Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a Secure Shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub's authentication is open to a technique called “pass the hash.” When a password is entered into a device, the device normally scrambles (hashes) it and stores only that scrambled form, so the original password is never kept in readable form. “Pass the hash” means the Zipato hub does not need the original password at all; the device grants access even if the scrambled (hashed) version is supplied, which allowed Dardaman and Wheeler access.
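The weakness described above, next to a corrected design, as an added example that is not code from Zipato or the researchers. The article does not describe the hub's actual hashing scheme, so SHA-256, PBKDF2, the class names and the sample password are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"  # constructed sample credential


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


class HashAcceptingLogin:
    """Weak (hypothetical): the client submits the hash and the server
    compares it with the stored hash, so the hash is as good as the password."""

    def __init__(self, password: str):
        self.stored = sha256_hex(password)

    def login(self, submitted_hash: str) -> bool:
        return hmac.compare_digest(submitted_hash, self.stored)


class ServerSideHashLogin:
    """Hardened (hypothetical): the client submits the password over a
    protected channel and the server derives the salted hash itself, so
    replaying the stored value does not authenticate."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)  # per-account random salt
        self.stored = self._derive(password)

    def _derive(self, secret: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)

    def login(self, submitted_password: str) -> bool:
        return hmac.compare_digest(self._derive(submitted_password), self.stored)


def demo() -> dict:
    weak = HashAcceptingLogin(PASSWORD)
    strong = ServerSideHashLogin(PASSWORD)
    return {
        # The stored value read off the device logs in without the password.
        "weak_accepts_stored_hash": weak.login(weak.stored),
        "strong_accepts_password": strong.login(PASSWORD),
        # The stored value is re-hashed on arrival, so it no longer matches.
        "strong_accepts_stored_hash": strong.login(strong.stored.hex()),
    }


if __name__ == "__main__":
    print(demo())
```
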

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. After the researchers’ findings were made public, Zipato released a statement saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn
Former Digital Trends Contributor