Summary

A recently discovered security vulnerability affects the Bosch Smart Camera for Android App. Other Bosch apps, in particular the Bosch Smart Camera for iOS app, are not affected.

Due to insecure permission settings, a malicious app could potentially retrieve video clips or still images that have been cached for clip sharing. Note that camera sharing is a different function and is not affected.

Bosch Smart Home rates this vulnerability at 4.8 (medium) and recommends that customers update the app on all Android devices to the fixed version.

As of 2019-02-14, an updated Smart Camera App for Android is available via the Google Play Store.

Affected Products

Smart Camera App for Android < 1.3.1

Solution

As of 2019-02-14, an updated Smart Camera App for Android is available via the Google Play Store. To complete the fix, the updated app needs to be started at least once.

The following subsections list mitigations and/or workarounds that can be used before the fix has been applied.

Install apps from trusted sources only (Process)

As general advice, customers should install apps only from trusted vendors and via trusted app stores, to reduce the likelihood of installing malicious apps.

Refrain from using clip sharing (Process)

Customers are advised to refrain from using the video clip/still image sharing functionality.

Vulnerability Details

This vulnerability is classified as “CWE-276: Incorrect Default Permissions”, located in the video clip/still image sharing subsystem. The app update ensures that video clips and still images are stored in areas that are only accessible by the Smart Camera app. Furthermore, files that have been created due to the issue at hand will be removed on first app start.

CVSS Rating

The CVSS v3 base score is rated at 4.8 (medium); vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L/E:H/RL:O/RC:C.

Impact

The vulnerability can be used to access video clips and still images that the sharing subsystem stores on the SD card of a given customer's smartphone. A malicious app installed on the same device could thereby, for example, obtain, modify or remove video clips that the customer has selected for clip sharing.

Note that video clips and still images are written to the SD card when a customer selects them for sharing, and they remain there for a given time regardless of whether the customer cancels or completes the sharing process. The fixed app version ensures that such files are removed.
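The storage pattern behind CWE-276 in the Vulnerability Details and Impact sections, shown as an added Android illustration that is not Bosch's code: a weak variant that caches clips on shared external storage (readable by other apps), beside a hardened variant that keeps them in the app-private cache directory, hands the receiver a temporary content URI instead of a world-readable path, and removes legacy files on first start. The directory name "clips", the preference key and the FileProvider authority are assumptions; the FileProvider must also be declared in the manifest with a cache-path entry.

```java
import android.content.Context;
import android.content.Intent;
import android.content.SharedPreferences;
import android.net.Uri;
import android.os.Environment;
import androidx.core.content.FileProvider;
import java.io.File;

public final class ClipShareStorage {
    // Weak pattern: files on shared external storage (the "SD card") are readable
    // by any other app that holds the storage permission, regardless of intent.
    static File weakClipFile(String name) {
        File dir = new File(Environment.getExternalStorageDirectory(), "clips"); // assumed name
        dir.mkdirs();
        return new File(dir, name);
    }

    // Hardened pattern: the app-private cache directory is accessible only to this
    // app's own UID, so other apps cannot read, modify or delete the cached clip.
    static File privateClipFile(Context ctx, String name) {
        File dir = new File(ctx.getCacheDir(), "clips");
        dir.mkdirs();
        return new File(dir, name);
    }

    // Sharing: expose the private file through a content URI with a read grant that
    // is scoped to the receiving app and revoked when the receiving task finishes.
    static Intent shareIntent(Context ctx, File clip, String mimeType) {
        Uri uri = FileProvider.getUriForFile(
                ctx, ctx.getPackageName() + ".fileprovider", clip); // assumed authority
        Intent send = new Intent(Intent.ACTION_SEND)
                .setType(mimeType)
                .putExtra(Intent.EXTRA_STREAM, uri)
                .addFlags(Intent.FLAG_GRANT_READ_URI_PERMISSION);
        return Intent.createChooser(send, null);
    }

    // Cleanup on first start after the update: delete clips left on external
    // storage by the old pattern, and remember that this has been done.
    static void cleanupOnFirstStart(Context ctx) {
        SharedPreferences prefs = ctx.getSharedPreferences("clip_share", Context.MODE_PRIVATE);
        if (prefs.getBoolean("legacy_clips_removed", false)) return;
        deleteTree(new File(Environment.getExternalStorageDirectory(), "clips"));
        prefs.edit().putBoolean("legacy_clips_removed", true).apply();
    }

    static void deleteTree(File f) {
        File[] children = f.listFiles();
        if (children != null) for (File c : children) deleteTree(c);
        f.delete(); // returns false if the path does not exist; that is fine here
    }
}
```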

Vulnerability classification has been performed using the CVSSv3 scoring system. The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com.

Revision History

22 Feb 2019: Initial Publication