Two separate vulnerabilities ran the risk of compromising the security of devices developed by Cujo AI. The smart hardware, Cujo Firewall, protects personal devices from online threats. The firewall comes in a small and sleek device, managed through a mobile app.
TechRadar boasts of its capabilities to simultaneously handle up to 50 devices, with a high level of security. It is also cloud-based, consequently minimising the amount of processing the hardware does. Additionally, it instructs the mobile device on what internet traffic to allow and block. Cujo AI recently published a cybersecurity trends report of its own based on perceptions of its customers. It positively contributed to the World Economic Forum Meeting held in Davos Klosters, Switzerland, from the 22nd to 25th of January.
A threat to the threat protector
However, a vulnerability was discovered in its own APIs that connect to the hardware. An article by CJUFail, who exploited the vulnerability, found that it allowed an attacker to enumerate users, carry out DDoS attacks and change the rules and schedules. The last of these can compromise security by letting in unwanted traffic and whitelisting sites that would otherwise be blocked. Cujo Fail listed the following API endpoints as lacking sufficient authorisation checks:
- GET /schedules?profileId=xxxxxxx
- POST /schedules
- PUT /schedules/yyyyyyyy
The PoC video shows, for example, how the API allowed anyone to interfere with anybody's schedule once exploited.
The article estimated that over 7000 devices were affected by this flaw.
A further potential U-Boot vulnerability, found in November last year, was reported by anti-hacking online. U-Boot is the bootloader used to boot the device's operating system kernel. It was vulnerable to a buffer overflow which an attacker could use to execute arbitrary code on the system. The potential risks found were CVE-2018-18439 and CVE-2018-18440. The latter concerns insufficient boundary checks in the filesystem image load. Cujo AI gave no comment at the time of the reporting.
Once the API flaw was reported, Cujo confirmed it had remediated the vulnerability by deploying a hotfix in PROD.
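The control missing from the three schedule routes listed above is an object-level authorisation check: every request must be tied to a profile the caller actually owns. The sketch below is an added example, not Cujo's code or its hotfix; the handler, data layout and account names are hypothetical, and `caller` is assumed to come from an already verified session.

```python
# Constructed in-memory data: profile ownership and stored schedules.
PROFILE_OWNER = {"p-alice": "alice", "p-bob": "bob"}
SCHEDULES = {"s-1": {"profileId": "p-alice", "block": "22:00-06:00"}}


def owns(caller, profile_id):
    """True only when the authenticated caller owns the referenced profile."""
    return profile_id is not None and PROFILE_OWNER.get(profile_id) == caller


def handle(method, path, caller, query=None, body=None):
    """Dispatch the three schedule routes; returns (status, payload).

    `caller` is the account taken from the verified session (assumption),
    never from a client-supplied field.
    """
    query, body = query or {}, body or {}
    if caller is None:
        return 401, None
    if method == "GET" and path == "/schedules":
        pid = query.get("profileId")
        # Unknown and foreign profiles get the same answer, so the
        # endpoint cannot be used to enumerate valid profile ids.
        if not owns(caller, pid):
            return 403, None
        return 200, [s for s in SCHEDULES.values() if s["profileId"] == pid]
    if method == "POST" and path == "/schedules":
        if not owns(caller, body.get("profileId")):
            return 403, None
        sid = f"s-{len(SCHEDULES) + 1}"
        SCHEDULES[sid] = dict(body)
        return 201, sid
    if method == "PUT" and path.startswith("/schedules/"):
        current = SCHEDULES.get(path.rsplit("/", 1)[1])
        # Authorise against the stored owner, not anything in the request.
        if current is None or not owns(caller, current["profileId"]):
            return 404, None  # same answer for "missing" and "not yours"
        # Also refuse to move a schedule onto someone else's profile.
        if "profileId" in body and not owns(caller, body["profileId"]):
            return 403, None
        current.update(body)
        return 200, current
    return 405, None
```
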