SIK-2016-014


Title:

HEAG mobilo Insecure Database Replication

Report ID:

SIK-2016-014

Summary:

  • Vendor: GeoMobile GmbH
  • Product: HEAG mobilo
  • Affected Version: 2.4.45
  • Severity: Low
  • Short summary:
    The app synchronizes data with a remote CouchDB server without proper server authentication. This allows man-in-the-middle attackers to manipulate the data shown in the app.

Details

The app connects to http://couchdata.busaccess.de:5984/ over plain HTTP. Because this connection is neither authenticated nor integrity-protected, a man-in-the-middle attacker on the same network can inject rogue data. A simple DNS manipulation is sufficient to point the app at a spoofed database server that supplies attacker-defined records.

The app apparently uses the publicly visible CouchDB to update its own data via database replication. Because the replication runs without transport security, an attacker can inject new records, or modify and delete existing ones, while it takes place.

Workaround

Disable the replication between the local database and CouchDB.

Suggested Mitigation

Always use TLS when communicating with remote services. A properly validated TLS connection (certificate chain checked against a trusted CA and host name verified against the certificate) ensures the authenticity of the remote server and the integrity of the downloaded data.
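As an added illustration (example code written for this page, not from the advisory or from GeoMobile's app), the following Python script contrasts the replication pattern described above with a hardened one. A local HTTP server on 127.0.0.1 stands in for the DNS-spoofed couchdata host and serves a constructed CouchDB-style `_changes` feed; the database name `busaccess` and the record contents are assumptions. The insecure client accepts whatever records the spoofed server supplies; the hardened client refuses the non-TLS URL outright and, for https URLs, verifies the certificate chain and host name before reading any data.

```python
"""Insecure vs. hardened CouchDB-style replication pull (added example).

A rogue server bound to localhost plays the DNS-spoofed database host.
All records below are constructed for the demonstration.
"""
import json
import ssl
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed sample: what the rogue server answers on
# GET /<db>/_changes?include_docs=true (shape follows CouchDB's changes feed).
ROGUE_CHANGES = {
    "results": [
        {"seq": 1, "id": "stop-42",
         "doc": {"_id": "stop-42", "name": "Spoofed stop", "departures": []}},
    ],
    "last_seq": 1,
}


class RogueCouch(BaseHTTPRequestHandler):
    """Minimal stand-in for an attacker-controlled database server."""

    def do_GET(self):
        body = json.dumps(ROGUE_CHANGES).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_rogue_server():
    """Bind the rogue server on an ephemeral localhost port; return (base_url, server)."""
    srv = HTTPServer(("127.0.0.1", 0), RogueCouch)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_port}", srv


def pull_changes_insecure(base_url, db):
    """The pattern the advisory describes: plain HTTP, no server authentication.
    Whoever answers for the host name (e.g. after DNS spoofing) decides which
    records the app stores locally."""
    url = f"{base_url}/{db}/_changes?include_docs=true"
    with urllib.request.urlopen(url, timeout=5) as resp:
        return [row["doc"] for row in json.load(resp)["results"]]


def pull_changes_hardened(base_url, db, cafile=None):
    """Refuse anything but https and verify the server certificate.

    create_default_context() enables chain validation and host-name checking;
    cafile (optional) restricts trust to the vendor's own CA instead of the
    system store, which narrows what a MitM holding a rogue CA cert can do.
    """
    if urlparse(base_url).scheme != "https":
        raise ValueError("replication endpoint must use https")
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    url = f"{base_url}/{db}/_changes?include_docs=true"
    with urllib.request.urlopen(url, timeout=5, context=ctx) as resp:
        return [row["doc"] for row in json.load(resp)["results"]]


def demo():
    """Run both clients against the rogue server; return (spoofed_docs, hardened_refused)."""
    base, srv = start_rogue_server()
    try:
        spoofed = pull_changes_insecure(base, "busaccess")  # assumed db name
        try:
            pull_changes_hardened(base, "busaccess")
            hardened_refused = False
        except ValueError:
            hardened_refused = True
    finally:
        srv.shutdown()
        srv.server_close()
    return spoofed, hardened_refused


if __name__ == "__main__":
    docs, refused = demo()
    print("insecure client accepted:", docs)
    print("hardened client refused plain http:", refused)
```

Run the script directly to see both outcomes. The hardened variant still needs a certificate issued for the real host name on the server side; pass `cafile=` to pin trust to the vendor's CA rather than every root in the system store.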

Timeline

  • 2016-11-29: Vulnerability Discovered
  • 2016-12-12: Reported
  • 2017-02-16: Fixed