Unpatched Smart Home Hubs could allow Remote Access Attacks
April 23, 2020
Earlier this week, multiple vulnerabilities were disclosed in several connected home hub devices. A home hub is a device that is used to connect a wide range of devices to a single managed point. These items could be video doorbells, thermostats, appliances, IP cameras, alarm systems, Google Home, Alexa, and so much more. These devices are known as the Internet of Things (IoT).
Researchers on the ESET cybersecurity team disclosed that Fibaro Home Center Lite, eQ-3's Homematic Central Control Unit (CCU2) and ElkoEP's eLAN-RF-003 had critical bugs that allowed attackers to trigger data leaks, Man-in-the-Middle (MitM) attacks, and remote code execution (RCE). These types of vulnerabilities would allow an attacker to scan for and detect these devices from the Internet and attempt to breach them. If successful, the attacker would be able to remotely access all the connected devices on that hub. Additionally, once the home hub device is compromised, the attacker would be able to take complete control of all connected devices. They could even use those devices as a jumping-off point to gain access to other computers and devices connected to the home/business network.
The flaws identified by the ESET cybersecurity team were reported to the various vendors and have already been addressed in previous updates to most of these devices. The problem, however, is that many people do not update their devices frequently enough, if at all. This means that there are many devices on the internet that are susceptible to attacks that exploit these vulnerabilities.
The ESET team noticed that many of the vulnerabilities found in lower-end devices are not exclusive to lower-priced items. Higher-priced devices from larger companies have also been found to have issues with encryption, security settings, authentication mechanisms, and other settings. This finding is critical: users should not let their guard down thinking a higher-priced, big-name vendor will have a superior security product. The demand for IoT devices has pushed developers to create code and devices at a rapid speed, a pace that often leaves out testing and proper update schedules.
Of the devices listed in the report, the Fibaro Home Center Lite, a home automation center, was identified as having a major vulnerability that would allow an attacker to remotely open an SSH backdoor to the device. This essentially allows an attacker to connect directly to the Fibaro Home Center as if it were just another computer. This would then bypass any firewalls or other restrictive measures the network may have and give an attacker a gateway directly into the internal network.
In this scenario, a person could remotely access the home hub and then run additional attacks on other devices in the house. With the COVID-19 pandemic putting millions of people at home to work, the attacker would have easy access to corporate laptops and services that they could otherwise not reach when those computers are at the office. The various other security measures on that work laptop could be subverted by an internal hacker who does not have to try to bypass corporate security measures.
A smart home central unit from eQ-3 known as Homematic CCU2 was also found to have a number of serious bugs in its code. One of those issues allowed an attacker to perform unauthenticated remote code execution (RCE) on the unit, running as root. The root user has ultimate access to the device, so the attacker would have the ability to carry out many different types of attacks on any device connected to the LAN. Once ESET notified eQ-3 of the device's flaws, they immediately patched the software to remove that vulnerability.
The third device that was discovered to have multiple critical vulnerabilities was a smart RF device called eLAN-RF-003. This device allowed users to install an application on their phones, tablets, smartwatches, or TVs to control various items in their homes. When researchers tested this device with two other products from the same vendor, they discovered that an attacker could run all commands without logging in due to the device's lack of security in its command authentication. This device also works over RF, so it could interact with other peripherals that were not on a network by using the radio frequencies built into the box. The vendor fixed some of the issues found but pursued developing a newer-generation model to overcome some of the other critical vulnerabilities.
To read about all the vulnerabilities found, see the full report in ESET's press release.