Summary

A recently discovered security vulnerability affects the Bosch Smart Camera for Android App. Other Bosch apps, in particular the Bosch Smart Camera for iOS app, are not affected.

Due to improperly implemented TLS certificate checks, a malicious actor could potentially succeed in executing a man-in-the-middle attack on connections to Bosch’s identity management backend systems, and could thereby intercept and/or modify a particular customer’s Bosch-ID.

Bosch Smart Home rates this vulnerability at 8.3 (high) and recommends that customers update the app on all their Android devices to the fixed version.

As of 2019-02-14, an updated Smart Camera App for Android is available via the Google Play Store.

Affected Products

Smart Camera App for Android < 1.3.1

Solution

As of 2019-02-14, an updated Smart Camera App for Android is available via the Google Play Store.

The following subsections list mitigations and/or workarounds that can be used before the update has been applied.

Change Password (Process)

As a precaution, customers may want to change the password associated with their Bosch-ID. This can be done via the web portal accessible at https://myaccount.bosch.com/BeaPUssWeb/profile. Furthermore, in case the same password has been used for other services, customers should consider changing the password there as well.

Refrain from using the Bosch-ID (Process)

Customers are advised not to start any workflow in the Smart Camera app that requires entering their Bosch-ID, for instance changing the password.

Vulnerability Details

This vulnerability is classified as CWE-295: Improper Certificate Validation, located in erroneous TLS connection setup code that is solely used to access the Bosch identity management backend systems. The app update fixes the coding error to achieve proper certificate validation.
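The advisory does not show the app’s actual code, so the following is an added illustration rather than Bosch’s implementation: the textbook Android form of CWE-295 (a trust manager and hostname verifier that accept anything) placed beside the corrected setup, which simply leaves certificate validation to the platform. The endpoint URL is a placeholder.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;

public class TlsSetupExample {
    // VULNERABLE pattern (CWE-295): a trust manager that accepts every server
    // certificate plus a hostname verifier that accepts every name. Any
    // man-in-the-middle holding any certificate completes the handshake.
    static HttpsURLConnection openInsecure(URL url) throws Exception {
        TrustManager[] trustAll = new TrustManager[] {
            new X509TrustManager() {
                public void checkClientTrusted(X509Certificate[] c, String a) {}
                public void checkServerTrusted(X509Certificate[] c, String a) {} // no check
                public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
            }
        };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, trustAll, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setHostnameVerifier((host, session) -> true); // accepts any hostname
        return conn;
    }

    // FIXED: install no custom TrustManager or HostnameVerifier. The platform
    // default validates the chain against the device trust store and checks
    // that the certificate matches the requested hostname.
    static HttpsURLConnection openVerified(URL url) throws IOException {
        return (HttpsURLConnection) url.openConnection();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder host (assumption for this example), not a Bosch endpoint.
        URL idp = new URL("https://idp.example.invalid/token");
        HttpsURLConnection conn = openVerified(idp);
        try {
            conn.connect(); // SSLHandshakeException if chain or hostname fails validation
            System.out.println("verified: " + conn.getResponseCode());
        } catch (IOException e) {
            System.out.println("rejected: " + e);
        } finally {
            conn.disconnect();
        }
    }
}
```

A quick code review check for the weak pattern is to search the app for `X509TrustManager` implementations with empty `checkServerTrusted` bodies and for `HostnameVerifier` instances that return `true` unconditionally; on Android 7.0 and later, additional constraints such as certificate pinning belong in the Network Security Configuration rather than in hand-written TLS setup code.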

CVSS Rating

The CVSS V3 Base Score is rated at: 8.3 (high) CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C

Impact

The vulnerability can be used to mount a man-in-the-middle attack on a given customer. This would enable a potential attacker, for example, to obtain a customer’s Bosch-ID (e-mail address / password) and use these credentials to impersonate this particular customer.

Despite its high rating, note that exploiting the vulnerability requires user interaction and is limited to a very narrow time frame, as the Bosch-ID is only used in a few situations, for instance when connecting the Smart Camera app to a customer’s Bosch-ID on first app execution.

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

22 Feb 2019: Initial Publication