A security issue has been identified in a widely used smart home device that could allow information to be leaked via the device’s API. Improper access control vulnerability in WifiSetupLaunchHelper in SmartThings prior to version 184.108.40.206 allows attackers to access sensitive information via implicit intent.
CVE ID: CVE-2019-3889 Details: An improper access control vulnerability has been identified in WifiSetupLaunchHelper in SmartThings prior to version 220.127.116.11.
CVE ID: CVE-2019-3890 Details: An improper access control vulnerability has been identified in WifiSetupLaunchHelper in SmartThings prior to version 18.104.22.168.
Because there are no official updates available from the SmartThings support team, users can only patch their devices with a custom firmware update. A fix is currently available via the below method.
Install Firmware Update for SmartThings
To install the firmware update, please follow the instructions in this article:
Update firmware on SmartThings devices
The proper way to update the firmware on your SmartThings device is to download and install the appropriate firmware update. In order to do this, you'll need to configure your device's permissions in the SmartThings app by following these instructions:
1. Go into the "Device Settings" section of the SmartThings app.
2. Select "Permissions".
3. Uncheck all permissions except for "Control Zigbee devices".
Installing a custom firmware upgrade from the SmartThings website
The below step by step guide is for installing a custom firmware update from the SmartThings website.
1) Login to the SmartThings website and select ‘Settings’ on the left
2) Select ‘SmartApps’ in the list of tabs, then open ‘WifiSetupLaunchHelper’
3) Click Edit Code at the bottom of this page and paste in your custom firmware upgrade into the text box, ex: https://www.smartthings.com/thing/web?api_key=xxxxxxxxx&firmware_name=custom-firmware-upgrade&firmware_version=1.0&minor_version=2
4) Click Save at the top of this page and once you're back on the main dashboard of your SmartThings account, you'll find your device's firmware version updated to include your new custom firmware
Fixing SmartThings Devices
If you are a SmartThings user, there are a couple of methods for fixing the issue. You can either download the firmware update from the below link or use a custom firmware update on your device.
Published on: 10/07/2022 15:15:00 UTC
Last modified on: 10/11/2022 22:57:00 UTC