First Entry: Thursday April 30, 2020, 7:10 p.m.
ESET's IoT (Internet of Things) research team identified multiple serious security vulnerabilities in three different smart home central units: Fibaro Home Center Lite, HomeMatic Central Control Unit (CCU2) and eLAN-RF-003. These central units are used to control connected devices in "smart homes" and other environments in thousands of homes and businesses in Europe and around the world.
An intruder could exploit some of the vulnerabilities to carry out man-in-the-middle (MitM) attacks, intercept communications, install backdoors, or even gain full (root) access to the devices and their contents. In the worst case, the vulnerabilities could allow an intruder to take control of the central units and all the peripheral devices they control.
Although these central units are mainly used in homes and small offices, they are also a potential risk factor for companies. This risk becomes even greater since many employees work from home at this time.
ESET reported the results of the investigation to the manufacturers of these devices. Fibaro proved to be extremely cooperative, solving most problems within a few days. eQ-3 followed standard procedures and updated its devices within the standard 90-day period. Elko fixed some of the security vulnerabilities in its devices within the standard 90-day period. Some of the vulnerabilities have been fixed in newer versions of the devices but remain in older ones, and the manufacturer claims that there are limitations due to hardware compatibility.
"We realized that there are multiple security vulnerabilities in IoT (Internet of Things) devices. At the same time, our research suggests that configuration vulnerabilities, lack of encryption or authentication are not just problems with low-end financial devices, but are often found in high-end devices," said Ondrej Kubovič, security and information specialist at ESET.
It is important to note that the vulnerabilities described in this article were reported to the manufacturers in 2018, and the manufacturers then released updates to fix most of them. Publication of the findings was later delayed while ESET focused its investigation on other security holes that still existed. However, given the increased security needs that apply today, ESET is also publishing the results of this earlier research so that all owners of the affected devices are informed and install the updates on their devices, increasing security and reducing risk.
Last update: Thursday, April 30, 2020, 19:10