Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a secure shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub's authentication is open to a technique called “pass the hash.” When a password is entered into a device, the device normally scrambles (hashes) the password upon entry and stores it that way, so the original password is not kept. “Pass the hash” means the Zipato hub does not need the unscrambled password to grant access; the device grants access even if the scrambled (hashed) version is used, which allowed Dardaman and Wheeler access.
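The difference between a login check that accepts the stored hash and one that does not, as an added example (not Zipato's code and not from the researchers; the account name, password and function names are constructed for illustration):

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery"  # constructed sample secret

# Weak design: the API accepts the hash itself, so the stored value
# is as good as the password to anyone who obtains a copy of it.
WEAK_DB = {"admin": hashlib.sha256(PASSWORD.encode()).hexdigest()}

def weak_login(user: str, presented_hash: str) -> bool:
    stored = WEAK_DB.get(user)
    if stored is None:
        return False
    return hmac.compare_digest(stored.encode(), presented_hash.encode())

# Hardened design: the client sends the password (over TLS) and the
# server derives a salted, slow hash from whatever it receives.
def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _derive(password, salt)

STRONG_DB = {"admin": make_record(PASSWORD)}

def strong_login(user: str, presented_secret: str) -> bool:
    record = STRONG_DB.get(user)
    if record is None:
        return False
    salt, stored = record
    # A replayed stored hash is hashed again here and no longer matches.
    return hmac.compare_digest(stored, _derive(presented_secret, salt))

def replay_results() -> dict:
    """Present each store's saved value back to its own login check."""
    leaked_weak = WEAK_DB["admin"]
    leaked_strong = STRONG_DB["admin"][1].hex()
    return {
        "weak_accepts_stored_hash": weak_login("admin", leaked_weak),
        "strong_accepts_stored_hash": strong_login("admin", leaked_strong),
        "strong_accepts_password": strong_login("admin", PASSWORD),
    }

if __name__ == "__main__":
    for check, outcome in replay_results().items():
        print(f"{check}: {outcome}")
```
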

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. Zipato released a statement after the researchers’ findings were made public saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn
Former Digital Trends Contributor
Patrick Hearn writes about smart home technology like Amazon Alexa, Google Assistant, smart light bulbs, and more. If it's a…