Bitdefender BOX v1 vulnerabilities put smart homes at risk

Bitdefender has discovered three critical vulnerabilities in its Bitdefender BOX v1 smart home security device. Although the device has been discontinued, many users are still using it, which poses a risk of remote control by hackers.

The vulnerabilities could allow attackers to execute arbitrary code, modify updates, and roll back firmware to older, unsecured versions.

• CVE-2024-13870 (CVSS 1.8) – allows the device to enter recovery mode and revert to older firmware, making it vulnerable to previous attacks.
• CVE-2024-13871 (CVSS 9.4) – a command injection vulnerability via the /check_image_and_trigger_recovery API, which allows hackers to gain full control over the device.
• CVE-2024-13872 (CVSS 9.4) – Insecure update mechanism using unencrypted HTTP, creating the possibility of man-in-the-middle (MITM) attacks and malicious code injection.

Bitdefender has released an update to version 1.3.11.510, which fixes only one of the issues. However, support for the device has been officially discontinued. Bitdefender BOX v1 was once advertised as a comprehensive solution for protecting computers, smartphones, surveillance cameras, game consoles and other devices. However, after the end of support, the device no longer receives security updates, making it potentially dangerous for users.

Bitdefender recommends that you immediately stop using BOX v1 and upgrade to a more modern solution. Since the device no longer receives updates, it remains vulnerable to attacks that allow hackers to remotely control it and pose a threat to other devices on the network.