Dubai, UAE - ESET IoT Research team found numerous serious security vulnerabilities in three different home hubs – Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003.

Some of the flaws could be misused by an attacker to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.

The issues described in this article have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active. Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.

“We found that security vulnerabilities in IoT devices are a prevalent issue. Our research also proves that flaws in settings, missing encryption or authentication are not exclusive to low-end cheap devices but are often present in high-end hardware too,” says ESET Security and Awareness specialist Ondrej Kubovi?.

One of the vulnerable devices was Fibaro Home Center Lite: a home automation controller, designed to control a wide variety of peripheral devices in a smart home.  A thorough inspection of the device by the ESET IoT Research team uncovered a mixture of serious vulnerabilities that could open the door for outside attackers. One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device. After being reported, the issue has promptly been fixed by the manufacturer.

Another device - Homematic CCU2 a central unit of user’s smart home system by eQ-3 - also displayed a serious security flaw during our testing, namely the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user. The flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices via numerous shell commands misusing the RCE vulnerability. After being reported, the issue has been fixed by the manufacturer.

The third vulnerable device was smart RF box eLAN-RF-003 designed as a central unit in a smart home, allowing the user to control a variety of home systems via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV. ESET IoT Research tested the device together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb and dimmable socket.

The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities. These included inadequate command authentication, which allowed all commands to be executed without a login, or radio communication with peripheral devices being vulnerable to record and replay attacks. The vendor fixed some of the reported vulnerabilities and then focused on development of newer generations of the device.

For more details about the tested devices, their vulnerabilities and possible attacks, read the blogpost “Serious flaws found in multiple smart home hubs: Is your device among them?” on WeLiveSecurity.com. Make sure to follow ESET research on Twitter for the latest news from ESET Research.

Send us your press releases to pressrelease.zawya@refinitiv.com

© Press Release 2020

Disclaimer: The contents of this press release was provided from an external third party provider. This website is not responsible for, and does not control, such external content. This content is provided on an “as is” and “as available” basis and has not been edited in any way. Neither this website nor our affiliates guarantee the accuracy of or endorse the views or opinions expressed in this press release.

The press release is provided for informational purposes only. The content does not provide tax, legal or investment advice or opinion regarding the suitability, value or profitability of any particular security, portfolio or investment strategy. Neither this website nor our affiliates shall be liable for any errors or inaccuracies in the content, or for any actions taken by you in reliance thereon. You expressly agree that your use of the information within this article is at your sole risk.

To the fullest extent permitted by applicable law, this website, its parent company, its subsidiaries, its affiliates and the respective shareholders, directors, officers, employees, agents, advertisers, content providers and licensors will not be liable (jointly or severally) to you for any direct, indirect, consequential, special, incidental, punitive or exemplary damages, including without limitation, lost profits, lost savings and lost revenues, whether in negligence, tort, contract or any other theory of liability, even if the parties have been advised of the possibility or could have foreseen any such damages.