[+] Credits: Ilia Shnaidman
iSmartAlarm cube - All versions
iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems.
It provides a fully integrated alarm system with siren, smart cameras and locks.
It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone,
offering you full remote control via mobile app wherever you are.
iSmartAlarm's cube communicates with iSmartAlarm's backend using SSL encryption on port tcp/8443.
But the cube does not validate server certificate.
An attacker can get any password/personal data by setting man
in the middle sniffer attack with a fake certificate on port 8443.
Jan 30, 2017: Initial contact to vendor
Feb 1, 2017: Vendor replied, requesting details
Feb 2, 2017: Disclosure to vendor
Apr 12, 2017: After vendor didn't replied, I've approached CERT
Apr 13, 2017: Confirmed receipt by CERT and assigning CVEs
July 05, 2017: Public disclosure