iSmartAlarm CubeOne Missing SSL Certificate Validation

Published
Credit
Risk
2017.07.13
Ilia Shnaidman
Medium
CWE
CVE
Local
Remote
N/A
CVE-2017-7726
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
None
Partial
None

[+] Credits: Ilia Shnaidman
[+] Source:
http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/

Vendor:
=============
iSmartAlarm, inc.


Product:
===========================
iSmartAlarm cube - All versions

iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems.
It provides a fully integrated alarm system with siren, smart cameras and locks.
It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone,
offering you full remote control via mobile app wherever you are.


Vulnerability Type:
======================
Missing SSL Certificate Validation


CVE Reference:
==============
CVE-2017-7726


Security Issue:
================
iSmartAlarm's cube communicates with iSmartAlarm's backend using SSL encryption on port tcp/8443.
But the cube does not validate server certificate.


Attack Vectors:
================
An attacker can get any password/personal data by setting man
in the middle sniffer attack with a fake certificate on port 8443.


Network Access:
===============
Remote


Severity:
=========
High


Disclosure Timeline:
=====================================
Jan 30, 2017: Initial contact to vendor
Feb 1, 2017: Vendor replied, requesting details
Feb 2, 2017: Disclosure to vendor
Apr 12, 2017: After vendor didn't replied, I've approached CERT
Apr 13, 2017: Confirmed receipt by CERT and assigning CVEs
July 05, 2017: Public disclosure


References:

http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com