Bluetooth flaw exposes countless devices to BIAS attacks

As many as 30 smartphones, laptops and other devices were tested – and all were found to be vulnerable

A team of researchers has unveiled a new vulnerability in the Bluetooth wireless communication protocol that exposes a wide range of devices, such as smartphones, laptops, and smart-home devices, to the so-called Bluetooth Impersonation AttackS (BIAS).

Since the attacks are made possible by flaws in the Bluetooth Classic specification, any standard-compliant Bluetooth device can be expected to be vulnerable, according to Daniele Antonioli, Kasper Rasmussen, and Nils Ole Tippenhauer, who made the discovery and described their findings in a technical paper.

The researchers tested the security weakness on a variety of devices, including laptops, tablets, and smartphones from popular consumer brands that were equipped with different versions of the Bluetooth protocol. “We conducted BIAS attacks on more than 28 unique Bluetooth chips (by attacking 30 different devices). At the time of writing, we were able to test chips from Cypress, Qualcomm, Apple, Intel, Samsung and CSR. All devices that we tested were vulnerable to the BIAS attack.”

Here’s the list of the devices tested (image not reproduced here; source: francozappa.github.io).

BIAS attacks are the first attacks shown to bypass Bluetooth’s authentication procedures, which take place during the establishment of a secure connection, said the team. The flaws exploited by the attacks include a lack of integrity protection, encryption, and mutual authentication.

During pairing, the two devices generate a long-term key that binds them together. Thereafter, each time a secure connection is established, a different session key is derived from the long-term key and other public parameters.

Using the flaw, the attacker is then able to impersonate one of the devices that has gone through the authentication process and paired with the other device, without knowing the long-term key. The attackers can then take control of or steal sensitive data from the other device.
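To make the two preceding paragraphs concrete, here is an added illustration (not code from the researchers or from any Bluetooth stack) of why mutual authentication matters. It models a session key derived from a shared long-term key and public nonces, then compares a procedure in which both devices must answer a challenge with a one-sided procedure in which only the prover is challenged. The keys, the HMAC-based derivation and the role tags are constructed assumptions; this is the general principle, not Bluetooth’s actual authentication messages.

```python
import hashlib
import hmac
import secrets

# Constructed keys: the long-term key (LTK) two paired devices share, and an
# unrelated key held by an impersonator that never paired with either of them.
LTK_PAIRED = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
KEY_IMPERSONATOR = bytes.fromhex("ffeeddccbbaa99887766554433221100")


def derive_session_key(ltk, nonce_a, nonce_b):
    """Derive a per-connection session key from the LTK and two public nonces.
    HMAC-SHA256 stands in for the real key-derivation function (an assumption)."""
    return hmac.new(ltk, b"session-key" + nonce_a + nonce_b, hashlib.sha256).digest()


def prove(session_key, challenge, role):
    """Answer a challenge with a keyed MAC; the role tag stops an answer from
    being replayed in the opposite direction."""
    return hmac.new(session_key, role + challenge, hashlib.sha256).digest()


def local_accepts_peer(key_local, key_peer, mutual, peer_is_verifier):
    """Decide whether the local (genuine) device accepts the peer.
    mutual=True: the local device always challenges the peer, whatever role
    the peer claimed, so a peer without the right key is always caught.
    mutual=False: only the verifier issues a challenge; if the peer claimed that
    role, the local device merely answers and never gets to check the peer."""
    if not mutual and peer_is_verifier:
        challenge_from_peer = secrets.token_bytes(16)
        prove(key_local, challenge_from_peer, b"prover")  # local side answers...
        return True                                        # ...and accepts unchecked
    challenge_to_peer = secrets.token_bytes(16)
    peer_answer = prove(key_peer, challenge_to_peer, b"prover")
    expected = prove(key_local, challenge_to_peer, b"prover")
    return hmac.compare_digest(peer_answer, expected)


def run_connection(ltk_local, key_peer, mutual, peer_is_verifier):
    """One connection set-up: fresh public nonces, a session key on each side,
    then the authentication step. Returns True if the local device accepts."""
    nonce_a, nonce_b = secrets.token_bytes(8), secrets.token_bytes(8)
    sk_local = derive_session_key(ltk_local, nonce_a, nonce_b)
    sk_peer = derive_session_key(key_peer, nonce_a, nonce_b)
    return local_accepts_peer(sk_local, sk_peer, mutual, peer_is_verifier)


if __name__ == "__main__":
    for mutual in (True, False):
        for peer_is_verifier in (False, True):
            accepted = run_connection(LTK_PAIRED, KEY_IMPERSONATOR, mutual, peer_is_verifier)
            print(f"mutual={mutual} peer_is_verifier={peer_is_verifier}: "
                  f"impersonator accepted = {accepted}")
```

The only case in which the genuine device accepts a peer that does not hold the long-term key is the one-sided procedure with the peer in the verifier role: the genuine device proves itself and is never given the chance to demand proof in return. That asymmetry is what a mutual challenge removes.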

An example of how BIAS attacks work is shown in the researchers’ video (not reproduced here).

In the spirit of responsible disclosure, the researchers contacted Bluetooth Special Interest Group (Bluetooth SIG). The organization, which oversees the development of Bluetooth standards, acknowledged the flaw. If you’re unsure whether your device is vulnerable, the team offers the following clarification:

“After we disclosed our attack to industry in December 2019, some vendors might have implemented workarounds for the vulnerability on their devices. So, the short answer is: if your device was not updated after December 2019, it is likely vulnerable. Devices updated afterwards might be fixed.”

Antonioli, Tippenhauer and Rasmussen have a history with Bluetooth vulnerabilities, since they found and disclosed the Key Negotiation of Bluetooth (KNOB) attack in August 2019. The researchers theorized that a BIAS and KNOB attack used in tandem could have serious consequences. Describing the combination as novel and powerful, they plotted out an example of such an attack, saying: “For example, the attacker can impersonate the recipient of a sensitive file and recover the plaintext, or impersonate an unlocker and unlock a device by sending encrypted commands.”

Earlier this year, a critical bug was discovered in Android’s Bluetooth implementation, which allowed remote code execution without user interaction. Google rolled out an update to fix the bug.



Amer Owaida


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Microsoft fixes vulnerability affecting all Windows versions since 1996

Another vulnerability in the same Windows component was abused by Stuxnet a decade ago

A vulnerability in a decades-old Windows component that controls printing on machines running the operating system could be abused by malicious actors to gain elevated privileges on the targeted system, according to security researchers Yarden Shafir and Alex Ionescu.

The flaw, which they dubbed PrintDemon, resides in Windows Print Spooler and affects all Windows versions since Windows NT 4.0, released in 1996. The component has remained largely unchanged since; another vulnerability affecting it was abused by the infamous Stuxnet a decade ago.

“An elevation of privilege vulnerability exists when the Windows Print Spooler service improperly allows arbitrary writing to the file system. An attacker who successfully exploited this vulnerability could run arbitrary code with elevated system privileges. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” said Microsoft. Windows 7, 8.1, 10, and Windows Server 2008, 2012, 2016, and 2019 all contained the vulnerability.

Indexed as CVE-2020-1048, the flaw cannot be abused remotely, however. Microsoft deemed its exploitation as not particularly likely and said that an attacker would need to log on to an affected system and use a specially written script or application. The vulnerability can be abused to elevate privileges, bypass endpoint detection and response rules, and gain persistence.

Peleg Hadar and Tomer Bar from SafeBreach Labs have been credited with the discovery of the flaw.

As part of this month’s Patch Tuesday, which plugged a total of 111 security holes, Microsoft changed how the Windows Print Spooler Component writes data to the file system. You’re best advised to download and apply the update. No patch is available for systems past end of life, however.



Amer Owaida



Thunderbolt flaws open millions of PCs to physical hacking

A new attack method enables bad actors to access data on a locked computer via an evil maid attack within 5 minutes

Millions of computers sporting Intel’s Thunderbolt ports are open to hands-on hacking attempts due to vulnerabilities in this hardware interface, according to research by Björn Ruytenberg, a security researcher at Eindhoven University of Technology in The Netherlands. Dubbed Thunderspy, the attack method affects Thunderbolt-equipped machines manufactured between 2011 and 2020 and is a concern with machines running any of the three major operating systems – Windows, Linux and, to a lesser extent, macOS.

To snatch data from a PC through a so-called evil maid attack, all a bad actor would need is a few minutes, physical access to the device, and some off-the-shelf equipment. “All the evil maid needs to do is unscrew the backplate, attach a device momentarily, reprogram the firmware, reattach the backplate, and the evil maid gets full access to the laptop,” Ruytenberg told Wired, adding that the whole process could be managed within five minutes. A total of 7 vulnerabilities were found to affect Thunderbolt versions 1 through 3, and they’re all listed in detail in the research paper.

The attack method works even if you follow cybersecurity best practices, such as locking your computer when stepping out for a moment and using strong passwords and measures such as full disk encryption. Above all, the attack leaves no traces.

As a proof of concept, Ruytenberg developed a firmware patching toolkit called Thunderbolt Controller Firmware Patcher (tcfp), which allows him to disable Thunderbolt security without accessing the machine’s BIOS or operating system. Since all of this takes place covertly and the changes aren’t reflected in BIOS, the victim remains none the wiser.

Ruytenberg also developed another tool, called SPIblock. Using it in tandem with tcfp, he managed to disable Thunderbolt security for good and block all future firmware updates, all the while remaining undetected.

Thunderbolt security was also in the limelight last year, when a team of researchers was able to uncover a collection of vulnerabilities they named Thunderclap. Fortunately, those could be mitigated by security options, called “Security Levels”, that were already available at the time.

Not so much with Thunderspy, as this attack method circumvents these security settings. On the other hand, what does guard against it is Kernel Direct Memory Access (DMA) protection that was introduced in 2019, as Intel states in its response to the published report.

Ruytenberg concludes that an update won’t be enough to fix the issue: “The Thunderspy vulnerabilities cannot be fixed in software, impact future standards such as USB 4 and Thunderbolt 4, and will require a silicon redesign.”

If you’re worried that your computer may be susceptible to an attack, you can use Spycheck, a tool specifically developed by the researcher to scan for Thunderspy vulnerabilities. To protect yourself, you shouldn’t leave your computer unattended while powered on even if you locked the screen; the same applies to your Thunderbolt peripherals. Ruytenberg also recommends disabling your Thunderbolt ports entirely in BIOS, which would render them inoperable but should keep you safe.



Amer Owaida



Almost a million WordPress websites targeted in massive campaign

An unknown threat actor is exploiting vulnerabilities in plugins for which patches have been available for months, or even years

More than 900,000 WordPress websites have been targeted by an unidentified bad actor in a large-scale hacking campaign over the past week. Defiant, which makes Wordfence security plugins for the web publishing platform, said that it started noticing and tracking a spike in attacks targeting especially Cross-Site Scripting (XSS) vulnerabilities on April 28th. The large-scale campaign ultimately resulted in a 30-fold increase in attack traffic.

Based on the malicious payload, Defiant suspects that most of these attacks are being carried out by a single malicious actor. According to Wordfence QA engineer Ram Gall, the cybercriminal started off with a small volume of attacks and didn’t ramp up their efforts until last week, with the campaign peaking at 20 million attempted attacks against more than half a million websites on May 3rd.

“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” he added. The ne’er-do-well targets Cross-Site Scripting (XSS) as well as other vulnerabilities in an attempt to inject malicious code into the websites that then redirect visitors to malvertising sites.

It is worth noting that security updates are available for the flaws under exploitation, and that the patches were rolled out months and, in some cases, even years ago.

Three of the five targeted vulnerabilities are XSS related. One of them affects the Easy2Map plugin, which accounted for more than half of the attacks and is likely installed on fewer than 3,000 websites. The second security hole resides in Blog Designer and was patched last year; it has been targeted before and Defiant estimates that there are approximately 1,000 vulnerable installations. The third XSS vulnerability is found in the Newspaper theme, which has also been at the center of attacks in the past and has been patched since 2016.

The last two are options update vulnerabilities. One affects the WP GDPR Compliance plugin, which has been patched since 2018; we previously wrote about a campaign that attempted to seize control of websites using the plugin. The other affects the Total Donations plugin, which was permanently pulled from the Envato Marketplace in 2019. Each of these vulnerabilities allows hackers to change the site’s home web address.

The researchers suspect that the attacker is skilled enough to target other vulnerabilities in the future. The best advice for WordPress site admins is as old as the hills: keep the core WordPress software and all plugins up-to-date. It’s also important to ditch any abandoned or no-longer-needed plugins, since they only increase the attack surface of a WordPress installation.



Amer Owaida



Microsoft Teams flaw could let attackers hijack accounts

Microsoft plugs a security hole that could have enabled attackers to weaponize a GIF in order to hijack Teams accounts and steal data

Microsoft has fixed a security flaw in Microsoft Teams that, if left unaddressed, could have been exploited to take over user accounts. By hijacking a Teams account, bad actors might eventually traverse the organization and gather data from Teams accounts, ranging from confidential information and passwords to business plans, according to researchers from CyberArk.

With companies recently forced to switch to working remotely due to the COVID-19 pandemic, their IT departments were faced with the challenge of how to make the switch to home office safe. Resolving communication was a cornerstone issue, with a large number opting to use one of the premier platforms such as Zoom, Microsoft Teams, or Slack. This has, in turn, put the platforms and their users in the crosshairs of cybercriminals.

CyberArk has now described a possible attack scenario: “We found that by leveraging a sub-domain takeover vulnerability in Microsoft Teams, attackers could have used a malicious GIF to scrape user’s data and ultimately take over an organization’s entire roster of Teams accounts.” The sub-domains that were vulnerable to takeover were aadsync-test.teams.microsoft.com and data-dev.teams.microsoft.com.

“If an attacker can somehow force a user to visit the sub-domains that have been taken over, the victim’s browser will send this cookie to the attacker’s server and the attacker (after receiving the authtoken) can create a skype token. After doing all of this, the attacker can steal the victim’s Teams account data,” reads the article.
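The quoted scenario hinges on a browser rule: a cookie set for a parent domain is sent to every subdomain, including one whose DNS record has been left dangling and taken over. The following added example (not CyberArk’s or Microsoft’s code) uses Python’s standard-library cookie policy to show that rule, and contrasts a domain-wide cookie with a host-only cookie that is never sent to sibling subdomains. All host names and the cookie name are constructed for the example; example.com stands in for the real application domain.

```python
import http.cookiejar
import urllib.request


def make_cookie(name, value, domain, host_only):
    """Build a Netscape-style cookie as a browser would store it.
    host_only=True models a cookie with no Domain attribute: sent to that exact host only.
    host_only=False models Domain=<domain>: sent to the domain and every subdomain."""
    return http.cookiejar.Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=not host_only,
        domain_initial_dot=domain.startswith("."),
        path="/", path_specified=True,
        secure=True, expires=None, discard=True,
        comment=None, comment_url=None, rest={}, rfc2109=False,
    )


def cookie_sent_to(cookie, url):
    """Ask the standard-library cookie policy whether a request to `url` would carry the cookie."""
    jar = http.cookiejar.CookieJar()
    jar.set_cookie(cookie)
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie") is not None


# Constructed names: app.example.com is the legitimate host; dangling.example.com is a
# subdomain whose DNS record points at infrastructure the owner no longer controls.
WIDE = make_cookie("authtoken", "constructed-token", ".example.com", host_only=False)
HOST_ONLY = make_cookie("authtoken", "constructed-token", "app.example.com", host_only=True)


def leak_report():
    """Where each cookie would travel. The 'wide -> dangling' entry is the leak the article describes."""
    return {
        "wide -> app": cookie_sent_to(WIDE, "https://app.example.com/"),
        "wide -> dangling": cookie_sent_to(WIDE, "https://dangling.example.com/"),
        "host-only -> app": cookie_sent_to(HOST_ONLY, "https://app.example.com/"),
        "host-only -> dangling": cookie_sent_to(HOST_ONLY, "https://dangling.example.com/"),
    }


if __name__ == "__main__":
    for route, sent in leak_report().items():
        print(f"{route:22s} sent={sent}")
```

Two defensive takeaways follow directly: scope authentication cookies to the host that needs them rather than to the parent domain, and treat every CNAME or A record that points at decommissioned infrastructure as a live risk, because any cookie scoped to the parent domain will reach whoever ends up answering for that name.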


Exploitation of the vulnerability would have involved sending the victims a malicious GIF file. Worryingly, even viewing the GIF would have been enough to be affected, and the attack could spread automatically, in a worm-like fashion. The flaw is said to have been present in both the desktop and web browser versions of Teams.

CyberArk disclosed its findings to Microsoft on March 23rd, with the tech giant acting quickly and correcting the misconfigured Domain Name System (DNS) records on the same day. On April 20th, Microsoft issued a patch for Teams. Apparently, no attacks were spotted in the wild.

Zoom, one of Teams’ key competitors in the communication and collaboration arena, has had its share of privacy and security issues of late. Also, those findings came after half a million Zoom accounts were offered for sale on the dark web, although this was not due to any kind of breach of Zoom’s defenses.



Amer Owaida



Hackers abuse Sophos Firewall zero-day vulnerability


Sophos, a UK cybersecurity company famous for its anti-virus products, released an emergency security update this Saturday to combat a zero-day vulnerability exploited by hackers in its XG enterprise firewall product.

The company became aware of the vulnerability on Wednesday, after one of its customers reported “a suspicious field value visible in the management interface”, and released an update containing the patch for the vulnerability.

The vulnerability: an SQL injection bug

“The attack used a previously unknown SQL injection vulnerability to gain access to exposed XG devices,” Sophos said.

The hackers attacked Sophos XG Firewall devices whose administration or user portal control panel was exposed on the internet. They used the SQL injection vulnerability in XG Firewall devices to download a payload onto the device that stole data such as usernames and passwords for the firewall device admin, portal admins, and user accounts used for remote access, as well as the firewall’s license and serial number.

Sophos says that during its investigation it found no evidence that the hackers accessed anything beyond the firewall, nor that the malware accessed any other devices. It named the malware Asnarok.

Patches already applied to user devices

The company has already pushed the patches as an automatic update to all XG Firewall devices that had the auto-update feature enabled. “This hotfix eliminated the SQL injection vulnerability which prevented further exploitation, stopped the XG Firewall from accessing any attacker infrastructure, and cleaned up any remnants from the attack,” it said. The update also shows a message in the firewall control panel telling the user whether or not their device was compromised.

Sophos recommends the following steps, mainly focused on resetting passwords and rebooting, for companies whose devices were hacked:

  1. Reset portal and device administrator accounts.
  2. Reboot the infected firewall device.
  3. Reset all passwords of user accounts.

“Sophos also recommends that companies disable the firewall’s administration interfaces on the internet-facing ports if they don’t need the feature,” writes ZDNet.



iOS Mail app flaws may have left iPhone users vulnerable for years

A pair of vulnerabilities in the default email app on iOS devices is believed to have been exploited against high-profile targets

Apple’s iOS Mail app, which comes pre-installed on all iOS devices, has been found to contain two severe security vulnerabilities that, if exploited, could enable hackers to steal the victims’ data.

In fact, the attackers have leveraged these flaws for attacks against various targets, including a European journalist, a Japanese executive, and individuals from an undisclosed Fortune 500 company among others, said ZecOps researchers, who uncovered the flaws. Some of the attacks are thought to go back all the way to January 2018.

“Successful exploitation of this vulnerability would allow the attacker to leak, modify, and delete emails. Additional kernel vulnerability would provide full device access – we suspect that these attackers had another vulnerability,” said the company.

The security flaws allow attackers to remotely compromise a device by sending an email that will consume high amounts of the device’s memory – without actually requiring a large email to do so. The vulnerability can be triggered before the whole email is downloaded, although the trigger varies depending on the iOS version the device is running.

On devices running iOS 13, the vulnerability can be triggered by an unassisted, or ‘zero-click’, attack; the only requirement is that the Mail app be running in the background. On iOS 12, meanwhile, the victim would have to click on the email. These aren’t the only two iOS versions that are vulnerable: devices running iOS 6 and above are all susceptible to the attack, while older versions haven’t been checked.

Once the vulnerability has been exploited, on iOS 12 the Mail app would appear sluggish and would sometimes even crash. On iOS 13, it would manifest as a temporary slowdown of the Mail app. In the case of a failed attack, the emails sent by the hacker would show “This message has no content.”

ESET Security Specialist Jake Moore said that the flaw is unlikely to have been used to target people en masse: “For complete remote access to occur under the radar it will have most likely been used for highly-targeted attacks on high-profile victims. Although this is a very professionally designed secret hack, it would be very unlikely that it was used en masse. Some flaws are kept even further underground amongst cybercriminals and keep certain exclusive vulnerabilities to themselves, so law enforcement and developers are kept in the dark – hence this particular defect has not been spotted for years. This particular flaw will be patched in the next update, so make sure you have your phone set to auto-update to the next version.”

The researchers alerted Apple to the two vulnerabilities and it has developed a fix that is currently available as the iOS 13.4.5 beta. This means the patch is not yet widely available, since beta versions are mainly aimed at developers. For the time being, you can mitigate the issue by using other email clients.

Last year, Apple had to rush a fix for a FaceTime spying bug.



Amer Owaida



Serious flaws found in multiple smart home hubs: Is your device among them?

In worst-case scenarios, some vulnerabilities could even allow attackers to take control over the central units and all peripheral devices connected to them

ESET IoT Research has found numerous serious security vulnerabilities in three different home hubs – Fibaro Home Center Lite, Homematic Central Control Unit (CCU2) and eLAN-RF-003. These devices are used to monitor and control smart homes and other environments in thousands of households and companies across Europe and beyond. Potential consequences of these weaknesses include full access to the central and peripheral devices in these monitored systems, and to the sensitive data they contain, unauthenticated remote code execution, and Man-in-the-Middle (MitM) attacks. While these hubs are predominantly used in home and small office environments, they also open a potential attack vector for enterprises. This trend is even more worrisome as more employees are working from home these days.

We have reported our findings described in this blogpost to the respective manufacturers. Fibaro has proven to be extraordinarily cooperative, fixing most of the reported issues within days. eQ‑3 followed the standard disclosure procedure and patched its devices within the standard 90-day period. Elko has patched some of the reported vulnerabilities of their device within the standard 90-day period. Other issues may have been fixed in newer generations of the devices but remain in the older ones, with the vendor claiming hardware and compatibility limitations.

The issues described in this article have been reported to the vendors – who have then released patches for most of them – in 2018. The publication has been delayed due to our focus on research into other vulnerabilities that were still active. Nonetheless, with the current heightened requirement for IoT security, we are releasing this compilation of older findings to further advise all owners of the affected devices to apply the latest updates to their devices to increase their security and reduce exposure to outside attacks.

Fibaro Home Center (HC) Lite

Figure 1. Fibaro Home Center (HC) Lite tested by ESET IoT Research team

Fibaro Home Center Lite is a home automation controller, designed to control a wide variety of peripheral devices in a smart home. Among other things, the manufacturer’s website promises simple setup and configuration, a user-friendly web interface, and compatibility with a range of sensors, actuators, remotes, IP cameras, and the popular home assistants Google Home and Amazon Alexa.

However, a thorough inspection of the device (firmware version 4.170) by the ESET IoT Research team uncovered a mixture of serious vulnerabilities that could have opened the door for outside attackers.

One combination of the flaws we found even allowed an attacker to create an SSH backdoor and gain full control over the targeted device.

Other issues we uncovered included:

  • TLS connections were vulnerable to MitM attacks (due to missing certificate validation), allowing the attackers to:
    • Use command injection
    • Gain root access by brute forcing a very short, hardcoded password stored in the file /etc/shadow in the device’s firmware.
  • The hardcoded password salt (used by the SQLite database, which stores usernames and passwords) was easily accessible via Fibaro’s web interface scripts, allowing an attacker to replace user passwords and create new ones.
  • Requests to the device’s weather service (API) leaked the exact GPS coordinates of the device, since they were sent as part of unencrypted HTTP communications.

Fibaro Home Center Lite vulnerability

As designed, the remote management connection between Fibaro Home Center Lite and its cloud server is secured via a standard SSH tunnel, created in two steps:

  1. Fibaro Home Center Lite sends two separate TLS-encrypted requests asking for the SSH server’s hostname and listening port, as seen in Figure 1.
  2. Based on the information returned, Fibaro Home Center Lite creates a secured connection via an SSH tunnel to the specified SSH server.

Figure 2. TLS-encrypted requests sent by Fibaro Home Center Lite, vulnerable to MitM attack.

The full command from the device’s initialization shell script that is responsible for processing the data returned from these requests is as follows:

screen -d -m -S RemoteAccess ssh -y -K 30 -i /etc/dropbear/dropbear_rsa_host_key -R $PORT_Response:localhost:80 [email protected]$IP_Response

The response values are passed to the command via the $IP_Response and $PORT_Response variables. Normally, this would allow the device to create an SSH tunnel through which it would forward its HTTP port 80 to the specified port on the remote SSH server.

Figure 3. TLS-encrypted requests sent by Fibaro Home Center Lite, vulnerable to MitM attack.

Gaining access to Fibaro Home Center Lite

To successfully infiltrate the process described above, ESET researchers created their own server that would accept the public key of the targeted device, to mimic the original Fibaro server (lb-1.eu.ra.fibaro.com). This MitM server (subsequently referred to as ) uses port 666 for the attack and is set to accept the public key sent by Fibaro Home Center Lite – which we obtained from previous communication with the device.

Connection between Fibaro Home Center Lite and the MitM server is established due to Fibaro Home Center Lite failing to perform certificate verification on some TLS connections with the server, allowing any attacker to use fake certificates signed by their proxy server.

To make matters worse, intercepted TLS requests – intended to create the SSH tunnel between the device and the legitimate server – are vulnerable to command injection. By using the MitM server, attackers can replace the address of the original server lb-1.eu.ra.fibaro.com with whatever they wish. For example, the attacker can generate a malicious response with a command injection of the form 0n-Jn/usr/sbin/dropbear${IFS}-p${IFS}666, which causes the respective command from the initialization shell script to fail and subsequently to open an SSH backdoor to Fibaro Home Center Lite.

After a while, Fibaro Home Center Lite requests the server’s IP address once again. Again, the request can be intercepted by the attacker and answered with the following: n-R 6666:localhost:666.

On Fibaro Home Center Lite, this response is passed to the initialization shell script command, which results in creation of the intended SSH tunnel originally meant for the forwarding of port 80. Also, another tunnel is created, through which the attacker’s SSH backdoor port is forwarded. This reroutes the communication from both ports (SSH 666, HTTP 80) to the attacker’s MitM server. From this point on, the attacker has root access to Fibaro Home Center Lite. The next section mentions how to get the root password.
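The root cause in the sequence above is that two values returned by the cloud service are spliced, unvalidated, into a shell command line. The following added example (not Fibaro’s code, and not the patched firmware) shows the defensive shape of that step: each response is checked against a strict grammar before use, and the command is assembled as a list of discrete arguments so that no shell ever interprets the values. The tunnel username, the `tunnel` default, is a placeholder because the page does not show the real one; the other flags are the ones in the initialization command quoted above. Both injection strings from this section are used to show the validators rejecting them.

```python
import ipaddress
import re

# Strict RFC 1123-style hostname grammar (an assumption for this example): labels of
# letters, digits and hyphens, not starting or ending with a hyphen, plus an alphabetic TLD.
HOSTNAME_RE = re.compile(
    r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}", re.IGNORECASE
)


def validate_host(value):
    """Accept an IP literal or a well-formed hostname; reject anything else
    (shell metacharacters, ${IFS}, slashes, whitespace all fail both checks)."""
    value = value.strip()
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        pass
    if len(value) <= 253 and HOSTNAME_RE.fullmatch(value):
        return value.lower()
    raise ValueError(f"rejected server address from cloud response: {value!r}")


def validate_port(value):
    """Accept only a decimal TCP port in 1..65535."""
    value = value.strip()
    if not re.fullmatch(r"[0-9]{1,5}", value):
        raise ValueError(f"rejected port from cloud response: {value!r}")
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def build_tunnel_argv(ip_response, port_response, user="tunnel",
                      key_file="/etc/dropbear/dropbear_rsa_host_key"):
    """Hardened counterpart of the page's initialization command. The two cloud-supplied
    values are validated first and then become discrete argv entries, so they are never
    parsed by a shell. Execute with subprocess.Popen(argv), never os.system(' '.join(argv))."""
    host = validate_host(ip_response)
    port = validate_port(port_response)
    return ["ssh", "-y", "-K", "30", "-i", key_file,
            "-R", f"{port}:localhost:80", f"{user}@{host}"]


def safe_to_use(ip_response, port_response):
    """Convenience check for a watchdog: True only if both responses pass validation."""
    try:
        build_tunnel_argv(ip_response, port_response)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(build_tunnel_argv("lb-1.eu.ra.fibaro.com", "2222"))
    for bad_host, bad_port in [("0n-Jn/usr/sbin/dropbear${IFS}-p${IFS}666", "2222"),
                               ("lb-1.eu.ra.fibaro.com", "n-R 6666:localhost:666")]:
        print(bad_host, bad_port, "->", safe_to_use(bad_host, bad_port))
```

Validation alone does not replace the missing TLS certificate check: a server that is not authenticated can still redirect the tunnel to a host it controls. It does, however, close the command-injection path, which is the part of this attack that turned a redirected tunnel into a root backdoor.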

Exploitation of Fibaro Home Center Lite

Another issue found by ESET researchers was that firmware updates were downloaded over plain HTTP, and the update mechanism also exposed a direct link to the firmware file. If attackers downloaded that file and inspected /etc/shadow from the firmware image, they would find the hardcoded root password, valid for all Fibaro Home Center Lite devices. Apart from the password being hashed with the long-deprecated MD5 algorithm, it was also only a few characters long and thus trivially brute forced.

Another option for the attacker is to manipulate user credentials for the web interface, stored in an SQLite database on Fibaro Home Center Lite. These passwords are stored SHA-1 hashed, created from the supplied password salted with a hardcoded string that can easily be extracted from a script in the firmware image file. Using the salt, an attacker can rewrite existing credentials in the appropriate row of the Home Center Lite’s SQLite database located at /mnt/user_data/db, rendering the legitimate password invalid.

ESET researchers reported all these issues and vulnerabilities to the manufacturer. Patches were released in August 2018. The patched home controllers now verify server certificates and disallow command injections. The easily brute-forceable root password has also been replaced with a longer and more secure alternative.

The only remaining issue at the time of this writing is the hardcoded salt string used to create the SHA-1 hash of the password. For the full timeline please refer to the table at the end of the blogpost.
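Why a hardcoded salt is still listed as an open issue deserves a worked illustration. The added example below (not Fibaro’s code) contrasts the scheme the page describes, SHA-1 over a fixed salt, with per-user random salts and a slow key-derivation function, and adds the check a migration would need to find rows still in the old format. The salt string and database layout are constructed; the page does not disclose the real values.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the fixed salt string that could be read out of a firmware script.
HARDCODED_SALT = b"constructed-fixed-salt"


def legacy_password_hash(password):
    """The scheme the page describes: SHA-1 over a fixed salt plus the password.
    The salt is identical for every user on every device, so the stored value for any
    chosen password is computable by anyone who has read the salt once, and identical
    passwords produce identical rows across all devices."""
    return hashlib.sha1(HARDCODED_SALT + password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=200_000):
    """Hardened form: a fresh random salt per user and PBKDF2-HMAC-SHA256 with a
    work factor. Salt and iteration count are stored alongside the digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unknown hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, min_iterations=200_000):
    """True for rows still in the legacy format (a bare 40-hex-char SHA-1 with no
    stored salt) or hashed with a work factor below the current minimum."""
    if "$" not in stored:
        return True
    _, iterations, _, _ = stored.split("$")
    return int(iterations) < min_iterations


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("legacy (same on every device):", legacy_password_hash(pw))
    print("hardened, run 1:", hash_password(pw))
    print("hardened, run 2:", hash_password(pw))  # differs because the salt differs
```

The rehash check is what makes the fix deployable on an existing fleet: a user whose row is still in the old format is re-hashed at the next successful login, so the weak rows disappear without a forced password reset.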

Homematic Central Control Unit (CCU2)

Figure 4. Homematic Central Control Unit (CCU2) tested by ESET IoT Research team

Homematic CCU2 is advertised by eQ‑3 as the central element of the user’s smart home system, “offering a whole range of control, monitoring and configuration options for all the Homematic devices in the installation”. According to a Shodan search (see Figure 5), thousands of these home hubs are deployed and accessible from the internet, mainly in European households and companies.

Figure 5. Shodan data showing the publicly accessible Homematic CCU2 devices (April 21, 2020)

Homematic CCU2 (firmware version 2.31.25) displayed serious security flaws during our testing. The most severe one was the ability of an attacker to perform unauthenticated remote code execution (RCE) as root user.

This flaw had serious security implications, allowing attackers to gain full access to Homematic CCU2 devices and potentially also to connected peripheral devices. This was possible via numerous shell commands misusing the RCE vulnerability.

The vulnerability originated in a Common Gateway Interface (CGI) script that handles the logout procedure of the Homematic CCU2's web-based administration interface. The $sid (session ID) parameter was not properly escaped, enabling an attacker to inject malicious code and run arbitrary shell commands as the root (administrator) user. As the logout script did not check that it was processing a request from a currently logged-in session, an attacker could make an unlimited number of these requests without ever having to log into the device.

Figure 6. The code snippet where the logout RCE issue originates.

Figure 7. Code snippet where the $sid value is not escaped properly.

The code could be injected in a simple request through the $sid parameter:

http://device_ip/api/backup/logout.cgi?sid=aa");system.Exec("");system.ClearSessionID("bb

This resulted in the following interpretation and execution of the code:

system.ClearSessionID("aa");system.Exec("");system.ClearSessionID("bb");

Using this, an attacker could create a working exploit that:

  1. Sets a new root password.
  2. Enables SSH, if disabled.
  3. Starts the SSH daemon.
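As an added illustration (not the vendor's CGI code), the mock below shows the unescaped splice beside a hardened variant that allow-lists the $sid value and requires a live session before emitting any script, plus a log check that flags logout requests carrying characters a real session id would never contain. The allow-list pattern, the session store and the log format are assumptions; the injected value is the one quoted in the text.

```python
import re
from urllib.parse import unquote

# Constructed mock of how a logout CGI might splice the session id into the script it hands to
# the interpreter. The statement names follow the snippet quoted in the post; the allow-list,
# the session store and the log format are assumptions, not the vendor's code.
SID_ALLOWED = re.compile(r"[A-Za-z0-9]{1,32}")


def logout_script_unescaped(sid: str) -> str:
    """Vulnerable form: the raw parameter value lands inside the script text."""
    return f'system.ClearSessionID("{sid}");'


def logout_script_checked(sid: str, active_sessions: set) -> str:
    """Hardened form: reject anything outside the allow-list, then require a live session."""
    if not SID_ALLOWED.fullmatch(sid):
        raise ValueError("session id outside allow-list")
    if sid not in active_sessions:
        raise PermissionError("not a logged-in session")
    return f'system.ClearSessionID("{sid}");'


def statement_count(script: str) -> int:
    """Count the statements the interpreter would run; a clean logout yields exactly one."""
    return script.count(";")


# Extracts the sid query value from a Common Log Format request line.
LOGOUT_LINE = re.compile(r'"GET /api/backup/logout\.cgi\?sid=([^ "]*) ')


def suspicious_logout_requests(log_lines) -> list:
    """Return decoded sid values of logout requests that could not be a legitimate session id."""
    hits = []
    for line in log_lines:
        m = LOGOUT_LINE.search(line)
        if m:
            sid = unquote(m.group(1))
            if not SID_ALLOWED.fullmatch(sid):
                hits.append(sid)
    return hits


# Payload quoted in the post (URL-decoded), used only as input for the checks above.
PAGE_PAYLOAD = 'aa");system.Exec("");system.ClearSessionID("bb'

# Constructed sample log lines: one normal logout, one carrying injected script.
SAMPLE_LOG = [
    '192.0.2.10 - - [02/Mar/2018:10:00:00 +0100] "GET /api/backup/logout.cgi?sid=Ab12Cd34 HTTP/1.1" 200 12',
    '192.0.2.99 - - [02/Mar/2018:10:00:05 +0100] "GET /api/backup/logout.cgi?sid=aa%22%29%3Bsystem.Exec%28%22%22%29 HTTP/1.1" 200 12',
]
```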

ESET reported its findings regarding the unauthenticated RCE vulnerability to eQ‑3 at the beginning of 2018. Patched firmware was released in July 2018. For the full timeline, please refer to the table at the end of the blogpost.

eLAN-RF-003

This smart RF box is manufactured by Czech company ELKO EP. It has been designed as a central unit in a smart home, allowing the user to control a variety of systems such as lighting, hot-water temperature, heating, smart locks, shutters, blinds, fans, power outlets, etc. Everything is controlled via an application installed on the customer’s devices such as a smartphone, smartwatch, tablet or smart TV.

ESET IoT Research tested the device (firmware version 2.9.079) together with two peripheral devices from the same manufacturer – wireless dimmable LED bulb RF-White-LED-675 and dimmable socket RFDSC-71 – as seen in Figure 8.

Figure 8. From left: Smart RF box and associated ELKO equipment we tested

The test results showed that connecting the device to the internet or even operating it on one’s LAN could be potentially dangerous for the user due to a number of critical vulnerabilities:

  • Web GUI communication for the smart RF box uses HTTP protocol only, with HTTPS implementation missing.
  • The Smart RF box used inadequate authentication, allowing all commands to be executed without requesting a login. The device also did not use session cookies, thus lacking any mechanism that could verify that the user was correctly logged in.
  • The Smart RF box could be forced to leak sensitive data, such as passwords or configuration information.
  • Peripheral devices connected to the Smart RF box were vulnerable to record and replay attacks.

Issue-ridden web interface

Our testing showed that the web interface uses HTTP only, with no option to use HTTPS at all as the device had no code for handling the protocol. This means all user communication – including sensitive data such as usernames and passwords – was sent over the network without encryption or any other form of protection. This allowed any attacker with access to the network (or being able to MitM the traffic) to intercept the information in the clear.

Second, despite the web service requesting a username and password for login, it provided no session cookies or other mechanism ensuring that the user was correctly logged in and authorized to request the device's resources.

Insufficient authentication

These issues in the web interface led us to another area of security issues, namely the lack of user authentication.

The Smart RF box used HTTP GET requests to obtain information and HTTP POST or PUT requests to execute commands. However, the device did not require a user login or any other form of verification for these commands. This allowed attackers to capture, modify or craft their own packets and have the device execute them.

There was only one exception to this approach, namely the change of the web interface password. This command was partially protected and could only be executed when two conditions were met: the admin was logged in and used the same IP address that was previously used to log in. This minimalist protective mechanism is admittedly better than no restriction, but not strong enough to prevent potential misuse.

Unauthenticated access to the web interface is a severe issue, as it gives anyone with access to the local network the ability to take control over the smart RF box and subsequently all the devices connected to it. This is especially worrying due to possible combination with other vulnerabilities that allow the attacker to gain a foothold in the local Wi-Fi network.

Leakage of sensitive information

The Smart RF box also had HTTP API functions implemented. This allowed for easy access via a browser, but – again – with no authentication whatsoever.

To illustrate the depth of this problem, we devised a simple attack scenario viable even for a less-skilled attacker:

  • Obtain configuration file – which contains admin password – by using the following HTTP GET request: http://{IPAddress}/api/configuration/data.
  • Use the stolen credentials to log into the device’s GUI at http://{IPAddress}/ and take over the device.
  • Alternatively, the attacker can download the configuration file, modify it and upload it back to the device using an HTTP POST request. Again, no authentication was required for this process.

However, this vulnerability gave the attackers a much broader range of options. As shown in Figure 9, by using the same attack technique, attackers were able to extract information about peripheral devices, floor plans, errors, attributes of the managed smart home, the device’s firmware version, etc.

Figure 9. The Smart RF box can be forced to leak a variety of sensitive information.

Possible record and replay attack

By using additional hardware and software, attackers could also intercept commands sent from the central unit (eLAN-RF-003) to peripheral devices (in our case a dimmable LED bulb and dimmable socket). The recorded data could then easily be replayed by a device under control of the attackers placed within range of the radio signal. This would give the attackers control over the peripheral devices or even the whole smart home.

What made this vulnerability especially severe is the fact that – compared to Wi-Fi-enabled devices that are usually protected by WPA standards – there were no protective mechanisms that would stop such record and replay attacks.

To achieve this, the attackers must tune their receiver to the 868.5 MHz radio frequency and record the communication. These stored data can subsequently be replayed as a new command to the peripheral device.

In our experiment, peripheral devices behaved identically regardless of whether the commands came from an eLAN-RF-003 box or were replayed by another software-defined radio device. This type of attack could also be performed while the central unit is disconnected or offline.
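To make concrete what "no protective mechanism" means here, the following added example (not ELKO's protocol) models a peripheral that executes any well-formed frame beside one that authenticates each frame and rejects a counter it has already seen, so a captured command cannot be replayed. The key, frame layout, command code and class names are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Constructed demonstration of replay protection for RF command frames. The post's point is that
# the eLAN-RF-003 commands at 868.5 MHz carry nothing like this; the key, frame layout and names
# below are assumptions for the example, not ELKO's protocol.
DEMO_KEY = bytes(range(16))      # constructed shared key; a real hub would provision one per device
CMD_DIM_TO_50 = 0x32             # constructed command code


def make_frame(key: bytes, counter: int, device_id: int, command: int) -> bytes:
    """counter (4 bytes) | device id (2) | command (1) | truncated HMAC-SHA256 tag (8)."""
    body = struct.pack(">IHB", counter, device_id, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class LegacyReceiver:
    """Models a peripheral with no freshness check: every well-formed frame is executed."""

    def accept(self, frame: bytes) -> bool:
        return len(frame) == 15


class ProtectedReceiver:
    """Authenticates each frame and executes only a counter higher than the last seen per device."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = {}

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 15:
            return False
        body, tag = frame[:7], frame[7:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, tag):
            return False                 # forged or tampered frame
        counter, device_id, _command = struct.unpack(">IHB", body)
        if counter <= self.last_counter.get(device_id, -1):
            return False                 # replayed (or reordered) frame
        self.last_counter[device_id] = counter
        return True


def replay_outcome(receiver, frame: bytes):
    """Deliver the same captured frame twice, as a replaying radio would; return (first, second)."""
    return receiver.accept(frame), receiver.accept(frame)
```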

Making matters worse, some users have configured their NATs and eLAN-RF-003 units for remote access across the internet, using the default passwords. This exposed the devices, which are also readily searchable, to outside attacks and presented open doors to the respective smart homes, increasing the risk of malicious takeover.

All these documented vulnerabilities were reported to the vendor, who issued partial patches within the responsible disclosure period. However, two of the reported vulnerabilities (the unencrypted web interface communication and the insecure radio frequency (RF) communication) appear to have remained unpatched – at least for the tested older generations of devices.

In addition to the complexity of changing the protocols and inherent hardware compatibility issues, the manufacturer also argues that the eLAN-RF-003 radio communication cannot be easily intercepted by unskilled users, who lack necessary knowledge about the communication protocol on the ISM band. That’s true, but if vulnerabilities similar to those ESET discovered are found in the infrastructure of a valuable target, determined attackers – such as professional penetration testers or nation state actors – can and will exploit them.

The vendor may have addressed the remaining vulnerabilities in newer generations which ESET has not tested.

Conclusion

ESET tested popular or otherwise interesting home hubs available in local e-shops. Testing showed that three IoT central units had several serious security vulnerabilities. Some of the flaws were so severe that an attacker could misuse them to perform MitM attacks, eavesdrop on the victim, create backdoors, or gain root access to some of the devices and their contents. In worst-case scenarios, these issues could even allow attackers to take control over the central units and all peripheral devices connected to them.

Most of the flaws disclosed by ESET have been fixed by the vendors of these particular devices. Notably, Fibaro patched all but one of the reported issues within days of the initial report. eQ‑3, the manufacturer of Homematic CCU2, fixed the reported RCE vulnerability within the 90-day responsible disclosure period. Elko also showed its desire to keep its devices protected: the manufacturer released patches for part of the reported problems and continued to work on newer protocols.

However, some of the issues appear to have been left unresolved, at least on older generations of devices. Even if newer, more secure generations are available, though, the older ones are still in operation. The manufacturer also argued that part of the security responsibility (regarding exposure of the devices to the Internet) lies on the shoulders of their customers. And with little incentive for users of older-but-functional devices to upgrade them, they need to be cautious, as they could still be exposed.

The findings of this – as well as previous – ESET research show that security vulnerabilities in IoT devices are a prevalent issue for households, small office environments, and enterprises[1]. Our results also show that flaws in default settings, encryption or authentication are not exclusive to low-end, cheap devices but are often present in high-end hardware too.

The main difference is the desire of the established and reliable manufacturers to react, communicate, cooperate and be willing to fix the reported problems. A vendor’s responsible approach to vulnerabilities and patching should form the basis for customers’ decisions when choosing a hardware vendor for their future smart office/smart home devices.

Kudos to our fellow researchers and colleagues who helped us in the course of this research, namely Juraj Bartko, Kacper Szurek, Peter Košinár, Ivan Bešina and Ondrej Kubovič.

Full timeline for all devices

Date         Action
2017         ESET started its research into three IoT home hubs: Fibaro Home Center Lite, Homematic CCU2 and eLAN-RF-003.
6 Feb 2018   ESET reported all vulnerabilities found to ELKO EP, manufacturer of eLAN-RF-003 (firmware version 2.9.079).
2 Mar 2018   ESET reported the RCE vulnerability found to eQ-3, manufacturer of Homematic CCU2 (firmware version 2.31.25).
4 May 2018   ELKO EP released a patch fixing some of the reported vulnerabilities, yet two issues remain: unencrypted web GUI communication and vulnerable RF communication (firmware version 3.0.038).
3 Jul 2018   eQ-3 released a patch fixing the reported RCE vulnerability in Homematic CCU2 (firmware version 2.35.16).
21 Aug 2018  ESET reported all vulnerabilities found to Fibaro, manufacturer of Fibaro Home Center Lite (firmware version 4.170).
30 Aug 2018  Fibaro released a patch fixing most of the reported vulnerabilities in Fibaro Home Center Lite, with the exception of the hardcoded salt string, which didn't change and is still being used to create the SHA-1 hash of the password (firmware beta version 4.504).

[1] If you are interested in learning more about IoT device vulnerabilities and the attack vectors exploited, and how they impact the risk posture of enterprise assets, we encourage you to also read this recent Forrester research paper, to which ESET was one of the contributing vendors.



Milan Fránik and Miloš Čermák


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Flaw in popular VPN service may have exposed customer data

NordVPN praised its bug bounty program and said that a fix had been shipped within two days

NordVPN, one of the most popular virtual private network (VPN) services, has fixed a security flaw that is said to have exposed customers’ email addresses and other information.

The security hole was linked to three payment platforms used by NordVPN – Momo, Gocardless, and Coinpayments. According to The Register, which was the first to report on the issue, the flaw was uncovered by a researcher going by the moniker ‘dakitu’ and was disclosed via popular bug bounty platform HackerOne.

The researcher found that anyone who sent an HTTP POST request without authentication to join.nordvpn.com could see users’ email addresses, payment method and URL, the product they purchased, the amount they paid for it and even the currency used in the transaction.

There is actually some uncertainty as to the severity of the bug, as NordVPN said in a statement today that only a handful of random email addresses – and no other customer data – might have been at risk.

Nevertheless, the vulnerability was uncovered on December 4th, 2019, before being fixed by NordVPN two days later. The flaw and its patch were made public on the website in February and ‘dakitu’ received a bounty reward of US$1,000 for his efforts.

NordVPN didn't say whether it had notified its customers about the vulnerability. At any rate, the company was satisfied with the outcome, stating that this is one of the reasons it launched its bug bounty program and that it hopes to reap more benefits in the future: "We are extremely happy with its results and encourage even more researchers to analyze our product."

In October of last year, NordVPN was criticized for taking too long to fess up to a security breach that may have lasted from March of 2018. The company argued that the long disclosure period was needed because of the size of its infrastructure audit and the number of servers the company runs to host its service.



Amer Owaida



Microsoft warns of two Windows zero‑day flaws

Updates for the critical-rated vulnerabilities, which are being actively exploited in the wild, are still weeks away

Attackers are actively exploiting two previously undisclosed security vulnerabilities that affect all supported as well as some of the no-longer-supported versions of the Windows operating system, Microsoft announced in an out‑of‑band advisory on Monday.

The security flaws, rated as critical, are being abused for limited targeted attacks. This would imply campaigns by advanced threat actors compromising carefully chosen targets. That said, citing the need to “help reduce customer risk until the security update is released”, the tech giant disclosed the flaws publicly.

“Two remote code execution vulnerabilities exist in Microsoft Windows when the Windows Adobe Type Manager Library improperly handles a specially-crafted multi-master font – Adobe Type 1 PostScript format,” said the tech giant. Adobe Type Manager is a font management tool that helps Windows handle and render fonts.

There are several ways bad actors can leverage the flaws, including by tricking their targets into opening a booby-trapped file or into viewing it in the Windows Preview pane, said Microsoft.

Patch?

The flaws affect all supported versions of Windows, including Windows 10, as well as systems that are past end‑of‑life, notably Windows 7. Importantly, no patch is available for any of them, and Microsoft hinted that the fix wouldn’t arrive until the forthcoming Patch Tuesday rollout of security updates on April 14th. Even so, machines running the retired operating systems won’t receive the update even after it’s shipped – unless their owners are enrolled in Microsoft’s Extended Security Updates (ESU) program.

While the flaws are rated as critical for all affected systems, the company noted that on Windows 10 the potential for exploitation is limited. “For systems running supported versions of Windows 10 a successful attack could only result in code execution within an AppContainer sandbox context with limited privileges and capabilities,” said the tech giant. As of the time of writing, the vulnerabilities have yet to be assigned CVE identifiers.

Microsoft suggested a slew of temporary mitigations and workarounds to counter the risk while the patch is in the works. These include disabling the Preview Pane and Details Pane in Windows Explorer and renaming the library (atmfd.dll). Step-by-step guidance is available in the company’s advisory.

Weeks ago, Microsoft released patches for a critical cryptographic flaw in Windows and a zero-day in Internet Explorer. ESET researchers uncovered an exploit in 2018 that leveraged a pair of zero-days in Adobe Reader and Windows, while last year they found an exploit that abused another Windows zero-day vulnerability (CVE‑2019‑1132).



Tomáš Foltýn

