-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2020-027
Product: homee Brain Cube (Core) v2
Manufacturer: homee GmbH
Affected Version(s): 2.28.*
Tested Version(s): 2.28.4, 2.28.2
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2020-07-22
Solution Date: 2020-08-11
Public Disclosure: 2020-09-25
CVE Reference: CVE-2020-24396
Author of Advisory: Tobias Jäger, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

homee Brain Cube (Core) v2 is a controller for smart home environments.
The manufacturer describes the product as follows (see [1]):

"The Brain Cube is the central control unit and forms the basis of your
home. It allows you to control many of your AVM FRITZ! devices as well
as Belkin WeMo, Netatmo, Nuki and more. Thanks to homeegrammes, all
devices integrated in homee can be linked to each other - for the
perfect smart home experience across manufacturer boundaries. By
stacking other cubes on the Brain Cube, the system is extendable to
support standards like Z-Wave, ZigBee and/or EnOcean."

Because the firmware image is not encrypted, a private SSH key for a
support server can be extracted from any firmware update. Anyone holding
this SSH key can use the support server as a proxy system.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The firmware of the homee Brain Cube can be downloaded at [1]. It is an
archive containing the root file system of the homee Brain Cube as a
UBIFS image. This root file system includes a private SSH key for the
root user of the server support.codeatelier.com as the file
/etc/ssh_homeesupport.

The server does not grant shell access via SSH with this key, but the
key is sufficient to use the server as a SOCKS proxy.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS GmbH downloaded a valid firmware update and extracted the archive.
Using the ubi_reader tools [3], the UBIFS image update.img can be
unpacked. The described SSH key is then found at /etc/ssh_homeesupport.

With the following command, a SOCKS proxy can be opened and bound to the
local port 8088:

ssh -N -p 5022 -i ssh_homeesupport -D 8088 root@support.codeatelier.com

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The problem was fixed in version 2.29. Update to homee Core 2.29 or
later.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-06-15: Vulnerability discovered
2020-07-22: Vulnerability reported to manufacturer
2020-08-11: Patch released by manufacturer
2020-10-09: Public disclosure of vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Website for homee Brain Cube
    https://store.hom.ee/collections/all/products/homee-brain-cube
[2] homee Brain Cube firmware download
    https://hom.ee/category/release-notes/homee-core/
[3] ubi_reader tools
    https://github.com/jrspruitt/ubi_reader
[4] SySS Security Advisory SYSS-2020-027
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-027.txt
[5] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Tobias Jäger of SySS GmbH.

E-Mail: tobias.jaeger@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Tobias_Jaeger.asc
Key ID: 0xABF0CF2F4D0220F9
Key Fingerprint: 5C9F 5312 F37E B9AB E87B 1212 ABF0 CF2F 4D02 20F9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en
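The root cause in the Vulnerability Details section is a private SSH key shipped inside an unencrypted root file system. The following check, added here as an example and not part of the SySS advisory or the homee firmware, walks an unpacked root file system (such as the output of ubi_reader) and reports every regular file that carries a PEM-encoded private key, so a firmware build or update can be screened before release. The directory layout and the placeholder key body it builds for its self-test are constructed, not taken from the real firmware.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# PEM armour used by OpenSSH, PKCS#1 (RSA/DSA/EC) and PKCS#8 private keys.
# Public keys (.pub, "BEGIN PUBLIC KEY") deliberately do not match.
PRIVATE_KEY_RE = re.compile(
    rb"-----BEGIN (?:OPENSSH|RSA|DSA|EC|ENCRYPTED)? ?PRIVATE KEY-----"
)


def find_private_keys(rootfs: str, max_size: int = 64 * 1024) -> list:
    """Return sorted, rootfs-relative paths of regular files containing a
    PEM private key. Symlinks and files above max_size are skipped, since
    private keys are small and following links could leave the tree."""
    root = Path(rootfs)
    hits = []
    for path in root.rglob("*"):
        try:
            st = path.lstat()
        except OSError:
            continue  # unreadable entry: report nothing rather than crash
        if not stat.S_ISREG(st.st_mode) or st.st_size > max_size:
            continue
        with open(path, "rb") as fh:
            data = fh.read(max_size)
        if PRIVATE_KEY_RE.search(data):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_rootfs() -> str:
    """Create a constructed mini root file system for a self-test: one
    placeholder private key (NOT a real key), its public half, and an
    unrelated config file. Returns the temporary directory path."""
    base = Path(tempfile.mkdtemp(prefix="rootfs_"))
    etc = base / "etc"
    etc.mkdir()
    (etc / "ssh_homeesupport").write_bytes(
        b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
        b"PLACEHOLDER-NOT-A-REAL-KEY\n"
        b"-----END OPENSSH PRIVATE KEY-----\n"
    )
    (etc / "ssh_homeesupport.pub").write_bytes(b"ssh-ed25519 AAAA... support\n")
    (etc / "hostname").write_bytes(b"homee\n")
    return str(base)


if __name__ == "__main__":
    for hit in find_private_keys(build_sample_rootfs()):
        print("private key found:", hit)
```

Run it against a real extracted image with `find_private_keys("/path/to/unpacked/rootfs")`; any hit is a candidate for CWE-311 and should block the release until the key is removed and rotated on the server it authenticates to.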