Improper Certificate Validation in Bosch Smart Home System App for iOS

Published

2020-08-24 00:00:00 UTC

Summary

BOSCH-SA-347336: A recently discovered security vulnerability affects the Bosch Smart Home System App for iOS. Both Bosch Smart Home Camera Apps and the Bosch Smart Home System App for Android are not affected. The vulnerability potentially allows an attacker to intercept video content by performing a man-in-the-middle attack. Because only connections to Bosch's video backend are potentially affected, the vulnerability applies only to customers who have paired a Bosch camera with their Bosch Smart Home Controller (SHC). Bosch Smart Home rates this vulnerability with a CVSS v3.1 base score of 6.8 (medium) and recommends that customers upgrade the app to an updated version. As of 2020-07-22, updated app versions are available and offered to all customers via the Apple App Store. As of 2020-08-12, there is no indication that the vulnerability has been exploited. The vulnerability was discovered during one of the regular internal security tests.