Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a secure shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.
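A defender can spot this class of problem by checking whether the same SSH key is authorized on more than one device. The sketch below is an added example, not code from the researchers or Zipato; the device names and key blobs are constructed, and it assumes plain `type base64 comment` entries with no leading options.

```python
import base64
import binascii
import hashlib
from collections import defaultdict


def _sample_key(seed: bytes) -> str:
    """Constructed authorized_keys line; the blob is dummy bytes, not a real key."""
    blob = base64.b64encode(hashlib.sha256(seed).digest()).decode()
    return f"ssh-ed25519 {blob} sample"


FACTORY = _sample_key(b"factory-image")  # stands in for a key baked into every unit
FLEET = {  # hypothetical device name -> contents of its authorized_keys file
    "hub-a": f"# constructed sample\n{FACTORY}\n{_sample_key(b'owner-a')}\n",
    "hub-b": f"{FACTORY}\n",
    "hub-c": f"{FACTORY}\n{_sample_key(b'owner-c')}\nnot-a-key-line\n",
}


def fingerprint(line: str):
    """OpenSSH-style SHA256 fingerprint of one entry, or None if it is not a key."""
    fields = line.split()
    if len(fields) < 2 or line.lstrip().startswith("#"):
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except (binascii.Error, ValueError):
        return None
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def shared_keys(fleet: dict) -> dict:
    """Map each fingerprint authorized on more than one device to those devices."""
    seen = defaultdict(set)
    for device, text in fleet.items():
        for line in text.splitlines():
            fp = fingerprint(line)
            if fp:
                seen[fp].add(device)
    return {fp: sorted(devs) for fp, devs in seen.items() if len(devs) > 1}


if __name__ == "__main__":
    for fp, devices in shared_keys(FLEET).items():
        print(f"{fp} is trusted by {len(devices)} devices: {', '.join(devices)}")
```

A key that appears on every unit behaves like a fleet-wide password: rotating it on one device does nothing for the others.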

In other words, every home with the same hub was vulnerable to attack. The Zipato hub’s authentication permits a technique called “pass the hash.” When a password is entered into a device, it normally scrambles the password upon entry and stores it that way so only someone or something with the right encryption code can access it. “Pass the hash” means the Zipato hub does not need to unscramble the password to use it; the device grants access even if the scrambled (hashed) version is used, which allowed Dardaman and Wheeler access.
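The difference between a login check that accepts the hash itself and one that does not can be shown in a few lines. This is an added example, not Zipato’s code: the account name, the password and the choice of unsalted SHA-256 for the weak design are assumptions made for illustration.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery"  # constructed sample credential
ITERATIONS = 600_000


# Weak design: the client submits a hash and the server compares it with the
# stored hash, so the stored value is as good as the password itself.
WEAK_DB = {"alice": hashlib.sha256(PASSWORD.encode()).hexdigest()}


def weak_login(user: str, submitted_hash: str) -> bool:
    stored = WEAK_DB.get(user, "")
    return hmac.compare_digest(stored.encode(), submitted_hash.encode())


# Hardened design: the server receives the password over an encrypted channel
# and derives the salted, slow hash itself before comparing.
def enroll(password: str):
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, derived


STRONG_DB = {"alice": enroll(PASSWORD)}


def strong_login(user: str, submitted_password: str) -> bool:
    salt, stored = STRONG_DB.get(user, (b"\0" * 16, b""))
    derived = hashlib.pbkdf2_hmac(
        "sha256", submitted_password.encode(), salt, ITERATIONS
    )
    return hmac.compare_digest(stored, derived)


def stored_value_accepted():
    """Submit each design's stored value as the credential: (weak, hardened)."""
    weak = weak_login("alice", WEAK_DB["alice"])
    strong = strong_login("alice", STRONG_DB["alice"][1].hex())
    return weak, strong


if __name__ == "__main__":
    print("stored value accepted (weak, hardened):", stored_value_accepted())
```

In the hardened check a leaked database entry is hashed again on submission and no longer matches, so it cannot stand in for the password.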

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. After the researchers’ findings were made public, Zipato released a statement saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn