Vivint Sky Control Panel Unauthenticated Access Vulnerability
Solutionary ID: SERT-VDN-1017
Risk Rating: High
CVE ID: CVE-2014-8362
Product: Vivint Sky Control Panel
Application Vendor: Vivint
Vendor URL: http://www.vivint.com/en/
Date discovered: 09/25/2014
Discovered by: Jeremy Scott and Solutionary Security Engineering Research Team (SERT)
Vendor notification date: 10/17/2014
Vendor response date: No Response
Vendor acknowledgment date: No Response
Public disclosure date: 09/22/2015
Type of vulnerability: Unauthenticated Administrative Access
Exploit Vectors: Local and Remote
Vulnerability Description: Vivint Sky Control Panel contains a flaw allowing unauthenticated access through a Web-enabled interface (default port 8090) to the Vivint Sky application. Unauthenticated access allows modifications to security settings including the capability to enable and disable the alarm.
Tested on: Vivint Sky Control Panel v1.1.1.9926
Affected software versions: Vivint Sky Control Panel v1.1.1.9926
Impact: Access to the control panel without authentication allows an attacker to modify the alarm settings to aid unauthorized access to the physical premises, affect the integrity of the alarm system, and create false alarms.
Fixed in: Current version
Remediation guidelines: The vendor has implemented authentication for the Web interface. Please contact the vendor and request a firmware update to mitigate the vulnerability, if identified.