Minut M2 (P2/Point) IoT devices running firmware versions up to and including #15142 are susceptible to hostile takeover by a physically proximate attacker. The vendor was notified on 2024-08-16, and any device in active use should by now have received updated firmware.
These devices are marketed to the short-term rental market, so the intended use case itself gives potential attackers (guests) physical access, and the attack can be performed through the externally accessible USB-C port. The attack gives full, persistent control over the device and can be used to defeat the notifications the short-term rental host relies on regarding noise levels and guest occupancy. It is also possible for an attacker to persist surveillance code on the device that spies on later guests and/or the host and exfiltrates data over the network.
The attacker must craft the malicious firmware in advance, using keys extracted from any other Minut M2 device running firmware #15142 or earlier; the extracted keys are not tied to the target device.
Minut M2 owners should verify that their devices have received a recent firmware update, to at least version #1056696.
Vendor website:
minut.com
Research and reporting by Troed Sångberg, Amlisoft AB