Welcome to the research page of TASZK Security Labs!
Here you can find a collection of advisories from coordinated disclosures, publications of our original research work, and the occasional infosec war stories and musings.
Recent Articles
In this blogpost, the newest full-time member of our research team describes his internship project.
If you would also like to try your hand at our hacking tools and techniques, don’t hesitate to check out our training offerings! Currently available: https://www.offensivecon.org/trainings/2026/exploiting-smartphones-through-baseband.html
Last summer, I had the opportunity to join TASZK Security Labs for a summer internship. The target we selected for this two-month project was to hack Xiaomi security cameras, specifically a Xiaomi C400 Smart Camera, a very popular device in our market that we also happened to already have at hand.
We defined two end goals:
1. create an RCE exploit via any wireless/LAN interface
2. use the exploit to create a full “cloud jailbreak”
The motivation for the latter was that we knew that these devices are heavily dependent on the Xiaomi smartphone application and the Xiaomi cloud server for their operation.
In the past few years, we’ve tried our hand at Vulnerability Reward Programs of all kinds of mobile vendors’ products and attack surfaces. Like many others, we’ve encountered as many misses as hits, learning valuable lessons from the mistakes we (and sometimes the vendors) have made.
We presented our experiences in a talk this summer at Troopers and Le Hack.
You can download the slides from here. A video of the presentations is not available yet, but the Troopers one will eventually be available here.
The talk covered several VR projects which were discussed publicly for the first time.
We have now released advisories for all of these newly discussed vulnerabilities, including:
Recent Advisories
An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here.
This report describes a secure protocol design issue, which leads to authentication bypass in the proprietary Xiaomi miIO protocol.
The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.
Vulnerability Details
For packets received on UDP port 54321, the miio_client binary verifies the MAC and then decrypts the received packet.
An attacker sending malformed miIO messages over WiFi to a Xiaomi Smart camera device can trigger the vulnerability described here.
This report describes the use of a cryptographically weak PRNG implementation, which leads to reliable prediction of the cryptographic primitives used in the proprietary Xiaomi miIO protocol’s authentication and key agreement procedure.
The vulnerability described in this advisory affects a potentially wide range of Xiaomi Smart devices. This vulnerability has not yet been issued a public patch or advisory or assigned a CVE by the vendor despite repeated requests and a lapse of more than six months since the original vendor disclosure.