2022 No response from the vendor and moving forward to Public disclosure.

Credit

Shakir zari