IoT zone staying alert! HomeAutomation 3.3.2 design weakness exposed (Authentication Bypass, CSRF / Code Execution & Cross Site Request Forgery) – 1-1-2020

Preface: Sometimes lighting can become a security safeguard. Perhaps the lighting system will help you figure out whether an intruder jumps into your garden at night.

Synopsis: It is hard to stop the digital transformation trend from integrating into your daily life. As a matter of fact, these devices are on board already: for instance, remote-controlled outdoor outlets with an on/off function, or Z-Wave outlets that measure the energy consumption of connected lamps and appliances.

Remark: Z-Wave is a wireless communications protocol used primarily for home automation.

Vulnerability details:

HomeAutomation is an open-source web interface and scheduling solution. Quite a few IoT manufacturers integrate their products with HomeAutomation (see attached diagram). Experts found a design weakness in the HomeAutomation software.
From a technical standpoint, the software uses the PHP curl_init function to open a connection, and the code references two other functions (curl_setopt and curl_exec) so that an existing handle (connection) can potentially be reused.
HomeAutomation suffers from an authentication bypass vulnerability: a client can spoof its IP address by sending the X-Forwarded-For header with the local (loopback) IP address value, which allows remote control of the smart home solution. For details, please refer to the diagram.
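As an added illustration (not HomeAutomation's own code, and with assumed function names), the following shows the kind of "is this a local request?" check that the described X-Forwarded-For bypass depends on, next to a hardened version that only trusts the header when the request really came from a configured reverse proxy:

```php
<?php
// Added illustration, not HomeAutomation's code. Function names and the
// sample request arrays are assumptions constructed for this example.

// Weak pattern: X-Forwarded-For is supplied by the client, so any remote
// client that sets it to the loopback address passes the "local" check.
function isLocalRequestWeak(array $server): bool
{
    $ip = $server['HTTP_X_FORWARDED_FOR'] ?? $server['REMOTE_ADDR'] ?? '';
    return in_array($ip, ['127.0.0.1', '::1'], true);
}

// Hardened pattern: REMOTE_ADDR is filled in by the web server from the
// TCP connection and cannot be forged by the client. X-Forwarded-For is
// honoured only when the connecting peer is a configured trusted proxy.
function isLocalRequestHardened(array $server, array $trustedProxies = []): bool
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    if (in_array($peer, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        // A proxy appends the address it received the request from, so the
        // right-most entry is the only hop the trusted proxy vouches for;
        // anything the client prepended itself is ignored.
        $hops = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        $peer = end($hops);
    }
    return in_array($peer, ['127.0.0.1', '::1'], true);
}

// Constructed request: a LAN client presenting a forged loopback header.
$forged = [
    'REMOTE_ADDR'          => '192.168.1.50',
    'HTTP_X_FORWARDED_FOR' => '127.0.0.1',
];
// Constructed request: a genuine loopback connection, no proxy involved.
$local = ['REMOTE_ADDR' => '127.0.0.1'];

var_dump(isLocalRequestWeak($forged));
var_dump(isLocalRequestHardened($forged));
var_dump(isLocalRequestHardened($local));
```

The hardened version rejects the forged request while still accepting a real loopback connection; if the application sits behind a reverse proxy, pass that proxy's address in `$trustedProxies` instead of trusting the header globally.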

Status: No official announcement of a remediation from the software vendor or the manufacturers at the moment.

3 thoughts on “IoT zone staying alert! HomeAutomation 3.3.2 design weakness exposed (Authentication Bypass, CSRF / Code Execution & Cross Site Request Forgery) – 1-1-2020”


  1. When I initially left a comment I appear to have
    clicked on the -Notify me when new comments are added- checkbox
    and from now on every time a comment is added I receive four emails with the same comment.

    Perhaps there is a means you are able to remove me from that
    service? Many thanks!

  2. hi! I like your writing so a lot! percentage we be in contact extra about your post on AOL?

    I need an expert on this space to solve my problem. May be that’s you!

    Looking forward to peer you.
