Vulnerable AGFEO smart-home controllers get firmware update five months late
Smart-home appliances are all the rage these days, as the Internet of Things goes into full bloom, with tens of billions of IoT products estimated to ship annually by 2022. Their popularity, though, also opens fertile new ground for hackers, and vendors are ill prepared to fight them, as one consulting firm recently showed.
In a July 12 disclosure that had been waiting to be published for almost half a year, infosec consultancy SEC Consult reveals that smart-home controllers from AGFEO were highly susceptible to attacks before finally receiving patches in June.
AGFEO Smart Home ES 5xx and AGFEO Smart Home ES 6xx, devices capable of controlling smart-home appliances such as smoke detectors, lighting, heating, ventilation and even security, have been extremely vulnerable for almost half a year because of flaws left unpatched by AGFEO in the devices’ firmware.
One of the many flaws found is described as follows:
“The configuration of the device can be changed and arbitrary updates can be uploaded as well as music files for the answering machine. By reading the database content, the usernames and their passwords can be revealed and easily decrypted. This way the administrator password can be dumped from the database and the device can be fully administrated by an attacker.”
Another flaw, which enables root privileges and access to all files on the devices’ operating system, opens the door to “unauthenticated access to web services and authentication bypass.”
And because cryptographic keys are hardcoded into the devices’ firmware, a bad actor could carry out impersonation, man-in-the-middle or passive decryption attacks.
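Hardcoded key material is something a vendor can catch before an image ships. The following is an added defensive example, not SEC Consult's proof-of-concept or any AGFEO code: it scans a firmware blob for PEM-encoded blocks, flags private keys, and fingerprints each block so the same key can be spotted reused across firmware versions or device models. The firmware bytes are a constructed sample, not a real image.

```python
import hashlib
import re

# Constructed sample firmware blob (not a real AGFEO image): binary padding
# with an embedded private key and a certificate. A private key baked into
# an image is shared by every device that runs it, which is what makes
# impersonation and passive decryption possible.
SAMPLE_FIRMWARE = (
    b"\x00\x01\x02firmware-header\xff\xfe"
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu\n"
    b"KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQ==\n"
    b"-----END RSA PRIVATE KEY-----\n"
    b"\x00\x00more-binary\x7f"
    b"-----BEGIN CERTIFICATE-----\nMIIBszCCAV2gAwIBAgIJ...\n-----END CERTIFICATE-----\n"
)

# A PEM block is a BEGIN marker, a body, and an END marker with the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def find_embedded_keys(blob: bytes) -> list[dict]:
    """Return one record per PEM block found anywhere in a firmware image."""
    findings = []
    for match in PEM_BLOCK.finditer(blob):
        label = match.group(1).decode("ascii")
        body = match.group(2)
        findings.append({
            "label": label,
            "offset": match.start(),
            # Certificates are public; any *PRIVATE KEY label is the problem.
            "is_private": label.endswith("PRIVATE KEY"),
            # Fingerprint of the body: equal values across images mean key reuse.
            "fingerprint": hashlib.sha256(body).hexdigest()[:16],
        })
    return findings


def private_key_findings(blob: bytes) -> list[dict]:
    """Only the findings a release gate should block on."""
    return [f for f in find_embedded_keys(blob) if f["is_private"]]


if __name__ == "__main__":
    for f in find_embedded_keys(SAMPLE_FIRMWARE):
        kind = "PRIVATE" if f["is_private"] else "public"
        print(f"{kind:7} {f['label']:16} @0x{f['offset']:06x} fp={f['fingerprint']}")
```

Run it over an unpacked image (for example the output of a filesystem extraction) and fail the build on any private-key finding; keys stored in DER or custom formats need a different scanner.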
Although the flaws were reported to AGFEO as early as January, it took the company until late June to deploy a patch, which users must install through a cumbersome process: either ringing up support or logging into their account on the vendor’s website. Since AGFEO is keeping quiet about the vulnerabilities and the firmware update is not automatic, many users are likely still at risk.
SEC Consult’s proof-of-concept shows a hacker would have to go to great lengths to compromise the controllers, but users should nonetheless update their firmware as soon as possible.
Last year, Gartner identified security as the #1 challenge for IoT vendors who fail to do proper testing before rushing Internet-connected devices to market.
An incident like the 2014 “baby monitor” case is enough to put a dent into any smart-home business. Vendors like AGFEO have both a moral and a financial obligation to respond to such discoveries quickly. Smart-home owners, for their part, should not postpone any security patches.