Researchers have disclosed a pair of vulnerabilities in multiple Imperial and Dabman-branded web radios that could allow malicious actors to remotely compromise the IoT devices.

Telestar Digital GmbH, the company that manufactures the web radios, has patched both problems, according to a security advisory published yesterday by Vulnerability Lab, whose researchers made the discovery. Several reports have cited Vulnerability Lab researcher and advisory author Benjamin Kunz Mejri of Germany as saying via Facebook that over 1 million device models are affected.

The first of the two flaws, CVE-2019-13473, consists of a weak, hard-coded password for an undocumented telnet service, telnetd, which in affected models is permanently turned on within the device’s Linux BusyBox software. This credential can be easily cracked using brute-force tactics or automated script-based attacks. In fact, Vulnerability Lab researchers tested this premise and found it took only about 10 minutes to recover the password.

Armed with the recovered password, malicious actors could next gain full root access to the BusyBox environment and web server and obtain highly sensitive device data and file contents. In its advisory, Vulnerability Lab says its researchers were ultimately “able to edit and access everything on the box and had the ability to fully compromise the smart web radio device.”

Vulnerability Lab also found a second manufacturer whose product uses the same undocumented telnet service. The research firm did not name the manufacturer, but noted that the company is actively working on a patch.

The second of the two bugs, CVE-2019-13474, is a command execution flaw that can be exploited by local or remote attackers, even if they are unauthorized and unauthenticated.

The bug surfaces during web server communication on ports 80 and 8000. “Local and remote attackers can send basic GET commands with basic command line tools… to modify or manipulate http requests,” the advisory states. “The attacker can also capture the http airmusic commands to reverse engineer the radio device for unauthorized interactions.”

The system has no built-in defense to block the unauthorized sending of commands, and there’s no protection to ensure that only trusted sources can transmit commands, the advisory continues.
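Because the radios themselves perform no source check, the practical compensating control is to enforce one on the network and audit for violations. The following is an added example, not code from the advisory or the vendor: it scans connection-log lines for access to a radio's telnet port (23) or HTTP control ports (80 and 8000) from outside a trusted network. The log format, the radio addresses and the trusted range are constructed assumptions.

```python
import ipaddress
import re

# Ports the advisory associates with the radios: 23 for the always-on
# telnetd, 80 and 8000 for the unauthenticated HTTP control interface.
WATCHED_PORTS = {23: "telnet", 80: "http-control", 8000: "http-control"}

# Constructed inventory (assumptions): the web radios on the LAN and the
# only source network that should ever talk to their control ports.
RADIO_HOSTS = {"192.168.1.50", "192.168.1.51"}
TRUSTED_SOURCES = [ipaddress.ip_network("192.168.1.0/24")]

# Constructed log format, loosely modelled on firewall/flow export lines.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample log: one trusted control request, two untrusted hits on
# a radio's telnet and HTTP ports, and two lines that should not alert.
SAMPLE_LOG = """\
2019-09-10T12:00:01 src=192.168.1.20 dst=192.168.1.50 dport=8000 proto=tcp
2019-09-10T12:00:05 src=203.0.113.7 dst=192.168.1.50 dport=23 proto=tcp
2019-09-10T12:00:09 src=203.0.113.7 dst=192.168.1.51 dport=80 proto=tcp
2019-09-10T12:00:12 src=192.168.1.20 dst=192.168.1.9 dport=22 proto=tcp
2019-09-10T12:00:15 src=198.51.100.4 dst=192.168.1.50 dport=443 proto=tcp
"""


def is_trusted(src: str) -> bool:
    """True if the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def audit(log_text: str) -> list:
    """Return one alert per connection to a radio's telnet or HTTP control
    port that did not originate from a trusted source network."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown line shape: skip rather than guess
        dport = int(m["dport"])
        if m["dst"] not in RADIO_HOSTS or dport not in WATCHED_PORTS:
            continue
        if is_trusted(m["src"]):
            continue
        alerts.append({"ts": m["ts"], "src": m["src"], "dst": m["dst"],
                       "port": dport, "service": WATCHED_PORTS[dport]})
    return alerts


if __name__ == "__main__":
    for a in audit(SAMPLE_LOG):
        print(f"{a['ts']} untrusted {a['service']} {a['src']} -> {a['dst']}:{a['port']}")
```

On the sample log this reports the two connections from 203.0.113.7; the port 443 line is ignored because the advisory ties the control interface to ports 80 and 8000 only.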

Vulnerability Lab warns that the bug can be exploited to spread malware, conduct mass defacements, set the stage for further Linux network attacks, or form an IoT botnet.

“The potential of the issue being exploited in thousands of end user devices all over Europe is estimated as high,” warns the advisory.

Web radio models confirmed to be affected by both vulnerabilities are as follows: Bobs Rock Radio, Dabman D10, Dabman i30 Stereo and the Imperial models i110, i150, i200, i200-cd, i400, i450, i500-bt and i600.