[CVE-2018-16222 to 16225] Multiple Vulnerabilities in QBee and iSmartAlarm Products

The preface of the disclosure of CVE-2018-16225 (https://blog.francescoservida.ch/2018/09/16/cve-2018-16225-public-disclosure-qbee-camera-vulnerability/) contained a little lie: I did not find one vulnerability during the research for my master thesis, but four, three of which were still being patched by the vendor/under the 90 days disclosure timeframe given to the vendor.

In total four vulnerabilities were discovered, concerning the QBee Multisensor Camera (CVE-2018-16223 & CVE-2018-16225) and the iSmartAlarm security device (CVE-2018-16222 & CVE-2018-16224).

[CVE-2018-16222] Cleartext Storage of credentials in iSmartAlarm Android Application

This first vulnerability is pretty simple; the Android application for iSmartAlarm stores the user credentials in cleartext the xml configuration file: iSmartAlermData.xml.

While it is true that an application need to store cloud credentials in order to maintain access to the cloud services, this credentials do not need to be the username and password of the user, but should instead be a revokable access token (Eg. via OAuth).

iSmartAlarm user credentials in settings file (username -> phoneNum)
  • CVSS
    • Base Score: 6.4
    • Vector: AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Impact Score: 5.9
    • Exploitability Score: 0.5

Report – CVE-2018-16222

Timeline

08.06.2018 – Vendor contacted
28.06.2018 – Established contact and disclosure to vendor
30.08.2018 – CVE-ID obtained from MITRE
14.09.2018 – iSmartalarm confirms the application is fixed and publication is set for week following
31.10.2018 – Public disclosure

[CVE-2018-16223] Insecure Cryptographic Storage of credentials – QBee Camera Application (Android)

This second vulnerability also concerns the storage of user cloud credentials in the XML settings of the application, in this case of the QBee Camera Application.

Although the QBee Cam credentials were encrypted, the encrypted settings were in a format suggesting the use of the common “Secure Preferences” library. By default, this library stores the AES key alongside the encrypted data in the XML file. However, none of the values was a valid AES key for the decryption. Analysis of the android application revealed that the function handling the encryption/decryption was a slightly modified version of the “Secure Preferences” one. The AES key is in fact derived from the value in the file, by inserting a hardcoded string and hashing it with SHA 256. With that knowledge it was possible to implement a decryption function in python.

An attacker with physical access to the user device can extract the configuration file from the QBee Camera application.

Using the derived key, the attacker is able to decrypt the configuration file and extract the username and password.

QBee settings encrypted & decrypted
  • CVSS
    • Base Score: 6.4
    • Vector: AV:P/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Impact Score: 5.9
    • Exploitability Score: 0.5

Report – CVE-2018-16223

PoC – CVE-2018-16223

Timeline

08.06.2018 – Vendor contacted (QBee)
03.07.2018 – Received response from Vestiacom (QBee) CEO, following communication problems & disclosure to Vestiacom
30.08.2018 – CVE-ID obtained from MITRE
30.08.2018 – Vulnerability disclosure date postponed from 9th September to 16th September following Swisscom request
18.09.2018 – Vestiacom confirms the patched version of QBee Cam has been submitted by Askey to Android’s Google Play.
31.10.2018 – Public disclosure

[CVE-2018-16224] Incorrect access control for the diagnostic files of the iSmartAlarm Cube One

It was possible to intercept the diagnostic logs sent from the base station to the smartphone application.

iSmartAlarm diagnostic log collection, first packets.

As the diagnostic endpoint was not authenticated the collection process was later integrated in a Python script in order to directly receive the data instead of having to intercept the stream to the smartphone application.

The vulnerability requires the attacker to have access to the local network on which the device resides.

The attacker is able to obtain a copy of the diagnostics logs from the CubeOne device without authentication needed.

The logs contain sensible information such as the interaction the user had with the cube one or the sensor logs. Other sensible information could be present but has not been studied.

  • CVSS
    • Base Score: 4.3
    • Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
    • Impact Score: 1.4
    • Exploitability Score: 2.8 

Report – CVE-2018-16224

PoC – CVE-2018-16224

Timeline

08.06.2018 – Vendor contacted
28.06.2018 – Established contact and disclosure to vendor
30.08.2018 – CVE-ID obtained from MITRE
24.09.2018 – iSmartalarm requests to postpone publication
31.10.2018 – Public disclosure

[CVE-2018-16225] Incorrect access control for the diagnostic files of the iSmartAlarm Cube One

Cf. https://blog.francescoservida.ch/2018/09/16/cve-2018-16225-public-disclosure-qbee-camera-vulnerability/

  • CVSS
    • Base Score: 6.4
    • Vector: AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:H
    • Impact Score: 4.7
    • Exploitability Score: 1.6

Lascia un commento

Il tuo indirizzo email non sarà pubblicato. I campi obbligatori sono contrassegnati *

Questo sito usa Akismet per ridurre lo spam. Scopri come i tuoi dati vengono elaborati.