Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service

Exploit Author: LiquidWorm
Analysis Author: www.bubbleslearn.ir
Category: DoS
Language: Shell
Published Date: 2023-10-09
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service
Exploit Author: LiquidWorm

Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8

Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observe
the results on the server, as well as cooperate
with other I/O systems based on TCP/IP and Modbus.

Desc: The controller suffers from an unauthenticated
remote denial of service vulnerability. An attacker
can issue direct requests to the stm.cgi page to
reboot and also reset factory settings on the device.

Tested on: lwIP


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2023-5785
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php


18.08.2023

--


$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings
$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1   # reboot controller


Tinycontrol LAN Controller v3 (LK3) 1.58a – Remote Denial of Service Vulnerability: A Deep Dive

The Tinycontrol LAN Controller v3 (LK3) 1.58a, a widely used industrial IoT device, has recently been flagged for a critical remote denial of service (DoS) vulnerability. Discovered by cybersecurity researcher Gjoko "LiquidWorm" Krstic, this flaw allows unauthenticated attackers to remotely reboot or factory-reset the device, effectively rendering it unusable without physical access.

Understanding the Device and Its Role

Tinycontrol’s LK3 series is designed as a versatile IoT gateway for monitoring and controlling various sensors and actuators across industrial, agricultural, and smart building environments. It supports protocols like Modbus, TCP/IP, and integrates with cloud platforms for remote data visualization and automation.

Key features include:

  • Real-time sensor monitoring (temperature, humidity, pressure, voltage, current)
  • Remote control of up to 10 outputs (relays, switches, etc.)
  • Event-based automation via "if -> then" logic with calendar integration
  • Web-based user interface accessible via standard browsers

Its popularity stems from its low cost, ease of setup, and broad protocol compatibility. However, its simplicity belies a significant security oversight.

Exploitation Mechanism: The stm.cgi Endpoint

The vulnerability lies in the stm.cgi web endpoint, which is exposed to the network without authentication. This CGI script handles internal device commands, including system-level operations such as rebooting and resetting EEPROM settings.


curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1

This simple HTTP request triggers a factory reset—erasing all user configurations, saved events, network settings, and calibration data. The device reverts to default state, effectively locking out users until reconfigured.


curl http://192.168.1.1:8082/stm.cgi?lk3restart=1

Similarly, this command forces an immediate reboot of the controller. While not as destructive as a factory reset, repeated exploitation can lead to sustained service disruption, especially in critical environments like HVAC systems or process control.

Why This is a Critical Vulnerability

Because the endpoint requires no authentication, any host that can reach the device's web port can trigger these actions, making it an easy target for an attacker with even minimal access to the local network. This is particularly dangerous in environments where:

  • Devices are deployed in public or shared networks
  • Firewalls are misconfigured or absent
  • Remote access via the internet is enabled (e.g., via port forwarding)

Attackers can exploit this flaw for unauthorized DoS attacks, disrupting operations without needing credentials or advanced tools.

Technical Root Cause

Analysis of the device’s firmware reveals that the stm.cgi script lacks input validation and access controls. It directly executes system commands based on query parameters—specifically:

  • eeprom_reset=1 → triggers EEPROM wipe
  • lk3restart=1 → initiates reboot

These parameters are interpreted as binary triggers, with no checks for request origin, user identity, or rate-limiting. The device's HTTP service is built on lwIP, a lightweight TCP/IP stack for embedded systems that provides no authentication or throttling layer of its own, so any such checks must be implemented by the application, and here they were not.

Real-World Impact and Use Cases

Consider a smart greenhouse using LK3 controllers to regulate temperature and irrigation. An attacker could:

  • Send repeated lk3restart=1 requests, causing the system to cycle every few seconds
  • Trigger eeprom_reset=1 to erase all automation rules, leaving plants unregulated
  • Disrupt data logging, leading to loss of environmental records

Similarly, in a factory automation setup, a single DoS attack could halt production lines reliant on sensor feedback and relay control—causing significant downtime and financial loss.
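The reboot-cycling and factory-reset scenarios above are easy to spot on the wire, since both actions are plain GET requests to stm.cgi with a fixed parameter. The following detector is an added example, not part of the advisory or the vendor's firmware: it scans constructed "timestamp src method path" records, as a tap or reverse proxy in front of the controller might log them (the LK3 itself keeps no access log), marks requests from an assumed trusted management range as expected and everything else as an alert, and raises a separate restart-flood alert when one source reboots the device repeatedly within a short window. Addresses and the log format are hypothetical.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# stm.cgi parameters named in the advisory and the destructive action each triggers.
DANGEROUS_PARAMS = {"eeprom_reset": "factory reset", "lk3restart": "reboot"}

# Constructed sample records: epoch timestamp, source IP, method, request path.
SAMPLE_LOG = """\
1695000000 10.0.0.5 GET /index.html
1695000001 10.0.0.5 GET /stm.cgi?lk3restart=1
1695000002 198.51.100.7 GET /stm.cgi?lk3restart=1
1695000004 198.51.100.7 GET /stm.cgi?lk3restart=1
1695000006 198.51.100.7 GET /stm.cgi?lk3restart=1
1695000030 198.51.100.7 GET /stm.cgi?eeprom_reset=1
1695000031 10.0.0.9 GET /stm.cgi?foo=1
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse_query(path):
    """Return the query-string parameters of a request path as a dict."""
    _, _, query = path.partition("?")
    return dict(p.split("=", 1) if "=" in p else (p, "") for p in query.split("&") if p)

def find_stm_abuse(log_text, trusted_nets=(), window=10, max_restarts=2):
    """Return (timestamp, src, action, verdict) for every reboot/reset request.

    Requests from trusted_nets (CIDR strings) are 'expected'; all others 'alert'.
    More than max_restarts reboots from one source within `window` seconds adds
    a 'restart-flood' alert, the sustained-DoS pattern described in the text.
    """
    nets = [ip_network(n) for n in trusted_nets]
    restarts = defaultdict(list)   # src -> timestamps of recent reboot requests
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m[4].startswith("/stm.cgi"):
            continue
        ts, src, path = int(m[1]), m[2], m[4]
        params = parse_query(path)
        for name, action in DANGEROUS_PARAMS.items():
            if params.get(name) != "1":
                continue
            trusted = any(ip_address(src) in n for n in nets)
            findings.append((ts, src, action, "expected" if trusted else "alert"))
            if name == "lk3restart":
                restarts[src] = [t for t in restarts[src] if ts - t <= window] + [ts]
                if len(restarts[src]) > max_restarts:
                    findings.append((ts, src, "restart-flood", "alert"))
    return findings
```

Feeding real proxy or IDS records in the same four-field shape (or adapting LINE_RE) turns this into a simple alert source for the "repeated lk3restart" and "eeprom_reset" cases without ever touching the controller.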

Vendor Response and Mitigation

As of August 2023, Tinycontrol has acknowledged the issue. The advisory ZSL-2023-5785 issued by Zeroscience recommends:

  • Immediate firmware update to version 1.59 or higher
  • Disabling remote access via internet
  • Implementing firewall rules to restrict access to stm.cgi to trusted IP ranges
  • Enabling HTTP authentication (if supported in newer firmware)

For affected devices running 1.58a or earlier, the only mitigation is to physically secure the network and monitor for suspicious traffic.

Security Best Practices for IoT Devices

This vulnerability highlights a recurring pattern in embedded systems: exposed system endpoints without authentication. Experts recommend the following:

  • Principle of least privilege: Only expose necessary endpoints, and restrict access based on role
  • Input validation: Sanitize and verify all parameters before execution
  • Rate limiting: Prevent repeated exploitation via throttling
  • Secure firmware updates: Ensure updates are signed and verified
  • Network segmentation: Isolate IoT devices from critical systems

Organizations should conduct regular penetration testing on deployed IoT infrastructure to identify such hidden attack vectors.

Conclusion

The Tinycontrol LK3 v3 1.58a DoS vulnerability serves as a stark reminder: even simple, widely used IoT devices can harbor serious security flaws. The lack of authentication on critical endpoints like stm.cgi is a critical oversight that can be exploited with minimal effort. Proactive patching, network hardening, and awareness are essential to protect industrial and automation systems from such threats.

For users, the takeaway is clear: update firmware promptly and never expose device interfaces to untrusted networks.