Connected Home Hubs Open Houses to Full Remote Takeover

Three different connected home hubs – Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and Elko’s eLAN-RF-003 – are vulnerable in their older versions to serious bugs that would allow information disclosure, man-in-the-middle (MiTM) attacks and unauthenticated remote code execution (RCE), according to researchers.

Home hubs are used to connect a range of smart devices (including appliances, IP cameras, smart thermostat and doorbell gadgets, connected TVs, Google Home and Amazon Alexa offerings, plus laptops, phones and the like). Researchers at ESET pointed out in Tuesday research that an attacker that compromises one of these could in theory gain full access to all of the peripheral devices connected to it – a scenario that could also impact businesses given that more people are working from home.

The flaws were disclosed by ESET just this week, though most of them were fixed in previous updates. They still impact a number of IoT devices, the analyst firm said – likely because consumers don’t tend to update their device firmware very often, if at all; and, a handful of the flaws remain unaddressed.

Fibaro Home Center Lite

Fibaro Home Center Lite (firmware version 4.170) was found by the ESET IoT research team to be vulnerable to a range of bugs. The problems included TLS connections that were vulnerable to MitM attacks thanks to a missing certificate validation – which would open the door to command injection; the use of very short, hardcoded password stored in the file /etc/shadow in the device’s firmware, ripe for brute-forcing; the use of a hardcoded password salt; and a vulnerable weather service API that leaked the exact GPS coordinates of the device due to the use of unencrypted HTTP communications.

Some of these could be chained together to create an SSH backdoor for full control of a targeted device.

For instance, ESET researchers were able to create their own MiTM server, thanks to the fact that the Fibaro Home Center Lite communicates with its cloud server via a standard SSH tunnel, but it fails to validate the certificate for TLS communications with the server.

“Fibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server’s hostname and listening port,” the researchers explained. “Based on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.”

Because of the failure to perform certificate verification on the TLS requests, any attacker can use fake certificates signed by their proxy server to accept the public key of the targeted device and mimic the original Fibaro server.

“To make matters worse, intercepted TLS requests – intended to create the SSH tunnel between the device and the legitimate server – are vulnerable to command injection,” according to the research. “By using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish.”

For example, the attacker can generate a malicious response with a command injection that causes the device’s initialization shell script to fail. That prompts the device to request the server’s IP address once again – a request that can now be intercepted by the attacker and replaced with a different tunnel.

“Another tunnel is created, through which the attacker’s SSH backdoor port is forwarded,” according to the analysis. “This reroutes the communication from both ports (SSH 666, HTTP 80) to the attacker’s MitM server. From this point on, the attacker has root access to Fibaro Home Center Lite.”

From there, attackers can intercept firmware updates and uncover the hardcoded root password, valid for all Fibaro Home Center Lite devices – can be “trivially brute-forced,” according to the security firm.

Attackers can also manipulate user credentials for the device’s web interface, stored in an SQLite database on Fibaro Home Center Lite.

“These passwords are stored SHA-1 hashed, created from the supplied password salted with a hardcoded string that can easily be extracted from a script in the firmware image file,” the analysis detailed. “Using the salt, an attacker can rewrite existing credentials in the appropriate row of the Home Center Lite’s SQLite database located at /mnt/user_data/db, rendering the legitimate password invalid.”

Fibaro issued patches for the issues, so that the home hubs now verify server certificates and disallow command injections; and the hardcoded root password has been replaced with a “longer and more secure alternative,” according to ESET.

The hardcoded salt string used to create the SHA-1 hash of the password is however a lingering issue.

Homematic Central Control Unit (CCU2)

The Homematic CCU2 (firmware version 2.31.25) harbors a bug that would allow unauthenticated remote code execution (RCE) as a root user.

The issue arises from a common gateway interface (CGI) script that handles the logout procedure of the Homematic CCU2’s web-based administration interface.

“The $sid (session ID) parameter was not properly escaped, enabling an attacker to inject malicious code and run arbitrary shell commands as the root (administrator) user,” according to the research. “As the logout script did not check that it is processing a request from a currently logged-in session, an unlimited number of these requests could be made by an attacker without ever having to log into the device.”

Using this, an attacker could set a new root password.

The issue has been patched.

Elko’s eLAN-RF-003

The eLAN-RF-003 (firmware version 2.9.079) is a smart RF box that allows user to control a variety of systems such as lighting, hot-water temperature, heating, smart locks, shutters, blinds, fans, power outlets and more via an application installed on a smartphone.

ESET uncovered critical vulnerabilities in the hub, including the use of unencrypted HTTP protocol for the box’s web GUI communication; essentially, all user communications – including sensitive data such as usernames and passwords – was sent over the network without encryption or any other form of protection, allowing any attacker to intercept the information in the clear.

Also at issue: Inadequate authentication, allowing all commands to be executed without requesting a login; a lack of session cookies, thus lacking any mechanism that could verify that the user was correctly logged in; and, peripheral devices connected to the smart RF box were vulnerable to record and replay attacks.

“Unauthenticated access to the web interface is a severe issue, as it gives anyone with access to the local network the ability to take control over the smart RF box and subsequently all the devices connected to it,” according to the analysis. “This is especially worrying due to possible combination with other vulnerabilities that allow the attacker to gain a foothold in the local Wi-Fi network.”

Attackers would be able to extract information about peripheral devices, floor plans, errors, attributes of the managed smart home, the device’s firmware version, and so on, ESET noted.

Unfortunately, two of reported vulnerabilities (the unencrypted web interface communication and insecure radio frequency (RF) communication) appear to have remained unpatched, while only partial patches were issue for the others, ESET said. That said, the researchers haven’t probed the latest generation of the device.

Threatpost has reached out to the vendors for further comment.

“Most of the flaws disclosed by ESET have been fixed by the vendors of these particular devices,” the researchers concluded. “However, some of the issues appear to have been left unresolved, at least on older generations of devices. Even if newer, more secure generations are available, though, the older ones are still in operation….security vulnerabilities in IoT devices are a prevalent issue.”

_Worried about your cloud security in the work-from-home era? On April 23 at 2 p.m. ET, join DivvyCloud and Threatpost for a FREE webinar, _A Practical Guide to Securing the Cloud in the Face of Crisis_. Get exclusive research insights and critical, advanced takeaways on how to avoid cloud disruption and chaos in the face of COVID-19 – and during all times of crisis. _Please register here** for this sponsored webinar.**