A Brackish Security researcher recently uncovered a vulnerability affecting the myQ iOS application that allows an attacker to take over arbitrary user accounts. This issue was discovered in iOS application version 126.96.36.199277. No other versions were tested, but it is possible that multiple versions and platforms use the same APIs with the vulnerable functionality. This issue affects millions of accounts and gives attackers access to garage door openers, cameras, locks, and other devices that are controlled via the myQ application. The myQ iOS application has 1.2M ratings on the Apple App Store and is currently #13 in the free application charts.
The attacker needs prior knowledge of a victim’s email account, or as Brackish discovered, an attacker could make repeated requests to the following endpoint to determine if an account is present.
If the account does not exist, a lengthy Location response header containing the following will be returned.
This is the base64-encoded version of firstname.lastname@example.org, an account that does not exist. If the account exists, this parameter will not be present in the Location response header.
Once a victim's email is discovered, the account takeover is simple. At the heart of it is the lack of rate limiting on the following endpoint.
Where the body of this request contains (amongst other parameters) the reset code that is emailed to the victim.
The reset code is only four digits in length, and there is no rate limiting on this endpoint. An attacker is free to brute force this code and reset the victim’s password. This issue was reported to Chamberlain on 1/10/23.
As of 1/20/23, a fix has been implemented via rate limiting on the server or in middleware. The application itself has not been updated. The fact that the fix was implemented in this fashion lends more credence to the speculation that every myQ account was affected by this vulnerability.
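As an added illustration, not code from Brackish or from the myQ service, the following reset-code verifier addresses both weaknesses described above on the server side: the reset request returns an identical message whether or not the address is registered (so it cannot be used for enumeration), and each issued code is high-entropy, single-use, time-limited, and invalidated after a small number of wrong guesses rather than relying on a four-digit code with unlimited attempts. The `ResetStore` class, its in-memory dictionaries, and the `deliver` and `clock` callbacks are assumptions for this example.

```python
import hashlib
import hmac
import secrets
import time

MAX_ATTEMPTS = 5    # wrong guesses allowed before the code is burned
CODE_TTL = 600      # seconds a code stays valid
CODE_CHARS = 8      # 8 chars from a 32-symbol alphabet: 32**8 keyspace vs 10**4 for 4 digits
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"   # no ambiguous 0/O, 1/I
NEUTRAL_REPLY = "If that address is registered, a reset code has been sent."


class ResetStore:
    """In-memory reset-code store (assumed; a real service would use a DB or cache).
    deliver(email, code) stands in for sending the email; clock() returns epoch seconds."""

    def __init__(self, deliver, clock=time.time):
        self.users = set()          # registered email addresses
        self.codes = {}             # email -> (sha256(code), expires_at, attempts_left)
        self.deliver = deliver
        self.clock = clock

    def request_reset(self, email):
        # Same reply for known and unknown addresses: the response leaks nothing.
        if email in self.users:
            code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_CHARS))
            digest = hashlib.sha256(code.encode()).digest()
            self.codes[email] = (digest, self.clock() + CODE_TTL, MAX_ATTEMPTS)
            self.deliver(email, code)
        return NEUTRAL_REPLY

    def verify(self, email, code):
        entry = self.codes.get(email)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at:
            self.codes.pop(email, None)         # expired codes are discarded
            return False
        # Compare hashes in constant time so timing does not leak matching prefixes.
        if hmac.compare_digest(hashlib.sha256(code.encode()).digest(), digest):
            self.codes.pop(email, None)         # single use: a code never verifies twice
            return True
        attempts_left -= 1
        if attempts_left <= 0:
            self.codes.pop(email, None)         # burned: the victim must request a new code
        else:
            self.codes[email] = (digest, expires_at, attempts_left)
        return False
```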
Security of IoT devices is essential. As evidenced by the simplicity of this exploit, these applications and devices sometimes sit without eyes on them for long periods of time.
Brackish Security recommends penetration testing and source code review of all software and IoT devices. Additionally, it is recommended that every company establish a Vulnerability Disclosure Program (VDP) or Bug Bounty Program (BBP). If you need a penetration test, or some assistance in establishing a VDP or BBP, please reach out to Brackish and Help Make the Bad Guys Salty!