Vulnerability in the Rubetek Home smart-home app | Kaspersky official blog
Smart homes today are nothing like the science fiction in late-90s movies. They’re a reality for almost everyone living in a major city. You’d be hard-pressed to find a modern apartment without smart electricity outlets, speakers, or TVs. In new construction, you’ll sometimes see homes built smart right from the get-go, which results in entire smart residential complexes. Residents can manage not just their in-apartment devices, but also external systems like intercoms, cameras, gates, utility meters, and fire alarms – all through a single app.
But what happens if there’s a security hole in an app like that? Our experts in the Global Research and Analysis Team (GReAT) know the answer. They’ve uncovered a vulnerability in the Rubetek Home app and explored the potential security risks for smart-home owners, which, thankfully, didn’t materialize.
What the vulnerability was all about
This vulnerability stemmed from the app sending sensitive data during its logging process. The developers used the Telegram Bot API to collect analytics and send debug information files from users to a private development-team chat via a Telegram bot.
The problem was that these files, in addition to system information, contained users’ personal data and, more critically, refresh tokens needed to authorize access to the user’s account. Potential attackers could have forwarded all these files to themselves using the same Telegram bot. To do this, they could obtain its Telegram token and the chat ID from the app code, and then iterate through the sequential numbers of messages containing the files.
Recently, logging events via Telegram has become increasingly popular. It’s convenient and fast to receive important notifications in a messenger. However, this approach requires caution: we recommend not forwarding sensitive data in application logs and, in addition, prohibiting copying and forwarding of content from the group in Telegram settings, or using the protect_content parameter when sending a message through a Telegram bot.
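As an added illustration of those two recommendations (not code from the original post or from Rubetek), the Python snippet below scrubs a constructed debug report of personal data and session tokens before it is attached, and builds the Telegram Bot API sendDocument request with protect_content set so the message cannot be forwarded. The report layout, the sensitive key names, and the token pattern are assumptions for the sample; the bot token is a placeholder and should live server-side, never in the client app.

```python
import json
import re
from typing import Any

# Constructed sample debug report (not real Rubetek data), mixing system info with
# personal data, session tokens, and a free-text trace that also leaks a token.
SAMPLE_REPORT = {
    "app_version": "1.2.3",
    "os": "Android 13",
    "user": {"full_name": "Jane Doe", "email": "jane@example.com", "phone": "+10000000000"},
    "auth": {"refresh_token": "rt_abcdef1234567890", "access_token": "at_0987654321fedcba"},
    "devices": [{"type": "camera", "ip": "192.168.1.20", "mac": "AA:BB:CC:DD:EE:FF"}],
    "trace": "auth failed, token=rt_abcdef1234567890 retrying",
}

# Keys whose values must never reach a chat-based log sink (assumed names for the sample).
SENSITIVE_KEYS = {"refresh_token", "access_token", "email", "phone", "full_name", "mac", "ip"}
# Assumed token shape for the sample: short prefix, underscore, 12+ alphanumerics.
TOKEN_PATTERN = re.compile(r"\b[a-z]+_[A-Za-z0-9]{12,}\b")


def scrub(value: Any) -> Any:
    """Recursively redact sensitive keys and token-like substrings in free text."""
    if isinstance(value, dict):
        return {k: ("[REDACTED]" if k in SENSITIVE_KEYS else scrub(v)) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v) for v in value]
    if isinstance(value, str):
        return TOKEN_PATTERN.sub("[REDACTED]", value)
    return value


def build_send_document_request(bot_token: str, chat_id: str, report: dict) -> dict:
    """Build the Telegram sendDocument call: scrubbed payload, forwarding/saving disabled.

    Returns the request pieces (url, form data, file) so they can be inspected offline;
    a real sender would pass them to requests.post(url, data=..., files=...).
    """
    body = json.dumps(scrub(report), indent=2)
    return {
        "url": f"https://api.telegram.org/bot{bot_token}/sendDocument",
        "data": {"chat_id": chat_id, "protect_content": True, "caption": "debug report (scrubbed)"},
        "files": {"document": ("report.json", body)},
    }


if __name__ == "__main__":
    req = build_send_document_request("BOT_TOKEN_PLACEHOLDER", "CHAT_ID_PLACEHOLDER", SAMPLE_REPORT)
    print(req["files"]["document"][1])
```

Scrubbing at the sending side is the primary control; protect_content only limits what the Telegram client lets a chat member do with a message after it has been received.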
Important note: we contacted Rubetek immediately upon discovering the vulnerability. At the time of this post, the issue had been fixed.
Potential attackers could have gained access to data that all of the user’s apps were sending to the developer. The list of this data is mind-boggling:
- Full name, email address or cellphone number, and address of the property linked to the app
- List of devices linked to the smart-home system
- Information about events logged by smart devices, like whether the home was armed or disarmed, or whether any suspicious sounds were picked up by cameras
- System information about devices within the local home network: MAC address, IP address, and device type
- IP addresses for connecting to cameras over the WebRTC protocol
- Snapshots from smart cameras and intercoms
- The user’s chats with the support service
- Tokens allowing a new session to be initiated with the user’s account
Users of both Android and iOS apps were at risk.
What happens if bad actors actually gain control of your smart home?
This wide range of data could have allowed for comprehensive surveillance – revealing who lives where and on which days they aren’t home. Criminals could have learned someone’s schedule and, during those empty hours, entered any apartment after remotely disabling cameras and other security systems through the app.
While such a blatant break-in would certainly have been noticed, there are other, more subtle possibilities. For example, by exploiting the vulnerability, attackers could have remotely changed the colors of smart lightbulbs and floor temperatures, endlessly turning lights on and off, causing the homeowners a noticeable financial loss.
What’s even more unsettling was the potential for an attacker to target not just one apartment or house, but thousands of residents in an entire complex. Of course, simultaneously disabling access-control systems wouldn’t have gone unnoticed by the building management, but how quickly would they work out what was happening, and what damage could residents suffer in the meantime?
How to secure your smart home
Keep in mind that the type of vulnerability we’re discussing could be present in other smart-home apps as well. Being one of millions of customers, you have virtually no way of knowing if an app has been compromised. Therefore, if you notice even the slightest suspicious activity, such as new people on your guest list, unauthorized opening and closing of gates and doors, and so on, we recommend contacting the app administrator and vendor as soon as possible.
In a more common scenario, like using smart devices within your own apartment with no network administrator to turn to, we recommend following these rules:
- Secure your Wi-Fi router by changing the default password to a stronger one, disabling WPS, and enabling WPA2 encryption.
- Create a dedicated Wi-Fi network for your smart-home devices, and set a different password for it. Modern routers support guest networks, so if, say, a smart cradle is hacked, criminals won’t gain access to your computers or smartphones.
- Use the Kaspersky Premium app to regularly check your network for unauthorized devices. If everything is fine, Smart Home Monitor will only show information about your devices.
- Set strong passwords for each device. You don’t have to memorize them: Kaspersky Password Manager can handle that.
- Regularly update the firmware of all your smart devices – including your router.
Check out these links to explore other potential risks of a hacked smart home and ways to protect your property.