Pierluigi Paganini September 10, 2019

A security researcher disclosed zero-day flaws in Telestar Digital GmbH IoT radio devices that could be exploited by remote attackers to hijack systems without any user interaction.

The security researcher Benjamin Kunz from Vulnerability-Lab disclosed zero-day flaws in Telestar Digital GmbH IoT radio devices that could be exploited by remote attackers to hijack devices without any user interaction.

The vulnerabilities have been tracked as CVE-2019-13473 and CVE-2019-13474. 

The issues were discovered several weeks ago when the company investigating an anomaly on a private network discovered the presence of the Telestar web radio terminals. The researchers discovered an undocumented telnetd server on the standard port 23, then, since port forwarding was activated for all ports on the network, the devices could be addressed from the outside.

“During the investigation of the security incident with our company, we noticed an undocumented Telnet service on the standard port 23 on the said end devices during a port scan. Since port forwarding was activated for all ports on this network, it could be addressed from the outside.” reads the report published by the experts. “Telnet services are less used today, because content is transmitted unencrypted and there are better alternatives today. Nevertheless, the protocol on network level and in end devices is still a bigger topic than originally thought.”

The IoT radio devices are manufactured by Imperial & Dabman (Series I and D) and are distributed in Germany by Telestar, but experts pointed out that it is possible to buy them via Ebay and Amazon by resellers. The devices have httpd web server, Web GUI, Wifi, or Bluetooth on board. The hardware of the terminals is equipped with Shenzen technology, while the firmware is based on BusyBox Linux Debian. 

Kunz and his colleagues were able to brute-force the IoT radio in just 10 minutes and achieve root access with full privileges. 

The researchers were able to edit some of the folders, created files, and modify paths to determine what it was possible to change in the native source of the application.

“Finally we was able to edit and access everything on the box and had the ability to fully compromise the smart web radio device. ” continues the experts.

The following video below shows how it is possible to compromise the radio devices. 

Attackers can perform a broad range of actions by exploiting the issues, including changing device names, setting boot-logo, setting volume, forcing a play stream, saving audio files as messages, transmit audio as commands both locally and remotely. 

According to Kunz, more than one million devices are potentially at risk, an attacker can trigger the flaws to build a huge botnet that could be used to launch powerful DDoS attacks.

The experts reported the vulnerabilities to Telestar Digital GmbH on June 1 and the company by August 30 released a fix to address the flaws.

The telnetd service is being deactivated and old and weak passwords are as well being removed or changed. Automatic updates are available via Wi-Fi and can be installed by setting IoT radio devices back to factory settings and downloading the latest firmware version. 

The good news is that Telestar Digital GmbH is not aware of attacks exploiting the vulnerabilities in the wild.

Pierluigi Paganini

(SecurityAffairs – IoT radio devices, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]