# CVE-2025-51643: Unprotected SPI Flash Enables Firmware Extraction in Meitrack T366G-L
## Description
Meitrack T366G-L GPS Tracker devices contain an SPI flash chip (Winbond 25Q64JVSIQ) that is accessible without authentication or tamper protection. An attacker with physical access can attach a standard SPI programmer and use `flashrom` to extract the device firmware. This leads to exposure of sensitive configuration data - such as APN credentials, backend server information, and network parameters - stored in plaintext. The same access path also enables potential firmware modification and re-flashing.
## Affected Products
- **Vendor:** Meitrack Group
- **Product:** Meitrack T366G-L
- **Firmware:** T366L_Y24H131V039 (confirmed)
## Vulnerability Type
- **CWE-1191:** On-Chip Debug and Test Interface With Improper Access Control
- **CWE-922 (related):** Insecure Storage of Sensitive Information
## Impact
- **Confidentiality:** High - full firmware and plaintext configuration disclosure (e.g., APN credentials).
- **Integrity:** Potential - attacker can modify and reflash firmware offline.
- **Availability:** None - no direct service disruption required.
## Affected Component
- **Hardware:** Winbond 25Q64JVSIQ SPI flash memory chip
- **Role:** Stores device firmware and configuration, including sensitive parameters in plaintext
- **Exposure:** Accessible via an unprotected debug header/test pads on the PCB
## Attack Vectors
**Physical** - local access to the tracker hardware.
### Steps to Reproduce
1. **Disassemble** the T366G-L enclosure to access the PCB.
2. **Identify** the SPI flash chip (Winbond 25Q64JVSIQ) and corresponding test pads/debug header.
3. **Connect** a common SPI programmer (e.g., CH341A) with SOIC clip or wires to `VCC`, `GND`, `CS`, `CLK`, `MOSI`, `MISO`.
4. **Dump firmware** using `flashrom`:
```bash
# Example command (programmer may vary)
sudo flashrom -p ch341a_spi -r meitrack_t366g-l.bin
```
## Discoverer
Hattan Hassan D Althobaiti
## References
- CWE-1191: https://cwe.mitre.org/data/definitions/1191.html
- CWE-922: https://cwe.mitre.org/data/definitions/922.html
## Mitigation
### For vendors (Meitrack):
- Implement board-level protections (epoxy/potting, shield cans) and remove/disable debug pads on production units.
- Enforce secure boot with signed firmware to prevent unauthorized reflashing.
- Encrypt sensitive configuration at rest; avoid storing plaintext credentials.
- Provide a provisioning flow that rotates secrets on first boot and supports remote credential updates.
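A release-image check for the "encrypt configuration at rest" mitigation above, as an added example that is not Meitrack's code or part of the original advisory: it scans a firmware image for sensitive key=value pairs stored in the clear and uses byte entropy to judge whether the configuration region is actually encrypted. The key names, the image layout (config block at 0x3000) and the sample image are assumptions constructed for the example.

```python
import math
import random
import re
from collections import Counter

# Key names one would expect in a tracker's provisioning block (assumed, not Meitrack's real format).
SENSITIVE_KEYS = ("APN", "APNUSER", "APNPASS", "SERVER", "PORT")
# Printable-ASCII runs of at least 6 bytes, roughly what `strings` reports.
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
KV_RE = re.compile(rb"(?P<key>[A-Z]+)=(?P<val>[^;\x00]+)")
CONFIG_OFFSET, CONFIG_SIZE = 0x3000, 4096  # assumed layout of the sample image


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted data, far lower for text or padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_plaintext_config(image: bytes) -> list[tuple[int, str, str]]:
    """Return (offset, key, value) for each sensitive key=value pair found in the clear."""
    hits = []
    for run in STRING_RE.finditer(image):
        for kv in KV_RE.finditer(run.group(0)):
            key = kv.group("key").decode()
            if key in SENSITIVE_KEYS:
                hits.append((run.start() + kv.start(), key, kv.group("val").decode()))
    return hits


def config_region_looks_encrypted(image: bytes, offset: int, size: int) -> bool:
    """Heuristic: a properly encrypted config block should be near 8 bits/byte."""
    return shannon_entropy(image[offset:offset + size]) > 7.5


def build_sample_image(plaintext: bool) -> bytes:
    """Constructed 16 KiB image: zero filler standing in for code, config block at CONFIG_OFFSET."""
    cfg = (b"APN=internet.example;APNUSER=tracker;APNPASS=s3cret;"
           b"SERVER=gw.example.net;PORT=8500\x00")
    cfg = cfg.ljust(CONFIG_SIZE, b"\xff")  # erased-flash padding
    if not plaintext:
        rng = random.Random(1)  # random bytes stand in for an AEAD-encrypted block
        cfg = bytes(rng.getrandbits(8) for _ in range(CONFIG_SIZE))
    body = bytearray(16 * 1024)
    body[CONFIG_OFFSET:CONFIG_OFFSET + CONFIG_SIZE] = cfg
    return bytes(body)
```

On a real dump, run `find_plaintext_config` over the whole image and the entropy check over the region the firmware map reserves for configuration; a low-entropy config region with key=value hits is exactly the exposure described in this advisory.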
### For operators:
- Treat physical access as compromised: restrict device access, use tamper-evident seals.
- Rotate backend credentials if device integrity is suspected.
- Network-segment tracker infrastructure and enforce IP allow-lists/MFA on management endpoints.