Yale Home System (Europe) Man in the Middle Command Execution Vulnerability

  • Type: Man in the Middle Command Execution Vulnerability
  • Severity: High
  • Affected products: Yale Home System
  • CVE Reference: N/A
Timeline

  • 1/7/2015   MWR contact Yale to request details for sending security details
  • 9/7/2015   Yale provide details for sending security details
  • 10/7/2015  Security details sent
  • 12/10/2015 MWR contact Yale for updates
  • 13/10/2015 Yale respond stating the issue is now resolved and an update is available from Google Play
  • 24/11/2015 Advisory published

A JavaScript bridge was discovered in the Yale Home System (Europe) app for Android, which is used to manage and control home alarms. The bridge allows arbitrary code execution. Because the app's WebView accepts invalid TLS certificates, the channel carrying the bridge is effectively unprotected, so an attacker on the same network as a user would be able to execute Java code on the device with the privileges of the Yale Home System app.

Description

The Yale Home System (Europe) for Android is part of the Smartphone alarm system. The application allows users to monitor and control their home alarm systems.

A vulnerability was discovered that would allow an attacker to perform a man in the middle attack, bypassing the TLS protection and executing arbitrary commands on the Android device with the permissions of the Home System app.

Impact

If an attacker was able to intercept the communications of a user of the Yale Home System application, they would be able to read and alter any of the data passing between the application and the server.

The attacker would also be able to inject crafted content into the responses delivered to the Android application, which would allow them to run commands on the device with the privileges of the Yale Home System application.

Cause

The Yale Home System Android application is based upon a WebView. This is an Android component that allows an application to display HTML content (and run JavaScript) within its own user interface.

It was found that the WebView used in the application was configured to ignore TLS errors, i.e. to continue loading after an invalid or untrusted server certificate was presented. This means that if the network traffic was intercepted by an attacker presenting their own certificate, the application would ignore the certificate failure and continue communicating, allowing the attacker to read and alter the communications between the application and the server.

The WebView was also configured to expose a JavaScript interface (addJavascriptInterface). There is a well-known issue with older WebView configurations (applications with a targetSdkVersion below 17, i.e. Android 4.2) in which every public method of the injected Java object is reachable from page JavaScript, including getClass(). Injected script can use this to reach java.lang.Runtime through reflection, so an attacker who can inject their own content into the WebView can execute any command they wish on the device with the permissions of the application.
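The two WebView misconfigurations described above, each beside a hardened form, as an added illustration; this is not the Yale application's code. The class names, the bridge object name "bridge" and the URL are assumptions, and the reflection payload in the comment is the widely documented form of the addJavascriptInterface issue, shown only to explain why getClass() must not be reachable.

```java
// Added illustration, not code from the Yale Home System app.
// Class names, the "bridge" object name and the URL are assumptions.
import android.annotation.SuppressLint;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebView;
import android.webkit.WebViewClient;

public class WebViewHardening {

    // --- Weakness 1: a WebViewClient that ignores TLS errors -------------------
    // handler.proceed() tells the WebView to carry on after a certificate
    // failure, so a certificate presented by a man in the middle is accepted
    // and the attacker can read and rewrite every request and response.
    static class InsecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.proceed(); // vulnerable: every TLS error is silently ignored
        }
    }

    // Hardened: abort the load on any TLS error. The default WebViewClient
    // already does this, so simply not overriding the method is also correct.
    static class SecureClient extends WebViewClient {
        @Override
        public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
            handler.cancel(); // nothing is sent to the untrusted endpoint
        }
    }

    // --- Weakness 2: a JavaScript bridge reachable through reflection ----------
    // With targetSdkVersion < 17 (or on a device below API 17) every public
    // method of the injected object is callable from page JavaScript, including
    // Object.getClass(). Injected script can then reach java.lang.Runtime:
    //   bridge.getClass().forName("java.lang.Runtime")
    //         .getMethod("getRuntime", null).invoke(null, null).exec("id");
    static class Bridge {
        public String getAppVersion() { return "1.0"; } // the only method meant to be callable
        // getClass() is inherited from Object and is exposed as well on old targets
    }

    // Hardened bridge: with targetSdkVersion >= 17 on an API 17+ device, only
    // methods carrying @JavascriptInterface are exported; getClass() is not.
    static class AnnotatedBridge {
        @JavascriptInterface
        public String getAppVersion() { return "1.0"; }
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void configureInsecure(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new InsecureClient());
        webView.addJavascriptInterface(new Bridge(), "bridge"); // exposed to any injected page
        webView.loadUrl("https://alarm.example.com/");          // assumed URL
    }

    @SuppressLint("SetJavaScriptEnabled")
    static void configureHardened(WebView webView) {
        webView.getSettings().setJavaScriptEnabled(true);
        webView.setWebViewClient(new SecureClient());
        // Below API 17 the reflection exposure cannot be prevented by the
        // annotation, so register no bridge at all on those devices.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            webView.addJavascriptInterface(new AnnotatedBridge(), "bridge");
        }
        webView.loadUrl("https://alarm.example.com/");          // assumed URL
    }
}
```

The hardened variant also requires the manifest to declare targetSdkVersion 17 or higher; the annotation alone does nothing for an app that still targets an older SDK, and removing the TLS-error override does nothing if the server connection is not made over HTTPS in the first place.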

This means that if a user is on the same network as an attacker, or connects to a WiFi hotspot controlled by the attacker, then the attacker would be able to read credentials sent by the user, and run commands on their Android device.

Interim Workaround

The application should not be used on untrusted networks such as public WiFi hotspots.

Solution

All users should update to the latest version of the application. This is version 1.11 at time of publication.

Technical details

Please refer to the attached advisory