Users are encouraged to apply latest updates to reduce their risk exposure
BRATISLAVA April 22, 2020 - ESET’s IoT Research team found numerous serious security vulnerabilities in three different home hubs – Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003.
Some of the flaws could be misused by an attacker to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.
ESET provides more details in the blog post “Serious flaws found in multiple smart home hubs: Is your device among them?”
The issues described in this article have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active. Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.
“We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too,” said ESET Security and Awareness Specialist Ondrej Kubovič.
One of the vulnerable devices was Fibaro Home Center Lite, a home automation controller, designed to control a wide variety of peripheral devices in a smart home. A thorough inspection of the device by the ESET IoT Research team uncovered a mixture of serious vulnerabilities that could open the door for outside attackers. One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device. After being reported, the issue has promptly been fixed by the manufacturer.
Another device - Homematic CCU2 a central unit of user’s smart home system by eQ-3 - also displayed a serious security flaw during our testing, namely the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user. The flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices via numerous shell commands misusing the RCE vulnerability. After being reported, the issue has been fixed by the manufacturer.
The third vulnerable device was smart RF box eLAN-RF-003 designed as a central unit in a smart home, allowing the user to control a variety of home systems via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV. ESET IoT Research tested the device together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb and dimmable socket.
The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities. These included inadequate command authentication, which allowed all commands to be executed without a login, or radio communication with peripheral devices being vulnerable to record and replay attacks. The vendor fixed some of the reported vulnerabilities and then focused on development of newer generations of the device.
For more details about the tested devices, their vulnerabilities and possible attacks, read the blogpost “Serious flaws found in multiple smart home hubs: Is your device among them?” on WeLiveSecurity.com. Make sure to follow ESET research on Twitter for the latest news from ESET Research.
About ESET
For more than 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint and mobile security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give consumers and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D centers worldwide, ESET is the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003. For more information, visit www.eset.com or follow us on LinkedIn, Facebook, and Twitter.