SEC Consult Vulnerability Lab Security Advisory < 20240418-0 > ======================================================================= title: Broken authorization product: Dreamehome app vulnerable version: <=2.1.5 (iOS) fixed version: none, see solution CVE number: - impact: medium homepage: https://www.dreametech.com found: 2024-01-17 by: Alissa Kim (Office Bochum) SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "We've emerged as one of the leading brands in smart home cleaning with our 4 major product lines: robotic vacuums and mops, cordless stick vacuums, wet and dry vacuums, and high-speed hair dryers. Each product is meticulously designed to redefine convenience in household innovation and improve our users' homes." Source: https://www.dreametech.com/pages/about-us Business recommendation: ------------------------ The vendor was unresponsive/uncooperative during multiple months of trying to establish a security contact and to send them our findings. There is no patch/ solution available. Try to contact your local support team and request a patch for this issue. Stay up-to-date with firmware and app installations and be vigilant. SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues. Vulnerability overview/description: ----------------------------------- 1) Broken authorization An owner of the robot vacuum cleaner device can share it with other users via the app. The privileges of the shared users are very limited. It is not possible to interact with photos and videos from within the mobile application, but it was identified that it is possible to delete and list all images/videos of the main account and even download the encrypted images/videos by sending the requests with the JWT of the shared user. The encryption was not reverse-engineered but it could potentially be possible for unauthorized users to gain access to sensitive imaging data. Proof of concept: ----------------- 1) Broken authorization To exploit the vulnerability it is sufficient to follow these steps: 1. Connect a robot vacuum cleaner to the Dreamehome app (in our case the device "Dreame L10S ultra" was used). 2. Take a photo and video with the Dreamehome app using the connected device. 3. Share the robot vacuum cleaner with another user. 4. The "shared user" can list the photos using the following curl command: (It is necessary to set the "did" of the device) [ POC removed] 5. The "shared user" can list the videos using the following curl command: [POC removed] 6. The response with the list of photos/videos contains an "id" parameter. Knowing this "id" parameter, a shared user can delete the photos/videos using the value of "id" in the "ossIds" parameter using the following command: [POC removed] 7. Furthermore, the responses with the list of photos/videos contains a "filepath" parameter with the URL to the encrypted photo/video. Any user even without a valid JWT token can download the encrypted photo/video using this URL. The encryption was not reverse-engineered but it could potentially be possible for unauthorized users to gain access to sensitive imaging data. Vulnerable / tested versions: ----------------------------- The following versions have been tested which were the latest version available at the time of the test: * Dreamehome app 2.1.0 (tested with Dreame L10S ultra device) * Dreamehome app 2.1.5 was tested later on 2024-04-12 and found to be vulnerable as well. It is assumed, that other platforms (Google Android) are affected as well. Vendor contact timeline: ------------------------ 2024-01-24: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech 2024-02-05: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech 2024-02-06: Answer from vendor ticket system (#82462919) to contact marketing@dreame.tech 2024-02-06: Contacting vendor through marketing@dreame.tech, no response. 2024-02-12: Contacting vendor through marketing@dreame.tech, no response. 2024-03-04: Contacting vendor through marketing@dreame.tech, no response. 2024-04-11: Sending final email to support.us@dreame.tech; aftersales@dreame.tech and marketing@dreame.tech. Requesting security contact again. As they are unresponsive, setting release date to 18th April. 2024-04-11: Same ticket auto-response (#82521551) as from 2024-02-06: "Thank you for your great support and interest in our products! This is Dreame aftersales team; we are glad to be at your service. For your request, please kindly contact our marketing department (Email: marketing@dreame.tech) for direct assistance. Feel free to contact us with product related issues or concerns you may have." 2024-04-11: Sending them once again that marketing does not respond (and should not be responsible for security) and that we proceed to release the advisory on 2024-04-18. 2024-04-12: Vendor: "Thank you for reaching Dreame. We're sorry for the inconvenience. According to our service policy, we have no access to confirm any application for cooperation. We have already contacted our sales team and IT support to further check your information. They will reply to you if they decide to proceed cooperation with you. Your kind understanding and patience are greatly appreciated." 2024-04-18: Public release of security advisory. Solution: --------- The vendor was unresponsive/uncooperative during multiple months of trying to establish a security contact and to send them our findings. There is no patch/ solution available. Try to contact your local support team and request a patch for this issue. Stay up-to-date with firmware and app installations and be vigilant. Workaround: ----------- None Advisory URL: ------------- https://sec-consult.com/vulnerability-lab/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab An integrated part of SEC Consult, an Eviden business Europe | Asia About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an Eviden business. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/career/ Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/contact/ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: security-research at sec-consult dot com Web: https://www.sec-consult.com Blog: https://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF Alissa Kim / @2024