Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a secure shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub's authentication also allows what is called “pass the hash.” When a password is entered into a device, the device normally scrambles (hashes) the password upon entry and stores it that way rather than in readable form. “Pass the hash” means the Zipato hub does not need the unscrambled password; the device grants access even if the scrambled (hashed) version is presented, which allowed Dardaman and Wheeler access.
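The difference between a login check that accepts the stored hash as the credential and one that does not, as an added illustration that is not Zipato's code or protocol. All function names and the sample password are constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for the hardened variant


def weak_enroll(password: str) -> str:
    # The server stores the bare hash; the client later sends this same value.
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(stored_hash: str, presented_hash: str) -> bool:
    # Received value is compared directly with the stored value, so the
    # stored hash is itself a working credential (hash-equivalent login).
    return hmac.compare_digest(stored_hash, presented_hash)


def hardened_enroll(password: str) -> tuple[bytes, bytes]:
    # Per-account random salt plus a slow key-derivation function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def hardened_login(record: tuple[bytes, bytes], presented: str) -> bool:
    # The server always derives the digest itself from what it receives,
    # so presenting the stored digest does not reproduce the stored digest.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest, candidate)


def demo() -> dict:
    password = "constructed-sample-password"  # constructed sample input
    weak_record = weak_enroll(password)
    strong_record = hardened_enroll(password)
    return {
        # Someone who reads the stored value can log in without the password.
        "weak_accepts_stored_hash": weak_login(weak_record, weak_record),
        "hardened_accepts_password": hardened_login(strong_record, password),
        # The stored digest, presented as a credential, is rejected.
        "hardened_accepts_stored_hash": hardened_login(strong_record, strong_record[1].hex()),
    }


if __name__ == "__main__":
    print(demo())
```

The hardened variant assumes the password travels over an encrypted channel; without one, the password itself would be exposed in transit.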

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. Zipato released a statement after the researchers’ findings were made public saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn