Aqara Hub Certificate Validation Vulnerability in TLS Connections Allows Man-in-the-Middle Attacks

Vulnerability

A vulnerability exists in Aqara Hub devices, including the Hub M2, Hub M3, and Camera Hub G3, all of which fail to properly validate server certificates in TLS connections for discovery services and CoAP gateway communications. This oversight enables man-in-the-middle attacks, allowing interception and manipulation of device control and monitoring. The root cause lies in the absence of a configured CA certificate for server validation, leading to successful TLS connections without proper verification. Exploitation can be achieved by redirecting device traffic through a proxy server that simulates a CoAP over TLS server with a self-signed or invalid certificate, intercepting and injecting CoAP messages such as commands to unlock doors or refresh device states.
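The root cause above, no CA configured for server validation, expressed as an added example in Python's ssl module (not code from the advisory or from Aqara firmware): the weak client context that accepts any server certificate, the hardened context a gateway client should use, and an audit helper that flags the weak settings. The CA file path and the gateway hostname are assumptions; 5684 is the standard CoAP-over-TLS port.

```python
import socket
import ssl
from typing import List, Optional

COAPS_PORT = 5684  # default port for CoAP over TLS (RFC 8323)


def weak_client_context() -> ssl.SSLContext:
    """Mirrors the advisory's flaw: no CA is loaded and verification is off,
    so a self-signed or otherwise invalid gateway certificate is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a server certificate that chains to a known CA and matches the
    gateway hostname. Pass the vendor's CA bundle via cafile (assumed path);
    otherwise fall back to the platform trust store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    else:
        ctx.load_default_certs()
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the misconfigurations that would let a MitM proxy with a
    self-signed certificate complete the handshake. Empty list means OK."""
    issues = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("verify_mode is not CERT_REQUIRED: any server certificate is accepted")
    if not ctx.check_hostname:
        issues.append("check_hostname disabled: certificate is not bound to the gateway name")
    if not ctx.get_ca_certs():
        issues.append("no CA certificates loaded: nothing to chain the server certificate to")
    return issues


def open_coaps_connection(host: str, ctx: ssl.SSLContext, port: int = COAPS_PORT) -> ssl.SSLSocket:
    """Open the TLS transport for a CoAP session; with the hardened context the
    handshake fails on an untrusted certificate instead of silently succeeding."""
    sock = socket.create_connection((host, port), timeout=5)
    return ctx.wrap_socket(sock, server_hostname=host)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()), ("hardened", hardened_client_context())):
        print(name, audit_context(ctx) or "no issues")
```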

Impact

Exploitation of this vulnerability allows for man-in-the-middle attacks on CoAP communications, enabling interception, decryption, and injection of messages. This could result in unauthorized control of smart home devices, such as unlocking doors, and continuous monitoring of user activity and device states.

Reproduction

To reproduce this vulnerability, first acquire the CoAP AES keys (this step is out of scope). Then, set up a TCP proxy to simulate a CoAP over TLS server, configuring the proxy with a self-signed or invalid certificate. Redirect the device's traffic to the proxy server and observe that the TLS connection is established successfully without certificate validation. Once the connection is active, intercept and inject CoAP messages, such as commands to unlock doors or refresh device states, using the intercepted authentication tokens and session data.

Remediation

Users can update to Aqara Hub M2 and M3 firmware version 4.3.8, which is available via over-the-air (OTA) updates. For the Aqara Camera Hub G3, a compatible firmware version has been deployed OTA.

Added: Dec 10, 2025, 10:27 PM
Updated: Dec 10, 2025, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.6
remediation: 7.7
relevance: 1.4
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.