Vulnerabilities in HDL Automation smart products could be abused to take over user accounts and remotely control devices deployed in homes, commercial buildings or hotels, SentinelOne reports.
The issues, SentinelOne researcher Barak Sternberg explained at the DEF CON conference last week, were identified in an HDL automation system that allows users to control various smart devices within residential, commercial and hospitality environments. HDL Automation has already addressed the reported vulnerabilities.
In addition to relay modules, the HDL system includes an IP-Serial Adapter and a core-server, and is accompanied by HDL BusPro, a desktop application for configuration purposes, and HDL On, an Android app for controlling the smart devices and for additional options.
When creating a new account on the Android application, an additional ‘debug’ user is automatically added, for the extra configuration options, yet users only need to log in with the original username to control their smart devices.
However, an attacker could take over the debug user account — this account’s username has the format username-debug(at)myemail.com — and gain control of the automation system, thus essentially controlling the entire smart home, Sternberg says. For that, the “Forgot password” option can be abused, as it sends a password reset URL that contains the user email, and an attacker can substitute it with an email address of their choice.
Furthermore, if the debug email address does not exist, the attacker can register it and then use the forgot password feature to receive the password reset URL.
The attacker can abuse the technique to take over the debug account, which provides them with control of all smart devices and configurations inside the targeted home or building. Furthermore, because the debug account is typically used only for the initial configuration operations, the compromise could go unnoticed.
In addition to the account takeover issues, the security researcher identified SQL Injection vulnerabilities in the HDL server, and says that one of the bugs could be exploited to easily extract a great deal of sensitive information from the automation system, including emails, user lists, and likely passwords.
An attacker could perform SQL Injection to extract all user emails from the database, and then perform password resets for the identified accounts, or only for the debug ones, to ensure stealth.
By hacking a remote server used for configuring office, home or airport smart devices, an attacker could cause serious harm by extracting internal secrets and network configuration, emails and company names, and by gaining control of the smart devices, such as cameras and sensors.
Furthermore, they could add new devices, learn about the Internet of Things (IoT) devices that a company uses, and even gain insight into the firmware versions and other configuration data.
Other possible attacks include denial of service (through removing or encrypting configurations), changing all passwords, controlling AC units to increase the temperature in server rooms and potentially damage the servers, and disabling security cameras and other sensors.
“In some organization an attacker can utilize the hacked credentials, change the configuration of these devices using account takeover over the ‘debug’ user, and then whenever the user updates the system configuration (for the HDL ON app) it will be given new malicious configuration which can be very helpful to an attacker trying to change internal config or gain more private data,” Sternberg notes.
Related: ‘Find My Mobile’ Vulnerabilities Exposed Samsung Galaxy Phones to Attacks
Related: Vulnerabilities in Qualcomm Chips Expose Billions of Devices to Attacks
Related: Qualcomm, MediaTek Wi-Fi Chips Vulnerable to Kr00k-Like Attacks