Seebug SSV:97359
Jun 22, 2018 - 12:00 a.m.

Insteon Hub PubNub Firmware Downgrade Vulnerability (CVE-2018-3833)


EPSS: 0.005 (Low), Percentile: 77.0%

Summary

An exploitable firmware downgrade vulnerability exists in Insteon Hub running firmware version 1013. The firmware upgrade functionality, triggered via PubNub, retrieves signed firmware binaries using plain HTTP requests. The device doesn’t check the firmware version that is going to be installed and thus allows for flashing older firmware images. To trigger this vulnerability, an attacker needs to impersonate the remote server “cache.insteon.com” and serve any signed firmware image.

Tested Versions

Insteon Hub 2245-222 - Firmware version 1013

Product URLs

http://www.insteon.com/insteon-hub

CVSSv3 Score

8.6 - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

CWE

CWE-284: Improper Access Control

Details

Insteon produces a series of devices aimed at controlling and monitoring a home: wall switches, LED bulbs, thermostats, cameras, etc. One of those is Insteon Hub, a central controller that allows an end-user to connect to their own house remotely from a smartphone and manage any other device through it. The Insteon Hub board uses several MCUs; the firmware in question runs on a Microchip PIC32MX MCU, which has a MIPS32 architecture.

The firmware uses Microchip’s “Libraries for Applications” as the core of the application code. Its functionality is built around a cooperative multitasking loop, which continuously executes all the existing tasks: the library already defines several tasks, e.g. for reading and sending network packets and calling the corresponding callbacks. Custom applications building on this library simply need to add new functions at the end of the loop, taking care to execute tasks as quickly as possible, or to split them across several loop cycles, so that the other tasks keep running smoothly.

To enable remote interaction via the Internet, Insteon Hub uses an online service called PubNub (https://www.pubnub.com/). End-users install the “Insteon for Hub” application on their smartphone. Both the smartphone application and Insteon Hub include the PubNub SDK, which allows bidirectional communication using PubNub’s REST API.

Using the phone application, a user can decide to force an update. In this case, the phone will first retrieve the latest firmware for a given device using an HTTP GET request:

# phone --> connect.insteon.com:443
GET /HubService/Firmware?HubID=112233 HTTP/1.1

# connect.insteon.com:443 --> phone
[{"FW":"FW","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex","Version":"1013","DevCat":"03","SubCat":"33"},{"FW":"PLM","Url":"cache.insteon.com\/software\/insteon\/hub2\/prod\/PROD_PLM_03_33_A3.hex","Version":"A3","DevCat":"03","SubCat":"33"}]

The answer contains the URLs of the firmware images in Intel HEX format. In this case there are two of them: one for the main PIC32MX MCU (“FW”) and one for the PLM. We’re interested in the former.

The phone will then communicate with the device via PubNub, asking to perform a firmware update using the FW URL.

# phone --> pubsub.pubnub.com:443
GET /publish/pub-c-a415cc66-b0ca-4d1d-8d9e-947390b35df3/sub-c-e1c54032-1685-11e4-b69f-02ee2ddab7fe/0/112233-ad/0/{"u":"\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex","msgid":"1234567890-3","cmd":"up_firm","ser":"4","h":"cache.insteon.com"}?&auth=11223344556677889900AABBCCDDEEFF

# pubsub.pubnub.com:443 --> phone
[1,"Sent","1234567890"]

When the device receives this message, it will fetch the firmware using a plain HTTP request to "http://cache.insteon.com/software/insteon/hub2/prod/PROD_FW_03_33_1013.hex".

The device will then perform a signature check on the firmware, and if this check passes, the firmware will be flashed without verifying that the current firmware version is lower than the one downloaded.

An attacker who is able to impersonate the HTTP server for “cache.insteon.com” (e.g. via MITM) would be able to serve any old firmware and later exploit any vulnerability present in it.
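The checks whose absence the advisory describes, written out as an added example (not Insteon's or the advisory author's code): parse an up_firm publish message like the one above, then refuse untrusted hosts, images built for another device model and any version that is not newer than the installed one, and build an HTTPS download URL instead of plain HTTP. The PROD_FW_<DevCat>_<SubCat>_<Version>.hex file-name layout is inferred from the example URL and response JSON; the PubNub keys and auth token in the sample are placeholders.

```python
import json
import re
from urllib.parse import unquote

TRUSTED_HOST = "cache.insteon.com"
# File name layout inferred from the advisory's example (PROD_FW_03_33_1013.hex
# with DevCat 03, SubCat 33, Version 1013): PROD_FW_<DevCat>_<SubCat>_<Version>.hex
FW_NAME = re.compile(r"^PROD_FW_([0-9A-F]{2})_([0-9A-F]{2})_(\d+)\.hex$")

# Constructed sample modelled on the publish request above; PubNub keys and the
# auth token are replaced with placeholders.
SAMPLE_PUBLISH_PATH = (
    r'/publish/PUB_KEY/SUB_KEY/0/112233-ad/0/'
    r'{"u":"\/software\/insteon\/hub2\/prod\/PROD_FW_03_33_1013.hex",'
    r'"msgid":"1234567890-3","cmd":"up_firm","ser":"4","h":"cache.insteon.com"}'
    r'?&auth=AUTH_TOKEN'
)

def parse_publish(path):
    """Return the JSON message carried by a PubNub publish request path.
    Layout: /publish/<pub key>/<sub key>/0/<channel>/0/<message>?..."""
    path = path.split("?", 1)[0]
    parts = path.split("/", 7)          # the message is the 8th component
    if len(parts) != 8 or parts[1] != "publish":
        raise ValueError("not a PubNub publish path")
    return json.loads(unquote(parts[7]))

def check_update(msg, current_version, devcat, subcat):
    """Decide whether an up_firm message may be acted upon.
    Returns (True, https_url) or (False, reason): trusted host, model match,
    strictly newer version, and TLS for the download."""
    if msg.get("cmd") != "up_firm":
        return False, "not a firmware update command"
    if msg.get("h") != TRUSTED_HOST:
        return False, "untrusted firmware host: %r" % msg.get("h")
    m = FW_NAME.match(msg.get("u", "").rsplit("/", 1)[-1])
    if not m:
        return False, "unexpected firmware file name"
    if (m.group(1), m.group(2)) != (devcat, subcat):
        return False, "firmware is for a different device model"
    new_version = int(m.group(3))
    if new_version <= current_version:
        return False, "downgrade or reinstall refused: %d <= %d" % (new_version, current_version)
    return True, "https://%s%s" % (msg["h"], msg["u"])

if __name__ == "__main__":
    msg = parse_publish(SAMPLE_PUBLISH_PATH)
    print(check_update(msg, 1012, "03", "33"))   # accepted, HTTPS URL
    print(check_update(msg, 1013, "03", "33"))   # refused: not newer
```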
