U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems.
Security researcher Vangelis Stykas said he found the vulnerability in Eaton’s SecureConnect, a cloud-based system that allows customers to remotely access, manage, and arm and disarm their security alarm systems from a phone app.
Stykas said the vulnerability allowed anyone to sign up as a new user and assign that account to any other group of users, including a “root” group, which has access to all of the smart alarm systems connected to Eaton’s cloud.
The vulnerability is known as an insecure direct object reference, or IDOR, a class of security bug that allows unchecked access to files, data, or user accounts because of weak or lacking access controls on a server. Stykas said the bug was easy to exploit using man-in-the-middle tools like Burp Suite by intercepting the new user’s group number and swapping it with the number of the root group, which was simply “1”.
Stykas said adding a user to the root group “gave access to everything,” including the registered user’s name and email address, and the location of every connected security alarm system. Stykas said that the access could have allowed a potential attacker to remotely control security alarm systems connected to Eaton’s cloud — though he did not attempt this.
In a security notification published to its website, Eaton confirmed the bug was discovered in its group access authorization logic.
Jonathan Hart, a spokesperson for Eaton, said the vulnerability was fixed in May. Hart declined to say how many smart alarm customers it has, though Stykas said the number of Eaton connected smart alarm systems was in the high tens of thousands.
Eaton declined to say if the vulnerability allowed the remote control of connected security alarm systems. Eaton said the vulnerability was “verified to be a single event,” but did not say how it came to this conclusion or if the company has the technical means, such as logging systems, to determine if the vulnerability was previously discovered or exploited.