R7-2019-40: Bloomsky SKY2 Weather Camera Station Data Authenticity and Exposure Vulnerabilities
A number of information leak vulnerabilities are present in the Bloomsky SKY2 network, obtainable via JSON queries intended to work with the Bloomsky SKY2 Weather Camera Stations. This includes individual users’ email addresses, mobile operating system information, and lat/long geographical data, which constitutes an “Exposure of Private Information” vulnerability, CWE-359, with a CVSS score of 4.3. In addition, users can upload images to cloud storage (Amazon S3 buckets) associated with other users’ cameras simply by knowing the associated user ID, which is obtainable via the JSON info leak described. This is an instance of CWE-345, “Insufficient Verification of Data Authenticity,” also with a CVSS score of 4.3.
Product description
The Bloomsky SKY2 weather camera station, described at the vendor’s website, is a home-based weather station intended to record and share weather data with a network of over 100,000 registered users (note that registration is free to anyone without purchase of a device or subscription service). The device also records and shares (usually) outdoor images.
Credit
These issues were discovered by independent security researcher Andrew MacPherson, and reported to Rapid7 for disclosure in accordance with Rapid7’s vulnerability disclosure policy.
Exploitation
There are two exploitable issues exposed in the Bloomsky network: “Exposure of Private Information” (CWE-359, CVSSv3 score 4.3), and “Insufficient Verification of Data Authenticity” (CWE-345, CVSSv3 score of 4.3). In order to exploit these vulnerabilities, an attacker would merely need to register for a free account on the Bloomsky network, then enumerate all user IDs (which are incremental and predictable based on the attacker’s own newly acquired user ID).
For technical details on exploitation, the researcher has published a detailed blog post at his site.
Impact
These vulnerabilities enable an attacker to enumerate the email addresses of all Bloomsky network users, regardless of the intended privacy settings of their SKY2 devices. An attacker can also upload misattributed images associated with arbitrary user IDs.
Vendor Response
Rapid7 was unable to get a response from the vendor after notifying them of these vulnerabilities via the email address listed in their privacy policy.
Remediation
While we have not received a response from the vendor on these issues, there has been an update to the JSON schema since our first disclosure to the vendor to no longer disclose email addresses of device owners (although other personal information, such as username and lat/long of the devices remain).
Unfortunately, it appears impossible for users to restrict malicious users from uploading arbitrary images associated with their account without an update from the vendor to enforce more reasonable access controls.
Disclosure timeline
- September 2019: Issue discovered by Andrew MacPherson
- Monday, Sept. 16, 2019: Issue reported to Rapid7 for coordinated vulnerability disclosure
- Tuesday, Sept. 17, 2019: Issue reported to Bloomsky by Rapid7
- Wednesday, Jan. 29, 2020: Public disclosure of this issue