SEC Consult Vulnerability Lab Security Advisory < 20240418-0 >
=======================================================================
               title: Broken authorization
             product: Dreamehome app
  vulnerable version: <=2.1.5 (iOS)
       fixed version: none, see solution
          CVE number: -
              impact: medium
            homepage: https://www.dreametech.com
               found: 2024-01-17
                  by: Alissa Kim (Office Bochum)
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Eviden business
                      Europe | Asia

                      https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We've emerged as one of the leading brands in smart home cleaning with
our 4 major product lines: robotic vacuums and mops, cordless stick vacuums,
wet and dry vacuums, and high-speed hair dryers. Each product is meticulously
designed to redefine convenience in household innovation and improve our
users' homes."

Source: https://www.dreametech.com/pages/about-us


Business recommendation:
------------------------
The vendor was unresponsive/uncooperative during multiple months of trying to
establish a security contact and to send them our findings. There is no patch/
solution available. Try to contact your local support team and request a patch
for this issue. Stay up-to-date with firmware and app installations and be vigilant.

SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.


Vulnerability overview/description:
-----------------------------------
1) Broken authorization
An owner of the robot vacuum cleaner device can share it with other users via the
app. The privileges of the shared users are very limited. It is not possible to
interact with photos and videos from within the mobile application, but it was
identified that it is possible to delete and list all images/videos of the main
account and even download the encrypted images/videos by sending the requests
with the JWT of the shared user. The encryption was not reverse-engineered but
it could potentially be possible for unauthorized users to gain access to sensitive
imaging data.


Proof of concept:
-----------------
1) Broken authorization
To exploit the vulnerability it is sufficient to follow these steps:
1. Connect a robot vacuum cleaner to the Dreamehome app (in our case the device
    "Dreame L10S ultra" was used).
2. Take a photo and video with the Dreamehome app using the connected device.
3. Share the robot vacuum cleaner with another user.
4. The "shared user" can list the photos using the following curl command:
    (It is necessary to set the "did" of the device)

[ POC removed]

5. The "shared user" can list the videos using the following curl command:

[POC removed]

6. The response with the list of photos/videos contains an "id" parameter. Knowing
this "id" parameter, a shared user can delete the photos/videos using the value
of "id" in the "ossIds" parameter using the following command:

[POC removed]

7. Furthermore, the responses with the list of photos/videos contains a "filepath"
parameter with the URL to the encrypted photo/video. Any user even without a valid JWT
token can download the encrypted photo/video using this URL. The encryption was not
reverse-engineered but it could potentially be possible for unauthorized users to gain
access to sensitive imaging data.


Vulnerable / tested versions:
-----------------------------
The following versions have been tested which were the latest version available
at the time of the test:
* Dreamehome app 2.1.0 (tested with Dreame L10S ultra device)
* Dreamehome app 2.1.5 was tested later on 2024-04-12 and found to be vulnerable
   as well.

It is assumed, that other platforms (Google Android) are affected as well.


Vendor contact timeline:
------------------------
2024-01-24: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech
2024-02-05: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech
2024-02-06: Answer from vendor ticket system (#82462919) to contact marketing@dreame.tech
2024-02-06: Contacting vendor through marketing@dreame.tech, no response.
2024-02-12: Contacting vendor through marketing@dreame.tech, no response.
2024-03-04: Contacting vendor through marketing@dreame.tech, no response.
2024-04-11: Sending final email to support.us@dreame.tech; aftersales@dreame.tech
             and marketing@dreame.tech. Requesting security contact again. As they
             are unresponsive, setting release date to 18th April.
2024-04-11: Same ticket auto-response (#82521551) as from 2024-02-06:
               "Thank you for your great support and interest in our products!
                This is Dreame aftersales team; we are glad to be at your service.
                For your request, please kindly contact our marketing department
                (Email: marketing@dreame.tech) for direct assistance.

                Feel free to contact us with product related issues or concerns you
                may have."
2024-04-11: Sending them once again that marketing does not respond (and should not
             be responsible for security) and that we proceed to release the advisory
             on 2024-04-18.
2024-04-12: Vendor: "Thank you for reaching Dreame. We're sorry for the inconvenience.
                      According to our service policy, we have no access to confirm any
                      application for cooperation. We have already contacted our sales
                      team and IT support to further check your information. They will
                      reply to you if they decide to proceed cooperation with you.
                      Your kind understanding and patience are greatly appreciated."
2024-04-18: Public release of security advisory.


Solution:
---------
The vendor was unresponsive/uncooperative during multiple months of trying to
establish a security contact and to send them our findings. There is no patch/
solution available. Try to contact your local support team and request a patch
for this issue. Stay up-to-date with firmware and app installations and be vigilant.


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Alissa Kim / @2024