Insecure data storage in my devolo - android application

SEC Consult Vulnerability Lab Security Advisory < 20160422-0 >

=======================================================================

title: Insecure data storage

product: my devolo - android application - air.de.devolo.my.devolo

vulnerable version: 1.2.8

fixed version:

CVE number:

impact: High

homepage: www.devolo.com

found: 2015-10-30

by: A. Nochvay (Office Moscow)

SEC Consult Vulnerability Lab

 

An integrated part of SEC Consult

Berlin - Frankfurt/Main - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

www.sec-consult.com

 

=======================================================================

 

Vendor description:

-------------------

devolo AG has been developing innovative Powerline and data communications

products for private customers and professional users.devolo Home Control

expands on the idea of the easy way to connect and is emerging as a new

product world for the smart home that simply enables greater comfort and

convenience, security and energy savings.

 

URL: www.devolo.com/en/Company/devolo-AG

 

 

Business recommendation:

------------------------

Attackers might be able to recover sensitive information from stolen/lost devices.

With this information attackers can control user's smart devices, change

temperature and watching user's remote camera.

 

SEC Consult recommends not to store sensitive information on mobile devices.

 

 

Vulnerability overview/description:

-----------------------------------

The application "my devolo" uses the SharedPreferences android mechanism for

storing information about the user including login credentials for the site

mydevolo.com. In the event that an adversary physically attains the mobile

device, the adversary might be able to hook up the mobile device to a computer

with freely available software. These tools allow the adversary to see all third

party application directories.

 

 

Proof of concept:

-----------------

Has been removed due to the request from the vendor.

 

 

Vulnerable / tested versions:

-----------------------------

The vulnerability has been discovered in "my devolo" version 1.2.8, which

is the latest version in Google Play Store at this time.

 

 

Vendor contact timeline:

------------------------

2015-11-10: Transmission of advisory via a data-exchange platform provided by the vendor

2016-02-23: Confirmation of the described issue via email by vendor

2016-04-22: Public advisory release

 

 

Solution:

---------

no solution available

 

 

Workaround:

-----------

no workaround available

 

 

Advisory URL:

-------------

www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

SEC Consult Vulnerability Lab

 

SEC Consult

Berlin - Frankfurt/Main - Montreal - Moscow

Singapore - Vienna (HQ) - Vilnius - Zurich

 

About SEC Consult Vulnerability Lab

The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It

ensures the continued knowledge gain of SEC Consult in the field of network

and application security to stay ahead of the attacker. The SEC Consult

Vulnerability Lab supports high-quality penetration testing and the evaluation

of new offensive and defensive technologies for our customers. Hence our

customers obtain the most current information about vulnerabilities and valid

recommendation about the risk profile of new technologies.

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Interested to work with the experts of SEC Consult?

Send us your application www.sec-consult.com/en/Career.htm

 

Interested in improving your cyber security with the experts of SEC Consult?

Contact our local offices www.sec-consult.com/en/About/Contact.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 

Mail: research at sec-consult dot com

Web: www.sec-consult.com

Blog: blog.sec-consult.com

Twitter: twitter.com/sec_consult

 

EOF Aleksandr Nochvay / @2015