Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

IoT Security

HDL Smart Devices in Homes and Buildings Exposed to Hacker Attacks

Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.

Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.

The issues, SentinelOne researcher Barak Sternberg explained at the DEF CON conference last week, were identified in an HDL automation system that allows users to control various smart devices within residential, commercial and hospitality environments. HDL Automation has already addressed the reported vulnerabilities.

In addition to relay modules, the HDL system includes an IP-Serial Adapter and a core-server, and is accompanied by HDL BusPro, a desktop application for configuration purposes, and HDL On, an Android app for controlling the smart devices and for additional options.

When creating a new account on the Android application, an additional ‘debug’ user is automatically added, for the extra configuration options, yet users only need to log in with the original username to control their smart devices.

However, an attacker could take over the debug user account — this account’s username has the format username-debug(at)myemail.com — and gain control of the automation system, thus essentially controlling the entire smart home, Sternberg says. For that, the “Forgot password” option can be abused, as it sends a password reset URL that contains the user email, and an attacker can substitute it with an email address of their choice.

Furthermore, if the debug email address does not exist, the attacker can register it and then use the forgot password feature to receive the password reset URL.

The attacker can abuse the technique to take over the debug account, which provides them with control of all smart devices and configurations inside the targeted home or building. Furthermore, because the debug account is typically used only for the initial configuration operations, the compromise could go unnoticed.

In addition to the account takeover issues, the security researcher identified SQL Injection vulnerabilities in the HDL server, and says that one of the bugs could be exploited to easily extract a great deal of sensitive information from the automation system, including emails, user lists, and likely passwords.

Advertisement. Scroll to continue reading.

An attacker could perform SQL Injection to extract all user emails from the database, and then perform password resets for the identified accounts, or only for the debug ones, to ensure stealth.

By hacking a remote server used for configuring office, home or airport smart devices, an attacker could cause serious harm by extracting internal secrets and network configuration, emails and company names, and by gaining control of the smart devices, such as cameras and sensors.

Furthermore, they could add new devices, learn about the Internet of Things (IoT) devices that a company uses, and even gain insight into the firmware versions and other configuration data.

Other possible attacks include denial of service (through removing or encrypting configurations), changing all passwords, controlling AC units to increase the temperature in server rooms and potentially damage the servers, and disabling security cameras and other sensors.

“In some organization an attacker can utilize the hacked credentials, change the configuration of these devices using account takeover over the ‘debug’ user, and then whenever the user updates the system configuration (for the HDL ON app) it will be given new malicious configuration which can be very helpful to an attacker trying to change internal config or gain more private data,” Sternberg notes.

Related: ‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks

Related: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.