PT-2018-16227 · Insteon · Insteon Hub

Published

2018-08-23

·

Updated

2023-02-03

·

CVE-2018-3833

CVSS v3.1

8.6

High

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions: Insteon Hub version 1013
Description: An exploitable firmware-downgrade issue exists in the firmware upgrade functionality of the Insteon Hub, which is triggered via PubNub. The device retrieves signed firmware binaries over plain HTTP and does not compare the version of the image to be installed against the version already running, so older, previously signed firmware images are accepted. Because the image must still carry a valid vendor signature, an attacker cannot install arbitrary code, but does not need any signing key either: any firmware image the vendor has ever signed will do. To exploit this, the attacker must impersonate the remote server 'cache.insteon.com' (that is, be able to answer the hub's unauthenticated HTTP requests for that host) and serve a signed firmware image of an older version, rolling the device back to firmware with known weaknesses.
Recommendations: For version 1013, consider disabling the firmware upgrade functionality via PubNub until a patch is available, which removes the trigger for the downgrade. Restrict network access to the device, and to its path to 'cache.insteon.com', to minimize the risk of an attacker impersonating that server. Note that the transport is chosen by the device, not by the operator: the lasting fix is on the vendor side, namely fetching firmware over an authenticated channel (TLS with server certificate validation rather than plain HTTP) and enforcing anti-rollback by rejecting any image whose version is not newer than the installed one. Until the issue is resolved, treat any firmware update delivered over plain HTTP as untrusted.
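The following is an added illustration of the check described above, written for this page; it is not the Insteon Hub's code and nothing here is taken from the device's firmware. It models a firmware image with a signed header, then contrasts an acceptance routine that verifies the signature only (the behaviour the advisory describes, where any previously signed image is installable) with one that also enforces anti-rollback. The image layout, the magic value, and the HMAC-SHA256 stand-in for the vendor signature are all assumptions made for the example; a real device would hold a public key and verify an asymmetric signature over the same bytes.

```python
import hashlib
import hmac
import struct

# Hypothetical stand-in for the vendor's signing key. HMAC-SHA256 is used only so the
# example runs offline; the rollback logic is identical with an asymmetric signature.
SIGNING_KEY = b"example-hub-signing-key"

# Assumed image layout: header (magic, version, payload length, reserved) + payload + 32-byte tag.
HEADER = struct.Struct(">4sIII")
MAGIC = b"IHUB"          # hypothetical magic value
TAG_LEN = 32


def sign(body: bytes) -> bytes:
    """Produce the tag over header+payload. The version field is inside the signed region,
    so an attacker cannot simply rewrite it to look newer."""
    return hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()


def build_image(version: int, payload: bytes) -> bytes:
    """Model of the vendor publishing a signed firmware image for a given version."""
    body = HEADER.pack(MAGIC, version, len(payload), 0) + payload
    return body + sign(body)


def parse_image(image: bytes):
    """Return (version, body, tag) or None if the image is structurally invalid."""
    if len(image) < HEADER.size + TAG_LEN:
        return None
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    magic, version, payload_len, _reserved = HEADER.unpack_from(body)
    if magic != MAGIC or len(body) != HEADER.size + payload_len:
        return None
    return version, body, tag


def signature_valid(body: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(sign(body), tag)


def vulnerable_accept(image: bytes, installed_version: int) -> bool:
    """Signature check only, as described in the advisory: the installed version is ignored,
    so an older signed image served by whoever answers for the update host is accepted."""
    parsed = parse_image(image)
    if parsed is None:
        return False
    _version, body, tag = parsed
    return signature_valid(body, tag)


def hardened_accept(image: bytes, installed_version: int) -> bool:
    """Signature check plus anti-rollback: the image version must be strictly newer than
    the version currently installed. The signature is checked first so that the version
    field being compared is one the vendor actually signed."""
    parsed = parse_image(image)
    if parsed is None:
        return False
    version, body, tag = parsed
    if not signature_valid(body, tag):
        return False
    return version > installed_version


if __name__ == "__main__":
    # Constructed scenario: hub runs 1013, attacker replays an older signed image.
    installed = 1013
    old_signed = build_image(1000, b"old firmware with known weaknesses")
    new_signed = build_image(1014, b"patched firmware")
    print("vulnerable accepts old image:", vulnerable_accept(old_signed, installed))
    print("hardened accepts old image:  ", hardened_accept(old_signed, installed))
    print("hardened accepts new image:  ", hardened_accept(new_signed, installed))
```

The installed version used for the comparison must itself live in storage the update path cannot rewrite (a monotonic counter or the header of the running image), otherwise the attacker can reset the baseline before serving the old image. Transport is a separate control: even with anti-rollback in place, fetching over plain HTTP still lets an impersonator choose which signed image the device sees, so the hardened path should additionally require an authenticated channel to the update server.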

Exploit

Fix

Related Identifiers

CVE-2018-3833

Affected Products

Insteon Hub