#############################################################
#
# SWISSCOM CSIRT ADVISORY
# https://www.swisscom.ch/en/about/company/portrait/network/security/bug-bounty.html
#
#############################################################
#
# ID:       CVE-2018-15476
#           CVE-2018-15477
#           CVE-2018-15478
#           CVE-2018-15479
#           CVE-2018-15480
# Product:  myStrom WiFi Switch, Bulb, LED Strip, Button, Button Plus
# Vendor:   myStrom AG
# Subject:  Multiple IoT device vulnerabilities
# Credits:  Jan Almeroth (@almeroth)
# Handling: Stefan Kuch, Daniel Roethlisberger (csirt _at_ swisscom.com)
# Date:     2018-08-29
#
#############################################################


Summary
-------
Multiple vulnerabilities were fixed in the myStrom WiFi product line which, in
combination, allowed a determined attacker either to remotely take full control
of myStrom devices before their registration by their rightful owner, or to
locally take full control of the devices by manipulating their network
traffic in a Man-in-the-Middle attack, regardless of their registration status.

Combined CVSS score of the vulnerabilities in this advisory:
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)


Remediation
-----------
Customers are advised to update their myStrom devices to the latest firmware.
All vulnerabilities in this advisory have been addressed in the following
firmware versions, published 2018-08-11:

myStrom WiFi Switch V1          2.66
myStrom WiFi Switch V2          3.80
myStrom WiFi Switch EU          3.80
myStrom WiFi Bulb               2.58
myStrom WiFi LED Strip          3.80
myStrom WiFi Button             2.73
myStrom WiFi Button Plus        2.73


Insecure device registration (CVE-2018-15478)
---------------------------------------------
The process of registering a device with a cloud account was based on an
activation code derived from the device MAC address.  By guessing valid MAC
addresses or using MAC addresses printed on devices in shops, and by reverse
engineering the protocol, an attacker would have been able to register
previously unregistered devices to their own account.  When the rightful owner
later connected such devices to their WiFi network after purchase, the devices
would not have registered with the owner's account, would subsequently not have
been controllable from the owner's mobile app and would not have been visible in
the owner's account.  Instead, they would have been under the attacker's control.

In combination with the lack of server certificate verification
(CVE-2018-15476) and server URL reconfiguration (CVE-2018-15480), a determined
attacker would have been able to take full control over devices without
breaking them for their real owners, by first reconfiguring them to talk to an
attacker-controlled rogue cloud API and then deregistering the devices in time
before registration by their real owners.

The attack only worked on unregistered devices; while registered to an
account, devices were immune to the attack.  The attack would have left
traces on the server side; there is no indication that the attack has been
successfully carried out by any attacker.

This vulnerability was addressed by issuing a device token to the device as
part of registration and authenticating later communication using that device
token.

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:L (7.0)


Lack of server certificate verification (CVE-2018-15476)
--------------------------------------------------------
The SSL/TLS server certificate in the device to cloud communication was not
verified by the device.  As a result, an attacker in control of the network
traffic of a device could have taken control of a device by intercepting and
modifying commands issued from the server to the device in a Man-in-the-Middle
attack.  This included the ability to inject firmware update commands into the
communication and cause the device to install maliciously modified firmware.

This vulnerability was addressed by adding server certificate verification.

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (7.5)
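The following is an added illustration of the fix described above (it is not myStrom firmware code): a device-side TLS client context mirroring the vulnerable behaviour, the hardened counterpart, and an audit helper that flags the settings a reviewer would look for.  CLOUD_HOST and the CA file argument are placeholders.

```python
import ssl
import socket

# Placeholder for the real device-to-cloud API host (assumption, not from the
# advisory).
CLOUD_HOST = "cloud.example.invalid"


def make_insecure_context():
    """Client context mirroring the vulnerable behaviour: any certificate a
    server presents, including a MITM's self-signed one, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def make_device_tls_context(ca_pem_path=None):
    """Hardened client context: chain verified against a trust store (ideally
    the vendor CA shipped with the firmware), hostname checked, TLS >= 1.2."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_pem_path)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_tls_context(ctx):
    """Return the weaknesses a reviewer would flag in a client context; an empty
    list means the cloud server's identity is actually verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate chain is not verified")
    if not ctx.check_hostname:
        findings.append("certificate hostname is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are allowed")
    return findings


def connect_to_cloud(ctx, host=CLOUD_HOST, port=443):
    """Open the device-to-cloud connection.  With the hardened context this
    raises ssl.SSLCertVerificationError when an interposed server presents a
    certificate that does not chain to the trust store or name the host."""
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

Firmware update commands and any other server-to-device command should only be accepted over a connection established with the hardened context.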


Lack of device authentication (CVE-2018-15479)
----------------------------------------------
Devices did not authenticate themselves to the cloud in device to cloud
communication.  This lack of device authentication allowed an attacker to
impersonate any device by guessing or learning its MAC address, and allowed
injection of fake metrics into that device's cloud statistics.

This vulnerability was initially addressed by adding device authentication
based on the device token issued as part of registration.  The fix was later
improved on the server side to prevent replay attacks and cross-account device
impersonation within authenticated sessions.  Note that the replay attack is
also prevented by server certificate verification (fix for CVE-2018-15476).

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (5.3)


OS command injection (CVE-2018-15477)
-------------------------------------
myStrom WiFi Switch V1 devices did not sanitize a parameter received from the
cloud that was used in an OS command.  Malicious servers were able to run
operating system commands on the device.  In combination with the lack of
server certificate verification (CVE-2018-15476), this would have been possible
for attackers in control of the network traffic of a device in a
Man-in-the-Middle attack, and in combination with insecure device registration
(CVE-2018-15478) and server URL reconfiguration (CVE-2018-15480), for attackers
who maliciously registered and reconfigured a device to use their rogue server
URL.

This vulnerability was addressed by sanitizing the parameter appropriately.

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
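Added illustration of the vulnerable pattern and its remediation (constructed example, not the Switch V1 firmware): the advisory does not name the parameter or the OS command, so the "ntp_host" parameter and the ntpdate invocation are placeholders.  The fixed variant validates the value against an allowlist grammar and passes it as a single argv element, so no shell ever interprets it.

```python
import re
import subprocess

# Conservative hostname grammar; anything outside it is rejected.  The real
# parameter and command are not named in the advisory (assumption).
NTP_HOST_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def build_command_vulnerable(cloud_params):
    """Before the fix: the cloud-supplied value is spliced into a shell
    command string, so shell metacharacters in it become extra commands."""
    return "ntpdate -u " + cloud_params.get("ntp_host", "")


def validate_ntp_host(value):
    """Allowlist check: only hostname characters, bounded length."""
    return isinstance(value, str) and NTP_HOST_RE.fullmatch(value) is not None


def build_command_fixed(cloud_params):
    """After the fix: reject values outside the grammar and return an argv
    list; subprocess.run(argv) executes it without a shell."""
    host = cloud_params.get("ntp_host", "")
    if not validate_ntp_host(host):
        raise ValueError("ntp_host rejected: %r" % host)
    return ["ntpdate", "-u", host]


def run_fixed(cloud_params):
    """Execute the sanitized command (shell=False is the default and is kept
    explicit here to document the intent)."""
    return subprocess.run(build_command_fixed(cloud_params), shell=False)
```

The vulnerable builder is kept only to show the shape of the defect; with a value such as "a; echo injected" the resulting string carries a second command, while the fixed builder rejects the same value before anything is executed.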


Server URL reconfiguration (CVE-2018-15480)
-------------------------------------------
The cloud API had a hidden parameter, which allowed an authenticated user to
reconfigure the server URL for a device registered to their account.  This
would cause a server URL reconfiguration command to be pushed to the device.
In combination with insecure device registration (CVE-2018-15478) and lack of
server certificate verification (CVE-2018-15476), this allowed an attacker to
reconfigure a maliciously registered device to their own rogue replica of the
myStrom API and issue commands to the device, including firmware update
commands.

This vulnerability was addressed by removing the hidden parameter.

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H (6.5)


Credits
-------
The vulnerabilities were discovered by Jan Almeroth (@almeroth).


Timeline
--------
2018-05-08  Vulnerabilities initially reported to myStrom AG
2018-08-08  CVE-2018-15480 fixed
2018-08-11  CVE-2018-15478, CVE-2018-15476, CVE-2018-15479, CVE-2018-15477 fixed
2018-08-12  Vulnerability management transferred to Swisscom CSIRT
2018-08-17  CVE IDs assigned by MITRE
2018-08-22  CVE-2018-15479 fix improved (server-side)
2018-08-29  Public release of advisory