BSides SF 2019: Remote-Root Bug in Logitech Harmony Hub Patched and Explained | Threatpost

SAN FRANCISCO – Users of Logitech’s Harmony Hub have been wide open to an attack for years because of four unpatched vulnerabilities that left any IoT device connected at risk to remote takeover. The bugs were patched by Logitech in November, but for the first time the researchers that discovered the security holes shed light on just how exposed millions of users of the smart-hub device were.

Here at the BSides SF 2019 security conference, Tenable Network Security’s reverse engineer Joseph Bingham shared his research on the four devastating Harmony Hub vulnerabilities. Harmony Hub is a smart-home device that acts as a command center for a home’s ecosystem of connected devices — such as security cameras, lighting, heating, streaming hardware, door locks and more.

This illustrates how Tenable’s Joseph Bingham was able to root the Harmony Hub to open a smart door lock.

“It’s shocking that you would be able to buy one of these devices on Amazon or at Best Buy and be able to remote-root it out of the box,” Bingham told Threatpost in an interview Monday. “These are worst-case scenario vulnerabilities.”

Bingham said that two of the vulnerabilities could have been exploited by a remote unauthenticated user to gain full control of the Logitech devices. One is a default-credential bug (CVE-2018-15720); the second was an authentication-bypass vulnerability (CVE-2018-15721).

The two other bugs, a remote-server OS command-injection bug (CVE-2018-15722) and a crafted-HTTP-request application command-injection flaw (CVE-2018-15722), can be chained together to similarly allow a remote unauthenticated hacker to take over the smart hub and control all of the devices it manages.

The chained attack begins with sending instructions to an unprotected application command port tied to Harmony Hub’s time-synchronization service.

“The hub processes all network requests from remote hosts, but attempts to verify the origin before actually handling the request. This is a great security mechanism in theory; however, the attacker can easily forge the origin with a single line in the HTTP header. This allows any remote attacker to bypass the origin-validation check, giving them access to all of the protected message-handling functionality,” according to a technical breakdown of the research posted Sunday.

The short version is this: Attackers can perform their own HTTP request to the Harmony Hub and switch the sync server to one they control. Next, the attacker uses the application bug to take advantage of the remote server OS bug, which allows a hacker to send a command injection payload to root the hub.

“One of the hub’s critical message handlers implements clock synchronization functionality. The hub sets its internal clock with a Linux shell command using the input from a trusted synchronization server. The input is passed directly to the operating system without sanitization,” Tenable wrote.
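To make the root cause of that last bug concrete, here is an added illustration (constructed for this article, not Logitech's firmware or Tenable's code) of a clock-sync handler in the shape Tenable describes, where the sync server's reply is spliced into a shell command, next to a hardened version that only accepts a strictly formatted timestamp and never goes through a shell. Function names, the timestamp format and the `date -s` invocation are assumptions.

```python
import re
import subprocess
from datetime import datetime
from typing import List

# Constructed example: the sync server's reply is untrusted once an attacker
# can redirect the hub to a server they control (as the article describes).


def set_clock_vulnerable(sync_response: str) -> str:
    """Unsafe pattern: the reply becomes part of a shell command string.

    Returns the command instead of running it so it can be inspected; any
    shell metacharacters in sync_response would be interpreted by the shell.
    """
    return "date -s '" + sync_response + "'"


# Whitelist: exactly YYYY-MM-DD HH:MM:SS and nothing else.
_TS_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$")


def parse_sync_timestamp(sync_response: str) -> datetime:
    """Reject anything that is not a bare timestamp (format and calendar)."""
    if not _TS_RE.fullmatch(sync_response):
        raise ValueError("rejected sync response: not a bare timestamp")
    # strptime also rejects impossible values such as month 13.
    return datetime.strptime(sync_response, "%Y-%m-%d %H:%M:%S")


def set_clock_hardened(sync_response: str, dry_run: bool = True) -> List[str]:
    """Validated input, then an argv list: no shell, so no injection surface."""
    ts = parse_sync_timestamp(sync_response)
    argv = ["date", "-s", ts.strftime("%Y-%m-%d %H:%M:%S")]
    if not dry_run:
        subprocess.run(argv, check=True)  # the timestamp is a single argument
    return argv


def rejects_sync_response(sync_response: str) -> bool:
    """True if the hardened path refuses the reply (used for checks below)."""
    try:
        parse_sync_timestamp(sync_response)
    except ValueError:
        return False or True
    return False


if __name__ == "__main__":
    good = "2019-03-04 12:00:00"
    print(set_clock_vulnerable(good))
    print(set_clock_hardened(good))
    print(rejects_sync_response(good + "; id"))
```

The hardened handler still cannot tell a real sync server from a spoofed one; that is the origin/authentication problem the other bugs address, and validating the payload only limits what a spoofed server can make the hub execute.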

Logitech issued patches for the bug in November, but not without some backlash over collateral damage to a beloved user feature.

Disgruntled Harmony Users Get Answers Over Disabled XMPP

For some disgruntled Harmony Hub users, the November fix irked them because the mitigation required cutting off access to the Harmony Hub via the third-party API protocol known as Extensible Messaging and Presence Protocol (XMPP). The XMPP protocol “enables the near-real-time exchange of structured yet extensible data between any two or more network entities,” according to a technical description.

At the time, Logitech’s message boards and Reddit lit up with grumpy users that had tweaked the platform using XMPP to support their otherwise unsupported devices. In November, Logitech responded vaguely, alluding to “some security vulnerabilities brought to our attention by a third-party cybersecurity firm” that required it to discontinue support. That security firm was Tenable.

Last month, Logitech said it would reinstate XMPP access for some Android and iOS users. “This version allowed access to XMPP only for those that wanted it and who understood the potential risks of the use of the option,” Logitech wrote.

Latest Bug in a String

These most recent bugs discovered by Tenable are not to be confused with four separate vulnerabilities in the Logitech Harmony Hub found by FireEye’s Mandiant Red team in May 2018. Those were improper certificate validation, an insecure update process, leaving developer debugger symbols behind in the production firmware and having a blank root user password.

Those vulnerabilities can give adversaries root access to the device – allowing attackers to control other smart-home devices linked to it, such as smart locks and connected surveillance cameras. FireEye researchers disclosed the vulnerabilities to Logitech in January 2018, and Logitech released a firmware update (4.15.96) on April 10 of last year to address the findings. Public disclosure was May 4.