tl;dr 🔗

It was possible to control what seems to be all Internet connected Mill heaters worldwide.

Summary 🔗

Who:	Mill
Severity level:	Medium
Reported:	October 2018
Reception and handling:	Very good
Status:	Fixed
Reward:	A thank you
Issue:	It was possible to control all Internet connected heaters

Background 🔗

Mill is a company selling different heaters. If you've ever seen a heater that actually looks good it was probably a Mill heater. Some of the heaters can be controlled with their app via the Internet. They also have Wi-Fi socket product that can be connected to good old "dumb" heaters.

Please note that this was originally not my finding. A friend of mine have a few Mill heaters and let me access what was needed to check out this issue.

Approach (technical stuff)

Skip this part 🙈 I downloaded Mill's Android app and used the HTTP proxy Charles to listen in on the traffic.

The first thing that surprised me was that the app connected to a hostname that belongs to a Chinese "IoT platform" (Mill is Norwegian). The IP seems to belong to a machine running Amazon Elastic Compute Cloud (EC2) in Germany.

The first thing that scared me was that they only used https for the authentication. All other communication was unencrypted.

During authentication the server gave the client an access token. The token seemed to be valid for a 24+ hours.

When receiving information and sending commands the app sent some headers to prove the authenticity. There was a signature based on a nonce, a timestamp, the user id and the authentication token. The timestamp and nonce was also sent in the request. There was one problem with the request headers. The exact same headers could be used again and again for both replay attacks and for any other different command or information retrieval. This was not the app you wanted to use from your sunbed on vacation while connected to the nearest open Wi-Fi network.

But then there was the real issue. I got an ID of an oven from my friend, with his blessing to try to adjust the temperature of it. And guess what, it was possible to do just that. First one could get the status of the oven and check if the oven was online, then one could change the status it - including setting the temperature.

The ovens were assigned an ID that seemed to be an incremental number. So once this issue was present it became a large scale one. It seemed like one could set the temperature of any and all online Mill ovens worldwide.

curl -H 'Content-Type: application/x-zc-object' \
-H 'X-Zc-Content-Length: 85' \
-H 'X-Zc-Major-Domain: seanywell' \
-H 'X-Zc-Sub-Domain: milltype' \
-H 'X-Zc-Timestamp: 1939713271' \
-H 'X-Zc-Timeout: 300' \
-H 'X-Zc-Nonce: [some nounce]' \
-H 'X-Zc-User-Id: [your own user id]' \
-H 'X-Zc-User-Signature: [sha1 of time params, nounce and auth token]' \
-H 'Host: [Mill server]' \
--data-binary '{"homeType":0,"timeZoneNum":"+02:00","deviceId":[some oven id],"value":28,"key":"holidayTemp"}' \
'http://[Mill server]/millService/v1/changeDeviceInfo'

Security issues

It was possible to get the status of up to 50,000 Internet connected Mill ovens and get data like the following:

• Online/offline status
• Current and target temperature
• User selected device name (could they reveal addresses/people?)
• Other status information

It was possible to change the status - aka set the temperature - of the ovens. What if someone had turned off the oven because they were e.g. temporarily storing something close to the oven, and then someone turned the oven to full via the Internet? Could that potentially cause a fire? Their user manuals specify minimum distances for the ovens and that they need to be kept away from flammable materials.

Reception and handling 🔗

Day zero 🔗

At night I sent an e-mail to both their specified contact and Play Store e-mail address.

Day 1 🔗

The morning after, they responded thanking me for telling them about the issue and that they had started working on fixing it.

At night - after business hours - I got a response that they had a solution that they were running some final tests on. They also asked for my opinion on some of the changes they were going to do.

Not everything was fixed overnight at once, but they showed they were on the ball, taking it serious and fixed the worst parts first.

Conclusion 🔗

I live in a smart home, and I like the ease of being able to see the temperature of every room and control the heating from anywhere. I can understand why people use Mill's and other's solutions. And imagine having a cabin in the cold snowy mountains where you can adjust the heat so that it's pre-heated just before you arrive. It's perfect. On the other hand, I have so much respect for those not wanting to connect their lives or homes to the Internet, because it will fail at one or another point. It doesn't have to be a specific case like this, but we're also talking about privacy issues in regards of big companies and governments, and we're talking about surveillance from anything from burglars to jealous partners to governments.

This was yet another one of many, many incidents of IoT security failing. We must come up with up with some kind of labelling of IoT devices that can work as a statement that the vendors can use to say they have at least gone through some minimum efforts checklist and that they actively uses third-party companies to check their security. If some big companies in the industry get together and work out a simple framework for this we could start going down the right path. I don't think we have time to wait for laws and regulations around the world.