CVE-2024-48790
Description
An issue in ILIFE com.ilife.home.global 1.8.7 allows a remote attacker to obtain sensitive information via the firmware update process.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-48790 exposes a firmware leakage vulnerability in the ILIFE Home app 1.8.7 due to missing access controls on the update server.
Overview
CVE-2024-48790 is an incorrect access control vulnerability in the ILIFE Home application (com.ilife.home.global, version 1.8.7). The issue resides in the firmware update process, where the app uses HTTPS requests to download new firmware. By reverse engineering the app, attackers can extract the download mechanism and construct direct requests to the vendor's firmware server [1].
Exploitation
The vulnerability is exploitable remotely without authentication. An attacker only needs to analyze the app's decompiled code to retrieve the firmware download URL. Dynamic testing confirmed that sending a direct GET request to the server, with parameters derived from the app, returns the latest firmware file without any access control check [1]. The server responds with a 200 OK and delivers the firmware archive (e.g., a ZIP file) to anyone who constructs the proper request.
Impact
Successful exploitation allows an attacker to download firmware files intended only for the ILIFE Home app. This can lead to the disclosure of proprietary code, device configuration details, or sensitive data embedded in the firmware. Additionally, the leaked firmware could be reverse engineered to find further vulnerabilities or used to create malicious updates if the device does not verify firmware signatures.
Mitigation
As of the publication date, ILIFE has not publicly addressed this issue via a security advisory. The official website does not mention this vulnerability [2]. Users should monitor vendor updates for a patched version of the app. In the meantime, restricting network access to the firmware server and monitoring for unexpected download requests may reduce risk.
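The missing server-side check described above, as an added example (not ILIFE's code and not taken from the cited references): an open firmware handler next to one that requires a short-lived HMAC token bound to a device and a file. The key, device IDs, file name and function names are constructed assumptions, and authenticating the device before `issue_token` is called is out of scope here.

```python
import hashlib
import hmac
import json
import time

# All values below are constructed for this example.
SERVER_KEY = b"constructed-demo-key"          # assumption: secret held only by the update server
TOKEN_TTL = 300                               # seconds a download token stays valid
FIRMWARE = {"fw-demo.zip": b"PK\x03\x04constructed-firmware-bytes"}


def _sign(device_id, filename, expires):
    # JSON array encoding keeps the field boundaries unambiguous.
    msg = json.dumps([device_id, filename, expires]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def issue_token(device_id, filename, now=None):
    """Hypothetical: called only after the app/device session is authenticated."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    return f"{expires}.{_sign(device_id, filename, expires)}"


def serve_unprotected(filename):
    """Behaviour the CVE describes: any correctly formed GET receives the file."""
    body = FIRMWARE.get(filename)
    return (200, body) if body is not None else (404, b"")


def serve_protected(device_id, filename, token, now=None):
    """Serve only for an unexpired token bound to this device and this file."""
    now = int(time.time() if now is None else now)
    try:
        expires_s, sig = token.split(".", 1)
        expires = int(expires_s)
    except (AttributeError, ValueError):
        return (401, b"")                     # missing or malformed token
    expected = _sign(device_id, filename, expires)
    if not hmac.compare_digest(expected.encode(), sig.encode()):
        return (403, b"")                     # forged, or issued for another device/file
    if now > expires:
        return (403, b"")                     # expired
    return serve_unprotected(filename)
```

Access control on the download only limits who can fetch the image; the device still needs to verify firmware signatures before installing, as the Impact section notes.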
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
0No linked articles in our index yet.