Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

HDL Smart Devices in Homes and Buildings Exposed to Hacker Attacks

Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.

Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.

The issues, SentinelOne researcher Barak Sternberg explained at the DEF CON conference last week, were identified in an HDL automation system that allows users to control various smart devices within residential, commercial and hospitality environments. HDL Automation has already addressed the reported vulnerabilities.

In addition to relay modules, the HDL system includes an IP-Serial Adapter and a core-server, and is accompanied by HDL BusPro, a desktop application for configuration purposes, and HDL On, an Android app for controlling the smart devices and for additional options.

When creating a new account on the Android application, an additional ‘debug’ user is automatically added, for the extra configuration options, yet users only need to log in with the original username to control their smart devices.

However, an attacker could take over the debug user account — this account’s username has the format username-debug(at) — and gain control of the automation system, thus essentially controlling the entire smart home, Sternberg says. For that, the “Forgot password” option can be abused, as it sends a password reset URL that contains the user email, and an attacker can substitute it with an email address of their choice.

Furthermore, if the debug email address does not exist, the attacker can register it and then use the forgot password feature to receive the password reset URL.

The attacker can abuse the technique to take over the debug account, which provides them with control of all smart devices and configurations inside the targeted home or building. Furthermore, because the debug account is typically used only for the initial configuration operations, the compromise could go unnoticed.

In addition to the account takeover issues, the security researcher identified SQL Injection vulnerabilities in the HDL server, and says that one of the bugs could be exploited to easily extract a great deal of sensitive information from the automation system, including emails, user lists, and likely passwords.

An attacker could perform SQL Injection to extract all user emails from the database, and then perform password resets for the identified accounts, or only for the debug ones, to ensure stealth.

By hacking a remote server used for configuring office, home or airport smart devices, an attacker could cause serious harm by extracting internal secrets and network configuration, emails and company names, and by gaining control of the smart devices, such as cameras and sensors.

Furthermore, they could add new devices, learn about the Internet of Things (IoT) devices that a company uses, and even gain insight into the firmware versions and other configuration data.

Other possible attacks include denial of service (through removing or encrypting configurations), changing all passwords, controlling AC units to increase the temperature in server rooms and potentially damage the servers, and disabling security cameras and other sensors.

“In some organization an attacker can utilize the hacked credentials, change the configuration of these devices using account takeover over the ‘debug’ user, and then whenever the user updates the system configuration (for the HDL ON app) it will be given new malicious configuration which can be very helpful to an attacker trying to change internal config or gain more private data,” Sternberg notes.

Related: ‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks

Related: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks

Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.