Multiple Vulnerabilities in Logitech Harmony Hub allow an attacker to gain root access
FireEye recently disclosed multiple vulnerabilities in the Logitech Harmony Hub smart home control system; Logitech has released a firmware update that fixes them. The vulnerabilities are:
- Improper certificate validation
- Insecure update process
- Developer debugging symbols left in the production firmware image
- Blank root user password
An attacker can chain these four vulnerabilities to obtain root access to the device over SSH.
The Logitech Harmony Hub provides users with a smart home remote control experience: users control their smart home devices from an Android or iOS phone or tablet. Once the initial pairing has been done via Bluetooth, the Harmony app talks to the Harmony Hub over an HTTP-based API. The Harmony Hub is essentially a smarter successor to the Harmony Link. It serves not only as the centre of entertainment control but can also control ordinary and smart light bulbs together with other devices.
The researchers found that an attacker with access to the local network could exploit these vulnerabilities to control the devices connected to the Hub and to use the Hub as a foothold for attacking other devices on the network. Given that some users use the Harmony Hub to control smart home devices such as smart door locks and thermostats, these vulnerabilities could pose a serious security risk.
One of the vulnerabilities stems from developer debugging symbols being left in the production firmware image. Another is that the Hub did not properly validate the SSL certificate of the server it contacted during a firmware update, so an attacker on the network path could impersonate the update server. The update process itself is also insecure, allowing an attacker to deliver a malicious update to the device.
Because no root password is configured on the Hub, an attacker who manages to enable the Dropbear SSH server can log in as root over SSH with no password. In practice, the attacker uses the certificate validation flaw to push specially crafted firmware to the Hub, and that firmware enables the Dropbear SSH server.
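The blank root password is the kind of defect that a quick audit of an unpacked firmware image catches before a device ships. The following is an added example written for this page, not FireEye's tooling or Logitech's code: it reads /etc/passwd and /etc/shadow as text (assumed to have been extracted from the image already) and flags every account that would log in with no password at all, singling out UID 0 accounts. It goes slightly beyond the page by also labelling the hash algorithm of each non-blank entry, which is the next thing an auditor checks. The sample files and the `svc` hash are constructed for illustration.

```python
"""Audit the account databases of an extracted firmware root for blank passwords.

Added example for this page, not FireEye's or Logitech's code. It assumes you
have already unpacked the firmware image and can read /etc/passwd and
/etc/shadow as text; the samples below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AccountFinding:
    user: str
    source: str          # "passwd" or "shadow"
    uid: Optional[int]
    reason: str


def classify_hash(field: str) -> str:
    """Label a crypt(3)-style password field so an audit can flag weak ones."""
    if field == "":
        return "blank"          # no password check at all: any input logs in
    if field.startswith(("!", "*")):
        return "locked"         # "!", "*", "!!", "*LK*", or "!<hash>" (disabled)
    if field.startswith("$1$"):
        return "md5crypt"
    if field.startswith("$5$"):
        return "sha256crypt"
    if field.startswith("$6$"):
        return "sha512crypt"
    if field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if len(field) == 13 and "$" not in field:
        return "descrypt"       # traditional DES: only 8 password characters count
    return "other"


def _records(text: str) -> List[List[str]]:
    """Split a colon-separated account file into field lists, skipping blanks and comments."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            out.append(line.split(":"))
    return out


def audit_accounts(passwd_text: str, shadow_text: Optional[str] = None) -> List[AccountFinding]:
    """Return every account whose password field is empty.

    In /etc/passwd the second field is the hash unless it is "x" (look in
    /etc/shadow). In /etc/shadow the second field is the hash. In both files
    an empty field means login succeeds with no password.
    """
    findings: List[AccountFinding] = []
    uids: Dict[str, Optional[int]] = {}
    for f in _records(passwd_text):
        if len(f) < 7:
            continue                      # malformed line, not an account entry
        user, pw = f[0], f[1]
        try:
            uid: Optional[int] = int(f[2])
        except ValueError:
            uid = None
        uids[user] = uid
        if pw == "x":
            continue                      # hash lives in /etc/shadow
        if classify_hash(pw) == "blank":
            findings.append(AccountFinding(user, "passwd", uid, "empty password field"))
    for f in _records(shadow_text or ""):
        if len(f) < 2:
            continue
        user, pw = f[0], f[1]
        if classify_hash(pw) == "blank":
            findings.append(AccountFinding(user, "shadow", uids.get(user), "empty password hash"))
    return findings


def root_equivalent_without_password(findings: List[AccountFinding]) -> List[str]:
    """The worst case: a UID 0 account with no password, as on the unpatched Hub."""
    return [f.user for f in findings if f.uid == 0]


# Constructed sample files, modelled on a small BusyBox-style root filesystem.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/false
legacy::1000:1000:legacy:/home/legacy:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
"""

SHADOW_SAMPLE = """\
root::17600:0:99999:7:::
daemon:*:17600:0:99999:7:::
svc:$1$saltsalt$iFgwl9x7Yv4OOd6xK5w1J0:17600:0:99999:7:::
nobody:!:17600:0:99999:7:::
"""

if __name__ == "__main__":
    results = audit_accounts(PASSWD_SAMPLE, SHADOW_SAMPLE)
    for r in results:
        print(f"{r.source}: {r.user} (uid {r.uid}): {r.reason}")
    print("UID 0 accounts with no password:", root_equivalent_without_password(results))
```

Run it against the `etc/` directory of a filesystem carved out with binwalk or unsquashfs. A `passwd` entry of `x` is not itself a finding; the check has to follow it into `shadow`, which is where the Hub's empty root hash would show up.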
FireEye states that the following Harmony Hub-based products are affected:
- Harmony Elite
- Home Hub
- Ultimate Hub
- Home Control
- Pro
- Smart Control
- Companion
- Smart Keyboard
- Ultimate
- Ultimate Home
- Harmony Hub
Logitech was notified of the vulnerabilities at the end of January 2018 and released firmware version 4.15.96 on April 10, 2018, to fix them. Logitech has published an update guide and recommends that users install the update as soon as possible.