Smart-home controller makers need to implement better security
July 13, 2017
It looks like smart-home controllers from German maker Agfeo still aren't secure. The company has now offered a new Web admin interface to its users, but it's still not safe to use.
The now-patched attack vectors include unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) security vulnerabilities, and hard-coded cryptographic keys.
The security flaws in question were discovered by SEC Consult and landed on Full Disclosure after the vendor finally released an update.
To be sure, the Agfeo ES 5xx and 6xx firmware ships with three hard-coded certificates and their associated private keys, which could ultimately allow an attacker to gain administrative access and do as they please.
But why anyone would work so hard for so little is a mystery, because you don't need credentials to hack that sort of gear in the first place: the developers built a debugging Web service into the ES 5xx range and forgot to remove it before the products shipped!
The security advisory asserts that the Web service is “accessible from an unusual port” and it runs with root privileges.
There's also a rather useful file-reading script on that service, meaning “all files on the operating system” are visible...
The configuration ports (TCP 19002, 19004, 19006, 19009, 19010, 19080, and 19081) are also wide open: “Multiple different instances of TCP services are present on the device”, the note says, all of which are forked from the debug/config service, allowing attackers to read various device information and change their configuration.
Because user names and passwords are stored in an SQLite database, the same flaw also lets an attacker dump credentials for all users. After being notified in January, Agfeo posted new firmware on June 30. Why the company waited so long is still a mystery.
Source: SEC Consult.