Flaws in Logitech's Harmony Hub devices allowed hackers to gain root access
Last year, Logitech announced that the security certificate of its Harmony Link IoT device, which allowed users to control their home cinema setup using a universal remote control, was to expire on 16 March 2018.
Last year, Logitech announced that the security certificate of its Harmony Link IoT device, which allowed users to control their home cinema setup using a universal remote control, was to expire on 16 March 2018. However, the firm said that instead of renewing the certificate, it would offer users a new Harmony Hub device which would be a much-improved version of Harmony Link.
While the company initially offered Harmony Hub to existing Harmony Link users at a 35 percent discount, the firm later decided to offer the new product to all affected users for free after users complained that they were being offered a raw deal. Unlike its predecessor, Harmony Hub supports many new IoT devices such as the Amazon Echo family, the Alexa family, Philips Hue Lighting, and Nest smart thermostats.
Researchers from security firm FireEye's Mandiant Red Team recently discovered that the new Logitech Harmony Hub IoT device featured several security vulnerabilities which, if exploited, could allow an attacker not only to gain "root access to the device via SSH", but also to control all IoT devices linked to the Hub.
They added that since the Hub supported devices such as smart locks, smart thermostats, and electrical devices, an attacker could pose a very high risk to owners of the Harmony Hub.
Security vulnerabilities identified by the researchers in Harmony Hub included improper certificate validation, an insecure update process, developer debugging symbols left in the production firmware image, and the presence of a blank root user password.
The researchers demonstrated how they used a combination of the vulnerabilities to gain administrative access to the device, and observed that attackers could easily add malicious tools to a compromised Harmony Hub, thereby increasing the overall impact of a targeted attack.
After extracting the device's firmware and examining it, the researchers observed that the root user had no password configured, thus allowing an attacker to gain root access to the Harmony Hub through SSH without a password after enabling the dropbear SSH server.
The SSH interface was also enabled after they managed to supply a malicious URL to a Harmony Hub device when it was checking for updates. The device retrieved the malicious update package and after being rebooted, could be accessed by the researchers with the username root and a blank password.
Logitech was alerted about the vulnerabilities in Harmony Hub in late-January, following which the company worked with the researchers to create a new firmware to address the vulnerabilities. In a blog post published last week, it admitted that if a malicious hacker had already gained access to a Hub-users network, these vulnerabilities could be exploited.
"As soon as FireEye shared their research findings with us, we reviewed internally and immediately started to develop firmware to address it. As of 10 April, we have released firmware that addresses all of the vulnerabilities that were identified.
"For any customers who haven't yet updated to firmware version 4.15.96, we recommend you check the MyHarmony software and sync your Hub-based remote and receive it," the company said.
Commenting on the discovery of security vulnerabilities in Harmony Hub, Javvad Malik, security advocate at AlienVault, told SC Magazine UK that the reason why there are many flaws within IoT equipment is because there currently isn't a big driver or requirement placed on manufacturers of secure smart devices or other IoT.
He added that since manufacturers usually procure physical components and software from different vendors, they find it difficult to identify where vulnerabilities lie and how to patch them effectively.
"Having a robust assessment at design stage, including independent third party assessments of code and penetration test. They should also build in customer-friendly security controls, such as requiring the user to change the default password upon first use, and having a convenient way to deploy and install patches.
"While security for IoT devices can incur a cost, and slow development time, given the nature of the type of data IoT devices can collect, and their deployment, it is an area that must be invested in," he added.
Ed Williams, EMEA director of SpiderLabs at Trustwave, told SC Magazine UK that IoT is currently the wild west of security and today's IoT devices contain issues that we would have seen ten years ago in other areas of security.
"Secure by design is massively important in terms of IoT, creating accurate threat models should underpin all aspects of the design and development phases. Patching, passwords and configurations are the key to robust IoT and we're not seeing any of this at the moment," he lamented.
When asked if implementing "security by design" is a costly and time-consuming process for IoT device manufacturers, he said that 'secure by design' is, in fact, the recommended method of creating products. He added that if security can be baked-in from the beginning, IoT devices will inherently be more secure than bolting security on at the end.
"In the long-term, it'll also be less-expensive and less-time-consuming; for example, using an SDLC (Secure Development Lifecycle) will quickly identify blank root accounts as a bad idea and implement best practices around this. Using an SDLC will also ensure that the same mistake isn't made twice, which is always key," he added.