Dreame Technology Mobile Applications Improper Certificate Validation Vulnerability

Vulnerability

A vulnerability has been identified in the Dreamehome and MOVAhome mobile applications for iOS and Android. It arises from improper validation of TLS certificates: the applications accept self-signed certificates when establishing secure communications. This flaw could allow a man-in-the-middle attacker on an untrusted network to intercept sensitive information such as user credentials and session tokens. The affected versions are Dreamehome iOS through 2.3.4, Dreamehome Android through 2.1.8.8, and MOVAhome iOS through 1.2.3.
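For teams auditing their own Android clients for this class of flaw, the following added example (not part of the advisory and not Dreame's code) scans Java source for constructs that commonly cause an app to accept self-signed certificates. The advisory does not state which construct the affected apps use; the patterns, the sample sources and the name `platformDefault` are assumptions made for illustration.

```python
import re

# Generic code-review indicators (assumption: the advisory does not say which
# construct, if any of these, the affected apps use).
CHECKS = [
    ("trust-all X509TrustManager (empty checkServerTrusted)",
     re.compile(r"void\s+checkServerTrusted\s*\([^)]*\)\s*"
                r"(?:throws\s+[\w.,\s]+)?\{\s*\}")),
    ("HostnameVerifier that always returns true",
     re.compile(r"boolean\s+verify\s*\([^)]*\)\s*\{\s*return\s+true\s*;\s*\}")),
    ("WebView onReceivedSslError proceeds past the error",
     re.compile(r"onReceivedSslError\s*\([^)]*\)\s*\{[^}]*\.proceed\s*\(")),
]

def strip_comments(src):
    # Blank comments but keep newlines; naive about "//" inside string literals.
    blank = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    src = re.sub(r"/\*.*?\*/", blank, src, flags=re.S)
    return re.sub(r"//[^\n]*", blank, src)

def scan(source):
    """Return sorted (line_number, finding) pairs for one Java source string."""
    clean = strip_comments(source)
    return sorted((clean.count("\n", 0, m.start()) + 1, label)
                  for label, pattern in CHECKS
                  for m in pattern.finditer(clean))

# Constructed sample inputs (not taken from the affected apps).
WEAK = """\
class TrustAll implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        // accept everything, including self-signed certificates
    }
}
HostnameVerifier lax = new HostnameVerifier() {
    public boolean verify(String host, SSLSession s) { return true; }
};
"""
HARDENED = """\
class Delegating implements X509TrustManager {
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        platformDefault.checkServerTrusted(chain, authType); // full chain check
    }
}
"""

if __name__ == "__main__":
    print(scan(WEAK), scan(HARDENED), sep="\n")
```

A clean scan does not prove validation is correct; it only rules out these specific patterns, so pair it with a runtime test that the app refuses a self-signed certificate.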

Impact

Exploitation of this vulnerability could lead to unauthorized disclosure of information, with intercepted communications possibly including user credentials and sensitive session tokens.

Remediation

Dreame Technology has not responded to CISA's request for coordination. Users are advised to contact Dreame Technology directly for more information. CISA recommends minimizing network exposure for all control system devices and systems, ensuring they are not accessible from the Internet. When remote access is required, use more secure methods such as Virtual Private Networks (VPNs).

Added: Aug 8, 2025, 5:18 PM
Updated: Aug 8, 2025, 5:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 4.2
remediation: 0.0
relevance: 0.3
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.