SIK-2016-050
Title:
Custom CA Certificate Required for RWE Smarthome That Allows Full Traffic Decryption
Report ID
SIK-2016-050
Summary:
- Vendor: RWE AG
- Product: RWE Smarthome
- Affected Version: n/a
- Severity: medium
- Short summary: For being able to administrate the RWE smarthome appliance using RWE’s Windows program based on Microsoft Silverlight, the user must install a custom RWE certificate into his operating system’s trusted root CA store. This allows RWE (and any attacker who gains access to RWE’s private key) to intercept all of the user’s traffic.
Details:
The server certificate installed on the appliance is signed by a custom root CA. For the user to be able to connect to the appliance using the management software (Windows program based on Microsoft Silverlight), he must install RWE’s root certificate into his computer’s trust store. This is accomplished by downloading and running an installer which places the certificate into the store.
Each root CA certificate added to the user’s trust store pose a potential security risk. Commercial CAs invest considerable effort into protect their root keys, through both technical and processual means. Unless RWE is providing the same level of security despite running a CA not being their core business, they should not force users to trust their CA. Adding a certificate to the root CA store makes the trust global. Even if the user visits his online banking website in a browser that relies on the Windows trust store (such as Microsoft Internet Explorer, Microsoft Edge, and Google Chrome), the RWE certificate can be used the validate the identity of the remote server. A compromise of the RWE CA’s private key thus endangers all SSL/TLS connections made from all computers on which the certificate was installed, i.e., all computers used to manage the appliance.
Workaround
Only use a dedicated (virtual) machine for managing the appliance that is not used for any other important communication. Alternatively, only import the RWE certificate right before using the management program and delete it again once the management task at hand is completed.
Suggested Mitigation
Do not force users to globally trust a custom certificate. Change the management program to trust the RWE root CA just locally inside that program for the connections on which you expect this certificate to be used without impacting the configuration of the host operating system.
Timeline
- 2016-08-26 Vulnerability Discovered
- 2016-08-29 Vulnerability Reported