
Smart-home controller makers need to implement better security


July 13, 2017

It looks like smart-home controllers from German maker Agfeo still aren't secure. The company has now offered a new Web admin interface to its users, but it's still not safe to use.

The now-patched attack vectors include unauthenticated access to some services, authentication bypass, cross-site scripting (XSS) security vulnerabilities, and hard-coded cryptographic keys.

The security flaws in question were discovered by SEC Consult and landed on Full Disclosure after the vendor finally released an update.

To be sure, the Agfeo ES 5xx and 6xx firmware has three security certificates with their associated private keys, which could ultimately allow an attacker to get administrative access and do as they please.

But why an attacker would work so hard to get so little is still a mystery, because you don't need credentials to hack that sort of gear in the first place. The developers built a debugger Web service into the ES 5xx range but forgot to remove it before the products shipped!

The security advisory asserts that the Web service is “accessible from an unusual port” and it runs with root privileges.

There's also a rather useful script to read those files, meaning “all files on the operating system” are visible...

The configuration ports (TCP 19002, 19004, 19006, 19009, 19010, 19080, and 19081) are also wide open: “Multiple different instances of TCP services are present on the device”, the note says, all of which are forked from the debug/config service, allowing attackers to read various device information and change its configuration.

Because user names and passwords are stored in an SQLite database, the flaw also lets an attacker dump credentials for all users. After being notified in January, Agfeo posted new firmware on June 30. Why the company waited so long is still a mystery.
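As an added illustration (not code from the advisory, from Agfeo or from SEC Consult), here is a small pre-release firmware triage check of the kind a maker or integrator could run over an image: it flags embedded PEM private keys like the ones shipped with the ES 5xx/6xx certificates, and embedded SQLite databases like the one holding user credentials. The sample image and the key body are constructed placeholders, not real firmware or key material.

```python
import hashlib
import re

# Two artefact classes the advisory describes: PEM private keys baked into
# the image, and an SQLite database (credential store) shipped alongside.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----\s*(.*?)\s*-----END \1-----",
    re.DOTALL,
)
SQLITE_MAGIC = b"SQLite format 3\x00"  # header every SQLite 3 file starts with


def find_private_keys(image: bytes):
    """Return (offset, key type, sha256 of the PEM block) for each private key found."""
    hits = []
    for m in PEM_RE.finditer(image):
        digest = hashlib.sha256(m.group(0)).hexdigest()  # fingerprint for tracking, not the key
        hits.append((m.start(), m.group(1).decode(), digest))
    return hits


def find_sqlite_databases(image: bytes):
    """Return the byte offset of every embedded SQLite database header."""
    return [m.start() for m in re.finditer(re.escape(SQLITE_MAGIC), image)]


def triage(image: bytes) -> dict:
    """Summarise findings; 'ship_blocking' is True if anything was found."""
    keys = find_private_keys(image)
    dbs = find_sqlite_databases(image)
    return {"private_keys": keys, "sqlite_databases": dbs,
            "ship_blocking": bool(keys) or bool(dbs)}


# Constructed sample image: fake ELF preamble, a placeholder PEM block whose
# body is just base64 of the alphabet, and an SQLite header. Not a real key.
SAMPLE_IMAGE = (
    b"\x7fELF" + b"\x00" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=\n"
    + b"-----END RSA PRIVATE KEY-----\n"
    + b"\x00" * 8
    + SQLITE_MAGIC + b"\x00" * 8
)

if __name__ == "__main__":
    for k, v in triage(SAMPLE_IMAGE).items():
        print(f"{k}: {v}")
```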

Source: SEC Consult.


Copyright © Internet Security.ca    Terms of use    Privacy agreement    Legal disclaimer