An issue exists in myStrom WiFi Switch V1 prior to 2.66, WiFi Switch V2 prior to 3.80, WiFi Switch EU prior to 3.80, WiFi Bulb prior to 2.58, WiFi LED Strip prior to 3.80, WiFi Button prior to 2.73, and WiFi Button Plus prior to 2.73. The SSL/TLS server certificate in the device-to-cloud communication was not verified by the device. As a result, an attacker in control of the network traffic of a device could have taken control of a device by intercepting and modifying commands issued from the server to the device in a Man-in-the-Middle attack. This included the ability to inject firmware update commands into the communication and cause the device to install maliciously modified firmware.
Vulnerable Product |
---|
mystrom wifi_switch_firmware |
mystrom wifi_button_plus_firmware |
mystrom wifi_button_firmware |
mystrom wifi_switch_eu_firmware |
mystrom wifi_bulb_firmware |
mystrom wifi_led_strip_firmware |