Cube Studio

SML678

1. Product Cybersecurity Information

 

1. Product Identification and Version

Product Name/Model：CUBE STUDIO (Model: SML678)

Hardware Version：V1.0

Firmware Version：V1.0

Unique Identifiers：Version 109

 

2. Network and Communication Interfaces

Bluetooth Version：5.0

Bluetooth Profiles：A2DP, AVRCP, HFP, SPP

Communication Encryption：Enable Bluetooth Secure Connections or not

Authentication Method：PIN code pairing, Just Works, Passkey Entry

OTA Update Support：Yes

 

3. Security Feature Configuration

Default Password："0000"

Factory Reset Support：Yes

Logging：Whether security events (pairing failures, firmware update attempts) are logged

 

4. Security Threat and Risk Analysis (Examples)

Unauthorized Bluetooth connection → requires pairing confirmation

Firmware downgrade attack → OTA must use signed firmware validation

Privacy leakage (device name linked to location) → assess enabling Bluetooth address randomization

 

2. Component-Level Cybersecurity Information

 

1. Main Controller Chip / SoC

Model：AC6956C

Chip Security Documentation Link："Hardware Security Manual"

Known Vulnerabilities：fixed firmware version V1.0

 

2. Bluetooth Module

Module Model：e.g., TI CC254x, CSR8670, Realtek RTL8763

Bluetooth Stack Version：HCI, L2CAP, SDP, GATT

Security Mechanisms：LE Privacy support, required key size (≥7 octets)

Bluetooth Certification：SIG certification and security testing passed or not

 

3. Firmware and Software Components

Operating System：FreeRTOS, Zephyr, or bare metal

Third-party Libraries：

Bluetooth stack library (version)

Audio codec library

OTA bootloader

SBOM (Software Bill of Materials) for all components, including versions, sources, known vulnerability tracking

 

4. Manufacturing and Debugging

Factory test interfaces retained：serial commands, test points

Test mode disabled before shipment：evidence required

Production flashing tools：control measures against firmware leak or malicious injection

 

3. Lifecycle Storage and Maintenance Information

 

1. Lifecycle Stage       

Security design document, threat modeling report, code review records

2. Testing & Validation — Bluetooth security test report (e.g., pairing sniffing, DoS test)

3. Production   — Flashing records, debug port disabled status, unique key injection certificate. Initial firmware version, default security settings, user security guide

4. Operations & Maintenance  

Vulnerability disclosure report, OTA update records, user security feedback

5. Last supported security version, notice of no further updates

 

4. Recommended Storage Format and Location

 

Storage method：

Internal product security database, PLM system, secure branch of code repo, compliance management tool (e.g., Jira security panel)

Example stored content：

product_security_spec_BT_Speaker_V1.xlsx

bluetooth_security_test_report_V1.0.pdf

SBOM_BT_Speaker_FW1.0.json

known_vulnerabilities_tracking.xls

 

 

5. After-Sales Support and Vulnerability Management

 

1. After-Sales Support Terms

Security Update Support

The manufacturer commits to providing security updates for this product (Model: SML678, CUBE STUDIO) throughout its supported lifecycle. Security updates include firmware patches addressing identified vulnerabilities in the Bluetooth stack, OTA mechanism, and other software components.

 

Minimum Support Period

The support cycle for this product is at least 3 years from the date of first shipment. During this period, the manufacturer will provide security updates, maintain security response commitments, and address reported vulnerabilities in accordance with the response timeline outlined in this document.

 

End of Support Notification

Upon termination of the support period, a notice will be published, and the last supported security version will be clearly identified.

 

Vulnerability Event Description Table

Event ID	Date Discovered	Vulnerability Description	Severity Level	Status (Open/Investigating/Patched/Closed)	Patch Version

 

6. Additional Cybersecurity Information from R&D Party

1.The R&D party will issue cybersecurity alerts and vulnerability warnings through official channels (e.g., website, security bulletin emails). For identified vulnerabilities, the R&D party will provide corresponding solutions, including but not limited to: firmware patch updates, configuration modification guides, temporary mitigation measures, and permanent fixes. Users may contact the Security Response Center (security@singingmachine.com) to obtain the latest alert information and targeted solutions

 

2.The R&D party follows industry-leading information security management standards (e.g., ISO/IEC 27001 framework) and adopts multi-layered security protection measures, including:

 

DevSecOps: Embedding security activities in requirements, design, coding, and testing phases;

Access Control: Role-based least privilege principle and multi-factor authentication;

Data Protection: Encryption in transit (TLS), encryption at rest, and sensitive data masking;

Vulnerability Management: Regular scanning, third-party component vulnerability monitoring, and penetration testing;

Supply Chain Security: Source review and known vulnerability tracking for third-party libraries and components.

 

3.The R&D party has obtained the following certifications and audit results for its cybersecurity systems:

ISO/IEC 27001 Information Security Management System Certification (valid);

ISO/IEC 27701 Privacy Information Management System Certification (where applicable);

Third-Party Security Audits: Annual penetration testing and code security audits have passed review;

Product Security Certification: Bluetooth SIG security compliance testing passed;

Supply Chain Security Assessment: Compliant with local cybersecurity regulations (e.g., relevant IoT security acts).

 

4.Based on the most recent internal risk assessment, the security risk posture summary of the R&D party’s business environment is as follows:

 

Overall Risk Level: Low-Medium (systematic management mechanisms established);

Main Risk Points: Vulnerabilities in third-party open-source components (SBOM monitoring established), access rights to development/testing environments (hardening implemented);

Controlled Items: Network security isolation of production environment, code repository access auditing, 100% employee security awareness training coverage;

Residual Risk Acceptability: All residual risks have been reviewed and documented, remaining within acceptable range;

 

Cybersecurity Information Receiving Center

This page is dedicated to receiving cybersecurity-related information about our Bluetooth speaker product and its components. You may submit vulnerability reports, security inquiries, or any questions related to product cybersecurity.

 

Contact Information

Dedicated Contact Email: security@singingmachine.com

 Information We Can Receive (including but not limited to)

Security vulnerabilities in product firmware or Bluetooth stack

 Abnormal security issues during pairing and connection

 Privacy leakage risks or data security concerns

 Known vulnerability alerts for third-party components

 Security maintenance inquiries throughout the product lifecycle

 

Response Commitment

Upon receiving your report or inquiry, we commit to:

 Acknowledge receipt within 5 business days

 Provide initial assessment within 15 business days

 Follow up continuously until the issue is resolved (where applicable)

 

 

manuals-end