Vulnerabilities found in the Logitech Harmony Hub can give adversaries root access to the device – allowing attackers to control other smart home devices linked to it, such as smart locks and connected surveillance cameras.

Researchers at FireEye’s Mandiant Red team identified four vulnerabilities in the Logitech Harmony Hub as improper certificate validation, an insecure update process, leaving developer debugger symbols behind in the production firmware and having a blank root user password.

“Exploitation of these vulnerabilities from the local network could allow an attacker to control the devices linked to the Hub as well as use the Hub as an execution space to attack other devices on the local network,” said Joel Hopwood, in a report about the vulnerabilities posted on Friday.

Hopwood said the flaws in the IoT device “present a very high risk to the users”; particularly those who rely on the hub for security such as smart locks, alarm systems and surveillance cameras.

FireEye researchers disclosed the vulnerabilities to Logitech in January 2018. Logitech released a firmware update (4.15.96), April 10, to address the findings. Public disclosure was May 4.

The Harmony Hub, a home control system, which can be used to control a variety of compatible devices in the user’s home, is designed to pair with a companion Android or iOS application over Bluetooth for its initial configuration. “Once initial pairing is complete, the Harmony application searches for Harmony Hubs on the local network and communicates with the Harmony Hub over an HTTP-based API,” Hopwood wrote.

Researchers first found that the Harmony Hub ignores invalid SSL certificates by testing out using their own self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub.

“The Harmony Hub sends its current firmware version to a Logitech server to determine if an update is available. If an update is available, the Logitech server sends a response containing a URL for the new firmware version. Despite using a self-signed certificate to intercept the HTTPS traffic sent by the Harmony Hub, we were able to observe this process – demonstrating that the Harmony Hub ignores invalid SSL certificates,” researchers wrote.

After further digging into the firmware of the Hub’s SquashFS filesystem, researchers were also able to determine that the root password of the IoT device was blank, granting complete control over the device.

Due to these two key vulnerabilities, Hopwood said he was able to hijack the Harmony Hub via its update process, essentially by sending the device a fake update package that turned on a dormant SSH server.

“Since we were able to previously observe what a real update process looked like, we could just simulate a false update to tell the Hub it has an update and tell it where to download the update from,” Hopwood told Threatpost. “Then we would download that resource onto the Hub with our own controlled web server that had a malicious update posted on it.”

Hijacking the GetJson2Uris Response

When the Harmony Hub is first initializing, it sends a GetJson2Uris request to the Logitech application programming interface (API). In response, the server sends back a huge list of URLs that the Hub needs to use for performing different processes.

That list includes a key URL called “Get Updates” that provides instruction around necessary updates given the Hub’s current firmware and installed software package versions.

Connecting over an access point set up in their lab, FireEye researchers were able to intercept and modify the GetJson2Uris response from the server; and point the instructions embedded in the Get Updates URL toward their own server.

“We could intercept that communication since the Hub wasn’t validating any SSL certs, so when it first booted up we intercepted the response for the GetJSON2Uris and set it to our own server,” Hopwood told Threatpost.

On their own local web server, researchers had created a new malicious archive. The fake update package then pointed the Hub to this update.

The Harmony Hub retrieved FireEye’s malicious update package, and after rebooting the Harmony Hub, the SSH interface was enabled. “This allowed us to access the device with the username root and a blank password,” they said.

Hopwood said the next presumable step of accessing connected devices linked to the Hub is an area he’s still looking at that’s “left as an exercise for the readers.”

Logitech, for its part, said in a statement that it has released firmware that addresses “all of the vulnerabilities that were identified.”

“As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it,” said the statement. “For any customers who haven’t yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it. ”

Logitech’s Harmony Hub is one of many insecure IoT devices – from smart thermostats to connected surveillance cameras. Smart hubs, in particular, expand the potential attack vector because they act as a hub for multiple connected devices across the home.

“Due to the fact that the Harmony Hub, like many IoT devices, uses a common processor architecture, malicious tools could easily be added to a compromised Harmony Hub, increasing the overall impact of a targeted attack,” Hopwood said in his post.