Search This Blog

Powered by Blogger.

Blog Archive

Labels

ThingsBoard: Default Static Key in IoT Platform Gives Attackers Admin Access

ThingsBoard developers patch a flaw that could apparently enable attackers to acquire administrative access to a server and send requests.


The developers of ThingsBoard, an open-source platform used for managing IoT devices for various industry sectors have recently patched a flaw that could apparently enable attackers to acquire administrative access to a server and send requests. 

The vulnerability, identified as CVE-2023-26462, was detected and reported by IBM Security X-Force researchers. Attackers could fake valid requests that would allow them to appear to the system as higher privileged users, with knowledge of that key, which is much easier to obtain. 

"Because ThingsBoard allowed the default key to be used without requiring administrators to change it, and because that default key was also exposed publicly in the configuration files, the door was opened for attackers to gain unauthorized access in excess of what is intended," stated the X-Force researchers in a report. 

The flaw was later patched in ThingsBoard version 3.4.2 by establishing a random key for each new installation or by upgrading to version 3.4.2 or later. If administrators are unable to upgrade immediately, they can manually alter the earlier versions' default signing key in the configuration file or via the admin dashboard. 

Insecure Implementation of JSON Web Tokens 

JSON Web Token is an internet standard for stateless authentication. It is widely used in mobile and web applications, significantly used if the interactive authentication is impractical, like machine-to-machine or service-to-service communication. Stateless authentications do not require users’ passwords or usernames to be imputed and store the state of a user's session on the server. Instead, it makes use of tokens or tickets that include statements or claims about a user that the server is confident are accurate. 

With the help of JWT, the server generates a token for clients and signs it with its secret key. The payload of that token contains information about the user's identity and permissions. The user or client must provide their signed token along with every request they make in order to execute an operation on the server. 

Through this approach, it is simple to understand the significance of securing the signing key. If not, someone who has access to the server's key might take a payload that is already signed and modify its contents before re-signing it with the server's key and getting it to be recognized as genuine. 

In ThingsBoard’s case, a hacker has the ability to alter the scope value from the JWT, which indicates the user's position on the server and, consequently, the capabilities they are granted. The high-privileged scopes include ones like SYS ADMIN and TENANT ADMIN. On the platform, tenants are subsets of an organization, and a tenant's admin can control all of their devices. Yet, system administrators are in charge of the entire system and can manage every tenant. 

"By editing this role value and generating a new, valid signature for the payload, a user can escalate privileges within the platform to the highest level[…]This grants access throughout the entirety of the platform, including other tenants, users, and devices not affiliated with the original account," the researchers said. "ThingsBoard is just one among many IoT platforms which, much like the devices that connect to them, all deserve further research and scrutiny[…]Adoption of IoT devices in all industries will only continue to grow, and with it the need to ensure security in the platforms managing devices and collecting data."

Share it:

IBM Security X-Force

IoT devices

JSON Web Token

Signing key

ThingsBoard

ThingsBoard version 3.4.2

Vulnerabilities and Exploits