1. OVERVIEW Credential leaks lead to complete compromise of home automation system 2. BACKGROUND The 2 devices are identical, and act as an IP gateway between the SCS home automation bus, and an IP network. The devices uses https for the web-front, and is also open on port 20000 with an semi open protocol that allows controlling everything at the owner's location. 3. VULNERABILITY DESCRIPTION A file https://[ip address of device]/TiWeb.xml is directly accessible without requiring credential requests of any sort, that contains plaintext login and passwords to the device these credentials are all that's needed to reprogram the entire home automation system, access video cameras in the installation, control the burglar alarm, and more. 4. VERSIONS AFFECTED Firmare 1.00.26 5. PROOF-OF-CONCEPT/EXPLOIT just head to the url on an affected device. you can find those devices by searching google for 'top_right_bticino' (and probably 'top_right_legrand') 6. SOLUTION upgrade to version 1.00.32 available http://www.myopen-legrandgroup.com/devices/gateways/m/f454_-_003598/38439.aspx 7. VENDOR Legrand Group 8. CREDIT This vulnerability was found by Raphaël Jacquot, an independant security researcher 9. DISCLOSURE TIME-LINE 2012-07-23: Vendor Notified 2012-10-02: Vendor published non-vulnerable firmare 1.00.32 2012-10-17: Vulnerability disclosed Best regards, Raphaël Jacquot