A Loxone system is not only designed to protect residential and commercial buildings as a structure, but also the data and privacy of the occupants in that building. This is arguably in contrast to many IoT solutions – in that the Loxone Miniserver does not send any data about the user behaviour to any online services. Basically, a Loxone system works entirely without an internet connection. However, since many users want to be able to control their building from afar, or make use of the weather services to enhance the automation, an internet connection would be required in these cases. As such, security measures related to this are regularly assessed in conjunction with both internal and external experts.
A few weeks ago, we were informed about a weakness in the Loxone Cloud DNS by the Hagenberg campus of the University of Applied Sciences Upper Austria, with whom we have already co-operated on several projects. Their Security Advisory discusses the theoretical possibility of the Loxone Cloud DNS registering the wrong IP address as a result of fake data packets. This would enable an attacker to temporarily store the IP address of a website similar to the Loxone Web Interface and thus access the login information of a Loxone installation.
Several prerequisites must exist to be able to exploit this vulnerability. The attacked would need to know the MAC address of the Loxone Miniserver; the Miniserver would need to be registered and active on the Loxone Cloud DNS, and a user would need to make a login attempt at the time of the attempted exploit – as the Miniserver updates the IP address after every minute. Additionally, should an attacker want to undertake any damage on-site, they would need to know the physical address where the Miniserver is installed.
There have been no known instances of this vulnerability actually being exploited by an attacker.
The security of Loxone users and consumer installations is a priority for as at the core of what we do. For this reason, we have taken immediate measures to permanently prevent this attack scenario.
With an HTTP request, the IP address and the port of the Miniserver, that is configured on the home router can be read (this is used by the app for external/remote access, for example). In the HTTP response, the field for “Last Update Timestamp” has been removed so as not to reveal the update cycle of the Miniserver. This measure was implemented on 6 July 2020.
A sophisticated check detects potential attackers as soon as the IP address changes several times within one minute. Therefore, a potential attack can be identified after one occurrence and, as a result, the IP address of the perceived attacker is then blacklisted for 24 hours. This measure was implemented on 16 July 2020.
Separate to this, a single IP address can send a maximum of 50 updates to the Loxone Cloud DNS within one minute. Should this be exceeded, the IP address in this instance is blacklisted for 7 hours and all updates will simply be ignored during this time. This measure was implemented on 16 July 2020.
From one IP address for a Miniserver, a maximum of 5 updates per minute can be sent to the Loxone Cloud DNS. This, in itself, is to prevent update spamming for a Miniserver. Should this be exceeded, the IP address is blacklisted for 7 hours. This measure was implemented on 16 July 2020.
For all Miniservers using version 11.1 (2020.09.03) and above, and which make use of the Loxone Cloud DNS, a signature of the update package was introduced. With the help of an authentication handshake, assurance is made that the respective package originates from the Miniserver in question. Once a successful update has been carried out using this authentication method, the Miniserver will not allow any future packets that are not signed in this way. This update was rolled out to consumers and Loxone Partners on 3 September 2020.
These measures taken with the Loxone Cloud DNS ensure a strong level of protection for Loxone installations which make use of this service. We always recommend keeping installations up-to-date to benefit from such improvements. The updates in V11.1 prevent attacks based on the scenarios outlined above and therefore provide utmost protection in this regard.
Note: The attack scenarios detailed above are in reference to the Loxone DNS service only. The Loxone “Remote Connect” service is not affected by the aforementioned.