Feedback Friday: Industry Experts Comment on Hive Ransomware Takedown

Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

Honeywell Patches Flaws in Tuxedo Touch Home Automation Controller

A researcher has identified two vulnerabilities affecting Honeywell’s Tuxedo Touch automation controllers. The vendor has released a firmware update to patch the security holes.

Honeywell Tuxedo Touch is designed to allow users to control cameras, thermostats, lights, shades, and locks via a touchscreen or voice commands.

A researcher has identified two vulnerabilities affecting Honeywell’s Tuxedo Touch automation controllers. The vendor has released a firmware update to patch the security holes.

Honeywell Tuxedo Touch is designed to allow users to control cameras, thermostats, lights, shades, and locks via a touchscreen or voice commands.

Honeywell Tuxedo Touch

Security researcher Maxim Rupp discovered that the Tuxedo Touch controller is plagued by flaws that can be exploited by an attacker to bypass authentication mechanisms and access restricted pages, and trick legitimate users into issuing various commands.

The authentication bypass flaw (CVE-2015-2847) can be leveraged to defeat the JavaScript checks used by the controller’s web interface to ensure that only authorized users can access restricted pages. The checks can be bypassed simply by ignoring authentication requests from the device.

The second issue (CVE-2015-2848) is a cross-site request forgery (CSRF) vulnerability that can be exploited to issue commands to home automation devices controlled by Tuxedo Touch (e.g. lock or unlock doors). The attack only works if the attacker can trick an authenticated user into executing a malicious request. The attacker’s commands are executed with the privileges of the victim user.

Rupp told SecurityWeek that even an attacker with low skill would be able to exploit the vulnerabilities remotely.

The researcher says he has identified roughly 500 vulnerable devices, most of which are located in the United States, with the aid of the Shodan search engine. The expert believes a more thorough search might reveal approximately 1,000 vulnerable systems.

The security bugs have been patched by Honeywell with the release of firmware version TUXW_V5.2.19.0_VA. The flaws affect all prior firmware versions.

These are not the only vulnerabilities identified by Rupp. Advisories published earlier this year by ICS-CERT credit the expert for finding security holes in XZERES wind turbines.

Related: Learn more at the ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Mobile & Wireless

Two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Several vulnerabilities have been patched in OpenText’s enterprise content management (ECM) product.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.