Dutch researcher finds critical leak in Fibaro-domotic system


Recommended Posts

Posted

Thanks @T.Konopka for your story even on sunday :-D


Posted

Hi @T.Konopka

Thanks for the explanation and I appreciate that you took the time over the weekend to prepare and post.

I am running 4.140 but I am sure that there are many that are not. Additionally some of these users may be infrequent visitors to this forum.

Is there any way Fibaro could send something to users that are running firmware pre 4.140, as you already have their email addresses from when they registered their Fibaro ID? I appreciate this may take a little effort but think it would be a nice gesture to inform them and give them the option to upgrade.

Would this be possible?

Posted

Hi @AutoFrank,

probably the same way as the new FW releases are announced... ?!?

Posted (edited)

@T.Konopka,

Once again thank you for going into further detail. However, the way in which Fibaro has handled this security incident is far from professional and it is very clear to me that Fibaro have not developed a response framework for security issues such as this. An organisation of Fibaro's scale selling hardware on a global market has a responsibility to ensure the security and integrity of its systems and safeguard their users' devices and information to the best of their ability.

I'm sorry @Fibaro but you have failed! And even now there are HC's in the field with open ports and un-patched. Why has there not been a security bulletin to all these owners??

I have added some dot points below as points of reference to improve on.

Quote

When verifying the vulnerability we estimated that the possibility of any attack using the vulnerability is very low.

  • How did you estimate this? Did you cross your fingers and hope the "Blogger" didn't go public?

Quote

We did not get any signals from users that something unexpected is going on with the system, so we deduced that no system has been exposed

  • What framework do you have in place that allows your support teams to recognise patterns to identify a potential security breach??
  • Did you consider the users that have become accustomed to devices not functioning as expected during the last few releases? They may not even bother reporting them.

Quote

Moreover, as you can see the blogger informed about his finding after the threat was eliminated. We knew that he will post about it.

  • You admit Fibaro knew the blogger would post about his findings. This is pure negligence on Fibaro's part, as Fibaro have now admitted that they knew that a security breach was possible, they developed a patch secretly and deployed it disguised in a standard release update, and did not take any further action to ensure their user base was secure. This is wrong on so many levels. What about the users that haven't patched their systems yet?? The blogger has posted his findings to the world and every script kiddy on the planet is now going to target these machines..
  • There needs to be a press release to warn of the potential threat. This goes deeper than someone turning your lights on and off, as the attackers can gain root access and potentially use it as a stepping stone to launch any number of attacks.

Quote

Hopefully, this explanation is satisfying. The most important part is that the threat was eliminated :)

  • I'm sorry, the threat won't be eliminated until you make certain that no Fibaro system is left un-patched.

As stated before @T.Konopka, this is not aimed at you in any way, I am just extremely disappointed in the lack of urgency Fibaro have displayed on this occasion.

Edited by Robert Folbigg
Posted (edited)
1 hour ago, Bodyart said:

probably the same way as the new FW releases are announced..

not even as complicated as that 

  • Search database for systems still running pre 4.140 fw
  • Identify Fibaro ID email addresses for these systems
  • Prepare an email/bulletin in plain language outlining the risk of running fw pre 4.140
  • Send at least twice to identified users

..101 communications bth

Edited by AutoFrank
Posted (edited)

And/Or send to all users frequently some newsletter with all relevant info by e-mail :-)

Edited by Bodyart
Posted

@Bodyart,

4 minutes ago, Bodyart said:

And/Or send to all users frequently some newsletter with all relevant info by e-mail :-)

While this would be nice to have on any given day of the week, security incidents require a special bulletin. People become complacent about common newsletter-type email and often won't read it. However, if they receive something with the title ### IMPORTANT FIBARO SECURITY BULLETIN ### they will read it.

Posted

Hi @Robert Folbigg,

totally agree! But as I understood the story of @T.Konopka, at Fibaro they were afraid of panic :-D
Posted

Hello! :)

Our team analyzed the potential threat in regards to the detected vulnerability. As there are certain factors that have to be met in order to expose the system (public IP, open ports), we deduced that the threat concerns only a small number of systems. Informing about that publicly would cause panic and we wanted to avoid that. Moreover, we were not notified about any incidents that would imply that the vulnerability was exploited.

