Loxone Miniserver - Loxone Cloud DNS Vulnerability

In order to access the Loxone Miniserver from outside the home network, Loxone offers the Cloud DNS service. In this service, the announcement of the Loxone Miniserver's public IP address to the Cloud DNS service is unauthenticated. As a consequence, an attacker can register his own IP address at the service if he knows the MAC address of a Loxone Miniserver. When running a webserver at this IP address (e.g. with a website similar to the Loxone Miniserver web interface), he is able to tap the users' credentials. With these credentials the attacker can access the Loxone Miniserver and, furthermore, the whole Loxone Smart Home, depending on the users' permissions.

Every version before 11.1.9.3 since the introduction of Loxone Cloud DNS (confirmed by Loxone; tested with 11.0.5.5 and 10.3.11.27)

IoT Lab, University of Applied Sciences Upper Austria, Campus Hagenberg

Simon Birngruber BSc (University of Applied Sciences Upper Austria Campus Hagenberg)
Dieter Vymazal BSc MSc (University of Applied Sciences Upper Austria Campus Hagenberg)
DI Markus Zeilinger (University of Applied Sciences Upper Austria Campus Hagenberg)

“We focus on the simple idea of creating a building that knows what to do on its own. From smart homes to commercial buildings of all types, our goal is that it is equipped with the truly intelligent automation for the simplest control.”

As an alternative to DDNS providers like No-IP or DynDNS, Loxone offers the Cloud DNS service. With this service, customers who are assigned a dynamic public IP address by their Internet service provider can access their Loxone Miniserver through a fixed URI. The URI has the structure &json=true, which is mentioned in the interface description by Loxone. Among other things these are the currently registered IP address and the timestamp of the last update. The attacker can therefore gather the timestamp of the last UDP datagram and can send his fake UDP datagram shortly after this time.