Vulnerability Disclosure

Listed below are potential vulnerabilities raised against ERA products, software and services, together with the actions taken by ERA Home Security Ltd in response to each.

Date Raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Camera remained connected to the external service after removal from the account; based on data traffic analysis, the camera continued to transmit UDP traffic externally at the same rate as when it was connected to the account.
Date of response: 15th January 2019
Resolution: Updated FAQ and QSG so that the camera is hard reset when deleted from the account.
Resolution date: 20/04/2019

Date Raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Basic authentication is done over HTTP; the camera also reveals sensitive information (ID, MAC and internal IP address) in plain communication.
Date of response: 15th January 2019
Resolution: Authentication now done over HTTPS and all sensitive data encrypted. Firmware fix:
Resolution date: 20/04/2019

Date Raised: 7th January 2019
Product: ERA Floodlight Camera & ERA Outdoor Camera
Vulnerability: Camera sends snapshot images to S3 in clear text, along with the AWS access key in clear text.
Date of response: 15th January 2019
Resolution: Backend fix and firmware fix.
Resolution date: 20/04/2019

Date Raised: 11th January 2023
Product: ERA Infrastructure
Vulnerability: During an internal audit it was found that some of our servers were still running TLS 1.1.
Date of response: 20th January 2023
Resolution: Updated all our servers and services to TLS 1.2.
Resolution date: 29/01/2023

Date Raised: 6th February 2023
Product: ERA TouchKey / ERA TouchKey module
Vulnerability: During an audit with BSI the remote operation of the lock was captured and replayed at 866 MHz; it was possible to open the lock without the use of the mobile application.
Date of response: 28th February 2023
Resolution: Module firmware updated to resolve the issue. ERA_5s_pcb3_v2 was tested and released.
Resolution date: 12/03/2023

Date Raised: 6th February 2023
Product: ERA Protect Alarm (ERA 3555116 Audit stage One 1.0)
Vulnerability: The following ciphers supported by the hub were classed as weak at the time of the test (ciphers listed in report 355516).
Date of response: 28th February 2023
Resolution: Released new Hub firmware that supports TLS 1.2 and above.
Resolution date: 12/03/2023

Date Raised: 6th February 2023
Product: ERA Infrastructure
Vulnerability: The following vulnerabilities were identified in the NIST Vulnerability Database at the time of the test:
  • nrf5_SDK: CVE-2021-29415
  • Corehttp: CVE-2007-4060, CVE-2009-3586
  • lwip: CVE-2020-22283
Resolution:
  • Nrf5_sdk: There is no path available to fix this. The risk is reduced by the fact that AWS authentication is required for all lock operations. We are working with suppliers, and once there is a fix the patch will be applied as soon as it is released.
  • Core-http: Not affected with our version; this was accepted by BSI in an earlier audit.
  • Lwip: We have fixed the issue with a non-formal release of the library.
Resolution date: Monitoring; will be reviewed when the patch is delivered.

ERA Vulnerability Disclosure

At ERA, we take the security of our products and services seriously, so it is immensely useful for us to get any feedback from researchers that can help develop our services. We operate a reporting procedure for the responsible disclosure of any security vulnerabilities. If you are involved with security research, please find details below.

How to report a suspected security vulnerability
If you believe you’ve found a potential vulnerability, please let us know by filling out the responsible disclosure form below and give us as much detail as possible. Please do not make any information about any vulnerabilities public or do anything else that may put our customers’ data or our intellectual property at risk, or degrade our systems.

What action will we take?

We will acknowledge your disclosure by email within 7 days of receipt.

We will then review the disclosure and provide our response within 14 days, and if applicable this will include a timeline to resolution.

We will publish the disclosure and our response on the table above, and email you at least once a month until the vulnerability is resolved.

If the issue relates to GDPR, please be advised that the disclosure will be forwarded to our Data Protection Office and the relevant procedure followed.

Software – we will investigate, and if an issue is identified we will disclose this.

We aim to have the vulnerability resolved within 90 days of being notified, and will advise of any follow-up activity required.

Hardware – we will investigate, and if an issue is identified we will disclose this.

On conclusion of the investigation, we will provide an estimated time to resolve the vulnerability and any follow-up activity required. Timelines that we expect to follow:

Software (App & Platform)

Risk Level | Time to Confirm | Time to Fix
Low        | Within 24 Hours | Within 90 Days
Medium     | Within 12 Hours | Within 60 Days
High       | Within 6 Hours  | Within 30 Days

Hardware & Firmware

Risk Level | Time to Confirm | Time to Fix
Low        | Within 30 Days  | Within 90 Days
Medium     | Within 30 Days  | Within 60 Days
High       | Within 30 Days  | Within 30 Days

The timelines above are indicative and depend on the issue raised and the investigation required. Once the investigation has been completed, we will provide a further update on the timescale needed to resolve the issue. The disclosure table above will be updated on a regular basis until the issue is marked as closed.

Activity that we do not allow
We do not allow any activity that may interfere with customers using our services, or any activity that may result in the modification, deletion or unauthorised disclosure of our intellectual property or personal customer data. Please find specific examples of this below:

  • Public disclosure of personal, proprietary or financial information
  • The modification or deletion of data that isn’t yours
  • Interruption, degradation or outage to services (like Denial of Service attacks)
  • Spamming / social engineering / phishing attacks
  • Physical exploits and/or attacks on our infrastructure
  • Local network-based attacks such as DNS poisoning or ARP spoofing

Vulnerability disclosures that are out of scope of our vulnerability disclosure policy

  • Accessible non-sensitive files and directories (e.g. README.txt, robots.txt, etc.)
  • Fingerprinting / banner / version disclosure of common / public services
  • Username / email enumeration by brute forcing or by inference of certain error messages – except in exceptional circumstances (e.g. the ability to enumerate email addresses by incrementing a variable)

Reporting form

Attachments

If you have any attachments, screenshots etc. to send, please email them to support@eraprotect.com