HC2/HCL vulnerability <v4.140

[MaTi 29]

Hi all,

 

Just figured I'd share this with you all, to make you all aware and to stress out the importance to update your gateway!!!

 

Please login or register to see this link.

 

Good to see it is fixed. It does leave one wonder about Fibar's security policies and why the heck this had to take over half a year to get patched.

Alse when there is a confirmed patch.. Why has there not been an emergency patch?

Edited September 27, 2017 by MaTi

[barend121 13]

The good:

The vurnerability was only active from the internet when (wrongly) portforward your HC2 to the internet and ofcourse local.

The amount of work to solve this internally is quite big in my estimation; other update procedure (with disabling the script, etc) good work Fibaro!

 

The bad:

No responsable disclosure

No message to their users (security by obscurity is not a very good practice, keep initiative Fibaro, don't wait for the news)

maybe not a very strong and secure system

 

The Ugly:

Hard to get this sort of messages to the right persons at Fibaro, this is ugly and should have to go better. And a T-shirt.. .come on Fibaro.. at least an actor or a HC2 as a reward

 

Next steps:

Try to contact the 194 users who are directly connected (look at the shodan) to the internet (maybe using abuse proces of ISP's, maybe by some intelligence at the fibaro HQ with some notifications inserted to the homegateway webinterface. 

 

 

[Sankotronic 2,370]

Thank you @MaTi, but this theme was already opened here:

 

 

[MaTi 29]

Ah! Hadn't seen it.. Thanks @Sankotronic. Ill join that thread

[petergebruers 1,268]

Seems a fairly decent issue with bluetooth was found out recently:

 

Please login or register to see this link.

 

The technical part: "The most salient point about the Blueborne vulnerability is that it does not require permission to pair Bluetooth devices or any action by the user (such as clicking a link or downloading a file). Simply being in range with Bluetooth enabled is enough, even if your device is not set to be discoverable. Hence the name BlueBorne, a combination of Bluetooth and "airborne" to highlight the ability for an attack to spread "through the air". It does not rely on a physical connection or an Internet connection, and for the most part, all Bluetooth-enabled devices can be discovered trivially by other Bluetooth enabled devices.

This is possible because the only information you need to be able to send traffic to a Bluetooth device is its Bluetooth Device Address/MAC address (BDADDR)—and this can be obtained through Bluetooth packets which contain enough plaintext information in its header that the BDADDR can be guessed. And, if not, the adapters for Wi-Fi and Bluetooth are usually the same, in which case extrapolating from the more accessible Wi-Fi MAC address is possible."

 

I think the main issue is older stuff just does not use up-to-date encryption/authentication/security. Hence the "S2" initiative of the Z-Wave alliance...

 

Please login or register to see this link.

 

[T.Konopka 8]

Duplicate.