SIK-2016-053


Title:

Boot Loop Through USB Update in RWE Smarthome

Report ID:

SIK-2016-053

Summary:

  • Vendor: RWE AG
  • Product: RWE Smarthome
  • Affected Version: n/a
  • Severity: low
  • Short summary: By attaching a specially-crafted USB stick to the smarthome appliance, the appliance can be sent into a boot loop. The device then tries to update on each attempted boot, reboots, and tries again infinitely.

Details:

Both the low-level firmware and the RWE application running on the appliance can be updated via USB. Before the appliance boots, the attacker needs to insert a USB stick formatted with FAT32 containing a file “shc.zip” for the application or a file “nk_signed.bin” for the firmware. During boot, the appliance will detect the presence of these files and start an automatic update process that overwrites the current firmware or application. At least for the first step of the update process, there is no integrity or authenticity protection. In the case of the application, the updater will download the “shc.zip” file from the USB stick, unpack it, and execute every executable (*.exe) file in it.

Our attempts to inject custom code here resulted in a broken installation, i.e., our code was not executed, but the appliance did not complete the boot process either. After a reset (and without the USB stick attached), the appliance detected its invalid state and restored (“updated” according to the hardware display) the firmware from ROM. We therefore rate this vulnerability as a low-severity denial-of-service vulnerability (the device can be prevented from booting by attaching a USB stick with a broken firmware during boot) and not as a high-severity code injection vulnerability.

This issue needs further investigation. We cannot guarantee that it is not possible to inject code. Our test exploit might just have been faulty and might have failed by bad luck. Again, the updater code that unpacks “shc.zip”, iterates over its contents, and executes every “*.exe” file it finds does not perform any security checks. Unless signature requirements are enforced at the operating-system level, this is a severe vulnerability.

If we assume that no code injection is possible, the vulnerability makes a denial-of-service attack possible. An evil maid with physical access to the appliance can attach a small, easily overlooked USB stick to the appliance and reboot it. The appliance will then cease to work until someone finds the USB stick, removes it, reboots the box once again, and waits for the firmware to be restored from ROM (low severity).

If we assume that code injection is possible, an attacker with physical access to the appliance (evil maid) can attach a USB stick with a specially-crafted “shc.zip” file to it and reboot the appliance. The appliance’s updater will then download the exploit and run it. This gives the attacker full control over the device (high severity).

Workaround:

Make sure that no untrusted persons can gain physical access to the appliance.

Suggested Mitigation:

Check the authenticity and integrity of software or firmware updates before performing any further actions on them. This can include checking a signature on the “shc.zip” file or, alternatively, on each file inside it, before running any program extracted from this ZIP file. Do not assume code to be trusted just because of physical access to the appliance.

Timeline:

  • 2016-08-26 Vulnerability Discovered
  • 2016-08-29 Vulnerability Reported