SOHOpeless: Security stains on Honeywell's Tuxedo home automator

I could have sworn I locked the house when I went to work this morning ...


Honeywell has issued an urgent firmware update for its three-year-old Tuxedo Touch home automation controller to patch vulnerabilities that could, among other things, let an attacker unlock users' deadlocks.

This CERT advisory explains that without the firmware upgrade, all users are vulnerable to authentication bypass and cross-site request forgery.

Following the standard how-to-make-things-insecure playbook, the security behemoth decided that customers' lives would be sadly incomplete if it didn't find a reason to connect the controllers to the cloud.

Accordingly, the system uses the internet to store surveillance video on Honeywell servers, and plenty of the controllers' web interfaces turn out to be reachable from the 'net as well.

That leaves the units open to CVE-2015-2847: the web interface enforces its login in client-side JavaScript rather than on the controller itself, so a visitor who declines to play along simply isn't checked. "By intercepting and dropping requests containing the string USERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages," the advisory states.

The other vulnerability is CVE-2015-2848: "An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that these actions may include issuing commands to home automation devices controlled by the Tuxedo Touch Controller, such as unlocking or locking doors."

Dealers have been told about a software update here, but individual Tuxedo users probably won't see it. And the notice doesn't mention the security patch.

Threatpost says while Shodan only showed a few hundred vulnerable systems visible to the Internet in America, researcher Maxim Rupp (who discovered the flaws) believes there are likely to be many more.

"Shodan detects about 500 devices, of which about 450 are located in America. I think it is possible to detect about 1,000 devices by a more thorough search," he said. ®


Biting the hand that feeds IT © 1998–2017