10 Critical Vulnerabilities Discovered in OvrC Cloud Platform, Allowing Remote IoT Device Hijacking

By Cedric Nelson

OvrC, a cloud platform by Snap One, has been found to contain 10 critical vulnerabilities that could allow attackers to remotely execute code and gain unauthorized access to IoT devices. A report by Claroty highlights severe security flaws affecting OvrC Pro and OvrC Connect, which support a variety of smart devices including power supplies, cameras, routers, and home automation systems. The vulnerabilities range from authentication bypasses and input validation flaws to hardcoded credentials and remote code execution (RCE) issues, threatening over 500,000 deployed OvrC devices worldwide.

Key Vulnerabilities

The most significant vulnerabilities impacting OvrC devices include:

  1. CVE-2023-28649 (CVSS v4: 9.2): Allows device impersonation, enabling attackers to hijack a device.
  2. CVE-2023-31241 (CVSS v4: 9.2): Enables attackers to claim unclaimed devices by bypassing serial number checks.
  3. CVE-2023-28386 (CVSS v4: 9.2): Permits unauthorized firmware uploads, leading to remote code execution.
  4. CVE-2024-50381 (CVSS v4: 9.1): Allows impersonation of a hub, device unclaiming, and further exploitation to claim devices.

These vulnerabilities make it possible for attackers to infiltrate IoT networks, bypass firewalls, take control of devices, elevate privileges, and execute arbitrary code. Fixes were rolled out in May 2023 and November 2024.

Security Implications

As IoT deployments grow, securing the device-to-cloud interface becomes essential. Attackers can leverage these vulnerabilities to access cloud management features, monitor device usage, and launch further attacks, raising the risk for both businesses and homeowners that rely on connected devices.

Additional Threats in IoT

Related findings elsewhere in IoT, including recent Nozomi Networks research on vulnerabilities in EmbedThis GoAhead web servers and Johnson Controls' exacqVision, underline the urgent need for robust IoT security across various platforms.

 


© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067