Ever wanted to lock and unlock your front or garage doors remotely?
Zipato’s ZipaMicro Z-Wave smart hub controller offers a simple and relatively cheap way of doing that with the added benefit that it works with all sorts of smart home products – security cameras, sensors, heating controls, light bulbs, and IoT-enabled locks – from third parties.
Unfortunately, according to Black Marble researchers Chase Dardaman and Jason Wheeler, there’s a catch – the Zipato controller has three critical security flaws which could be used together by hackers to open your home’s doors for you.
Security flaws in IoT sounds like a routine story until you read that the headline vulnerability uncovered by Black Marble during a February 0DAYALLDAY Research Event (CVE-2019-9560) allowed the researchers to recover the device’s private Secure Shell (SSH) key from the Zipato’s onboard SD Card.
That’s bad news because SSH is a security protocol making possible secure communications between the device and the local or remote user (i.e. you, when you’re instructing the hub to unlock a door).
According to the researchers, an attacker armed with this private key – stored in a password-protected sub-directory called ‘/etc/dropbear/’, cracked without much difficulty, and with the hard-to-guess name ‘dropbear_rsa_host_key’ – would be able to log in to the hub as ‘root’ to poke around in its inner workings.
(Almost incidentally, the researchers say they discovered that every Zipato hub had been hard-coded with the same private key, a bizarre security oversight.)
After using this to attempt to find and unscramble the device’s access password, the researchers discovered the hub was using a ‘pass-the-hash’ design that allowed them to log in simply by passing the Zipato API the object.json file – in other words, without knowing the plaintext password, only its hash (CVE-2019-9561).
With that, the researchers could log in posing as the homeowner, complete with the power to control any devices connected to the hub, which they demonstrated with a proof-of-concept script.
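To make the pass-the-hash weakness concrete, the following added example (not from Black Marble's research or Zipato's code) models a login where the stored hash is itself the credential, beside a design where a value read from storage cannot be replayed. The function names, the challenge format and the sample password are assumptions for illustration, and the hardened model assumes the password travels over an encrypted channel.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"  # constructed sample, not a real credential

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

# --- Weak model (hypothetical): the stored hash is the login secret ---
def weak_enroll(password):
    return sha256_hex(password)  # unsalted hash kept on the device

def weak_token(secret_hash, nonce):
    # The client answers the server's nonce using only the hash.
    return sha256_hex(nonce + secret_hash)

def weak_login(stored_hash, nonce, token):
    return hmac.compare_digest(weak_token(stored_hash, nonce), token)

# --- Hardened model: the server hashes whatever is submitted ---
def strong_enroll(password, iterations=200_000):
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key

def strong_login(record, submitted):
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

def demo():
    # Weak: a value read from storage answers a fresh challenge, no password needed.
    stored = weak_enroll(PASSWORD)
    nonce = os.urandom(8).hex()
    replay_accepted = weak_login(stored, nonce, weak_token(stored, nonce))
    # Hardened: replaying the stored key as the "password" is rejected,
    # while the real password still works.
    record = strong_enroll(PASSWORD)
    replay_rejected = not strong_login(record, record[2].hex())
    return replay_accepted, replay_rejected, strong_login(record, PASSWORD)

if __name__ == "__main__":
    print(demo())
```

In the weak model the stored hash is password-equivalent, so protecting the plaintext password gains nothing once storage is readable; in the hardened model the stored key is only ever a comparison target.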
It gets worse
In a private home, this would be bad enough, but Zipato’s hub might also be used to secure numerous apartment addresses under one account. Cracking the Zipato using a second remote pass-the-hash authentication API vulnerability (CVE-2019-9562) would give local attackers the ability to open all of their front doors.
The one barrier to exploiting these flaws is that attackers would need to be on the same Wi-Fi network as the Zipato, which might not be hard in a setting where the same security password was being handed out to large numbers of people.
A remote hack would only be possible if the hub is directly connected to the internet – which barely any of the 100,000+ hubs sold appear to be, judging from the tiny number found through the Shodan search engine.
Nevertheless, one concerning part of this story is how smart hubs such as the Zipato seem to be spreading to apartment complexes. That’s not an issue when they work as advertised but means that one unpatched hub could potentially be used to expose numerous homes as a single point of security failure.
Zipato claims it has issued patches for the three CVEs mentioned above, which as far as we can tell means applying v1.3.60 or later, which appeared in March after the company was told of the issues.
The company’s advice on the updating process can be found here.