Advisory ID: SYSS-2020-026
Product: homee Brain Cube (Core) v2
Manufacturer: homee GmbH
Affected Version(s): 2.28.*
Tested Version(s): 2.28.4, 2.28.2
Vulnerability Type: Insufficient Verification of Data Authenticity (CWE-345)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-22
Solution Date: 2020-08-11
Public Disclosure: 2020-09-25
CVE Reference: CVE-2020-24395
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

homee Brain Cube (Core) v2 is a controller for smart home environments.

The manufacturer describes the product as follows (see [1]):

"The Brain Cube is the central control unit and forms the basis of your
home. It allows you to control many of your AVM FRITZ! devices as well as
Belkin WeMo, Netatmo, Nuki and more. Thanks to homeegrammes, all devices
integrated in homee can be linked to each other - for the perfect smart
home experience across manufacturer boundaries. By stacking other cubes
on the Brain Cube, the system is extendable to support standards like
Z-Wave, ZigBee and/or EnOcean."

Due to a missing signature check, an attacker with physical access to the
device can flash a modified firmware on the device and therefore gain
full control over the device.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The firmware of the homee Brain Cube can be updated via the web interface
and via a USB connection. When connecting the homee to a computer via USB,
the "export" partition of the device is mounted on the computer system.
When a new firmware (https://hom.ee/updates/platform:core#update-anchor)
is uploaded to the export partition, the update routine is triggered
after a reboot. This routine consists of two scripts.
In the first step (/etc/init.d/05Update), the firmware archive is unpacked
and a script file from the unpacked firmware update is copied to
/data/update.scr. After this, another reboot is triggered.

In the second step, the script file /data/update.scr is executed and
overwrites the partition "rootfs" with the new "rootfs" provided by the
update. It also checks whether the update contains a newer version than
the one installed on the partition named "recovery". If it is newer, the
"recovery" partition is also overwritten with the "rootfs" provided by
the update.

The first script (/etc/init.d/05Update) checks neither the signature of
the new "rootfs" nor the signature of the provided update script.
Therefore, SySS GmbH was able to upload a modified version of the update
script and the "rootfs", which was then successfully installed on the
homee Brain Cube. The modification allowed complete access to the device.

The update procedure was changed with version 2.28. Therefore, older
updates can no longer be installed.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH downloaded a valid firmware update and extracted the archive.
Using a hex editor, the update.img file was modified and placed in the
mounted export folder via USB. Alternatively, the firmware can be
unpacked, modified, and repacked to a valid UBIFS image. After reboot, the
modified image is successfully flashed on the homee Brain Cube.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The problem was fixed in version 2.29. Update to homee Core 2.29 or later.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-15: Vulnerability discovered
2020-07-22: Vulnerability reported to manufacturer
2020-08-11: Patch released by manufacturer
2020-10-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for homee Brain Cube
    https://store.hom.ee/collections/all/products/homee-brain-cube
[2] SySS Security Advisory SYSS-2020-026
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-026.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en