The exploit struck me as exceptionally nasty given screen mirroring[1] is one of Supernote's attractive features.

Am I correct in understanding that the public debug key firmware signing faux pas was plugged in Chauvet 3.21.31 [2], while the unsolicited/unauthenticated P2P file transfer hole was plugged in the most recent Chauvet 3.23.32 [3]?

The changelog doesn't list any updates released circa December 2024 despite disclosure timeline noting that Supernote "...plan[ned] to address the issues in the December update."

[1] https://support.supernote.com/en_US/Tools-Features/1791924-s...

[2] https://support.supernote.com/en_US/change-log/changelog-for...

  [System] Enhanced security for system upgrade verification.

  [Supernote Linking] Enhanced the security of transferring files through the Supernote Linking feature.