The German manufacturer AGFEO is the latest Internet of Things (IoT) vendor to ship products with an unprotected web interface. Researchers at SEC Consult found a number of vulnerabilities in its smart-home controllers that allow unauthenticated access to certain services, cross-site scripting (XSS) attacks, and extraction of the private keys embedded in the firmware.
The firmware of the AGFEO ES 5xx and 6xx contains three certificates together with their private keys, with which an attacker can obtain administrative access. Because the keys are baked into the firmware image, they are identical on every device and can be recovered by anyone who downloads or dumps that image. Administrator privileges are not even required for a successful compromise, however: the developers built a debugging web service into the ES 5xx and forgot to remove it before the product went on sale. According to the advisory, the service is "accessible via an unusual port" and runs with root privileges. It also includes a convenient file-read script, so any file on the operating system can be retrieved.
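The first finding above is a general firmware-hygiene problem: PEM-armoured private keys sitting in plain text inside an image. The following Python script is an added example (not from SEC Consult's advisory or AGFEO's code) of the triage check a practitioner runs against a firmware image: it locates every PEM object, flags private keys that carry no PEM-level encryption, fingerprints each object by the SHA-256 of its DER bytes, and compares two images to see whether an update actually rotated the keys or merely shipped the same ones again. The SAMPLE_IMAGE is constructed here; its PEM bodies are placeholder bytes rather than real X.509/PKCS#1 structures, since the scanner only relies on the armour and a decodable base64 body.

```python
import base64
import binascii
import hashlib
import re
from dataclasses import dataclass
from typing import List, Set

# PEM armour: "-----BEGIN <LABEL>-----" ... "-----END <LABEL>-----" with the same label.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


@dataclass
class PemObject:
    label: str        # e.g. "CERTIFICATE", "RSA PRIVATE KEY"
    offset: int       # byte offset of the BEGIN marker inside the image
    encrypted: bool   # True if the PEM block itself is passphrase-protected
    fingerprint: str  # SHA-256 over the decoded DER bytes, hex


def scan_firmware(image: bytes) -> List[PemObject]:
    """Return every decodable PEM object embedded anywhere in a firmware image."""
    found = []
    for m in PEM_RE.finditer(image):
        label = m.group(1).decode()
        body = m.group(2)
        # Two ways a PEM block can be encrypted: the PKCS#8 "ENCRYPTED PRIVATE KEY"
        # label, or the legacy "Proc-Type: 4,ENCRYPTED" header line inside the block.
        encrypted = "ENCRYPTED" in label or b"Proc-Type: 4,ENCRYPTED" in body
        # Drop header lines (Proc-Type, DEK-Info) and blank lines before base64-decoding.
        b64_lines = [ln for ln in body.splitlines() if ln and b":" not in ln]
        try:
            der = base64.b64decode(b"".join(b64_lines), validate=True)
        except (binascii.Error, ValueError):
            continue  # markers with garbage between them, not a real PEM object
        found.append(PemObject(label, m.start(), encrypted,
                               hashlib.sha256(der).hexdigest()))
    return found


def unprotected_private_keys(image: bytes) -> List[PemObject]:
    """Private keys an attacker can use directly after extracting the image."""
    return [o for o in scan_firmware(image)
            if "PRIVATE KEY" in o.label and not o.encrypted]


def reused_private_keys(old_image: bytes, new_image: bytes) -> Set[str]:
    """Fingerprints of unprotected private keys present in both images.

    A non-empty result means a firmware update did not rotate the leaked keys.
    """
    old = {o.fingerprint for o in unprotected_private_keys(old_image)}
    new = {o.fingerprint for o in unprotected_private_keys(new_image)}
    return old & new


def _pem(label: bytes, der: bytes, headers: bytes = b"") -> bytes:
    return (b"-----BEGIN " + label + b"-----\n" + headers
            + base64.encodebytes(der) + b"-----END " + label + b"-----\n")


# Constructed stand-in for a firmware image (assumption: filler bytes around
# one certificate, one plaintext private key and one passphrase-protected key).
SAMPLE_IMAGE = (
    b"\x00" * 64 + b"filesystem filler bytes"
    + _pem(b"CERTIFICATE", b"constructed certificate 1 (placeholder DER)")
    + _pem(b"RSA PRIVATE KEY", b"constructed private key 1 (placeholder DER)")
    + _pem(b"RSA PRIVATE KEY", b"constructed private key 2 (placeholder DER)",
           headers=b"Proc-Type: 4,ENCRYPTED\n"
                   b"DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n")
    + b"\xff" * 32
)


if __name__ == "__main__":
    for obj in scan_firmware(SAMPLE_IMAGE):
        flag = "ENCRYPTED" if obj.encrypted else "PLAINTEXT"
        print(f"0x{obj.offset:08x} {obj.label:<24} {flag:<9} {obj.fingerprint[:16]}...")
    print("unprotected private keys:", len(unprotected_private_keys(SAMPLE_IMAGE)))
    print("keys reused across identical images:",
          len(reused_private_keys(SAMPLE_IMAGE, SAMPLE_IMAGE)))
```

Point the scanner at an unpacked firmware image (a plain read of the whole file works; PEM armour survives inside most squashfs/cpio/JFFS2 containers once they are extracted) and treat any plaintext `PRIVATE KEY` hit as a finding. Run `reused_private_keys` against the pre- and post-update images to confirm the fix removed or rotated the keys rather than leaving the same material in place, which a later check of the vendor's update should include.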
The configuration ports (TCP 19002, 19004, 19006, 19009, 19010, 19080 and 19081) are also left open and allow an attacker to read device information and change its configuration. Since user names and passwords are stored in an SQLite database, and the file-read script can retrieve that database like any other file, an attacker can steal the credentials of every user.
The manufacturer was notified of the vulnerabilities in January of this year, but updates were only released on June 30.