Date: 2020-04-22

Researchers have found a wide variety of vulnerabilities in Internet of Things (IoT) hubs commonly found in our homes and offices.

ESET’s cybersecurity team said on Wednesday that three different hubs (the Fibaro Home Center Lite, the eQ-3 Homematic Central Control Unit (CCU2) and the ElkoEP eLAN-RF-003) all contained bugs dangerous enough to trigger remote code execution (RCE), data leaks, and Man-in-the-Middle (MitM) attacks.

The Fibaro Home Center Lite is a compact, simple controller for managing smart devices such as lighting and smart appliances. The eQ-3 Homematic CCU2, a legacy product succeeded by the CCU3, manages programming and logic functions for home appliances, and the eLAN-RF-003, developed by ElkoEP, is a smart, RF-compatible box that connects to a LAN to control networks using mobile devices.

The Fibaro Home Center (HC) Lite, firmware version 4.170, was found to contain security flaws, including a lack of certificate validation on TLS connections, exposing users to MitM attacks and command injection.

It was also possible to force the hub to expose a hard-coded password stored in the firmware, to create an SSH backdoor without much hassle, and to gain complete root access for device hijacking. The password salt, hard-coded in the hub, was easily accessible via Fibaro’s web interface.

Finally, if requests were made to a Fibaro HC Lite responsible for weather monitoring, the device leaked its exact GPS coordinates. Firmware updates were also downloaded via HTTP and were not encrypted or protected.

eQ-3’s Homematic CCU2, deployed throughout Europe, also contained a serious vulnerability. After testing firmware version 2.31.25, ESET found an RCE flaw in a CGI script on the hub, which allowed remote code execution by unauthenticated users and full device hijacking.

Elko’s eLAN-RF-003, which was running firmware version 2.9.079, contained critical flaws, including a failure to implement HTTPS to encrypt communications, inadequate authentication checks that made it possible to execute all commands without credentials, and no use of session cookies.

These vulnerabilities could be used to leak sensitive data, expose users to MitM attacks, and allow attackers to deploy malicious packages for code execution. There was also little protection for the device’s web interface, which could allow threat actors to hijack the RF smart box and its connections.

The vendors were notified of the issues in 2018. , as many of us already work or work. ESET wanted to delete this advice.

However, users of these devices are still asked to check for updates.

ESET reported the Elko and eQ-3 vulnerabilities in February and March. Elko released a patch in May, firmware version 3.0.038, that fixed some of the bugs, but the unencrypted web GUI communication and vulnerable RF communication issues remain to this day. eQ-3 addressed the RCE flaw in July.

Fibaro’s set of bugs was disclosed privately to the vendor in August. Within a few days, the vendor fixed everything except the hard-coded salt string, which ESET says is still being used to create SHA-1 password hashes.
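Why the remaining hard-coded salt matters, shown as an added example that is not code from ESET or Fibaro: a salt shared by every device plus a single fast SHA-1 pass lets one precomputed table match hashes from any hub, while a random per-credential salt with a slow KDF does not. The salt value, the salt-then-password layout and the sample passwords are constructed assumptions; the article only says the salt is hard-coded and used for SHA-1 hashes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a salt baked into every firmware image (not Fibaro's value).
FIRMWARE_SALT = b"constructed-static-salt"

def weak_hash(password):
    """Pattern described above: one shared salt, one fast SHA-1 pass.
    The salt-then-password layout is an assumption for illustration."""
    return hashlib.sha1(FIRMWARE_SALT + password.encode()).hexdigest()

def build_lookup(candidates):
    """Cost of a shared salt: a table computed once matches hashes
    taken from any device running the same firmware."""
    return {weak_hash(p): p for p in candidates}

def strong_hash(password, salt=None, iterations=600_000):
    """Hardened form: random per-credential salt and a slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

def demo():
    # Two separate hubs whose owners chose the same password (constructed sample).
    hub_a, hub_b = weak_hash("sunshine1"), weak_hash("sunshine1")
    table = build_lookup(["123456", "sunshine1", "admin"])
    rec_a, rec_b = strong_hash("sunshine1"), strong_hash("sunshine1")
    return {
        "weak_hashes_identical": hub_a == hub_b,
        "recovered_from_table": table.get(hub_b),
        "strong_hashes_identical": rec_a[2] == rec_b[2],
        "strong_verifies": verify("sunshine1", *rec_a),
        "strong_rejects_wrong": verify("sunshine2", *rec_a),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```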

ESET has not tested newer generations of the vendors’ IoT hubs.

“Some of the problems seem to have been resolved, at least in older generations of devices,” says ESET. “Although newer and more secure generations are still available, the older ones are still in operation (…) With little incentive for users of older but functional devices to upgrade, they (users) need to be careful, because they could still be exposed.”

