Multiple critical security vulnerabilities existed in the firmware of three different smart home hubs. These vulnerabilities, upon exploit, could allow remote code execution attacks.
Vulnerabilities Found In Smart Home Hubs
Researchers from ESET IoT Research discovered numerous security vulnerabilities in three different smart home hubs.
As elaborated in their blog post, they found the vulnerabilities in Homematic Central Control Unit (CCU2) firmware version 2.31.25, Fibaro Home Center Lite firmware version 4.170, and eLAN-RF-003 firmware version 2.9.079.
Briefly, all these smart home devices had multiple security bugs. Upon exploitation, these bugs could lead to various consequences. As stated by the researchers,
Potential consequences of these weaknesses include full access to the central and peripheral devices in these monitored systems, and to the sensitive data they contain, unauthenticated remote code execution, and Man-in-the-Middle (MitM) attacks.
What makes these bugs threatening is that these hubs are not only used at homes but also at small offices. Hence, the vulnerabilities pose risk to thousands of customers. Moreover, in the scenario of COVID-19 pandemic, when work-from-home is common, the vulnerabilities are even more threatening.
Partial Fixes Available
Upon finding these bugs, ESET Researchers quickly reached out to the vendors to report the flaws. Following their report, the vendors reacted differently in addressing these issues.
Briefly, eQ-3 patched all the issues within the specified disclosure period.
Fibaro patched most of the bugs within days, whereas Elko addressed some bugs within the disclosure period.
However, they could only do so for newer devices, leaving the old devices vulnerable due to compatibility issues.
While the patches are already out, users must ensure that their devices are running on the latest firmware versions to avoid any potential attacks. Whereas, the users of old devices shall upgrade to the newer ones at the earliest to prevent vulnerabilities.
Let us know your thoughts in the comments.