Broken authorization in Dreamehome app

Title

Broken authorization

Product

Dreamehome app

Vulnerable Version

<=2.1.5 (iOS)

Fixed Version

-

CVE Number

-

Impact

medium

Found

17.01.2024

By

Alissa Kim (Office Bochum) | SEC Consult Vulnerability Lab

The Dreamehome app suffers from a broken authorization vulnerability. An owner of the robot vacuum cleaner device can share it with other users. However, the privileges of the shared user are very limited. Although it is not possible to interact with photos and videos within the mobile application, it is still possible to delete and list the images/videos, and even download the encrypted images/videos by sending the requests with the JWT of the shared user.

Vendor description

"We've emerged as one of the leading brands in smart home cleaning with our 4 major product lines: robotic vacuums and mops, cordless stick vacuums, wet and dry vacuums, and high-speed hair dryers. Each product is meticulously designed to redefine convenience in household innovation and improve our users' homes."

Source: https://www.dreametech.com/pages/about-us


Business recommendation

The vendor was unresponsive/uncooperative during multiple months of trying to establish a security contact and to send them our findings. There is no patch/solution available. Try to contact your local support team and request a patch for this issue. Stay up-to-date with firmware and app installations and be vigilant.

SEC Consult highly recommends to perform a thorough security review of the product conducted by security professionals to identify and resolve potential further security issues.


Vulnerability overview/description

1) Broken authorization

An owner of the robot vacuum cleaner device can share it with other users via the app. The privileges of the shared users are very limited. It is not possible to interact with photos and videos from within the mobile application, but it was identified that it is possible to delete and list all images/videos of the main account and even download the encrypted images/videos by sending the requests with the JWT of the shared user. The encryption was not reverse-engineered but it could potentially be possible for unauthorized users to gain access to sensitive imaging data.

Proof of concept

1) Broken authorization

  1. To exploit the vulnerability it is sufficient to follow these steps:
  2. Connect a robot vacuum cleaner to the Dreamehome app (in our case the device "Dreame L10S ultra" was used).
  3. Take a photo and video with the Dreamehome app using the connected device.
  4. Share the robot vacuum cleaner with another user.
  5. The "shared user" can list the photos using the following curl command (It is necessary to set the "did" of the device):
[ POC removed]

5. The "shared user" can list the videos using the following curl command:

[ POC removed]

6. The response with the list of photos/videos contains an "id" parameter. Knowing this "id" parameter, a shared user can delete the photos/videos using the value of "id" in the "ossIds" parameter using the following command:

[ POC removed]

7. Furthermore, the responses with the list of photos/videos contains a "filepath" parameter with the URL to the encrypted photo/video. Any user even without a valid JWT token can download the encrypted photo/video using this URL. The encryption was not reverse-engineered but it could potentially be possible for unauthorized users to gain access to sensitive imaging data.


Vulnerable / tested versions

The following versions have been tested which were the latest version available at the time of the test:

  • Dreamehome app 2.1.0 (tested with Dreame L10S ultra device)
  • Dreamehome app 2.1.5 was tested later on 2024-04-12 and found to be vulnerable as well.

It is assumed, that other platforms (Google Android) are affected as well.

Vendor contact timeline

2024-01-24: Contacting vendor through support.us@dreame.tech and aftersales@dreame.tech

2024-02-05: Contacting vendor through support.us@dreame.tech and aftersales@dreame.tech

2024-02-06: Answer from vendor ticket system (#82462919) to contact marketing@dreame.tech

2024-02-06: Contacting vendor through marketing@dreame.tech, no response.
2024-02-12: Contacting vendor through marketing@dreame.tech, no response.
2024-03-04: Contacting vendor through marketing@dreame.tech, no response

2024-04-11: Sending final email to support.us@dreame.tech; aftersales@dreame.tech and marketing@dreame.tech.
Requesting security contact again. As they are unresponsive, setting release date to 18th April.



2024-04-11: Same ticket auto-response (#82521551) as from 2024-02-06 - "Thank you for your great support and interest in our products! This is Dreame aftersales team; we are glad to be at your service. For your request, please kindly contact our marketing department (Email marketing@dreame.tech) for direct assistance. Feel free to contact us with product related issues or concerns you may have."

2024-04-11: Sending them once again that marketing does not respond (and should not be responsible for security) and that we proceed to release the advisory on 2024-04-18.

2024-04-12: Vendor: "Thank you for reaching Dreame. We're sorry for the inconvenience. According to our service policy, we have no access to confirm any application for cooperation. We have already contacted our sales team and IT support to further check your information. They will reply to you if they decide to proceed cooperation with you.Your kind understanding and patience are greatly appreciated."

2024-04-18: Public release of security advisory.  

 

Solution

The vendor was unresponsive during multiple months of trying to establish a security contact and send them our findings. There is no patch/solution available. Try to establish contact with your local support team and request a patch for this issue. Stay up-to-date with firmware and app installations and be vigilant.


Workaround

None

 

Advisory URL

https://sec-consult.com/vulnerability-lab/

EOF Alissa Kim  / @2024

 

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices