[+] Credits: Ilia Shnaidman
[+] @0x496c on Twitter
[+] Source:
http://dojo.bullguard.com/blog/burglar-hacker-when-a-physical-security-is-compromised-by-iot-vulnerabilities/
Vendor:
=============
iSmartAlarm, inc.
Product:
=============
iSmartAlarm cube - All
iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems.
It provides a fully integrated alarm system with siren, smart cameras and locks.
It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone,
offering you full remote control via mobile app wherever you are.
Vulnerability Type:
======================
Incorrect Access Control
CVE Reference:
==============
CVE-2017-7729
Security Issue:
================
On iSmartAlarm cube devices, there is
an authentication bypass.
Which can lead to remote execution of alarm's commands; setting the alarm on/off and activating the alarm siren.
Additional Information:
===============
On iSmartAlarm cube devices, there is
Insufficient Verification of Security Authenticity.
When iSmartAlarm's mobile app connected to the same network as the iSmartAlarm's cube,
they authentication and then communication is made on port tcp/12345 in PLAIN TEXT.
Attack Vectors:
===============
After obtaining the encryption key, I've been able to control the alarm.
Using the protocol from CVE-7728 an attacker can
have full control of alarm's functionality.
Network Access:
===============
Remote
Severity:
=========
High
Disclosure Timeline:
=====================================
Jan 30, 2017: Initial contact to vendor
Feb 1, 2017: Vendor replied, requesting details
Feb 2, 2017: Disclosure to vendor
Apr 12, 2017: After vendor didn't replied, I've approached CERT
Apr 13, 2017: Confirmed receipt by CERT and assigning CVEs
July 05, 2017: Public disclousre
