Executive Summary

Title Qolsys IQ Panel contains multiple vulnerabilities
Name VU#573848 First vendor Publication 2015-10-29
Vendor VU-CERT Last vendor Modification 2015-10-29
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores


Vulnerability Note VU#573848

Qolsys IQ Panel contains multiple vulnerabilities

Original Release date: 29 Oct 2015 | Last revised: 29 Oct 2015


All firmware versions of Qolsys IQ Panel contain hard-coded cryptographic keys, do not validate signatures during software updates, and use a vulnerable version of Android OS.


Qolsys IQ Panel is an Android OS-based touch screen controller for home automation devices and functions. All firmware versions contain the following vulnerabilities.

CWE-321: Use of Hard-coded Cryptographic Key - CVE-2015-6032

Qolsys IQ Panel contains multiple hard-coded cryptographic keys. With these keys it may be possible for attackers to sign malicious code that would then be accepted as valid by affected devices.

CWE-347: Improper Verification of Cryptographic Signature - CVE-2015-6033

Qolsys IP Panel fails to properly validate cryptographic signatures for software updates before installing them. Malicious updates provided by an attacker may be accepted as valid by affected devices.

CWE-937: OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

Qolsys IP Panel uses an outdated version of Android OS with known vulnerabilities. An attacker may be able to leverage vulnerabilities affecting Android 2.2.1 to compromise affected devices.

The CVSS score below is for CVE-2015-6033.


A remote, unauthenticated attacker may be able to inject malicious firmware or software updates that will be accepted as valid by affected devices. It may be possible to leverage known vulnerabilities affecting Android OS 2.2.1 compromise affected devices.


The CERT/CC is currently unaware of a practical solution to this problem. The vendor has indicated that they will release QOL 1.5.1 to address these issues in November 2015, but until then, users should consider the following workaround.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Since the nature of these vulnerabilities means that malicious updates can be made to appear valid, users should consider disabling automatic updates altogether. Users should confirm the source of any update before applying it manually.

Vendor Information (Learn More)

VendorStatusDate NotifiedDate Updated
QolsysAffected23 Jun 201529 Oct 2015
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)



  • http://www.qolsys.com/
  • https://cwe.mitre.org/data/definitions/321.html
  • https://cwe.mitre.org/data/definitions/347.html
  • https://cwe.mitre.org/data/definitions/937.html
  • https://www.cvedetails.com/vulnerability-list/vendor_id-1224/product_id-19997/version_id-103819/Google-Android-2.2.1.html


Thanks to Roman Faynberg from Carve Systems for reporting this vulnerability.

This document was written by Joel Land.

Other Information

  • CVE IDs:CVE-2015-6032CVE-2015-6033
  • Date Public:29 Oct 2015
  • Date First Published:29 Oct 2015
  • Date Last Updated:29 Oct 2015
  • Document Revision:22


If you have feedback, comments, or additional information about this vulnerability, please send us email.

Original Source

Url : http://www.kb.cert.org/vuls/id/573848

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-310 Cryptographic Issues
50 % CWE-255 Credentials Management

Alert History

If you want to see full details history, please login or register.
Date Informations
2015-11-02 21:27:25
  • Multiple Updates
2015-10-31 09:26:36
  • Multiple Updates
2015-10-29 21:21:46
  • First insertion