CVE-2020-28713 in Smart Doorbell
Summary
by MITRE • 06/09/2021
Incorrect access control in push notification service in Night Owl Smart Doorbell FW version 20190505 allows remote users to send push notification events via an exposed PNS server. A remote attacker can passively record push notification events which are sent over an insecure web request. The web service does not authenticate requests, and allows attackers to send an indefinite amount of motion or doorbell events to a user's mobile application by either replaying or deliberately crafting false events.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/11/2021
The vulnerability identified as CVE-2020-28713 represents a critical access control flaw within the push notification service of Night Owl Smart Doorbell firmware version 20190505. This weakness stems from improper authentication mechanisms within the Push Notification Service (PNS) server, which operates with exposed endpoints that lack adequate security controls. The flaw creates a scenario where remote adversaries can exploit the service without proper authorization, fundamentally undermining the security model of the smart doorbell system.
The technical implementation of this vulnerability manifests through the absence of request authentication within the web service interface. The PNS server fails to validate incoming requests, allowing attackers to submit malicious payloads without presenting valid credentials or authorization tokens. This authentication bypass enables the exploitation of the service through insecure web requests, where the system processes and forwards notifications without verifying the legitimacy of the source. The vulnerability is particularly concerning as it operates over unencrypted channels, making it susceptible to passive network monitoring and interception attacks.
The operational impact of this vulnerability extends beyond simple unauthorized access to encompass potential denial of service and user privacy violations. Attackers can generate unlimited motion or doorbell events, creating a flood of false notifications that overwhelm user applications and potentially degrade system performance. The ability to replay previously recorded events or craft new false notifications enables persistent disruption of service and may lead to user confusion or false security alerts. This vulnerability directly violates the principle of least privilege and represents a failure in the security architecture of the device.
The security implications of this flaw align with CWE-284, which addresses improper access control vulnerabilities, and can be mapped to ATT&CK technique T1190, representing the exploitation of exposed services. The vulnerability demonstrates poor security design practices in IoT devices, where exposed services lack proper authentication mechanisms. Organizations should implement network segmentation to isolate such services and deploy intrusion detection systems to monitor for abnormal notification traffic patterns. Additionally, the firmware should be updated to include proper request authentication, implement rate limiting for notification services, and ensure all communication occurs over encrypted channels. The remediation approach must address both the immediate authentication bypass and establish comprehensive security controls to prevent similar vulnerabilities in future implementations.