Exploit for Dreamehome 2.1.5 Broken Authorization

Name: Exploit for Dreamehome 2.1.5 Broken Authorization
Rating: 5 (38 reviews)
2024-04-22 | CVSS 7.4
## https://sploitus.com/exploit?id=PACKETSTORM:178218
SEC Consult Vulnerability Lab Security Advisory < 20240418-0 >  
=======================================================================  
title: Broken authorization  
product: Dreamehome app  
vulnerable version: <=2.1.5 (iOS)  
fixed version: none, see solution  
CVE number: -  
impact: medium  
homepage: https://www.dreametech.com  
found: 2024-01-17  
by: Alissa Kim (Office Bochum)  
SEC Consult Vulnerability Lab  
  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
https://www.sec-consult.com  
  
=======================================================================  
  
Vendor description:  
-------------------  
"We've emerged as one of the leading brands in smart home cleaning with  
our 4 major product lines: robotic vacuums and mops, cordless stick vacuums,  
wet and dry vacuums, and high-speed hair dryers. Each product is meticulously  
designed to redefine convenience in household innovation and improve our  
users' homes."  
  
Source: https://www.dreametech.com/pages/about-us  
  
  
Business recommendation:  
------------------------  
The vendor was unresponsive/uncooperative during multiple months of trying to  
establish a security contact and to send them our findings. There is no patch/  
solution available. Try to contact your local support team and request a patch  
for this issue. Stay up-to-date with firmware and app installations and be vigilant.  
  
SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.  
  
  
Vulnerability overview/description:  
-----------------------------------  
1) Broken authorization  
An owner of the robot vacuum cleaner device can share it with other users via the  
app. The privileges of the shared users are very limited. It is not possible to  
interact with photos and videos from within the mobile application, but it was  
identified that it is possible to delete and list all images/videos of the main  
account and even download the encrypted images/videos by sending the requests  
with the JWT of the shared user. The encryption was not reverse-engineered but  
it could potentially be possible for unauthorized users to gain access to sensitive  
imaging data.  
  
  
Proof of concept:  
-----------------  
1) Broken authorization  
To exploit the vulnerability it is sufficient to follow these steps:  
1. Connect a robot vacuum cleaner to the Dreamehome app (in our case the device  
"Dreame L10S ultra" was used).  
2. Take a photo and video with the Dreamehome app using the connected device.  
3. Share the robot vacuum cleaner with another user.  
4. The "shared user" can list the photos using the following curl command:  
(It is necessary to set the "did" of the device)  
  
[ POC removed]  
  
5. The "shared user" can list the videos using the following curl command:  
  
[POC removed]  
  
6. The response with the list of photos/videos contains an "id" parameter. Knowing  
this "id" parameter, a shared user can delete the photos/videos using the value  
of "id" in the "ossIds" parameter using the following command:  
  
[POC removed]  
  
7. Furthermore, the responses with the list of photos/videos contains a "filepath"  
parameter with the URL to the encrypted photo/video. Any user even without a valid JWT  
token can download the encrypted photo/video using this URL. The encryption was not  
reverse-engineered but it could potentially be possible for unauthorized users to gain  
access to sensitive imaging data.  
  
  
Vulnerable / tested versions:  
-----------------------------  
The following versions have been tested which were the latest version available  
at the time of the test:  
* Dreamehome app 2.1.0 (tested with Dreame L10S ultra device)  
* Dreamehome app 2.1.5 was tested later on 2024-04-12 and found to be vulnerable  
as well.  
  
It is assumed, that other platforms (Google Android) are affected as well.  
  
  
Vendor contact timeline:  
------------------------  
2024-01-24: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech  
2024-02-05: Contacting vendor through support.us@dreame.tech; aftersales@dreame.tech  
2024-02-06: Answer from vendor ticket system (#82462919) to contact marketing@dreame.tech  
2024-02-06: Contacting vendor through marketing@dreame.tech, no response.  
2024-02-12: Contacting vendor through marketing@dreame.tech, no response.  
2024-03-04: Contacting vendor through marketing@dreame.tech, no response.  
2024-04-11: Sending final email to support.us@dreame.tech; aftersales@dreame.tech  
and marketing@dreame.tech. Requesting security contact again. As they  
are unresponsive, setting release date to 18th April.  
2024-04-11: Same ticket auto-response (#82521551) as from 2024-02-06:  
"Thank you for your great support and interest in our products!  
This is Dreame aftersales team; we are glad to be at your service.  
For your request, please kindly contact our marketing department  
(Email: marketing@dreame.tech) for direct assistance.  
  
Feel free to contact us with product related issues or concerns you  
may have."  
2024-04-11: Sending them once again that marketing does not respond (and should not  
be responsible for security) and that we proceed to release the advisory  
on 2024-04-18.  
2024-04-12: Vendor: "Thank you for reaching Dreame. We're sorry for the inconvenience.  
According to our service policy, we have no access to confirm any  
application for cooperation. We have already contacted our sales  
team and IT support to further check your information. They will  
reply to you if they decide to proceed cooperation with you.  
Your kind understanding and patience are greatly appreciated."  
2024-04-18: Public release of security advisory.  
  
  
Solution:  
---------  
The vendor was unresponsive/uncooperative during multiple months of trying to  
establish a security contact and to send them our findings. There is no patch/  
solution available. Try to contact your local support team and request a patch  
for this issue. Stay up-to-date with firmware and app installations and be vigilant.  
  
  
Workaround:  
-----------  
None  
  
  
Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/  
  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia  
  
About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.  
  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/  
  
Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
  
EOF Alissa Kim / @2024