ESET researchers found serious security vulnerabilities in three different home hubs: Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003.
Some of the flaws could be misused by an attacker to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.
The issues have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active.
Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.
“We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too,” says ESET Security and Awareness specialist Ondrej Kubovič.
Fibaro Home Center Lite
One of the vulnerable devices was Fibaro Home Center Lite: a home automation controller, designed to control a wide variety of peripheral devices in a smart home.
A thorough inspection of the device by ESET researchers uncovered a mixture of serious vulnerabilities that could open the door for outside attackers. One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device. After being reported, the issue has promptly been fixed by the manufacturer.
Another device – Homematic CCU2 a central unit of user’s smart home system by eQ-3 – also displayed a serious security flaw during our testing, namely the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user.
The flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices via numerous shell commands misusing the RCE vulnerability. After being reported, the issue has been fixed by the manufacturer.
The third vulnerable device was smart RF box eLAN-RF-003 designed as a central unit in a smart home, allowing the user to control a variety of home systems via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV.
Researchers tested the device together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb and dimmable socket.
The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities. These included inadequate command authentication, which allowed all commands to be executed without a login, or radio communication with peripheral devices being vulnerable to record and replay attacks.
The vendor fixed some of the reported vulnerabilities and then focused on development of newer generations of the device.