Vulnerability Note VU#573848
Qolsys IQ Panel contains multiple vulnerabilities
All firmware versions of Qolsys IQ Panel contain hard-coded cryptographic keys, do not validate signatures during software updates, and use a vulnerable version of Android OS.
Qolsys IQ Panel is an Android OS-based touch screen controller for home automation devices and functions. All firmware versions contain the following vulnerabilities.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2015-6032
A remote, unauthenticated attacker may be able to inject malicious firmware or software updates that will be accepted as valid by affected devices. It may be possible to leverage known vulnerabilities affecting Android OS 2.2.1 compromise affected devices.
The CERT/CC is currently unaware of a practical solution to this problem. The vendor has indicated that they will release QOL 1.5.1 to address these issues in November 2015, but until then, users should consider the following workaround.
Vendor Information (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Qolsys||Affected||23 Jun 2015||29 Oct 2015|
CVSS Metrics (Learn More)
Thanks to Roman Faynberg from Carve Systems for reporting this vulnerability.
This document was written by Joel Land.
- CVE IDs: CVE-2015-6032 CVE-2015-6033
- Date Public: 29 Oct 2015
- Date First Published: 29 Oct 2015
- Date Last Updated: 29 Oct 2015
- Document Revision: 22
If you have feedback, comments, or additional information about this vulnerability, please send us email.