Researchers from Claroty's Team82 have revealed security vulnerabilities in the OvrC cloud platform, which businesses and consumers use to remotely manage IoT devices. The platform is used globally in the communications sector. The researchers identified 10 vulnerabilities that, when combined, allow attackers to remotely execute code on devices connected to the OvrC cloud. Both OvrC Pro and OvrC Connect are affected. Updates for eight of the vulnerabilities were released in May 2023 through a US Cybersecurity and Infrastructure Security Agency (CISA) advisory, ICSA-23-136-01, and the remaining two were addressed in an update announced Tuesday.
“Our research found 10 vulnerabilities in OvrC Pro, which provides visibility, troubleshooting, and diagnostic data for remote device management, and OvrC Connect, the company’s mobile app that enables troubleshooting and management capabilities,” explained Uri Katz in a Team82 blog post on Tuesday. “Many of these issues we’ve found stem from neglecting the device-to-cloud interface, a pattern we’ve seen in a number of other IoT platforms. In many of these cases, the main issue is the ability to cross-apply IoT devices due to weak identifiers or similar bugs. These issues range from weak access controls, authentication bypasses, failed input validation, hard-coded credentials, and remote code execution flaws.”
He said that an attacker exploiting these vulnerabilities would be able to bypass perimeter security such as firewalls and network address translation (NAT) to access the cloud-based management interface, and would also be able to enumerate and profile devices, take over devices, elevate privileges, and run arbitrary code. “Attackers who successfully exploit these vulnerabilities can access, control and disrupt devices supported by OvrC; some of these include smart electrical power supplies, cameras, routers, home automation systems, and more.”
The OvrC cloud platform can integrate with third-party devices as well as OvrC-enabled devices, even if those devices do not directly support the OvrC platform.
OvrC was acquired in 2014 by Snap One, a North Carolina-based company founded in 2005 by a group of technology integrators focused on automation technology, specifically around IoT smart devices. OvrC is used by businesses and consumers alike to configure and monitor devices remotely, via a mobile application or a WebSocket-based user interface. Supported devices include smart home automation endpoints, smart electrical switches, smart cameras, and routers.
According to an OvrC webinar from 2020, around 9.2 million devices were scanned by the platform, so it’s safe to assume that the vulnerabilities reported by Team82 researchers affected around 10 million devices across the world.
The CISA advisory lists the vulnerabilities present in Snap One’s OvrC cloud and OvrC Pro devices: Improper Input Validation, Observable Response Discrepancy, Improper Access Control, Cleartext Transmission of Sensitive Information, Insufficient Verification of Data Authenticity, Open Redirect, Use of Hard-coded Credentials, Hidden Functionality, Authentication Bypass by Spoofing, and Missing Authentication for Critical Function. Snap One has issued updates and fixes for the affected products. These include the automatic deployment of OvrC Pro v7.2 and v7.3 to devices via the OvrC cloud and the elimination of UPnP.
Katz explained that the researchers were able to take over all OvrC cloud-connected devices.
“We found that by default all devices try to reach out to the OvrC cloud immediately when connected, meaning even if users don’t manually choose to use the OvrC cloud, their devices are still part of the OvrC cloud as ‘unclaimed’ devices, making them vulnerable to the vulnerabilities we found,” Katz said. “Furthermore, in our research, we discovered that we can make and personalize any OvrC cloud-related tool we want. We could send messages to the cloud on behalf of any device just by knowing its MAC address (which is not a secret).”
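The weakness Katz describes, a cloud that identifies a device by its MAC address alone, contrasted with a check that requires proof of a per-device secret. This is an added illustration, not OvrC's protocol or code; the message fields, the key registry and the HMAC-plus-counter scheme are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed registry: one secret per device, provisioned out of band (assumption).
DEVICE_KEYS = {"00:11:22:33:44:55": b"constructed-per-device-secret"}


def accept_by_mac_only(msg: dict) -> bool:
    """Weak pattern: the MAC address is the only thing identifying the sender."""
    return msg.get("mac") in DEVICE_KEYS


def sign(mac: str, payload: dict, ctr: int, key: bytes) -> str:
    """Device side: MAC over the identifier, payload and a message counter."""
    body = json.dumps({"mac": mac, "payload": payload, "ctr": ctr}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class CloudVerifier:
    """Cloud side: require a valid signature and a strictly increasing counter."""

    def __init__(self, keys: dict):
        self.keys = keys
        self.last_ctr = {}

    def accept(self, msg: dict) -> bool:
        key = self.keys.get(msg.get("mac"))
        ctr, sig = msg.get("ctr"), msg.get("sig")
        if key is None or not isinstance(ctr, int) or not isinstance(sig, str):
            return False
        expected = sign(msg["mac"], msg.get("payload"), ctr, key)
        if not hmac.compare_digest(expected.encode(), sig.encode()):
            return False  # sender does not hold the device secret
        if ctr <= self.last_ctr.get(msg["mac"], -1):
            return False  # replayed or out-of-order message
        self.last_ctr[msg["mac"]] = ctr
        return True


def demo() -> dict:
    mac, key = "00:11:22:33:44:55", DEVICE_KEYS["00:11:22:33:44:55"]
    payload = {"status": "online"}  # constructed sample payload
    genuine = {"mac": mac, "payload": payload, "ctr": 1,
               "sig": sign(mac, payload, 1, key)}
    spoofed = {"mac": mac, "payload": payload, "ctr": 2, "sig": "0" * 64}
    verifier = CloudVerifier(DEVICE_KEYS)
    return {
        "mac_only_accepts_spoof": accept_by_mac_only(spoofed),
        "verifier_accepts_spoof": verifier.accept(spoofed),
        "verifier_accepts_genuine": verifier.accept(genuine),
        "verifier_accepts_replay": verifier.accept(genuine),
    }
```
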
In conclusion, Team82 pointed out that with more devices coming online every day and cloud management becoming the main way to configure and access services, the onus is more than ever on manufacturers and cloud service providers to secure these devices and connections.
“Our research on OvrC shows how an attacker can exploit a handful of vulnerabilities to access, disrupt or manipulate IoT devices,” said Katz. “In this case, we were able to enumerate all devices managed by OvrC, application devices using known – and unknown secrets, and also to imitate or overwrite them. In some cases, we were able to execute arbitrary code.”
He said the resulting impact can affect connected power supplies, business routers, home automation systems, and other devices connected to the OvrC cloud. “Our research shows common security vulnerabilities and weaknesses across the IoT and how attackers can exploit them.”
Last month, the US House Committee on Homeland Security contacted CISA and the Federal Bureau of Investigation (FBI), requesting a briefing by November 1 regarding the recent cyber intrusion by ‘Salt Typhoon,’ a threat actor linked to the People’s Republic of China. The hacker group has specifically targeted major Internet service providers, including AT&T, Verizon, and Lumen Technologies. By then, bipartisan members of the US House Energy and Commerce Committee had issued letters to telecommunications vendors, urgently seeking explanations and demanding briefings after outages on their communications networks by hackers connected to the Chinese government.