Critical Security Flaws in Zipato Smart Hub Let Hackers Walk into Your Home
Three security vulnerabilities in Zipato smart hubs, including a critical one, enable hackers, when combined, to break into a user’s home by easily unlocking smart locks on doors, writes TechCrunch.
“Two vulnerabilities are in the design and implementation of the authentication mechanism in the Zipato Application Programming Interface (API),” say security researchers Chase Dardaman and Jason Wheeler at Blackmarble. “The third vulnerability is embedded SSH private key for ROOT which isn’t unique and can be extracted.”
Any hacker on the same WI-FI network as the smart hub can abuse the security flaws. For a detailed technical description, take a look at their article.
The flaws were detected in March, but Dardaman and Wheeler wanted to give the manufacturer a chance to fix the glitches. After it was informed about the possible hacker compromise, Zipato immediately fixed the vulnerabilities and stopped selling the vulnerable ZipaMicro hub devices.
Zipato is a Croatian company that develops a control and automation platform designed to protect the smart home “from burglary, fire, flood, gas and any other unwanted events,” according to their website. Zipato says it has 112,000 devices in 20,000 households globally. The company did not release an official number of affected hubs.
Smart home technology falls in a grey area when it comes to security. The news about Zipato hubs comes not long after ZDNet reported that a Chinese developer of a smart home management platform exposed billions of records including user information and passwords online through an unsecured ElasticSearch server.
What is medical identity theft and how to protect against it
July 27, 2022
Identifying and Dealing with Online Bullying Is Not Impossible - School Presentation Inside
June 28, 2022
Let’s Celebrate World Social Media Day by Improving Your Privacy and Security Online
June 28, 2022
Bitdefender Reveals the Top Cyber Threats Faced by Consumers in 2021
June 22, 2022
Scam alert: Cybercrooks use shady investment domain to scam keen investors out of money and data
May 24, 2022