Backdoor vulnerability found in IoT radios

Vulnerability Lab has found vulnerabilities in Telestar Digital GmbH Internet of Things (IoT) radio devices.

According to a post put out by the security firm, the flaw allows attackers to remotely hijack systems.

Some weeks ago, the company said it had “found an anomaly” on a private server linked to Web radio terminals belonging to Telestar devices, and an undocumented telnetd server.

The radios are from Telestar’s Imperial & Dabman Series I and D product line, which includes portable radios and DAB stereos.

Here’s what Vulnerability Lab had to say:

…we had full access to the file system with httpd, telnet and we could as well activate the file transfer protocol. Then we watched through the local paths and one was called “UIData”. In the UIData path are all the local files (binaries, xml, pictures, texts & other contents) located which are available to process the Web GUI (Port 80 & 8080). For testing we edited some of the folders, created files and modified paths to see about what we are able to change in the native source of the application. Finally we were able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.

Shocked by the results, we tried to follow up with the research for other critical issues.

Using the mobile application on Apple iOS in combination with the port scan result shows us by intuition that the air music client (mobile iOS app) may be connecting on port 80 through 8080 httpd to send and receive commands. After some short time of functional tests we tried to use different http sniffer & http tamper tools to modify the get method requests on Port 80 & 8080 which we recorded ago in the dmz. One hour later we had captured all the commands sent through to the web-service to trigger via client an activity or interaction.

The Lab said it was clear that a remote attacker could easily change the device name, the radio stream or even “leave a shocking live message / audio file.” The problem it had identified was that the Web service had no way to check authorisation for commands sent over the network. This allowed a remote attacker to see the radio streams, listen to messages or transmit audio files as commands from the world wide web.

In the worst case, a remote attacker could also modify the system to remotely spread ransomware or other malicious viruses, rootkits or destructive scripts. The attacker could also make the Web server part of an IoT botnet.

The firm notified the product representatives and the data security officer at Telestar. The manufacturer took the issue seriously and started work on a first patch without much delay, said the Lab.

The company itself and its data security department were not aware of the issue from any report or write-up. The solution was to deactivate the Telnetd service, because there was no need for it anyway, said Vulnerability Lab.
