what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

my devolo 1.2.8 Insecure Data Storage

my devolo 1.2.8 Insecure Data Storage
Posted Apr 22, 2016
Authored by A. Nochvay | Site sec-consult.com

my devolo version 1.2.8 suffers from an insecure data storage vulnerability.

tags | advisory
SHA-256 | 415a9667d7875e4ffab1d65d9e2cf1a4f4419c8a28f4fcc72dddbb4c9b7a0e90

my devolo 1.2.8 Insecure Data Storage

Change Mirror Download
SEC Consult Vulnerability Lab Security Advisory < 20160422-0 >
=======================================================================
title: Insecure data storage
product: my devolo - android application - air.de.devolo.my.devolo
vulnerable version: 1.2.8
fixed version:
CVE number:
impact: High
homepage: http://www.devolo.com/
found: 2015-10-30
by: A. Nochvay (Office Moscow)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
devolo AG has been developing innovative Powerline and data communications
products for private customers and professional users.devolo Home Control
expands on the idea of the easy way to connect and is emerging as a new
product world for the smart home that simply enables greater comfort and
convenience, security and energy savings.

URL: http://www.devolo.com/en/Company/devolo-AG


Business recommendation:
------------------------
Attackers might be able to recover sensitive information from stolen/lost devices.
With this information attackers can control user's smart devices, change
temperature and watching user's remote camera.

SEC Consult recommends not to store sensitive information on mobile devices.


Vulnerability overview/description:
-----------------------------------
The application "my devolo" uses the SharedPreferences android mechanism for
storing information about the user including login credentials for the site
mydevolo.com. In the event that an adversary physically attains the mobile
device, the adversary might be able to hook up the mobile device to a computer
with freely available software. These tools allow the adversary to see all third
party application directories.


Proof of concept:
-----------------
Has been removed due to the request from the vendor.


Vulnerable / tested versions:
-----------------------------
The vulnerability has been discovered in "my devolo" version 1.2.8, which
is the latest version in Google Play Store at this time.


Vendor contact timeline:
------------------------
2015-11-10: Transmission of advisory via a data-exchange platform provided by
the vendor
2016-02-23: Confirmation of the described issue via email by vendor
2016-04-22: Public advisory release


Solution:
---------
no solution available


Workaround:
-----------
no workaround available


Advisory URL:
-------------
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Aleksandr Nochvay / @2015

Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    0 Files
  • 16
    Jul 16th
    0 Files
  • 17
    Jul 17th
    0 Files
  • 18
    Jul 18th
    0 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close