A security assessment discovered a critical vulnerability in Uhale-powered digital photo frames, exposing them to remote code execution.
Vulnerability Details
The Uhale app pre-installed on digital photo frames allows attackers to download and execute malware silently during boot or updates. This is due to insecure network connections and improper handling of unverified certificates.
- The Uhale vulnerability has a CVSS score of 9.4 (Critical).
- Affected devices run outdated Android versions, mainly 6.0/6.0.1.
- Attackers can gain access to private photos, exfiltrate data, and recruit devices into botnets.
- The local file transfer service listens on fixed TCP ports without authentication, enabling unauthorized file operations.
Security Recommendations
Security experts suggest manufacturers update firmware to modern Android versions, enable SELinux, and require SSL/TLS validation. Users should update or disconnect affected devices to reduce risk.
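Added example, not code from the assessment or from the Uhale app: a small Python scanner a firmware team could run over app source or decompiled Java to flag disabled certificate and hostname checks, the kind of flaw the SSL/TLS validation recommendation above is meant to rule out. It generalizes beyond what this page states about Uhale. The rule set, the `Updater` class and the `updates.example.invalid` URL are constructed assumptions.

```python
import re

# General Java/Android patterns that switch off certificate or hostname checks.
# Assumption: illustrative rules, not taken from the Uhale app's actual code.
RULES = {
    "empty-checkServerTrusted": re.compile(
        r"checkServerTrusted\s*\([^)]*\)\s*(?:throws\s+[\w.,\s]+?)?\s*\{\s*\}"),
    "hostname-verifier-always-true": re.compile(
        r"boolean\s+verify\s*\([^)]*SSLSession[^)]*\)\s*\{\s*return\s+true\s*;\s*\}"),
    "allow-all-hostname-verifier": re.compile(r"ALLOW_ALL_HOSTNAME_VERIFIER"),
    "cleartext-url": re.compile(r'"http://[^"\s]+"'),
}

def scan(source):
    """Return sorted (line_number, rule_name) pairs for every match."""
    findings = []
    for name, pattern in RULES.items():
        for m in pattern.finditer(source):
            findings.append((source.count("\n", 0, m.start()) + 1, name))
    return sorted(findings)

# Constructed sample input (hypothetical class and URL, not real device code).
VULNERABLE = '''\
class Updater {
  static final String URL = "http://updates.example.invalid/app.apk";
  TrustManager tm = new X509TrustManager() {
    public void checkClientTrusted(X509Certificate[] c, String a) {}
    public void checkServerTrusted(X509Certificate[] c, String a)
        throws CertificateException {
    }
    public X509Certificate[] getAcceptedIssuers() { return null; }
  };
  HostnameVerifier hv = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
  };
}
'''

HARDENED = '''\
class Updater {
  static final String URL = "https://updates.example.invalid/app.apk";
  // No custom TrustManager or HostnameVerifier: platform validation applies.
}
'''

if __name__ == "__main__":
    for line, rule in scan(VULNERABLE):
        print(f"line {line}: {rule}")
```

A clean scan only means none of these specific patterns appear; it does not prove that certificate validation is enforced at runtime.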
These findings underscore the importance of robust security practices in app and firmware development to protect user data and maintain network integrity.



