Chamberlain MyQ Garage Door Devices Expose an unauthenticated API on The Local Network
I was recently poking at some IoT devices and discovered that MyQ garage door devices expose an unauthenticated and unencrypted wsgi API accessible over WiFi. The API allows GET and POST, so you can access settings on the device and overwrite them over the network.
Disappointingly, I haven't figured out how to open and close the garage door through this API. I also haven't discovered a remote take over opportunity, or a means to reprogram the device maliciously – largely due to my lack of skill and perhaps some good practices on the manufacturers end. To their credit, both the OS and webserver are obfuscated which makes it difficult to identify relevant CVE's (see errata below for details).
The primary problem is that Chamberlain doesn't have a responsible disclosure policy/process that I can find.
The API can be easily enumerated, and has interfaces listed under /sys. There may be other interfaces I haven't discovered, so this list isn't wholly complete:
/sys/interface /sys/mode /sys/network /sys/time
You can query these with curl, and also do a post to overwrite the settings.
/sys/interface puzzles me a bit. It seems to be a setting for how the device integrates with other MyQ devices on the same network.
curl 192.168.0.102/sys/interface
{"interface":"station"}
/mode was also discovered by McAfee, although McAfee didn't seem to take issue with the API. This seems to have a boolean value and can be used to factory reset the IoT settings.
curl 192.168.0.102/sys/mode
{"mode":1}
Doing a POST to change the mode to 0 knocks the device offline and seems to reset the IOT functions.
/network gives you the current network settings, and probably (I didn't bother testing) allows overwriting the settings.
curl 192.168.0.102/sys/network
{"ssid":"MyNetwork","bssid":"00:00:00:00:00:00","channel":1,"security":5,"rssi":-59,"ip":{"ipv4":{"iptype":1,"ipaddr":"192.168.0.102","ipmask":"255.255.255.0","ipgw":"192.168.0.1","ipdns1":"192.168.0.1","ipdns2":"0.0.0.0"}}
Errata:
Nmap scan results against a MyQ device:
Nmap scan report for MyQ-A78.localdomain (192.168.0.102)
Host is up (0.017s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
443/tcp open https
MAC Address: CC:6A:10:4F:04:39 (The Chamberlain Group)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=12/18%OT=80%CT=1%CU=43914%PV=Y%DS=1%DC=D%G=Y%M=CC6A
OS:10%TM=67637553%P=x86_64-pc-linux-gnu)SEQ(SP=0%GCD=4AD427%ISR=CC%TI=I%CI=
OS:I%II=RI%SS=S%TS=U)SEQ(SP=9F%GCD=1%ISR=CC%TI=RD%CI=I%TS=U)SEQ(SP=AB%GCD=1
OS:%ISR=CC%TI=I%CI=I%II=RI%SS=S%TS=U)SEQ(SP=B7%GCD=1%ISR=CA%TI=I%CI=I%II=RI
OS:%SS=S%TS=U)SEQ(SP=E7%GCD=1%ISR=E5%TI=RD%CI=RD%II=RI%TS=U)OPS(O1=M578%O2=
OS:M578%O3=M578%O4=M578%O5=M578%O6=M578)WIN(W1=36B0%W2=36B0%W3=36B0%W4=36B0
OS:%W5=36B0%W6=36B0)ECN(R=Y%DF=N%T=FF%W=36B0%O=M578%CC=N%Q=)T1(R=Y%DF=N%T=F
OS:F%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=N%T=FF%W=36B0%S=O%A=S+%F=AS%O=M
OS:578%RD=0%Q=)T4(R=Y%DF=N%T=FF%W=36B0%S=A%A=S%F=AR%O=%RD=0%Q=)T5(R=Y%DF=N%
OS:T=FF%W=36B0%S=A%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=N%T=FF%W=36B0%S=A%A=S%F=A
OS:R%O=%RD=0%Q=)T7(R=Y%DF=N%T=FF%W=36B0%S=A%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=
OS:N%T=FF%IPL=38%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=S%T=FF%C
OS:D=S)
Basic Nikto scan results:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.0.102
+ Target Hostname: 192.168.0.102
+ Target Port: 80
+ Start Time: 2024-12-18 17:30:11 (GMT-8)
---------------------------------------------------------------------------
+ Server: Marvell-WM
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /sys/: This might be interesting.
+ 8102 requests: 0 error(s) and 3 item(s) reported on remote host
+ End Time: 2024-12-18 17:33:46 (GMT-8) (215 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
Evidence of wsgi:
curl -X post 192.168.0.102/sys/interface
wsgi handler failed
https is available but the certificates are not valid under any common CA:
curl -k https://192.168.0.102/sys/interface
{"interface":"station"}
There are also /about and /index.html locations that appear empty.