MWR InfoSecurity has today issued an advisory detailing a vulnerability it has discovered in the Yale Home System (Europe) Android Application. While the vulnerability itself could be quite damaging, this particular app is in limited use, with between 1,000 and 5,000 downloads [source: Google], which greatly reduces the impact. However, it highlights the risks posed by IoT devices and applications.
Robert Miller, senior security researcher at MWR, explains, “We performed a number of tests on the application and discovered that the WebView used was configured to ignore TLS errors. This means that, if the network traffic were intercepted by an attacker, the application would ignore the security warnings and continue communicating, allowing the attacker to read and alter the communications between the application and the server. As the application is used to control and monitor the home alarm, it is likely that the attacker could control the alarm system if the vulnerability were exploited.
“While proliferation of this particular app is limited, there is universally a massive drive to catapult SmartHome technology into the mainstream. As we increasingly link our homes and businesses to the web, and control them with applications on our smart devices, insecurities such as this could have far wider consequences. Enterprises are suffering breaches at an alarming rate as historically security wasn’t a priority in many of the legacy technologies today’s infrastructure is built on. As we start to move into a new ‘smart’ era, with the Internet of Things, we need to learn from previous mistakes. While functionality should be first and foremost, security must also be given priority.”
MWR InfoSecurity alerted Yale to the issue with its application in July this year and has worked with the company to resolve the vulnerability.
A statement from Yale adds, “Yale’s policy is neither to confirm nor deny any reports about the security of Yale products, as any comment could inadvertently disclose information which might aid criminal activity … Yale recently released a new version of the Android App for this product, which is now available to all customers to download and update through the Google Play store, and this version further improves the App.”
If they haven’t already, all users should update to the latest version of the Yale Home System (Europe) Android application. This is version 1.11 at the time of writing.
The full MWR Labs advisory can be seen here: https://labs.mwrinfosecurity.com/system/assets/1150/original/mwri_Advisory-YaleHomeSystem-Android-MitM_2015-11-24.pdf
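On Android, a WebView that ignores TLS errors is usually the result of a `WebViewClient` whose `onReceivedSslError` override calls `proceed()`. The sketch below is an added example, not code from the Yale app or the MWR advisory: it shows that pattern beside a handler that fails closed. The class names are hypothetical, and the exact form of the app's handler is an assumption.

```java
import android.net.http.SslError;
import android.util.Log;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

/** Illustrative only: class names are hypothetical, not taken from the Yale app. */
public final class WebViewTlsExample {

    /** Common form of the flaw (assumed): every certificate error is accepted. */
    static final class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // page keeps loading over an unauthenticated connection
        }
    }

    /** Hardened form: abort the load and record why validation failed. */
    static final class StrictClient extends WebViewClient {
        private static final String TAG = "StrictClient";

        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel(); // fail closed; this is also the platform default behaviour
            Log.w(TAG, "TLS validation failed (" + describe(error.getPrimaryError())
                    + ") for " + error.getUrl());
        }

        /** Maps the SslError primary error code to a readable reason for the log. */
        private static String describe(int primaryError) {
            switch (primaryError) {
                case SslError.SSL_NOTYETVALID:  return "certificate not yet valid";
                case SslError.SSL_EXPIRED:      return "certificate expired";
                case SslError.SSL_IDMISMATCH:   return "hostname mismatch";
                case SslError.SSL_UNTRUSTED:    return "untrusted certificate authority";
                case SslError.SSL_DATE_INVALID: return "invalid certificate date";
                default:                        return "error code " + primaryError;
            }
        }
    }

    /** Wire the strict client into the WebView before any page is loaded. */
    static void attach(WebView webView) {
        webView.setWebViewClient(new StrictClient());
    }
}
```

When reviewing an app, any `onReceivedSslError` override that reaches `proceed()` without user involvement or an independent certificate check deserves the same scrutiny as `InsecureClient` above.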