Advisory ID: SYSS-2019-026
Product: homee Brain Cube (Core) v2
Manufacturer: homee GmbH
Affected Version(s): <= 2.23.0
Tested Version(s): 2.15.0, 2.23.0
Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2019-05-20
Solution Date: None
Public Disclosure: 2019-09-20
CVE Reference: CVE-2019-16258
Author of Advisory: Gerhard Klostermeier

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

homee Brain Cube (Core) v2 is a controller for smart home environments.

The manufacturer describes the product as follows (see [1]):

The Brain Cube is the central control unit and forms the basis of your home. It allows you to control many of your AVM FRITZ! devices as well as Belkin WeMo, Netatmo, Nuki and more. Thanks to homeegrammes, all devices integrated in homee can be linked to each other - for the perfect smart home experience across manufacturer boundaries. By stacking other cubes on the Brain Cube, the system is extendable to support standards like Z-Wave-, ZigBee and/or EnOcean.

Due to a missing authentication for bootloader access, an attacker with physical access can gain full control over the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The printed circuit board (PCB) of the homee Brain Cube (Core) v2 exposes connections of a serial interface. This UART interface can be used to get terminal-based access to the U-Boot bootloader, which is responsible for booting the Linux kernel.

Since the bootloader is not locked and does not require any kind of authentication, an attacker can manipulate kernel parameters in order to gain root access to the operating system.

With root privileges, everything on the device can be read and manipulated. This includes sensitive data such as password hashes or the WiFi credentials.
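The following is an added example, not part of the SySS advisory and not homee code: a build-time check that reads a U-Boot .config and reports whether serial console input can stop autoboot, which is the entry point described above. The option names come from U-Boot's Kconfig; the sample configs are constructed, and the check covers only the autoboot-abort path, not other bootloader hardening.

```python
import re

# Constructed sample .config fragments (not taken from the homee firmware).
OPEN = "CONFIG_BOOTDELAY=2\n# CONFIG_AUTOBOOT_KEYED is not set\n"
PLAIN = "CONFIG_BOOTDELAY=2\nCONFIG_AUTOBOOT_KEYED=y\nCONFIG_AUTOBOOT_STOP_STR=\"example\"\n"
GATED = ("CONFIG_BOOTDELAY=2\nCONFIG_AUTOBOOT_KEYED=y\nCONFIG_AUTOBOOT_ENCRYPTION=y\n"
         "CONFIG_AUTOBOOT_STOP_STR_SHA256=\"<sha256-placeholder>\"\n")
NO_ABORT = "CONFIG_BOOTDELAY=-2\n"


def parse_config(text):
    """Parse Kconfig .config text into {option: value}; unset options map to None."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        unset = re.fullmatch(r"# (CONFIG_\w+) is not set", line)
        assigned = re.fullmatch(r"(CONFIG_\w+)=(.*)", line)
        if unset:
            opts[unset.group(1)] = None
        elif assigned:
            opts[assigned.group(1)] = assigned.group(2).strip('"')
    return opts


def audit_autoboot(text):
    """Return findings on whether serial console input can stop autoboot."""
    o = parse_config(text)
    raw = o.get("CONFIG_BOOTDELAY")
    if raw is None or not re.fullmatch(r"-?\d+", raw):
        return ["CONFIG_BOOTDELAY missing or not numeric: review manually"]
    delay = int(raw)
    if delay == -2:   # autoboot with no delay and no check for abort
        return []
    if delay == -1:   # autoboot disabled: the device waits at the prompt
        return ["CONFIG_BOOTDELAY=-1: device stops at the U-Boot prompt"]
    # delay >= 0: console input aborts autoboot unless gated by a hashed secret
    if o.get("CONFIG_AUTOBOOT_KEYED") != "y":
        return [f"CONFIG_BOOTDELAY={delay} without CONFIG_AUTOBOOT_KEYED: any key stops autoboot"]
    if o.get("CONFIG_AUTOBOOT_ENCRYPTION") != "y":
        return ["stop string is compiled in as plain text (CONFIG_AUTOBOOT_ENCRYPTION not set)"]
    if not o.get("CONFIG_AUTOBOOT_STOP_STR_SHA256"):
        return ["CONFIG_AUTOBOOT_ENCRYPTION set without CONFIG_AUTOBOOT_STOP_STR_SHA256"]
    return []


if __name__ == "__main__":
    for name, cfg in [("OPEN", OPEN), ("PLAIN", PLAIN), ("GATED", GATED), ("NO_ABORT", NO_ABORT)]:
        print(name, audit_autoboot(cfg) or "no autoboot-abort finding")
```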

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH connected a UART-to-USB interface to the pads on the PCB. This connection was used to modify the "init" parameter of the Linux kernel to "/bin/sh" via the unlocked U-Boot bootloader. By changing the parameter in this way, the kernel starts a shell with root privileges where no login is required.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

None.

Until the public disclosure of the vulnerability, no update has been released which locks down the bootloader.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2019-05-15: Vulnerability discovered
2019-05-20: Vulnerability reported to manufacturer
2019-09-09: Clearance from manufacturer to publish the vulnerability
2019-09-20: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for homee Brain Cube
    https://store.hom.ee/collections/all/products/homee-brain-cube
[2] SySS Security Advisory SYSS-2019-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Gerhard Klostermeier of SySS GmbH and Cem Onganer.

E-Mail: gerhard.klostermeier@syss.de
Key ID: 0x38023AAB573EB2E7
Key Fingerprint: 8A9E 75CC D510 4FF6 8DB5 CC30 3802 3AAB 573E B2E7

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en