Of course, we knew that the blogger would post about this. We were in constant contact with the blogger and he knew that it would be unwise to blog about the vulnerability before we fixed it. He discovered it, he tested the patch himself and he gave us feedback. We can't imagine what would happen if the information went public before the patch.

We always encourage our users to update to the newest stable release, however we cannot force anyone to do that. We also recommend using the dedicated remote access offered by our services, which is safe, and the vulnerability did not concern our remote access, but also we cannot force anyone to use that.

@AutoFrank, thank you for your suggestion about how to inform the users. We will definitely make sure that every user is informed about the necessity of the update.

Finally, we are gathering feedback from you about our communication and we are already working on improving it. Hopefully, you will see improvement with the next release ;)

Posted

Not sure why so many people get upset with this potential threat. Don't you all use a computer with an operating system.... how safe is that? Or your mobile phone? Home wi-fi?
Any system is hackable, if you have the right skills, or just g00gling around a little. ;)

I trust my Fibaro and the Fibaro team. They do a great job, of course with some glitches, but overall everything runs smoothly. 
Posted

@jompa68,

While your statement is true, all internet connected systems are potentially at risk of being hacked any day of the week, it's not the fact Fibaro had a weakness that has "upset every one". 

Our displeasure was the result of Fibaro failing to inform end users. In my case I have several HC2 devices within corporate networks where I am also responsible for upkeep of network security and IT systems. Had I not stumbled across this thread I may not have proceeded to update these devices as quickly as I did. If one of these sites were compromised as a result I would be held accountable and potentially lose customers or pay hefty bills to repair damages.

I don't think it is unrealistic to expect information to be made available quickly to allow people such as myself to respond in our own way to the threat.

I can assure you that if Microsoft was informed of a similar problem they would not react several weeks later; there would be a security bulletin released as soon as possible and TechNet articles on how to mitigate the risk would quickly follow.

If we don't provide this feedback, Fibaro can't improve their communications. It's very easy for a large company such as Fibaro to lose sight of the impact these instances can have on their end users.

And for the record I still love Fibaro. ;)

Posted

Hello,


4 hours ago, jompa68 said:

I trust my Fibaro and the Fibaro team. They do a great job, of course with some glitches but overall everything runs smoothly.

Wow! Thank you for such kind words! ;)


59 minutes ago, Robert Folbigg said:

Our displeasure was the result of Fibaro failing to inform end users. In my case I have several HC2 devices within corporate networks where I am also responsible for upkeep of network security and IT systems. Had I not stumbled across this thread I may not have proceeded to update these devices as quickly as I did. If one of these sites were compromised as a result I would be held accountable and potentially lose customers or pay hefty bills to repair damages.

I don't think it is unrealistic to expect information to be made available quickly to allow people such as myself to respond in our own way to the threat.

If we don't provide this feedback, Fibaro can't improve their communications. It's very easy for a large company such as Fibaro to lose sight of the impact these instances can have on their end users.

And for the record I still love Fibaro. ;)

We are grateful for the feedback ;) We are learning every day and we try to improve every day as well. This situation gives us a good lesson :)


And of course, we love you too :D

Posted

@Fibaro 

I suggest you take a leaf out of Synology's book, since 'Synolocker' ransomware, which also spread through users exposing their Synology NAS directly to the internet, hit them hard. In that instance they sent out a Security Bulletin telling users to upgrade their systems and where to go to get help from support. This is the minimum I would expect to keep trust with users in these kinds of incidents.

Not everyone keeps an eye on the latest version of firmware/software levels, and once you have a stable system you are even less likely to update unless the manufacturer tells you it plugs security vulnerabilities.

I must say I am disappointed that neither an email was sent about this, nor does it appear to be mentioned in the release notes. Regardless of how well you think you've got it covered, there will be users out there and they are still at risk now, no matter how low. It's very easy for a script kiddy to now gain what appears to be low-level access to their Fibaro systems :(
