VYPR
Unrated severity · NVD Advisory · Published Oct 8, 2018 · Updated Sep 16, 2024

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN

CVE-2018-5402

Description

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App use an embedded webserver that uses unencrypted plaintext for the transmission of the administrator PIN. Impact: An attacker, once authenticated, can change configurations, upload new configuration files, and upload executable code via file upload for firmware updates. Requires access to the network. Affected releases are Auto-Maskin DCU-210E, RP-210E, and the Marine Pro Observer Android App, versions prior to 3.7 on ARMv7.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App transmit the administrator PIN in cleartext via the embedded webserver, allowing network-adjacent attackers to authenticate and gain full control.

Vulnerability

The Auto-Maskin DCU 210E, RP-210E, and Marine Pro Observer Android App (versions prior to 3.7 on ARMv7) contain a cleartext transmission vulnerability (CWE-319) in the embedded web server [1][2]. The administrator PIN is transmitted over HTTP without encryption, enabling unauthorized actors to capture the credential by sniffing network traffic [1][2].

Exploitation

An attacker with network access to the affected device can monitor network traffic to capture the plaintext administrator PIN [1][2]. No authentication is required beforehand, and the attack requires only low skill [1]. Once the PIN is obtained, the attacker can authenticate to the web server and perform privileged actions [1].

Impact

Successful exploitation allows an authenticated attacker to change configurations, upload new configuration files, and upload executable code via the file upload mechanism used for firmware updates [1]. This can lead to full compromise of the device, including root access to the underlying operating system and read/write access to system files [1].

Mitigation

As of the publication date, the vendor had not released a firmware update addressing this vulnerability; CERT/CC was unaware of a solution [2]. Affected users should ensure these devices are accessible only via private, carefully secured networks [2]. CISA advisory ICSA-20-051-04 recommends following defense-in-depth practices but does not announce a patch [1].
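One way to confirm this exposure in an authorised capture from the device's own management segment, as an added example that is not code from the advisory or the vendor: the function audits one reassembled plaintext HTTP request and reports where a credential-like item appears, never its value. The advisory does not say how the PIN is encoded, so the parameter names, paths and sample requests are constructed assumptions, and the check generalises to Basic and Bearer headers.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Assumed credential-like parameter names; the advisory does not name the field.
SENSITIVE = re.compile(
    r"(?:^|[_.\-])(?:pin|pass(?:word|wd)?|pwd|secret|token)(?:$|[_.\-])", re.I)

def audit_cleartext_request(raw: bytes) -> list[str]:
    """Return findings for one plaintext HTTP request; values are never returned."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return []  # not a parseable HTTP request (for example TLS record bytes)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    findings = []
    # Basic and Bearer schemes carry a reusable credential in the header itself.
    scheme = headers.get("authorization", "").split(" ", 1)[0].lower()
    if scheme in ("basic", "bearer"):
        findings.append(f"header:authorization({scheme})")
    for key, _ in parse_qsl(urlsplit(parts[1]).query, keep_blank_values=True):
        if SENSITIVE.search(key):
            findings.append(f"query:{key}")
    ctype = headers.get("content-type", "").lower()
    if "application/x-www-form-urlencoded" in ctype:
        for key, _ in parse_qsl(body.decode("latin-1"), keep_blank_values=True):
            if SENSITIVE.search(key):
                findings.append(f"body:{key}")
    return findings

# Constructed sample requests (hypothetical paths and field names, TEST-NET address).
SAMPLE_FORM = (b"POST /login HTTP/1.1\r\nHost: 192.0.2.10\r\n"
               b"Content-Type: application/x-www-form-urlencoded\r\n"
               b"Content-Length: 15\r\n\r\nuser=a&pin=0000")
SAMPLE_QUERY = b"GET /set?admin_pin=0000 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"
SAMPLE_BASIC = (b"GET /config HTTP/1.1\r\nHost: 192.0.2.10\r\n"
                b"Authorization: Basic Y29uc3RydWN0ZWQ=\r\n\r\n")
SAMPLE_BENIGN = b"GET /status?ping=1 HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_FORM, SAMPLE_QUERY, SAMPLE_BASIC, SAMPLE_BENIGN):
        print(audit_cleartext_request(sample))
```

Any finding for traffic to one of these devices means the credential crossed the segment unencrypted, which is the condition the network isolation above is meant to contain.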

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

5

Patches

0

No patches discovered yet.

References

2
