Logitech Harmony Hub exploit allows complete home takeover

The growth of smart home devices has introduced a plethora of individual device makers and an equivalent number of different apps to control them. Tying all these together under one umbrella is not only convenient but increasingly necessary, both to manage them all and to make them play nicely together. As such, smart home hubs are increasingly important additions to the smart home.

Logitech was an early entrant here, taking the concept of their long-established Harmony universal remote controls and extending it into the smart home era with the Harmony Hub. The remote becomes a smartphone app which can control not only your home entertainment gear, but (just about) every other smart thing in the house. The Harmony Hub has an enormous supported device list, and an equally large user base to go with it.

A researcher over at cyber security firm Tenable has published an exploit which allows for trivial rooting of the device, and thus of the home, as the Hub has (in all likelihood) been given access to everything else it supports. The specifics of the method used to discover the vulnerability can be delved into on Medium, but essentially, by using a man-in-the-middle attack during a firmware update, the device firmware can be captured and trivially extracted. Examination of the firmware code allowed for exploration of the functionality of the Hub.

Like many smart devices, the Harmony Hub relies on a back end cloud service to provide communication between the device and the smartphone app. This allows for commands to be sent from anywhere via the internet, which in this case could be reasonably considered core functionality for a hub. The Hub can then communicate with devices in the home via IR, Bluetooth or through a web API provided by the relevant device maker (similar to how Alexa or IFTTT do things). In order to facilitate communications in and out of the device, a messaging service is used for various critical functions to enable control via the app.

By design, these commands should only ever come via Logitech’s servers, so there is a rudimentary validation that the command is from a valid source. This is done simply by checking the Origin header of the request to ensure it contains the domain name “.myharmony.com”. Unfortunately, this is easily spoofed by changing the HTTP request header.
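To make the weakness concrete, here is an added example (not Logitech's code and not from the Tenable write-up) that puts the substring check described above beside a stricter host match and a message-authentication check. The function names, the sample Origin values and the HMAC scheme with a per-device key are assumptions made for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

TRUSTED_SUFFIX = ".myharmony.com"  # the domain string quoted in the article

def origin_check_weak(headers):
    """The check as the article describes it: substring match on Origin."""
    return TRUSTED_SUFFIX in headers.get("Origin", "")

def origin_check_strict(headers):
    """Parse the Origin and match the host suffix; the value is still client-supplied."""
    try:
        parts = urlsplit(headers.get("Origin", ""))
        host = (parts.hostname or "").lower()
    except ValueError:
        return False
    return parts.scheme == "https" and host.endswith(TRUSTED_SUFFIX)

def command_is_authentic(body, tag_hex, key):
    """Assumed scheme: the sender attaches HMAC-SHA256 of the body under a per-device key."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)

# Constructed sample values; none of these are real hosts, keys or messages.
LEGIT = {"Origin": "https://app.myharmony.com"}
LOOKALIKE = {"Origin": "https://x.myharmony.com.example.net"}
DEVICE_KEY = b"constructed-per-device-key"
BODY = b'{"cmd": "constructed-example"}'
GOOD_TAG = hmac.new(DEVICE_KEY, BODY, hashlib.sha256).hexdigest()

if __name__ == "__main__":
    for name, hdrs in (("legit", LEGIT), ("lookalike", LOOKALIKE)):
        print(name, "weak:", origin_check_weak(hdrs), "strict:", origin_check_strict(hdrs))
    # A header alone proves nothing: any non-browser client can send LEGIT verbatim.
    print("valid tag:", command_is_authentic(BODY, GOOD_TAG, DEVICE_KEY))
    print("no valid tag:", command_is_authentic(BODY, "00" * 32, DEVICE_KEY))
```

The stricter parse rejects lookalike hosts, but only the keyed check ties a command to a party that holds a secret, because any header value can be set by whoever builds the request.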

In order to leverage this flaw, a second issue was used involving the time synchronization message handler. Like many computer systems, the Hub updates its internal clock from a trusted time server, but the response from the time server is not validated and is passed straight through to the OS. By sending a command to change the time server to a system controlled by the attacker using the spoofed Origin header, the Hub will then send a synchronization request to the new server. This bogus server can then respond with a rootkit payload and gain root access to the Hub.

Naturally, with root access, the attacker can now send commands to any device that has been configured for the Hub to control, and all manner of fun can ensue. The good news with all of this is that the attacker would need access to the internal network first to be able to send traffic to the Hub. A standard NAT router or home firewall would effectively prevent access to the Hub from outside the network, but the weak authentication method, the use of unencrypted HTTP messaging, and the lack of firmware encryption are all cause for concern here. Nor is this the first major exploit found on the Harmony Hub.

Hubs are naturally high-value targets given the amount of control they give to cause mischief, and as more smart home devices proliferate this will only become more critical. Hub manufacturers have a responsibility to build security into these products by design, or their customers will eventually pay the price. To be fair, Logitech has been responsive to security researchers' findings, even to the chagrin of their customers. However, the lack of some accepted best practices here suggests their approach is more reactive than trying to get it right the first time.