A Loxone system is not only designed to protect residential and commercial buildings as a structure, but also the data and privacy of the occupants in that building. This is arguably in contrast to many IoT solutions – in that the Loxone Miniserver does not send any data about the user behaviour to any online services. Basically, a Loxone system works entirely without an internet connection. However, since many users want to be able to control their building from afar, or make use of the weather services to enhance the automation, an internet connection would be required in these cases. As such, security measures related to this are regularly assessed in conjunction with both internal and external experts.
A few weeks ago, we were informed about a weakness in the Loxone Cloud DNS by the Hagenberg campus of the University of Applied Sciences Upper Austria, with whom we have already co-operated on several projects. Their Security Advisory discusses the theoretical possibility of the Loxone Cloud DNS registering the wrong IP address as a result of fake data packets. This would enable an attacker to temporarily store the IP address of a website similar to the Loxone Web Interface and thus access the login information of a Loxone installation.
Several prerequisites must exist to be able to exploit this vulnerability. The attacked would need to know the MAC address of the Loxone Miniserver; the Miniserver would need to be registered and active on the Loxone Cloud DNS, and a user would need to make a login attempt at the time of the attempted exploit – as the Miniserver updates the IP address after every minute. Additionally, should an attacker want to undertake any damage on-site, they would need to know the physical address where the Miniserver is installed.
There have been no known instances of this vulnerability actually being exploited by an attacker.
The security of Loxone users and consumer installations is a priority for as at the core of what we do. For this reason, we have taken immediate measures to permanently prevent this attack scenario.