lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 12 Jul 2017 15:55:38 +0000
From: Ilia Shnaidman <>
To: "" <>
Subject: [FD] [CVE-2017-7726] - Missing SSL Certificate Validation in

[+] Credits: Ilia Shnaidman
[+] Source:

iSmartAlarm, inc.

iSmartAlarm cube - All versions

iSmartAlarm is one of the leading IoT manufactures in the domain of smart alarm systems.
It provides a fully integrated alarm system with siren, smart cameras and locks.
It functions like any alarm system, but with the benefits of a connected device: alerts pop up on your phone,
offering you full remote control via mobile app wherever you are.

Vulnerability Type:
Missing SSL Certificate Validation

CVE Reference:

Security Issue:
iSmartAlarm's cube communicates with iSmartAlarm's backend using SSL encryption on port tcp/8443.
But the cube does not validate server certificate.

Attack Vectors:
An attacker can get any password/personal data by setting man
in the middle sniffer attack with a fake certificate on port 8443.

Network Access:


Disclosure Timeline:
Jan  30, 2017: Initial contact to vendor
Feb  1,  2017: Vendor replied, requesting details
Feb  2,  2017: Disclosure to vendor
Apr  12, 2017: After vendor didn't replied, I've approached CERT
Apr  13, 2017: Confirmed receipt by CERT and assigning CVEs
July 05, 2017: Public disclosure

Sent through the Full Disclosure mailing list
Web Archives & RSS:

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