Almeroth

**Name of the Vulnerable Software and Affected Versions** myStrom WiFi Switch V1 versions prior to 2.66 myStrom WiFi Switch V2 versions prior to 3.80 myStrom WiFi Switch EU versions prior to 3.80 myStrom WiFi Bulb versions prior to 2.58 myStrom WiFi LED Strip versions prior to 3.80 myStrom WiFi Button versions prior to 2.73 myStrom WiFi Button Plus versions prior to 2.73 **Description** An issue was discovered where the SSL/TLS server certificate in device to cloud communication was not verified by the device. This allowed an attacker in control of the network traffic to potentially take control of a device through a Man-in-the-Middle attack by intercepting and modifying commands from the server to the device. The attacker could also inject firmware update commands, causing the device to install maliciously modified firmware. **Recommendations** For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later. For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later. For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later. For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.

**Name of the Vulnerable Software and Affected Versions** myStrom WiFi Switch V1 versions prior to 2.66 **Description** The issue concerns a lack of sanitization for a parameter received from the cloud, which is then used in an OS command. This allows malicious servers to execute operating system commands on the device. **Recommendations** For versions prior to 2.66, update to version 2.66 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** myStrom WiFi Switch V1 versions prior to 2.66 myStrom WiFi Switch V2 versions prior to 3.80 myStrom WiFi Switch EU versions prior to 3.80 myStrom WiFi Bulb versions prior to 2.58 myStrom WiFi LED Strip versions prior to 3.80 myStrom WiFi Button versions prior to 2.73 myStrom WiFi Button Plus versions prior to 2.73 **Description** An issue was discovered where the registration process of devices with a cloud account was based on an activation code derived from the device MAC address. This allowed an attacker to register previously unregistered devices to their account by guessing valid MAC addresses or using MAC addresses printed on devices in shops and reverse engineering the protocol. As a result, when the rightful owner connected the devices to their WiFi network, the devices would not register with their account and would not be controllable from the owner's mobile app. **Recommendations** For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later. For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later. For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later. For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.

**Name of the Vulnerable Software and Affected Versions** myStrom WiFi Switch V1 versions prior to 2.66 myStrom WiFi Switch V2 versions prior to 3.80 myStrom WiFi Switch EU versions prior to 3.80 myStrom WiFi Bulb versions prior to 2.58 myStrom WiFi LED Strip versions prior to 3.80 myStrom WiFi Button versions prior to 2.73 myStrom WiFi Button Plus versions prior to 2.73 **Description** An issue was discovered in the cloud API, where a hidden parameter allowed an authenticated user to reconfigure the server URL for a device registered to their account. This, in combination with an insecure device registration, enabled an attacker to reconfigure a maliciously registered device to their own rogue replica of the API and issue commands, including firmware updates. **Recommendations** For myStrom WiFi Switch V1 versions prior to 2.66, update to version 2.66 or later. For myStrom WiFi Switch V2 versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Switch EU versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Bulb versions prior to 2.58, update to version 2.58 or later. For myStrom WiFi LED Strip versions prior to 3.80, update to version 3.80 or later. For myStrom WiFi Button versions prior to 2.73, update to version 2.73 or later. For myStrom WiFi Button Plus versions prior to 2.73, update to version 2.73 or later.