Claroty finds vulnerabilities in OvrC platform affecting IoT devices

The Claroty research team has identified 10 significant vulnerabilities within the OvrC cloud platform, affecting an estimated 10 million internet-connected devices globally.

These security flaws have the potential to allow malicious actors to execute code on impacted devices remotely over the cloud. The affected devices include smart cameras, routers, and power supplies. According to Team82's analysis, OvrC Pro and OvrC Connect, components of the platform used for device management and troubleshooting, are particularly susceptible.

Uri Katz from Claroty commented, "Team82 has researched the security of the OvrC cloud platform, which is used by businesses and consumers to remotely manage IoT devices. We uncovered 10 different vulnerabilities that, when chained, allow attackers to execute code on OvrC cloud-connected devices, remotely over the cloud. OvrC Pro and OvrC Connect are affected; updates were released in May 2023 for eight vulnerabilities, and the two remaining issues were addressed in an update announced today."

The vulnerabilities fall into several categories including weak access controls, authentication bypasses, failed input validation, hardcoded credentials, and remote code execution flaws. These security lapses make it possible for attackers to bypass firewall security and network address translation (NAT), potentially hijacking devices, elevating privileges, and executing arbitrary code once inside.

Katz adds, "There are certain commonalities when the cybersecurity of internet-of-things (IoT) devices is researched and discussed. Manufacturers have long treated the security of these connected things as an afterthought, failing to prioritize the use of strong authentication and access controls, or relying on weak or outdated protocols for device communication to the cloud, and avoiding costly encryption implementations for data security."

He further explained, "Some manufacturers may pressure developers to get features and functions out the door quickly, and opt to address vulnerabilities, code defects, and other bugs as they're disclosed. IoT devices have shorter lifecycles than their IT, or certainly OT, counterparts, further supporting this dynamic of features first and security later."

OvrC is a cloud-based remote management and monitoring platform, which was acquired by SnapOne, a company based in North Carolina, in 2014. The platform enables users to configure, monitor, and troubleshoot a range of devices via a mobile application or a websocket-based interface.

The vulnerabilities were reported to be part of OvrC's logistics, specifically in the remote management of devices through OvrC Pro and the mobile app OvrC Connect. "An attacker remotely exploiting these vulnerabilities would not only be able to bypass perimeter security such as firewalls and network address translation (NAT) in order to gain access to the cloud-based management interface, but would also be able to enumerate and profile devices, hijack devices, elevate privileges, and run arbitrary code," stated Katz.

The findings underscore ongoing security risks within the IoT sector, highlighting the need for robust device-to-cloud security protocols. Katz noted, "While there may be some validity to all of these reasons, the fact remains that as more so-called smart devices are connected to the internet and managed via a cloud-based interface, attackers are going to seek out and exploit weaknesses that put critical services, user data, and businesses at risk."