Endpoint Security , Internet of Things Security

Cloud Platform Bugs Threaten Smart Home Security

Researchers Find Exploitable Flaws in the OvrC Platform
Cloud Platform Bugs Threaten Smart Home Security
Image: Shutterstock

Security flaws in a cloud platform for remotely configuring and monitoring Internet of Things gadgets could expose millions of devices to remote code execution hacks.

See Also: Frost Radar™ on Healthcare IoT Security in the United States

Security researchers at Claroty's Team82 uncovered 10 vulnerabilities in the widely used OvrC cloud platform. The flaws affected OvrC Pro and Connect, which are used for managing devices such as smart power supplies, cameras and routers.

The vulnerabilities involved weaknesses in the platform's authentication and device communication processes. When exploited together, they could grant attackers control over devices connected to the OvrC cloud. The flaws include improper handling of access controls, insecure update mechanisms and vulnerabilities in the communication protocols used by the platform. "Attackers successfully exploiting these vulnerabilities can access, control and disrupt devices supported by OvrC," said Claroty.

OvrC, acquired in 2014 by Snap One, connects over 10 million devices globally through a cloud-based platform. Claroty's research revealed weaknesses in both user-facing and device-facing communication interfaces, such as weak authentication protocols and hardcoded credentials.

Exploitable flaws include CVE 2023-31241, allowing attackers to claim unregistered devices using only MAC addresses, and CVE-2024-50381, enabling takeover of already claimed devices.

OvrC patched eight of the flaws in May 2023, with details included in a Cybersecurity and Infrastructure Security Agency advisory based on findings from Claroty's Team82. Two issues that could also enable remote code execution received patches on Tuesday.

Claroty said the vulnerabilities highlight cost-cutting on security measures by manufacturers that leave IoT ecosystems exposed.

"Manufacturers have long treated the security of these connected things as an afterthought, failing to prioritize the use of strong authentication and access controls, or relied on weak or outdated protocols for device communication to the cloud, avoiding costly encryption implementations for data security," the company wrote.


About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.