Aqara Hub M2
- 4.3.6_0027
A vulnerability exists in Aqara Hub devices, including the Camera Hub G3, Hub M2, and Hub M3, all of which fail to properly validate server certificates during HTTPS firmware downloads. This oversight allows man-in-the-middle attackers to intercept firmware update traffic and potentially deliver modified firmware. The issue arises because the firmware download process establishes a TLS connection without enabling certificate verification, so the devices accept any certificate, regardless of its validity or whether it matches the expected hostname.
Exploitation of this vulnerability could lead to unauthorized interception and modification of firmware updates, allowing attackers to introduce malicious changes that could be executed by the device.
The vulnerability can be reproduced by initiating a firmware update over HTTPS on an affected Aqara Hub device. The hub will download the firmware without verifying the server's certificate, creating an opportunity for a man-in-the-middle attack.
Users can update to Aqara Hub M2 and M3 firmware version 4.3.8, released on August 28, 2025, or to the Camera Hub G3 fixed version released on October 20, 2025.
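The flawed pattern described above and its hardened counterpart, shown side by side as an added example. This is constructed illustration code, not Aqara firmware or any code from the advisory: the TLS client contexts, the `audit_context` check, and the optional digest comparison (a defense-in-depth assumption the advisory does not describe) are all assumptions. The sample image bytes are constructed so the digest check runs offline.

```python
"""Firmware-download TLS configurations: the unverified pattern beside a hardened one.

Constructed example, not Aqara's code. Uses only the Python standard library.
"""
import hashlib
import ssl
import urllib.request
from typing import List, Optional


def insecure_download_context() -> ssl.SSLContext:
    """Reproduce the flawed pattern: a TLS client that verifies nothing.

    Any certificate (expired, self-signed, or issued for a different host)
    is accepted, so an on-path attacker can terminate the connection and
    serve arbitrary firmware.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_download_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Hardened form: chain validation against a trust store plus hostname matching.

    cafile is an assumption: a device would normally pin its vendor CA here
    rather than rely on a general-purpose trust store.
    """
    ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the verification weaknesses present in a client TLS context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not required/validated")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy TLS versions allowed")
    return findings


def context_is_safe(ctx: ssl.SSLContext) -> bool:
    """True only when the context enforces chain and hostname validation."""
    return not audit_context(ctx)


def verify_image_digest(image: bytes, expected_sha256: str) -> bool:
    """Defense-in-depth (assumption): compare the download against a digest
    obtained out of band, e.g. from a signed update manifest."""
    return hashlib.sha256(image).hexdigest() == expected_sha256.lower()


def download_firmware(url: str, ctx: ssl.SSLContext,
                      expected_sha256: Optional[str] = None,
                      timeout: float = 30.0) -> bytes:
    """Fetch a firmware image, refusing to proceed over an unverified TLS session."""
    findings = audit_context(ctx)
    if findings:
        raise ValueError("refusing firmware download over unverified TLS: "
                         + "; ".join(findings))
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        image = resp.read()
    if expected_sha256 is not None and not verify_image_digest(image, expected_sha256):
        raise ValueError("firmware image digest mismatch; discarding download")
    return image


# Constructed sample image so the digest check can be exercised offline.
SAMPLE_IMAGE = b"constructed-firmware-image-bytes-v4.3.8"
SAMPLE_IMAGE_SHA256 = hashlib.sha256(SAMPLE_IMAGE).hexdigest()


if __name__ == "__main__":
    print("insecure context findings:", audit_context(insecure_download_context()))
    print("hardened context findings:", audit_context(hardened_download_context()))
    print("sample digest ok:", verify_image_digest(SAMPLE_IMAGE, SAMPLE_IMAGE_SHA256))
```

The `audit_context` check is the kind of guard a firmware updater can run on its own TLS configuration before opening a connection; the insecure context fails it for both the missing chain validation and the missing hostname match, which are exactly the two checks the advisory says the affected hubs skip.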