# Full Report
In this article, we publish the results of our study of the Fibaro Home Center smart home. We identified vulnerabilities in Fibaro Home Center 2 and Fibaro Home Center Lite version 4.540, as well as vulnerabilities in the online API.
# Analysis Summary
The following summary details the security analysis of the Fibaro Home Center ecosystem, based on the research cited in the references below.
# Vulnerability: Multiple Flaws in Fibaro Home Center 2 (HC2) and Home Center Lite (HCL)
## CVE Details
*Note: The study describes multiple vulnerabilities across the ecosystem.*
- **CVE ID:** CVE-2019-17098, CVE-2019-17099, CVE-2019-17101 (Online API), CVE-2019-17100 (SSH/Local Access)
- **CVSS Score:** Range from 8.8 (High) to 9.8 (Critical)
- **CWE:** CWE-287 (Improper Authentication), CWE-78 (OS Command Injection), CWE-288 (Authentication Bypass)
## Affected Systems
- **Products:** Fibaro Home Center 2 (HC2), Fibaro Home Center Lite (HCL), and Fibaro Cloud API.
- **Versions:** Firmware version 4.540 and earlier.
- **Configurations:** Devices connected to the internet and registered with the Fibaro remote access cloud.
## Vulnerability Description
Researchers identified a chain of vulnerabilities that together allow unauthorized remote access:
1. **Authentication Bypass via Cloud API:** A flaw in how the Fibaro cloud handled requests allowed attackers to access the device's web interface remotely by knowing or guessing the device ID, bypassing authorization checks.
2. **OS Command Injection:** Once the web interface was accessed (even with limited privileges), a vulnerability in the PHP scripts of the web management interface allowed the execution of arbitrary system commands as the root user.
3. **Hardcoded Credentials:** Use of static SSH keys and predictable passwords facilitated lateral movement once an initial foothold was established.
## Exploitation
- **Status:** PoC available (demonstrated by researchers); no confirmed reports of exploitation in the wild at the time of publication.
- **Complexity:** Medium (requires knowledge of device IDs).
- **Attack Vector:** Network (Remote via Cloud API or Local via LAN).
## Impact
- **Confidentiality:** Total (Full access to smart home status, camera feeds, and user data).
- **Integrity:** Total (Ability to modify home automation logic, unlock doors, or disable security alarms).
- **Availability:** Total (Potential to brick the device or disconnect it from the network).
## Remediation
### Patches
- **Version 4.560:** Fibaro released firmware updates addressing the command injection and authentication logic flaws.
- **Cloud Update:** Fibaro implemented server-side fixes to the remote access API to prevent unauthorized proxying of requests.
### Workarounds
- **Disable Remote Access:** Users should disable the "Remote Access" feature in the device settings if not strictly required.
- **Network Isolation:** Place IoT hubs on a dedicated VLAN separate from sensitive personal computers.
- **Firewalling:** Restrict outbound traffic from the hub to only authorized Fibaro domains.
## Detection
- **Indicators of Compromise:** Unusual administrative logins from unknown IP addresses via the Fibaro cloud; unexpected entries in the `fibaro` user log files; unauthorized modifications to "Scenes" or automation scripts.
- **Detection Methods:** Monitor network traffic for unusual POST requests to `/services/system/` endpoints on the HC2/HCL device.
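A small log-based check for the indicators above, as an added example that is not part of the original report or of Fibaro's own tooling. The access-log lines, hosts, usernames and the trusted network range are constructed; only the `/services/system/` prefix comes from the advisory's detection guidance.

```python
import ipaddress
import re

# Constructed sample access-log lines (Common Log Format) as a web server or
# reverse proxy in front of an HC2/HCL hub might record them. Addresses, users
# and the path suffix are invented; the /services/system/ prefix is the
# indicator named in the advisory.
SAMPLE_LOG = """\
192.168.1.23 - admin [01/Jul/2019:08:12:01 +0000] "GET /api/devices HTTP/1.1" 200 5123
203.0.113.77 - admin [01/Jul/2019:08:13:44 +0000] "POST /services/system/example HTTP/1.1" 200 87
192.168.1.23 - admin [01/Jul/2019:08:14:02 +0000] "POST /services/system/example HTTP/1.1" 200 42
198.51.100.9 - - [01/Jul/2019:08:15:10 +0000] "GET /api/scenes HTTP/1.1" 401 0
"""

# Assumed: administrative activity is expected only from the home LAN.
TRUSTED_NETS = [ipaddress.ip_network("192.168.1.0/24")]
SENSITIVE_PREFIX = "/services/system/"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_trusted(ip):
    """True when the client address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyse(log_text):
    """Flag requests matching the advisory's indicators; return a list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = []
        if rec["method"] == "POST" and rec["path"].startswith(SENSITIVE_PREFIX):
            reasons.append("POST to /services/system/ endpoint")
        if rec["user"] != "-" and not is_trusted(rec["ip"]):
            reasons.append("authenticated request from untrusted address")
        if reasons:
            alerts.append({"ip": rec["ip"], "user": rec["user"],
                           "path": rec["path"], "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for a in analyse(SAMPLE_LOG):
        print(a["ip"], a["user"], a["path"], "; ".join(a["reasons"]))
```

Requests relayed through the Fibaro cloud arrive from the relay's address rather than the user's, so TRUSTED_NETS must be tuned to the deployment before the second rule is meaningful.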
## References
- **Vendor Advisory:** hxxps[://]www[.]fibaro[.]com/en/support/
- **Original Research:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2019/07/01/how-we-hacked-our-colleagues-smart-home-or-morning-drum-bass/
- **NVD Entries:**
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-17098
  - hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2019-17099