SIK-2016-051


Title:

Unprotected NTP Connection in RWE Smarthome

Report ID

SIK-2016-051

Summary:

  • Vendor: RWE AG
  • Product: RWE Smarthome
  • Affected Version: n/a
  • Severity: low
  • Short summary: The appliance does not verify the authenticity and/or integrity of the time it receives as an answer to its NTP requests during the booting phase.

Details:

The appliance does not verify the authenticity and/or integrity of the time it receives as an answer to its NTP requests during the booting phase. An attacker with control over the local network can intercept and manipulate the response messages sent from the NTP server. There are two different attack scenarios here:

  1. The attacker sends an old time, i.e., a time in the past. This will force the appliance to accept expired server certificates, because according to the appliance’s system time, the expiration has not yet happened. As a consequence, certificate expiration is effectively disabled.
  2. The attacker sends a specific time to trigger actuators. The appliance can be configured to perform certain actions (e.g., enable or disable a power socket) at certain points in time. This can be used to, e.g., have a night mode in a building with the alarm system turned on and a day mode with the alarm turned off. If the attacker fools the appliance into using a “daytime” time at night, he can force malicious actuator events and, in the example, disable the alarm at night.

We rated the vulnerability as “low”, because we only experienced NTP queries at boot time. It is perfectly possible that the appliance sends further periodic NTP requests if run for long enough periods of time, giving the attacker more chances to fake the time.

Workaround

None that really works.

Suggested Mitigation

Use authentication to make sure that only trusted NTP responses are used to set the system clock.
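The following is an added example written for this advisory (it is not code from RWE or from the appliance firmware) showing what the suggested mitigation looks like on the client side, and how it also covers attack scenario 1 from the Details section. It builds 48-byte NTPv4 server responses, appends a symmetric-key MAC in the layout ntpd uses (4-byte key ID followed by an MD5 digest over the shared key bytes and the header), and then verifies a received response before letting it set the clock: a response without a MAC, with an unknown key ID, or with a wrong digest is rejected, and so is any authenticated time that lies before the firmware build date, which is the cheap plausibility check that defeats the "send an old time to resurrect expired certificates" scenario. The key table, the build timestamp and the packet contents are constructed for the demonstration, and whether a given firmware uses exactly this MAC layout is an assumption.

```python
import hashlib
import hmac
import struct

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
HEADER_LEN = 48                # NTPv4 header without MAC
MAC_LEN = 4 + 16               # key ID + MD5 digest (RFC 5905 symmetric-key MAC)

# Constructed demo key table (key ID -> shared secret); in a real appliance this is
# provisioned at manufacturing time and shared only with the trusted NTP server.
KEYS = {42: b"constructed-shared-secret"}

# Constructed firmware build time (2016-01-01T00:00:00Z); a real clock can never be
# earlier than the moment the firmware was built, so anything before it is bogus.
BUILD_TIME_UNIX = 1451606400


def ntp_timestamp(unix_seconds):
    """Encode Unix time as a 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    secs = (whole + NTP_EPOCH_OFFSET) & 0xFFFFFFFF
    frac = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return struct.pack("!II", secs, frac)


def build_response(transmit_unix, key_id=None):
    """Build an NTPv4 server response (LI=0, VN=4, mode=4, stratum 2) whose reference,
    receive and transmit timestamps carry transmit_unix. With key_id set, append the
    symmetric-key MAC: MD5 over (shared key || 48-byte header), prefixed by the key ID."""
    li_vn_mode = (0 << 6) | (4 << 3) | 4
    header = struct.pack("!BBbb", li_vn_mode, 2, 6, -20)   # stratum 2, poll 2^6, precision 2^-20
    header += struct.pack("!II", 0, 0)                      # root delay, root dispersion
    header += b"GPS\x00"                                    # reference ID
    header += ntp_timestamp(transmit_unix)                  # reference timestamp
    header += b"\x00" * 8                                   # origin timestamp (client's, omitted here)
    header += ntp_timestamp(transmit_unix)                  # receive timestamp
    header += ntp_timestamp(transmit_unix)                  # transmit timestamp
    assert len(header) == HEADER_LEN
    if key_id is None:
        return header                                       # what the appliance accepts today
    digest = hashlib.md5(KEYS[key_id] + header).digest()
    return header + struct.pack("!I", key_id) + digest


def verify_response(packet, keys=KEYS, min_time=BUILD_TIME_UNIX):
    """Return the authenticated transmit time (Unix seconds) of an NTP response,
    or raise ValueError if the packet must not be used to set the system clock."""
    if len(packet) != HEADER_LEN + MAC_LEN:
        raise ValueError("response carries no MAC; refusing to set the clock")
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    digest = packet[HEADER_LEN + 4:]
    key = keys.get(key_id)
    if key is None:
        raise ValueError("unknown key id %d" % key_id)
    expected = hashlib.md5(key + header).digest()
    if not hmac.compare_digest(expected, digest):        # constant-time comparison
        raise ValueError("MAC mismatch; response was forged or tampered with")
    if header[0] & 0x07 != 4:
        raise ValueError("not a server (mode 4) response")
    secs, frac = struct.unpack("!II", header[40:48])     # transmit timestamp
    tx_unix = secs - NTP_EPOCH_OFFSET + frac / (1 << 32)
    if tx_unix < min_time:
        # Scenario 1 from the advisory: a time in the past would make expired
        # certificates look valid. The clock cannot legitimately be this old.
        raise ValueError("time predates firmware build; rejecting")
    return tx_unix


if __name__ == "__main__":
    genuine = build_response(1472256000.0, key_id=42)     # constructed "now"
    print("accepted:", verify_response(genuine))
    for label, pkt in [
        ("unauthenticated", build_response(1472256000.0)),
        ("tampered", genuine[:40] + ntp_timestamp(1000000000.0) + genuine[48:]),
        ("old but signed", build_response(1000000000.0, key_id=42)),
    ]:
        try:
            verify_response(pkt)
        except ValueError as err:
            print("%s: rejected (%s)" % (label, err))
```

The build-date check only catches backwards jumps past the build date; it does nothing against scenario 2, where the attacker supplies a perfectly plausible daytime value at night. That is why the MAC check is the actual fix and the plausibility check is only a backstop for key misconfiguration. An equivalent modern choice would be Network Time Security (NTS, RFC 8915), which replaces the pre-shared key with a TLS-established one.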

Timeline

  • 2016-08-26 Vulnerability Discovered
  • 2016-08-29 Vulnerability Reported