Researchers at FireEye's Mandiant Red team recently
detected four vulnerabilities in the Logitech Harmony Hub as improper
certificate validation, an unreliable update process, leaving developer
debugger symbols and images in the production firmware and having a blank root
user password.
These vulnerabilities are found to give the
oppugners root access to the device– enabling attackers to control other smart
home devices connected to it, for instance, smart locks and connected
surveillance cameras.
Joel Hopwood, in a report about the vulnerabilities
posted on Friday said that the exploitation of these vulnerabilities from the
local system could enable an aggressor to control the devices connected to the
Hub and in addition utilize it as an execution space to attack various other
devices on the local network.
Fire Eye analysts revealed the vulnerabilities to
Logitech in January 2018. Logitech discharged a firmware update (4.15.96),
April 10, to address the discoveries made and public disclosure was on May 4.
Researchers first found that the Harmony Hub
disregards invalid SSL declarations and certifications by testing out using
their own particular self-signed certificate to block the HTTPS traffic sent by
the Harmony Hub.
“The Harmony Hub sends its current firmware
version to a Logitech server to determine if an update is available. If an
update is available, the Logitech server sends a response containing a URL for
the new firmware version. Despite using a self-signed certificate to intercept
the HTTPS traffic sent by the Harmony Hub, we were able to observe this process
– demonstrating that the Harmony Hub ignores invalid SSL certificates,” the
researchers wrote.
They were additionally ready to confirm that the
root password of the IoT device was blank which thusly assumed a major part in
granting them complete control over the device after they additionally looked
more about firmware of the Hub's SquashFS file system.
It was a direct result of these two vulnerabilities
that Hopwood later said made it quite easy for him to hijack the Harmony Hub by
means of its update procedure.
“Since we were able to previously observe what
a real update process looked like, we could just simulate a false update to
tell the Hub it has an update and tell it where to download the update from,”
Hopwood told Threatpost. “Then we would download that resource onto the Hub
with our own controlled web server that had a malicious update posted on it.”
Logitech's Harmony Hub is one of numerous unreliable
and insecure IoT devices – from smart thermostats to connected surveillance
cameras. Smart hubs, specifically, extend the potential attack vector since
they go about as a hub for different associated devices across the home.
What's more, because of the way that the Harmony
Hub, in the same way as other IoT gadgets, utilizes a typical processor design,
malevolent devices could without much of a stretch be added to a compromised
Harmony Hub, expanding the general effect of a targeted attack, Hopwood later
included in his post Fire Eye’s Official website.