Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a Secure Shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub uses a type of security authentication called “pass the hash.” When a password is entered into a device, it normally scrambles the password upon entry and stores it that way so only someone or something with the right encryption code can access it. “Pass the hash” means the Zipato hub does not need to unscramble the password to use it; the device grants access even if the scrambled (hashed) version is used, which allowed Dardaman and Wheeler access.
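To make the “pass the hash” weakness concrete, the following added example (not code from Zipato or the researchers) contrasts a login check that accepts the stored hash itself with one that recomputes a salted hash from the submitted password. The function names, the use of SHA-256 and PBKDF2, and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PASSWORD = "constructed-sample-password"  # constructed sample value
ITERATIONS = 200_000                      # assumed PBKDF2 work factor

def weak_register(password: str) -> str:
    # The device stores an unsalted hash of the password.
    return hashlib.sha256(password.encode()).hexdigest()

def weak_login(stored_hash: str, presented: str) -> bool:
    # Flaw: the client is expected to send the hash, so the stored value
    # is itself the credential. Whoever reads it can log in with it.
    return hmac.compare_digest(stored_hash, presented)

def strong_register(password: str) -> tuple[bytes, bytes]:
    # Per-account random salt plus a slow key-derivation function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def strong_login(record: tuple[bytes, bytes], presented_password: str) -> bool:
    # The server derives the hash from whatever the client sends, so the
    # stored digest is only a verifier and cannot be replayed as a password.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac(
        "sha256", presented_password.encode(), salt, ITERATIONS
    )
    return hmac.compare_digest(digest, candidate)

def replay_results() -> tuple[bool, bool, bool]:
    """Present a stored value, as read from device storage, to each login check."""
    weak_stored = weak_register(PASSWORD)
    strong_record = strong_register(PASSWORD)
    leaked_digest_hex = strong_record[1].hex()
    return (
        weak_login(weak_stored, weak_stored),            # stored hash accepted
        strong_login(strong_record, leaked_digest_hex),  # stored hash rejected
        strong_login(strong_record, PASSWORD),           # real password accepted
    )

if __name__ == "__main__":
    print(replay_results())
```

The hardened check assumes the password travels to the device over an encrypted channel; the point is only that a value copied from storage no longer works as a login.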

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. After the researchers’ findings were made public, Zipato released a statement saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn
Former Digital Trends Contributor