They were additionally ready to confirm that the root password of the IoT device was blank which thusly assumed a major part in granting them complete control over the device after they additionally looked more about firmware of the Hub’s SquashFS file system.
It was a direct result of these two vulnerabilities that Hopwood later said made it quite easy for him to hijack the Harmony Hub by means of its update procedure.
“Since we were able to previously observe what a real update process looked like, we could just simulate a false update to tell the Hub it has an update and tell it where to download the update from,” Hopwood told Threatpost. “Then we would download that resource onto the Hub with our own controlled web server that had a malicious update posted on it.”
Logitech’s Harmony Hub is one of numerous unreliable and insecure IoT devices – from smart thermostats to connected surveillance cameras. Smart hubs, specifically, extend the potential attack vector since they go about as a hub for different associated devices across the home.
What’s more, because of the way that the Harmony Hub, in the same way as other IoT gadgets, utilizes a typical processor design, malevolent devices could without much of a stretch be added to a compromised Harmony Hub, expanding the general effect of a targeted attack, Hopwood later included in his post Fire Eye’s Official website.