A researcher has identified two vulnerabilities affecting Honeywell’s Tuxedo Touch automation controllers. The vendor has released a firmware update to patch the security holes.
Honeywell Tuxedo Touch is designed to allow users to control cameras, thermostats, lights, shades, and locks via a touchscreen or voice commands.
Security researcher Maxim Rupp discovered that the Tuxedo Touch controller is plagued by flaws that can be exploited by an attacker to bypass authentication mechanisms and access restricted pages, and trick legitimate users into issuing various commands.
The authentication bypass flaw (CVE-2015-2847) can be leveraged to defeat the JavaScript checks used by the controller’s web interface to ensure that only authorized users can access restricted pages. The checks can be bypassed simply by ignoring authentication requests from the device.
The second issue (CVE-2015-2848) is a cross-site request forgery (CSRF) vulnerability that can be exploited to issue commands to home automation devices controlled by Tuxedo Touch (e.g. lock or unlock doors). The attack only works if the attacker can trick an authenticated user into executing a malicious request. The attacker’s commands are executed with the privileges of the victim user.
Rupp told SecurityWeek that even an attacker with low skill would be able to exploit the vulnerabilities remotely.
The researcher says he has identified roughly 500 vulnerable devices, most of which are located in the United States, with the aid of the Shodan search engine. The expert believes a more thorough search might reveal approximately 1,000 vulnerable systems.
The security bugs have been patched by Honeywell with the release of firmware version TUXW_V5.2.19.0_VA. The flaws affect all prior firmware versions.
These are not the only vulnerabilities identified by Rupp. Advisories published earlier this year by ICS-CERT credit the expert for finding security holes in XZERES wind turbines.