Burglary in mind? Easy, just pwn the home alarm
It’s Monday, and infosec-watchers are showing their age by calling internet of things security disclosures “a broken record”. This time, it’s a home security system that’s remotely p0wnable.
iSmartAlarm ships a variety of app-linked security products, including door sensors, motion sensors, cameras, locks, and a controller unit (called the Cube), with iOS and Android apps, Alexa capabilities … pretty much the full suite of ShinyHappySmartLife™ must-haves.
Now, it’s time to get out your bingo cards, because the list of vulnerabilities includes issues with SSL certificate validation, authentication errors, an access control blunder, and a denial of service.
The vulnerabilities were turned up by Ilia Shnaidman of Bullguard Security (developer of a competing system called Dojo), with one CVE request rejected as in error.
So let’s stick with the vulnerabilities that got Common Vulnerabilities and Exposures listings, whose discovery is detailed here.
The SSL certificate validation bug is in the CubeOne, which handles communications between the iSmartAlarm-protected home and the smartphone app.
During the SSL handshake with its server, the CubeOne doesn’t check the server certificate’s validity, so Shnaidman only needed to forge a self-signed cert to get control over CubeOne-to-server traffic.
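To make the missing check concrete, here is an added example (not iSmartAlarm firmware code and not from the researcher's write-up) showing a TLS client configuration that skips certificate validation beside one that enforces it, plus a small audit helper. Python's `ssl` module stands in for whatever TLS stack the device uses; the function names and finding labels are hypothetical.

```python
from __future__ import annotations

import ssl


def insecure_context() -> ssl.SSLContext:
    """Client context with the class of flaw described: no certificate checks."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Order matters: Python refuses CERT_NONE while check_hostname is still on.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # any certificate, self-signed included, passes
    return ctx


def hardened_context(cafile: str | None = None) -> ssl.SSLContext:
    """Client context that validates the chain and the server name."""
    # cafile lets a device trust only its vendor's CA instead of the system store.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    # Both are already the defaults; set explicitly so a later weakening stands out.
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list[str]:
    """Return findings for settings that let a forged certificate through."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("chain-not-verified")
    if not ctx.check_hostname:
        findings.append("hostname-not-checked")
    return findings


def disabling_verification_is_blocked(ctx: ssl.SSLContext) -> bool:
    """True if the context rejects CERT_NONE while hostname checks are enabled."""
    try:
        ctx.verify_mode = ssl.CERT_NONE
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for name, ctx in (("insecure", insecure_context()), ("hardened", hardened_context())):
        print(name, audit_context(ctx) or "ok")
```

A handshake made with the hardened context raises `ssl.SSLCertVerificationError` when the peer presents a self-signed certificate, which is the failure the CubeOne never triggers.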
An error in how the system handles its XXTEA (corrected block Tiny Encryption Algorithm) keys allowed the researcher to create and use a valid encryption key, leading to the access control and authentication bypass bugs.
Shnaidman says he went public after the vendor didn’t reply to his disclosure (we have contacted the company for confirmation).
At the time of writing, The Register couldn’t find an iSmartAlarm firmware update more recent than March 2017. ®
via The Register – Security http://ift.tt/2jCNZ5O
July 16, 2017 at 11:00PM