More than a million IoT radio devices affected by backdoor vulnerability

Vulnerabilities have been uncovered in Telestar Digital GmbH Internet of Things (IoT) radio devices that could allow attackers to hijack systems remotely.

The web radios “Dabman & Imperial” (series i & d) are distributed in Germany by Telestar Digital GmbH from Germany.

The vulnerabilities were found by researcher Benjamin Kunz, of Vulnerability Lab, when an anomaly was spotted on a private server.

The first (CVE-2019-13473) covers a weak password vulnerability within an undocumented telnet service presented by the device. This is vulnerable to brute force attacks, which could give the attacker root access to the device’s underlying Linux operating system.

The second (CVE-2019-13474) is a command execution vulnerability which could allow attackers to gain access and issue unauthorised commands.

The affected product line, which includes portable radios and DAB stereos, are sold across Europe and utilise Bluetooth and internet connectivity.

Vulnerability Lab disclosed their findings to Telestar Digital GmbH with the latter responding and producing a patch within the week.

Telestar confirmed they had not seen any evidence of the vulnerabilities being exploited, but automatic updates via Wi-Fi are now available which can be implemented by setting impacted devices back to factory settings and accepting latest firmware version downloads.