Smart IoT home hubs vulnerable to remote code execution attacks

A range of smart Internet of Things (IoT) hubs commonly found in our homes and offices are harboring severe security flaws, researchers have found.

On Wednesday, the ESET cybersecurity team said three different hubs -- the Fibaro Home Center Lite, eQ-3's Homematic Central Control Unit (CCU2) and ElkoEP's eLAN-RF-003 -- contained bugs dangerous enough to trigger remote code execution (RCE), data leaks, and Man-in-the-Middle (MitM) attacks. 

The Fibaro Home Center Lite is a compact, simple controller for managing intelligent devices such as smart lighting and appliances. eQ-3's Homematic CCU2, a legacy product followed by the CCU3, manages programming and logic functions for Homematic appliances, and the eLAN-RF-003, developed by ElkoEP, is a smart RF box that can be connected to a LAN to control networks via mobile devices. 

The Fibaro Home Center (HC) Lite -- firmware version 4.170 -- was tested, leading to the discovery of security flaws including missing certificate validation in TLS connections, exposing users to MiTM attacks and command injection.

See also: Students, university clash over forced installation of remote exam monitoring software on home PCs

It was also possible to brute-force the hub to expose a short hardcoded password stored in the firmware; to create an SSH backdoor without too much difficulty, and obtain full root access for device hijacking. The password salt, hardcoded into the hub, was easily accessible through the Fibaro web interface. 

Finally, if requests were sent to a function in the Fibaro HC Lite responsible for weather monitoring, the device leaked its exact GPS coordinates. Firmware updates were also downloaded over HTTP and were not encrypted or protected. 

The eQ-3's Homematic CCU2, deployed across Europe, also harbored a severe vulnerability. After testing firmware version 2.31.25, ESET found an RCE bug in the CGI script of the hub, leading to remote code execution attacks by unauthenticated users and full device hijacking.  

Elko's eLAN-RF-003, running on firmware version 2.9.079, contained critical bugs including no implementation of HTTPS to encrypt communications, inadequate authentication checks that allowed all commands to be executed without credentials, and no session cookie usage. 

These vulnerabilities could be used to leak sensitive data, expose users to MiTM attacks, and also permitted attackers to deploy malicious packets for code execution. There was also little protection in place for the device's web interface, which could allow threat actors to hijack the smart RF box and its connections.

CNET: Senator asks Google and Apple CEOs to be personally liable for COVID-19 tracking project privacy

The issues were reported to the vendors in 2018. While this is a long time ago and the research team said that other disclosure projects became the priority -- leading to the delay in public release -- as so many of us are now working or running our businesses from home, ESET wanted to clear this particular board. 

Nonetheless, users of these devices are still urged to check that updates have been installed. 

ESET reported the Elko and eQ-3 vulnerabilities during February and March. By May, Elko released a patch fixing some of the bugs through firmware version 3.0.038, but the unencrypted web GUI communication and vulnerable RF communication issues remain to this day. eQ-3 patched the RCE flaw in July. 

TechRepublic: Security teams want new tools but lack the budget to experiment

Fibaro's set of bugs was disclosed privately to the vendor in August. Within days, the vendor resolved everything except the hardcoded salt string, which didn't change and ESET says is still being used to create password SHA-1 hashes. 

ESET has not tested newer generations of the vendors' IoT hubs. 

"Some of the issues appear to have been left unresolved, at least on older generations of devices," ESET says. "Even if newer, more secure generations are available, though, the older ones are still in operation [...] With little incentive for users of older-but-functional devices to upgrade them, they [users] need to be cautious, as they could still be exposed."

Previous and related coverage

• Hackers steal $25 million worth of cryptocurrency from Lendf.me platform
  
• France asks Apple to relax iPhone security for coronavirus tracking app development
  
• PoetRAT Trojan targets energy sector using coronavirus lures
  

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0