Endpoint Security , Internet of Things Security
Cloud Platform Bugs Threaten Smart Home Security
Researchers Find Exploitable Flaws in the OvrC PlatformSecurity flaws in a cloud platform for remotely configuring and monitoring Internet of Things gadgets could expose millions of devices to remote code execution hacks.
See Also: Frost Radar™ on Healthcare IoT Security in the United States
Security researchers at Claroty's Team82 uncovered 10 vulnerabilities in the widely used OvrC cloud platform. The flaws affected OvrC Pro and Connect, which are used for managing devices such as smart power supplies, cameras and routers.
The vulnerabilities involved weaknesses in the platform's authentication and device communication processes. When exploited together, they could grant attackers control over devices connected to the OvrC cloud. The flaws include improper handling of access controls, insecure update mechanisms and vulnerabilities in the communication protocols used by the platform. "Attackers successfully exploiting these vulnerabilities can access, control and disrupt devices supported by OvrC," said Claroty.
OvrC, acquired in 2014 by Snap One, connects over 10 million devices globally through a cloud-based platform. Claroty's research revealed weaknesses in both user-facing and device-facing communication interfaces, such as weak authentication protocols and hardcoded credentials.
Exploitable flaws include CVE 2023-31241, allowing attackers to claim unregistered devices using only MAC addresses, and CVE-2024-50381, enabling takeover of already claimed devices.
OvrC patched eight of the flaws in May 2023, with details included in a Cybersecurity and Infrastructure Security Agency advisory based on findings from Claroty's Team82. Two issues that could also enable remote code execution received patches on Tuesday.
Claroty said the vulnerabilities highlight cost-cutting on security measures by manufacturers that leave IoT ecosystems exposed.
"Manufacturers have long treated the security of these connected things as an afterthought, failing to prioritize the use of strong authentication and access controls, or relied on weak or outdated protocols for device communication to the cloud, avoiding costly encryption implementations for data security," the company wrote.