CVE-2019-11063
SmartHome application has a broken access control vulnerability in its Web API Server
In short
The SmartHome app has a security flaw that lets anyone on the same local network (for example the home Wi-Fi) list user accounts and control IoT devices without supplying a password. In practice, an attacker on that network can read from and manipulate your smart home devices.
Technical detail
A broken access control vulnerability in the SmartHome app (Android ≤3.0.42_190515, iOS ≤2.0.22) permits unauthenticated access to the Web API endpoint /smarthome/devicecontrol over HTTP from the local network, enabling account enumeration and unauthorized control of devices connected through the HG100 gateway. The attack vector is network-based with low complexity; no privileges or user interaction are required; the scope is changed, and the impact on confidentiality, integrity, and availability is high.
Summary generated and translated by AI from the official description.
A broken access control vulnerability in SmartHome app (Android versions up to 3.0.42_190515, iOS versions up to 2.0.22) allows an attacker in the same local area network to list user accounts and control IoT devices that connect with its gateway (HG100) via http://[target]/smarthome/devicecontrol without any authentication. CVSS 3.0 base score 10 (Confidentiality, Integrity and Availability impacts). CVSS vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
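As an added illustration, not code from the advisory or the vendor, here is a minimal Python model of a /smarthome/devicecontrol handler: the unauthenticated form the advisory describes beside a hardened form that requires a valid session token and restricts account listing to an owner role. The in-memory backend state, the credentials and the Bearer-token scheme are constructed assumptions for the demo.

```python
import hmac
import secrets

# Constructed in-memory state standing in for the gateway's Web API backend.
# Hypothetical demo data, not the vendor's implementation or real credentials.
CREDENTIALS = {"alice": "alice-password", "bob": "bob-password"}
ROLES = {"alice": "owner", "bob": "guest"}
DEVICES = {"lamp-1": {"state": "off"}}
SESSIONS = {}  # session token -> account name, filled by login()

def login(user, password):
    """Issue a random session token when the (constructed) credentials match."""
    expected = CREDENTIALS.get(user)
    if expected is None or not hmac.compare_digest(expected, password):
        return None
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token

def _do_action(body):
    """Business logic behind /smarthome/devicecontrol, shared by both handlers."""
    action = body.get("action")
    if action == "list_accounts":
        return 200, {"accounts": sorted(ROLES)}
    if action == "set_device":
        device = DEVICES.get(body.get("device"))
        if device is None:
            return 404, {"error": "unknown device"}
        device["state"] = "on" if body.get("state") == "on" else "off"
        return 200, {"device": body["device"], "state": device["state"]}
    return 400, {"error": "unknown action"}

def devicecontrol_vulnerable(request):
    """Models the reported flaw: the handler never checks who is asking."""
    return _do_action(request.get("body", {}))

def devicecontrol_fixed(request):
    """Hardened handler: authenticate the session, then authorize the action."""
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user = SESSIONS.get(token)
    if user is None:
        return 401, {"error": "authentication required"}
    # Listing every account is owner-only; a guest may only control devices.
    body = request.get("body", {})
    if body.get("action") == "list_accounts" and ROLES[user] != "owner":
        return 403, {"error": "owner role required"}
    return _do_action(body)
```

The hardened handler closes the access-control gap but not the transport one: over plain HTTP on the LAN the session token itself is observable, so the endpoint also belongs behind TLS.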