A security researcher discovered vulnerabilities in an automation system for smart homes and buildings that allowed taking over accounts belonging to other users and control associated devices.
In a presentation on Saturday at the IoT Village during the DEF CON hacker conference, Barak Sternberg shows how some weak spots in the HDL automation system could have been leveraged by attackers to fully compromise it.
Looking at how a user can configure and control HDL components, the researcher noticed that registering a new account (email and password) on the mobile app automatically generates another account for applying the settings.
This additional account has the string “debug” in the username (Αυτή η διεύθυνση ηλεκτρονικού ταχυδρομείου προστατεύεται από τους αυτοματισμούς αποστολέων ανεπιθύμητων μηνυμάτων. Χρειάζεται να ενεργοποιήσετε τη JavaScript για να μπορέσετε να τη δείτε.) and the same password defined by the user for their account.
Its purpose is to apply the settings and send the configuration for the local devices to an external HDL server so that other authorized users can download it and control the smart home.
Sternberg found that the password changing process allows defining a new password for the “debug” account while the one for the user remains the same.
An attacker could register the email address for the “debug” username to receive the instructions for changing the password. Once the procedure completes, the attacker can control the components (lights, temperature, cameras, various sensors) in the HDL automated environment as well as configure them.
Sternberg also found an HDL endpoint (“/api/GetRoomBindingDevice”) that was vulnerable to SQL injection. Using a special query, Sternberg received the following response data:
Although he did not go any further, the researcher says that “extracting email, clients list, user list and probably passwords and others is straightforward.”
Additional details about the internal network, such as subnet and HDL controller parameters, could be extracted from gateway info.
There are some questions about the firmware and device backup tables, but some potential scenarios may have allowed supplying malicious software or altering user configurations.
As such, scenarios with an impact on people and hardware inside an HDL automated building become possible. One example from Sternberg is raising the temperature in the server room.
HDL Automation provides intelligent control systems and integrated solutions for hotels, homes, and various types of other buildings so the security implications in its systems could have disastrous effects.
Sternberg says that the company moved quickly to fix the issues he discovered, which did not allow him to fully explore the exploitation avenues presented by the vulnerabilities.
The information contained in this website is for general information purposes only. The information is gathered from Bleeping Computer, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk. Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.