
"Smart" outlet from a popular manufacturer is exposed to multiple vulnerabilities

by sigismund » 2016-08-19 12:43:05


The update that fixes the vulnerabilities will be released in the third quarter of 2016.


Researchers from Bitdefender have found a number of serious vulnerabilities in "smart" electrical outlets from a popular manufacturer. The company's name is not disclosed, as the patch will only be released in the third quarter of 2016.

Smart power sockets are part of the "Internet of Things" and allow users to set a schedule for turning powered devices on and off, in order to save electricity and prevent overheating. In most cases such outlets can be managed remotely through a mobile app. Installation, configuration and management of the product studied by the Bitdefender experts is done via iOS and Android apps available in the App Store and Google Play.

To connect the product to a local wireless network, the user has to enter the Wi-Fi credentials during the configuration process. The device also registers itself on the vendor's server by sending a UDP message containing its name, model and MAC address.

One of the vulnerabilities discovered by the researchers is the use of an insecure default password for the access point. The manufacturer does not warn users about the need to change this password, which represents a security risk.

The second problem is that the mobile application transmits the Wi-Fi credentials in plain text, and attackers are able to intercept them. Data transfer between the application and the vendor's server is also not encrypted.

As the experts explain, knowing the password set by the manufacturer and the MAC address of the device, an attacker is able to exploit the vulnerability to intercept the data and change configuration settings (the power on/off schedule).

Many may argue that "smart" outlets don't store any sensitive information. However, the product studied by the experts is equipped with a function for sending notifications via email, which requires the user to provide the credentials for their mail service. By exploiting the vulnerability in the smart power outlet, an attacker could intercept this data and hack the user's account.

The researchers also found a vulnerability that allows arbitrary commands to be injected into new-password requests. In this way an attacker can not only overwrite the root password, but also open the built-in Telnet service and remotely hack the device.
sigismund
moderators
Posts: 788
Deposit: 0 BTC

Rating: 5