- Vulnerability-Lab researchers found two vulnerabilities - Undocumented Telnet Service (telnetd) and AirMusic Unauthenticated Command Execution (httpd) - affecting the internet radio devices.
- The first vulnerability found in internet radio devices permits attackers to remotely hijack systems.
- The second vulnerability was found in the AirMusic client of the internet radio device. In this, attackers could transmit and receive commands without client authentication.
A few weeks ago, researchers from Vulnerability-Lab came across an anomaly on a private broadcast of internet radio. Further investigation into the matter led them to an undocumented telnetd server on the standard port 23 of the internet radio during a port scan. It was found that the network had enabled port forwarding for all ports, allowing adversaries to gain unauthorized access to the radio and to the OS subsequently.
The issue (CVE-2019-13473) was found in the internet radios of Imperial Dabman which are distributed in Germany by Telestar Digital GmbH. The products are sold across Europe via eBay, Amazon resellers. The devices utilize Bluetooth and Internet connectivity, and are based on BusyBox Debian Linux.
The second vulnerability (CVE-2019-13474) detected in the AirMusic client onboard the device permitting unauthenticated command-execution. “Using the mobile application on Apple iOS in combination with the port scan result shows us by intuition that the AirMusic client may be connecting on port 80 through 8080 httpd to send and receive commands,” said the researchers.
The researchers also released a proof-of-concept video showing how the devices could be exploited.
What is the scope of the attack?
It is estimated that over 1 million models of the Imperial Dabman internet radio series could be vulnerable. By exploiting this vulnerability, attackers can perform malicious activities such as:
- Blackmailing, shocking and simple web-server defacements;
- Changing the device name, altering the radio stream, or deliver their live message or transmit audio files as commands;
- Modifying the system to spread ransomware or other malformed malicious viruses/rootkits/destructive scripts;
- Converting the web server into an IoT botnet and more.
How was it resolved?
Addressing the concern, Telstar said that it will not be using Telnet going forward. For existing deployments, it released manual binary patches that can be downloaded from the Telestar Digital Gmbh website. Also, an automated over-the-air update will be made available via the webradio firmware update function in the local settings menu. The process for installing the update is as follows:
- Set the device to the factory setting
- Select language
- Switch off the device
- Switch on the device
- Network setup
- Wait for the "New Software" message
- Press OK to start the update
- Updated Version: TN81HH96-g102h-g103**a*-fb21a-3624