Critical: BindKey disclosure and full unauthorised access to THB devices (THB3 / BTH01, fw v2.1) — URGENT: immediate firmware update required #155
Description
In the current THB firmware implementation (tested on THB3 and BTH01, firmware v2.1), using the public web tool
PHY62x2BTHome.html allows anyone in BLE range to connect at any time to any device and:
• READ the current BindKey (even if the owner has already enabled broadcast encryption),
• DECRYPT and monitor telemetry (e.g. temperature, humidity),
• CHANGE device parameters and SET A NEW BindKey,
• POTENTIALLY UPLOAD OWN (including malicious) firmware if OTA images are not verified.
In short: an attacker within BLE range can fully surveil and/or hijack devices without any owner interaction.
This represents a critical privacy and security risk for all deployed devices.
⸻
Affected
• THB3 — firmware v2.1 (tested, bin: THB3_v21.bin)
• BTH01 — firmware v2.1 (tested)
⸻
URGENT: What must be done NOW (priority)
1. Immediately release a firmware update that requires an explicit physical owner action before allowing any administrative connection from the web/OTA tool https://pvvx.github.io/THB2/web/PHY62x2BTHome.html.
• Devices must refuse administrative queries (including BindKey reads and OTA-trigger operations) from external tools by default.
• Administrative access should be enabled only after the owner explicitly allows it through a physical action — either by pressing a hardware button on the device (e.g., one long press or two short presses), or automatically for a limited time window (recommended 60–180 seconds) immediately after battery insertion.
• The administrative window must automatically close after the timeout, and the device must block all new administrative pairing attempts until the next explicit physical action.
• This firmware change is the highest priority — it immediately closes the open attack vector and prevents unauthorised BindKey reading or firmware uploads.
2. Block remote READ access to the BindKey.
Once a BindKey is set, the device must never return its value to any external tool; it should only acknowledge that a key has been configured.
3. Suspend or restrict OTA updates from unverified sources until proper signature verification (signed firmware) is implemented and enforced.
These three actions are Priority 1 and should be implemented in the next firmware release to mitigate the vulnerability as fast as possible.
⸻
Reproduction steps (for maintainer verification)
1. Open: https://pvvx.github.io/THB2/web/PHY62x2BTHome.html
2. Discover and connect to any THB3 / BTH01 device running THB2 fw (v2.1).
3. Go to the Service tab.
4. Read the current BindKey (even if the owner has previously configured encryption).
5. Use the read BindKey to decrypt the BLE broadcasts — telemetry is decrypted successfully.
No special logs are required (the behaviour is identical to a normal connection).
A short screen recording or BLE capture can be provided upon request if needed for verification.
⸻
Impact
• Disclosure of BindKey → full decryption of telemetry data.
• Violation of user privacy (enables tracking of habits or presence, e.g. shower or occupancy patterns).
• Possible installation of malicious firmware → permanent device compromise.
• Potential use of compromised devices as a stepping stone into local networks or other systems.
⸻
Long-term recommendations
• Implement per-device or vendor-level firmware signing and verify signatures in the bootloader (secure boot chain).
• Store BindKey in a non-exportable form — usable by the device but never retrievable externally.
• Notify owners (e.g. through the app) about administrative connection attempts from unknown sources.
• Harden production builds to disable debug/admin interfaces or enforce proper authentication.
⸻
Request & next steps
Please confirm receipt of this report and indicate which of the Priority 1 mitigations will be included in the next firmware release.
I can supply a short screen recording demonstrating BindKey reading and provide BLE logs if needed for internal testing.
Best regards,
Piotr