PT-2018-16228 · Insteon · Insteon Hub

Published: 2018-08-02 · Updated: 2023-02-03 · CVE-2018-3834

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Insteon Hub version 1013

Description: An exploitable permanent denial of service issue exists because the firmware upgrade functionality retrieves signed firmware binaries using plain HTTP requests. The device does not check the type of firmware image to be installed, allowing any signed firmware to be flashed into any MCU. Since the device contains different and incompatible MCUs, flashing one firmware to the wrong MCU results in a permanent brick condition. To trigger this issue, an attacker needs to impersonate the remote server "cache.insteon.com" and serve a signed firmware image.

Recommendations: For Insteon Hub version 1013, consider disabling the firmware upgrade functionality via PubNub until a secure update is available to prevent exploitation. Restrict access to the device to minimize the risk of an attacker impersonating the remote server "cache.insteon.com". At the moment, there is no information about a newer version that contains a fix for this issue.
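The two missing checks the description identifies (transport security for the download, and a target-MCU check before flashing) modelled as an acceptance routine, written here as an added example and not Insteon's code. The MCU names, the image header field `target_mcu` and the HMAC signing key are constructed stand-ins for the vendor's real image format and signing scheme; TLS certificate validation is assumed to be done by the transport layer and is not modelled.

```python
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed: the hub has two incompatible MCUs (names assumed for the example).
KNOWN_MCUS = {"app", "radio"}
# Constructed signing key; stands in for the vendor's real firmware signing scheme.
SIGNING_KEY = b"constructed-demo-key"


@dataclass
class FirmwareImage:
    target_mcu: str    # assumed header field naming the MCU the image is built for
    payload: bytes
    signature: bytes   # HMAC over target_mcu + payload (stand-in for a real signature)


def sign(target_mcu: str, payload: bytes) -> bytes:
    return hmac.new(SIGNING_KEY, target_mcu.encode() + payload, hashlib.sha256).digest()


def is_signed(img: FirmwareImage) -> bool:
    return hmac.compare_digest(sign(img.target_mcu, img.payload), img.signature)


def vulnerable_accept(url: str, img: FirmwareImage, mcu: str) -> bool:
    # Mirrors the advisory: any URL scheme is accepted and only the signature
    # is verified, so a validly signed image for a different MCU still passes.
    return is_signed(img)


def hardened_accept(url: str, img: FirmwareImage, mcu: str) -> bool:
    # 1. Refuse to fetch update metadata or images over plain HTTP.
    if urlparse(url).scheme != "https":
        return False
    # 2. Refuse to flash an image whose declared target is not the MCU being updated.
    if mcu not in KNOWN_MCUS or img.target_mcu != mcu:
        return False
    # 3. Only then rely on the signature; it binds the target field to the payload.
    return is_signed(img)
```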

Weakness Enumeration: Origin Validation Error

Related Identifiers: CVE-2018-3834

Affected Products: Insteon Hub