YoSmart YoLink API Authorization Bypass Vulnerability in Smart Hub
Vulnerability
An authorization bypass vulnerability has been identified in the YoSmart YoLink Smart Hub API, allowing attackers to remotely control devices connected to the hub. This issue arises from the API endpoint construction, which uses the device's MAC address and an MD5 hash of non-secret information. The vulnerability affects YoLink Smart Hub version 0382, with implications for all connected YoLink devices, including locks, sensors, and plugs.
Impact
Exploitation of this vulnerability allows for unauthorized control of YoLink devices connected to the affected hub, potentially leading to physical access to homes by manipulating smart locks or garage doors.
Reproduction
The vulnerability can be reproduced by obtaining valid MQTT credentials for a YoLink Smart Hub user account. Once authenticated, commands can be sent to control devices associated with that account. The authorization bypass can be tested by using MQTT credentials from one account to control devices linked to a different account, successfully issuing commands to unlock smart locks or open garage doors.
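The server-side check whose absence permits the cross-account control described above, as an added example (not code from YoSmart or from this advisory): a broker-side publish rule that authorizes by device ownership rather than by knowledge of a device identifier, plus a log audit that flags cross-account attempts. The topic layout, account names and device IDs are constructed assumptions.

```python
# Added example: authorize MQTT publishes by device ownership.
# Topic layout "devices/<id>/<channel>" and all IDs below are constructed
# for illustration; they are not YoLink's real scheme.

# Constructed ownership table: device_id -> owning account
DEVICE_OWNER = {
    "d88b4c0100a1": "alice",
    "d88b4c0100b2": "bob",
}


def parse_device_topic(topic):
    """Return (device_id, channel) for a concrete device topic, else None."""
    parts = topic.split("/")
    if len(parts) != 3 or parts[0] != "devices":
        return None
    device_id, channel = parts[1].lower(), parts[2]
    # Publish topics must be concrete: no empty levels, no MQTT wildcards
    if not device_id or any(c in device_id + channel for c in "+#"):
        return None
    if channel not in ("request", "report"):
        return None
    return device_id, channel


def may_publish(account, topic):
    """Allow a command only if the authenticated account owns the device."""
    parsed = parse_device_topic(topic)
    if parsed is None:
        return False
    device_id, channel = parsed
    # Knowing a device ID (MAC-derived or hashed) is not authorization;
    # the decision comes from the account established at CONNECT.
    return channel == "request" and DEVICE_OWNER.get(device_id) == account


def cross_account_attempts(events):
    """From (account, topic) publish events, return those aimed at a
    device owned by a different account."""
    hits = []
    for account, topic in events:
        parsed = parse_device_topic(topic)
        if parsed is None:
            continue
        owner = DEVICE_OWNER.get(parsed[0])
        if owner is not None and owner != account:
            hits.append((account, topic))
    return hits
```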
Remediation
Users are advised to treat the YoLink Smart Hub as untrusted, disconnect it from critical networks, and avoid using it for access control. Consider switching to vendors that provide regular security updates and independent security testing.
