Bosch PSIRT

Improper Certificate Validation in Bosch Smart Home System App for iOS

BOSCH-SA-347336

Advisory Information

  • Advisory ID: BOSCH-SA-347336
  • CVE Numbers and CVSS v3.1 Scores:
  • Published: 25 Aug 2020
  • Last Updated: 25 Aug 2020

Summary

A recently discovered security vulnerability affects the Bosch Smart Home System App for iOS. Both Bosch Smart Home Camera Apps as well as the Bosch Smart Home System App for Android are not affected. It potentially allows to intercept video contents by performing a man-in-the-middle attack. Since only connections to Bosch's video backend are potentially affected, this vulnerability applies only to customers that have paired a Bosch camera to their Bosch Smart Home Controller (SHC). Bosch Smart Home rates this vulnerability with a CVSS v3.1 base score of 6.8 (medium) and recommends customers to upgrade the app to updated versions.

As of 2020-07-22, updated app versions are available and offered to all customers via the Apple app store.

As of 2020-08-12, there is currently no indication that the vulnerability has been utilized.

The vulnerability was discovered during one of the regular internal security tests.

Affected Products

  • Bosch Smart Home < 9.17.1 on: iOS

Solution and Mitigations

App Update

The recommended approach is to update the app to a fixed version, that is, 9.17.1 or higher. Updated apps are available and offered to all customers via the Apple app store.

No User Interaction

Since the vulnerability only affects customers that have paired a Bosch camera to the SHC and requires user interaction, customers may simply not use the camera functionality in the app or remove the camera from the SHC.

Vulnerability Details

CVE-2020-6781

This vulnerability is classified as ‘improper certificate validation’, located in the TLS client setup for connections to the Bosch camera backend systems. It is accordingly ranked as “CWE-295: Improper Certificate Validation”. The fix ensures proper certificate validation. The vulnerability can be used to retrieve or modify information exchanged between the Bosch Smart Home System App for iOS and the Bosch camera backend systems, for instance video clips, video preview thumbnails, or video live streams. A necessary prerequisite for this attack is a position in the network path between the app and the backend that allows a man-in-the-middle scenario.

CVE description: Improper certificate validation for certain connections in the Bosch Smart Home System App for iOS prior version 9.17.1 potentially allows to intercept video contents by performing a man-in-the-middle attack.

Remark

Vulnerability classification has been performed using the CVSS v3.1 scoring system . The CVSS environmental score is specific to each customer’s environment and should be defined by the customer to attain a final scoring.

Additional Resources

Please contact the Bosch PSIRT if you have feedback, comments, or additional information about this vulnerability at: psirt@bosch.com .

Revision History

  • 25 Aug 2020: Initial Publication