Zero-Day Advisory
Fortinet Discovers Unprotected Wi-Fi Credentials in eFamilyCloud mobile app for Lingan Intelligent Smart Power Plugs
Summary
Fortinet's FortiGuard Labs has discovered unprotected Wi-Fi credentials in the Android application used to manage smart power plugs manufactured by Shenzhen Lingan Intelligent Technology.
The Android application is used to control the smart plugs (set power on/off, etc.), which are connected to a Wi-Fi network. The credentials for that Wi-Fi network are logged in **cleartext** in the smartphone's system logs. As a reminder, system logs are readable by anybody / any application; reading them does not require any specific permission or password.
The vulnerability applies to the official application for use with the smart plug. This application is named 'eFamilyCloud', and its latest version (v1.0.8) is currently vulnerable.
Solutions
We detect the vulnerable application as *Riskware/SmartPlug!Android*.
Additional Information
Example of the logs:
```
2018-04-20 09:35:31BindDevicePresenter gggssid: YourSSID_WiFipassword: CENSOREDtoken: EUzoLA6xxxxZHa7
2018-04-20 09:35:31BindDevice gggssidYourSSID_WiFipasswordCENSOREDmodeTY_EZtokenEUzoLA6xxxxZHa7
```
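As an added example (not Fortinet's tooling and not part of the original advisory), the following Python triage helper scans captured logcat text for the two line shapes shown above, reports which lines leaked Wi-Fi credentials, and masks the secret fields before an excerpt is shared in a report. The sample log lines, SSID, password and token are constructed.

```python
import re

# Assumed log shape, taken from the advisory's two sample lines:
#   "<ts>BindDevicePresenter gggssid: <ssid>password: <pw>token: <token>"
#   "<ts>BindDevice gggssid<ssid>password<pw>modeTY_EZtoken<token>"
# The keys run together without separators, so only the colon-delimited
# form is split into fields; the second form is flagged but not parsed,
# because an SSID containing the word "password" would make it ambiguous.
LEAK_PATTERN = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
    r"(?P<tag>BindDevice(?:Presenter)?) gggssid"
    r"(?::\s*(?P<ssid>.*?)password:\s*(?P<pw>.*?)token:\s*(?P<token>\S+))?"
)


def find_credential_leaks(log_text):
    """Return one record per log line that carries Wi-Fi credentials."""
    leaks = []
    for line in log_text.splitlines():
        m = LEAK_PATTERN.search(line)
        if not m:
            continue
        leaks.append({
            "timestamp": m.group("ts"),
            "tag": m.group("tag"),
            "ssid": m.group("ssid"),          # None for the delimiter-free form
            "has_password": "password" in line,
            "token_prefix": (m.group("token") or "")[:6],
        })
    return leaks


def redact(log_text):
    """Mask password and token in the colon-delimited form only."""
    return re.sub(
        r"(password:\s*)(.*?)(token:\s*)(\S+)",
        lambda m: f"{m.group(1)}***{m.group(3)}{m.group(4)[:6]}...",
        log_text,
    )


# Constructed sample mirroring the advisory's excerpt (all values made up).
SAMPLE_LOG = """\
2018-04-20 09:35:30 ActivityManager: Start proc com.example.efamilycloud
2018-04-20 09:35:31BindDevicePresenter gggssid: HomeNet_5Gpassword: hunter2token: tok_constructed_01
2018-04-20 09:35:31BindDevice gggssidHomeNet_5Gpasswordhunter2modeTY_EZtokentok_constructed_01
"""

if __name__ == "__main__":
    for leak in find_credential_leaks(SAMPLE_LOG):
        print(leak)
    print(redact(SAMPLE_LOG))
```

Because the delimiter-free line cannot be masked reliably, drop it entirely rather than quoting it when preparing an excerpt.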
Timeline
- Fortinet reported the vulnerability to Shenzhen Lingan Intelligent Technology on May 15, 2018.
- Fortinet served a second notice on May 22, 2018.
- Fortinet served a third notice on May 25, 2018.
- The vendor did not give any reply.
- Fortinet disclosed the vulnerability on June 22, 2018, following its Responsible Disclosure policy (https://fortiguard.com/zeroday/responsible-disclosure).