Owning the Smart Home with Logitech Harmony Hub [source: medium]
Logitech’s Harmony hub is a popular smart home device which enables communication with and control of all network connected devices in your house. It has an install base of millions of users across the globe and supports 270,000 devices from 6,000 brands. Tenable recently released critical, undisclosed vulnerabilities that allow an attacker remote root access without user interaction.
The hub is a favorite among enthusiasts for its scripting and automation capability. As smart home functionality becomes more mainstream, controllers are becoming increasingly necessary to centralize functionality for the user. Amazon (Alexa), Google (Home), Apple (Homekit), and Logitech (Harmony) all have products that offer centralized control of the various home devices from security systems to entertainment devices. Logitech’s Harmony is a popular choice, with a user base of at least seven figures. The nature of the smart home hub creates huge opportunity for an attacker. If they can control the hub, they get access to every device connected to the hub. Smart locks, the Apple TV, your Nest thermostat, even your smart refrigerator can be controlled by a remote attacker.
Exploring the device
The hub has several services open over 3 ports implementing XMPP, WebSocket, and a custom web API service. The services are all implemented in Lua, which will be discussed later on.
You can acquire the hub’s firmware during a device update and open it up fairly quickly. It contains a Linux kernel and squash filesystem with the application code on it. The application code is a large set of compiled Lua files which implement the hub’s services and functionality. You can decompile it using a patched version of the luadec github project to produce very human-readable source code.
For more, click here.