Bugs in HDL Automation expose IoT devices to remote hijacking

A security researcher discovered vulnerabilities in an automation system for smart homes and buildings that allowed taking over accounts belonging to other users and control associated devices.

In a presentation on Saturday at the IoT Village during the DEF CON hacker conference, Barak Sternberg shows how some weak spots in the HDL automation system could have been leveraged by attackers to fully compromise it.

Taking control

Looking at how a user can configure and control HDL components, the researcher noticed that registering a new account (email and password) on the mobile app automatically generates another account for applying the settings.

This additional account has the string “debug” in the username (user-debug@email.com) and the same password defined by the user for their account.

Its purpose is to apply the settings and send the configuration for the local devices to an external HDL server so that other authorized users can download it and control the smart home.

Sternberg found that the password changing process allows defining a new password for the “debug” account while the one for the user remains the same.

An attacker could register the email address for the “debug” username to receive the instructions for changing the password. Once the procedure completes, the attacker can control the components (lights, temperature, cameras, various sensors) in the HDL automated environment as well as configure them.

Sternberg also found an HDL endpoint (“/api/GetRoomBindingDevice”) that was vulnerable to SQL injection. Using a special query, Sternberg received the following response data:

Although he did not go any further, the researcher says that “extracting email, clients list, user list and probably passwords and others is straightforward.”

Additional details about the internal network, such as subnet and HDL controller parameters, could be extracted from gateway info.

There are some questions about the firmware and device backup tables, but some potential scenarios may have allowed supplying malicious software or altering user configurations.

As such, scenarios with an impact on people and hardware inside an HDL automated building become possible. One example from Sternberg is raising the temperature in the server room.

HDL Automation provides intelligent control systems and integrated solutions for hotels, homes, and various types of other buildings so the security implications in its systems could have disastrous effects.

Sternberg says that the company moved quickly to fix the issues he discovered, which did not allow him to fully explore the exploitation avenues presented by the vulnerabilities.