
Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a Secure Shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub's authentication is also open to a technique called “pass the hash.” When a password is entered into a device, the device normally scrambles (hashes) it upon entry and stores it that way, so the original password is never kept in readable form. “Pass the hash” means the Zipato hub does not need the original password to grant access; the device grants access even if the scrambled (hashed) version is presented, which allowed Dardaman and Wheeler access.
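An added example, not from the original article and not Zipato's code: a minimal Python model of a login check that accepts the hash as the credential, next to one where the stored value cannot be replayed. The class names, the SHA-256 and PBKDF2 choices, and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

class WeakHub:
    """Treats the hash as the credential: the behaviour described above."""
    def __init__(self, password: str):
        self.stored = self.client_send(password)

    @staticmethod
    def client_send(password: str) -> str:
        # A legitimate client hashes locally and sends only the hash.
        return hashlib.sha256(password.encode()).hexdigest()

    def login(self, presented: str) -> bool:
        # The server only compares, so the stored value is itself a login token.
        return hmac.compare_digest(presented.encode(), self.stored.encode())

class HardenedHub:
    """Hashes whatever is presented, so the stored verifier cannot be replayed."""
    ITERATIONS = 200_000  # assumption: tune to the device's CPU budget

    def __init__(self, password: str):
        self.salt = os.urandom(16)  # per-account random salt
        self.stored = self._derive(password)

    @staticmethod
    def client_send(password: str) -> str:
        # The client sends the password itself, over an encrypted channel.
        return password

    def _derive(self, secret: str) -> str:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, self.ITERATIONS).hex()

    def login(self, presented: str) -> bool:
        return hmac.compare_digest(self._derive(presented).encode(), self.stored.encode())

def stored_value_grants_access(hub) -> bool:
    """Model a party who has read the hub's stored value and presents it as-is."""
    return hub.login(hub.stored)

if __name__ == "__main__":
    pw = "constructed-example-password"  # constructed sample value
    for hub in (WeakHub(pw), HardenedHub(pw)):
        # Columns: class name, legitimate login works, stored value works as a login
        print(type(hub).__name__, hub.login(hub.client_send(pw)), stored_value_grants_access(hub))
```

In the hardened model the stored verifier is still sensitive, since it can be guessed against offline, but reading it no longer amounts to holding a working login.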

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. After the researchers’ findings were made public, Zipato released a statement saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn
Patrick Hearn writes about smart home technology like Amazon Alexa, Google Assistant, smart light bulbs, and more. If it's a…