/NightOwl Disclosure Secret
Created
February 5, 2021 04:28
Vulnerability
The Night Owl Doorbell mishandles encryption, which allows an attacker to insert or spoof notifications into the device that do not correspond to any event that actually occurred.
Affected Items
Night Owl Doorbell Series - WDB-20-V2
The affected Night Owl doorbell communicates events (such as doorbell ring events) to a third-party Push Notification Service located at host.nightowldvr04.com. This service accepts notification events directly from the doorbell's firmware through a plaintext HTTP GET request that includes the following parameters.
• cmd - command being run
• uid - unique identifier, based on serial number
• event type - enumerable event type
• event time - unix timestamp for when event occurred
An attacker can use the command-line tool curl to spoof a fake event, as shown below.
$ curl "http://host.nightowldvr04.com/tpns?cmd=event&uid=BEG6ZXASXXXXXXXXXXXX&event_type=1&dev_type=0001"
200 Success.
$
Impact of the vulnerability
An attacker can abuse this insecure API to insert or spoof events, including ghost doorbell notification events that do not correspond to any actual behavior. Repeated ghost notifications can lead to denial-of-service conditions in which the user disables the application.
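One way the notification service could reject spoofed events, shown as an added example that is not part of the disclosure or of Night Owl's code: each event carries an HMAC computed with a per-device key, and the server checks the MAC, the freshness of the event time, and replays. The per-device key, the `sig` parameter, the `event_time` spelling, the 120-second window and the sample uid are assumptions; integrity alone does not hide the event, so the request would still need TLS.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, urlencode

MAX_SKEW = 120  # assumed policy: seconds event_time may differ from server time
SIGNED_FIELDS = ("cmd", "uid", "event_type", "event_time")


def sign_event(device_key: bytes, fields: dict) -> str:
    """Device side: HMAC-SHA256 over the signed fields in a fixed order."""
    msg = urlencode([(k, fields[k]) for k in SIGNED_FIELDS]).encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def verify_event(query: str, keys: dict, seen: set, now: int) -> tuple:
    """Server side: return (accepted, reason) for one event query string."""
    q = dict(parse_qsl(query, keep_blank_values=True))
    if "sig" not in q or any(k not in q for k in SIGNED_FIELDS):
        return False, "missing field"
    key = keys.get(q["uid"])  # hypothetical per-device key store
    if key is None:
        return False, "unknown uid"
    expected = sign_event(key, q)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    if not hmac.compare_digest(expected.encode(), q["sig"].encode()):
        return False, "bad signature"
    ts = q["event_time"]
    if not ts.isdecimal() or abs(now - int(ts)) > MAX_SKEW:
        return False, "stale event"
    if q["sig"] in seen:  # same signed event delivered twice
        return False, "replay"
    seen.add(q["sig"])
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample data, not real device identifiers or keys.
    keys = {"DEMO-UID-0001": b"constructed-device-key"}
    event = {"cmd": "event", "uid": "DEMO-UID-0001",
             "event_type": "1", "event_time": "1612500000"}
    signed = urlencode({**event, "sig": sign_event(keys[event["uid"]], event)})
    seen = set()
    print(verify_event(signed, keys, seen, 1612500030))
    print(verify_event(signed, keys, seen, 1612500030))
    print(verify_event(urlencode(event), keys, seen, 1612500030))
```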
Acknowledgements
Florida Tech IoT Security and Privacy and ASSIST Research Labs