Pwnie Awards 2017

2020 Nomination for Lamest Vendor Response

CHAL-TEC GmbH, aka Electronic Star, aka Auna

What can be more concerning for today’s generations than global warming? Yes, the security of IoT devices! Fortunately, you can use one problem to mitigate the other: if you complain to CHAL-TEC about backdoor accounts in their products, apparently they’ll send you a ceiling fan (firmware update not included):

“I bought an Auna Connect 100 IoT radio device in August 2018 on Electronic Star’s Amazon market (Auna and Electronic Star are both entities of CHAL-TEC GmbH). 30 days ago I asked them if there is a fix to their nearly one year old undocumented telnet backdoor problem (CVE-2019-13473 and CVE-2019-13474) and/or to reimburse me. This is what I received yesterday: “Je vous conseille de vous renseigner auprès de vos proches, voisins et/ou concierge. En effet, quelqu’un aurait pu réceptionner le colis pour vous en votre absence.” It means: I advise you to inquire with your relatives, neighbors and/or concierge. Indeed, someone could have received the package for you in your absence.”

CVE-2019-13473