Full Report
OvrC cloud is a cloud-based remote management and monitoring system used by IoT devices. It's used by Control4, Wattbox and many other products. Alongside this, it can be used to integrate with third-party products such as Roku and Sonos for management. In the OvrC platform, the MAC address is used as the device identifier. A MAC address has two parts: the organizationally unique identifier (OUI), which identifies the device's manufacturing vendor, and a device-specific part. Since the first three bytes are known, the remaining space is 2^24, or about 16 million, addresses. Using the /v1/devices/find endpoint, it's possible to find all device MAC addresses.

Seeing MAC addresses isn't a big deal until you chain this knowledge to do more damage. The /v1/devices/confirm API is used to register a device to a particular user. When doing this, the user must know the serialNumber printed on the IoT device itself. However, the serialNumber is not checked, which allows people to register arbitrary devices.

The above attack only works if the device is unclaimed; what about already claimed devices? A hub is a device that controls multiple IoT devices at a time. Since this can be done on already registered devices, the researchers were curious about the permission capabilities of the hub. The hubs have the ability to unclaim arbitrary devices! So, using this, it was possible to unclaim a device and then register it with the previous attack. dsUpdateFoundDevices can be used to a similar effect as well.

Using the attacks above, it's possible to claim arbitrary devices. For instance, if it's a camera, we can watch the stream. The hub also has hardcoded superuser credentials, which are just the MAC address and ServiceTag on the account, both of which can be viewed from the cloud on a claimed device. This is accessible locally or remotely using the OvrC cloud. The superuser account has the ability to run arbitrary bash commands on the device by design. All of these vulnerabilities are fairly simple.
The interesting part was having them all paired together to go from not knowing anything about the device to executing arbitrary commands on it. Good research!
Analysis Summary
# Vulnerability: OvrC Cloud Platform Device Hijacking and RCE Chain
## CVE Details
- **CVE ID**: CVE-2023-25183 (and 9 others including CVE-2023-24482)
- **CVSS Score**: 9.8 (Critical)
- **CWE**: CWE-798 (Hardcoded Credentials), CWE-306 (Missing Authentication), CWE-77 (Command Injection)
## Affected Systems
- **Products**: OvrC Pro, OvrC Connect, Hub devices (Control4, Wattbox, LUMA cameras, etc.)
- **Versions**: All versions prior to May 2023 updates.
- **Configurations**: Devices connected to and managed via the OvrC Cloud platform.
## Vulnerability Description
A chain of ten vulnerabilities allows an attacker to transition from zero knowledge to full Remote Code Execution (RCE) on cloud-connected IoT devices.
1. **Device Enumeration**: The `/v1/devices/find` endpoint allows attackers to brute-force MAC addresses (only 24-bit entropy) to identify active devices.
2. **Weak Claiming Process**: The `/v1/devices/confirm` API does not validate the supplied serial number, allowing registration of arbitrary unclaimed devices to an attacker-controlled account.
3. **Hub Privilege Escalation**: OvrC Hubs possess the capability to "unclaim" existing devices. By claiming a hub, an attacker can unclaim any target device and re-register it to an attacker-controlled account.
4. **Hardcoded Superuser Credentials**: Hubs contain a hidden `superuser` account with credentials derived from the MAC address and ServiceTag, both of which are exposed via the cloud interface once a device is claimed.
5. **Command Injection**: The `superuser` diagnostics tool provides a web-based interface that allows for the execution of arbitrary bash commands.
## Exploitation
- **Status**: PoC available (demonstrated by Claroty Team82).
- **Complexity**: Low (vulnerabilities are "fairly simple" when chained).
- **Attack Vector**: Network (Remote via OvrC Cloud).
## Impact
- **Confidentiality**: High (Access to camera streams, router configs, and device data).
- **Integrity**: High (Ability to modify settings or execute arbitrary commands).
- **Availability**: High (Ability to unclaim/brick devices or disrupt smart power supplies).
## Remediation
### Patches
- **SnapOne/OvrC Update**: Released in May 2023. Vulnerabilities were addressed across two update cycles coordinated with CISA.
- Users should ensure their OvrC Hubs and connected devices are running the latest firmware provided by the cloud management interface.
### Workarounds
- Isolate IoT devices on dedicated VLANs to prevent lateral movement if a device is hijacked.
- Disable remote cloud management if not strictly necessary for the environment’s workflow.
## Detection
- **Indicators of Compromise**:
  - Unexpected "Device Unclaimed" or "Device Registered" notifications in OvrC logs.
  - Unauthorized access logs involving the hidden `superuser` account.
  - Abnormal outbound traffic from OvrC Hubs to unknown IPs.
- **Detection Methods**: Monitor API traffic for MAC address enumeration (high-frequency requests to `/v1/devices/find`).
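The enumeration pattern described above (many distinct MAC values probed against `/v1/devices/find` from one source in a short window) can be flagged from API access logs. The following is an added example written for this summary, not code from Claroty or SnapOne; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the original report or the OvrC vendor): flags
# MAC-enumeration behaviour against /v1/devices/find in constructed access logs.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed "ip [ts] \"METHOD path\" status" format.
SAMPLE_LOG = """\
203.0.113.7 [2023-05-01T10:00:00Z] "GET /v1/devices/find?mac=00:11:22:00:00:01" 200
203.0.113.7 [2023-05-01T10:00:01Z] "GET /v1/devices/find?mac=00:11:22:00:00:02" 404
203.0.113.7 [2023-05-01T10:00:01Z] "GET /v1/devices/find?mac=00:11:22:00:00:03" 404
203.0.113.7 [2023-05-01T10:00:02Z] "GET /v1/devices/find?mac=00:11:22:00:00:04" 404
203.0.113.7 [2023-05-01T10:00:02Z] "GET /v1/devices/find?mac=00:11:22:00:00:05" 404
203.0.113.7 [2023-05-01T10:00:03Z] "GET /v1/devices/find?mac=00:11:22:00:00:06" 404
198.51.100.9 [2023-05-01T10:00:05Z] "GET /v1/devices/find?mac=00:11:22:aa:bb:cc" 200
198.51.100.9 [2023-05-01T10:30:00Z] "POST /v1/devices/confirm" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)" (?P<status>\d+)$'
)
MAC_RE = re.compile(r"mac=([0-9a-fA-F:]{17})")

def parse_lines(text):
    """Yield (ip, timestamp, path, status) for well-formed lines; skip malformed ones."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield m["ip"], ts, m["path"], int(m["status"])

def find_enumerators(text, window=timedelta(seconds=60), min_requests=5, min_macs=5):
    """Return {ip: distinct MACs probed} for sources with >= min_requests hits on
    /v1/devices/find inside any `window`, covering >= min_macs distinct MAC values."""
    per_ip = defaultdict(list)  # ip -> [(timestamp, mac or None)]
    for ip, ts, path, _status in parse_lines(text):
        if path.startswith("/v1/devices/find"):
            mac = MAC_RE.search(path)
            per_ip[ip].append((ts, mac.group(1).lower() if mac else None))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each event
            in_window = [e for e in events[i:] if e[0] - start <= window]
            macs = {e[1] for e in in_window if e[1]}
            if len(in_window) >= min_requests and len(macs) >= min_macs:
                flagged[ip] = max(flagged.get(ip, 0), len(macs))
    return flagged
```

A single lookup followed by a claim (the second source) stays below the thresholds; a burst of distinct MACs from one source is flagged.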
## References
- **Vendor Advisory**: hxxps://www.cisa[.]gov/news-events/ics-advisories/icsa-23-136-01
- **Research Article**: hxxps://claroty[.]com/team82/research/the-problem-with-iot-cloud-connectivity-and-how-it-exposed-all-ovrc-devices-to-hijacking
- **Vulnerability Dashboard**: hxxps://claroty[.]com/team82/disclosure-dashboard/cve-2023-25183