Vendor Description
“Control with Vibratissimo your AMOR Toy on your smartphone and get even more features by the app. With Vibratissimo you are open to new and exciting opportunities, whether you are in the same room or on different continents.”
Source: http://www.vibratissimo.com/en/index.html
Business Recommendation
SEC Consult highly recommends to update the app to the newest version available in the appstore. Furthermore the password, which was used within the app, should be changed immediately. If the password was used for multiple services, all passwords should be changed. To get rid of issue number 3 (Unauthenticated Bluetooth LE Connections) a firmware update can be applied. To apply the firmware update the devices have to be sent to Amor Gummiwaren GmbH.
Vulnerability Overview/ Description
1) Customer Database Credential Disclosure
The credentials for the whole Vibratissimo database environment were exposed on the internet. Due to the fact, that the PHPMyAdmin interface was exposed as well, an attacker could have been able to connect to the database and dump the whole data set. The dataset contains for example the following data:
- Usernames
- Session Tokens
- Cleartext passwords
- chat histories
- explicit image galleries, which are created by the users themselves
2) Exposed administrative interfaces on the internet
An administrative interface for databases was available without any filtering to the whole internet. In combination with other vulnerabilities an attacker could have been able to get access to the whole database data and even take over the server.
3) Cleartext Storage of Passwords
The user passwords were stored unhashed in cleartext in the database. If an attacker gained access to the database (e.g. via credential disclosure), he could have been able to retrieve the plaintext passwords of users and abuse their privileges in the system.
4) Unauthenticated Bluetooth LE Connections
The sex toys are connected without prior authentication to the app, which is the standard use case. For example one of the identified Bluetooth services allows to read the current device temperature. Other services, which can be accessed without prior authentication are:
- Setting the “intensity” of the current vibration pattern
- Reading various values (Temperature, etc)
5) Insufficient Authentication Mechanism
The android application is using a type of authentication, which is against known best practice. The username and password are sent with every request to the server to authenticate and authorise the request. There is no session management implemented. However, the authentication credentials are transmitted via an encrypted SSL/TLS connection.
6) Insecure Direct Object Reference
Due to flaws in the authorization schema, an authorization bypass vulnerability allows an attacker to get access to restricted functions and resources. In this case a user is able to set a profile picture by uploading a provided image. The image is stored on the Vibratissimo server and renamed. All images are renamed by incrementing a global number and assigning this number as the name of the image (e.g 200.png). An attacker is now able to iterate through those images and dump personal user images containing partially explicit content. The image can even be accessed if the profile has been set to “hidden” by the user.
7) Missing Authentication in Remote Control
The mobile apps allow their users to use a feature called quick control. This feature allows to send a link with a unique ID to an email address or a telephone via SMS to get direct control of the sex toy over the internet. This wouldn’t be a problem in general if the link containing the unique ID would be random and long enough. Furthermore, it would be quite useful if the receiving user must confirm the remote control before being controlled by the other user. Unfortunately this is not the case.
The IDs are again a global counter, which just gets incremented by one everytime a new quick control link is created. An attacker can guess this ID easily and therefore control the victim’s sex toy directly over the internet.
8) Reflected Cross-Site Scripting
An endpoint, which handles remote control links, returns unfiltered user input resulting in reflected XSS attacks. With reflected cross-site scripting, an attacker can inject arbitrary HTML or JavaScript code into the victim’s web browser. Once the victim clicks a malicious link, the attacker’s code is executed in the context of the victim’s web browser. As a result, the attacker is able to execute arbitrary client-side JavaScript code, for example to deface the website or steal user credentials. In addition, users of the site can become victims of browser exploits and JavaScript trojan horses.
Proof Of Concept
1) Customer Database Credential Disclosure
During the evaluation a .DS_STORE file was found on the webserver of Amor Gummiwaren GmbH. A .DS_STORE file typically contains a listing of all the sub-directories in the current directory, including various different custom attributes for the OSX operating system. In this directory many subdirectories and files were identified.
Besides some subfolders containing outdated PHP mail services and test PHP files a file called config.ini.php was found in a configuration directory which included the databases credentials in plain text.
In combination with the exposed phpmyadmin interface an attacker was able to dump the whole customer database containing sensitive information.
2) Exposed administrative interfaces on the internet
The PHPMyAdmin interface was accessible by everyone without any restrictions by visiting the following URL
www.vibratissimo.com/phpmyadmin/
In combination with the information disclosure vulnerability, which discloses the database credentials, an attacker could have been able to connect to the database and extract/dump the available tables including sensitive user information (such as passwords).
3) Cleartext Storage of Passwords
The password entries of the user were stored in plaintext in the database. As we don’t want to put users at risk and the vulnerability is self explaining a detailed proof-of-concept is not included in the advisory.
4) Unauthenticated Bluetooth LE Connections
The Bluetooth LE connection between the smartphone and the vibrator, which is used to control the vibrator is insecure in multiple ways, which leaves the connection open for eavesdropping, replay-attacks and vulnerable to MitM attacks.
Bluetooth LE offers the following pairing methods:
- No Pairing
- Just Works(TM)
- Out of Band (OOB) Pairing
- Passkey
- Numeric Comparison
Every available pairing method has its up- and downsides, except the “No Pairing” method, which is offering only downsides. The reason to use the “no pairing” is to offer the user simplicity. Furthermore, all the other methods require some kind of input or interaction by the user, which can’t be offered by the tested devices. The tested device used the “no pairing” method exclusively. This allows an attacker to query the device for information or write data to the device. An attacker is therefore able to control the sex toy remotely if he is in range.
5) Insufficient Authentication Mechanism
The apps are lacking a real authentication mechanism and a session management. Every request is “authenticated” by sending the cleartext password and username with every request to the API in a GET parameter via an encrypted SSL/TLS connection. A request to the API looks as follows:
GET /userManager.php?action=getUser&password=$clearTextPassword&user_login=$ClearTextUsername HTTP/1.1
Host: www.vibratissimo.com
6) Insecure Direct Object Reference
The profile pictures of a user are uploaded to the following folder:
www.vibratissimo.com/userPictures/$ID.png
The profile pictures can be accessed without prior authentication and even if the profile has been set to “hidden” by the user.
7) Missing Authentication in Remote Control
For this vulnerability a setup with 3 devices was prepared:
- The victim
- The sex toy connected to the victim via Bluetooth
- The attacker
The victim is directly connected via Bluetooth to the sex toy and creates a quick control link for his friend. This creates the following link as an example:
vibratissimo.com/quickControl.php
An attacker can now launch the app and create a quick control link and send the link to himself. He receives the following link:
vibratissimo.com/quickControl.php
The attacker can now just decrement the ID in the link by one to get immediate and direct access to the victim’s sex toy.
8) Reflected Cross-Site Scripting
To demonstrate the vulnerability, it is enough to open the following link in an arbitrary browser:
vibratissimo.com/quickControl.php;
The payloads gets executed immediately.
Vulnerable / Tested Versions
Vibratissimo <6.3 (iOS), <6.2.2 (Android), <2.0.2 (most up to date version in October 2017)