
Researchers discover a worrying security flaw in Zipato smart home hubs

In light of recent discussion surrounding smart home security, researchers Chase Dardaman and Jason Wheeler began to look into popular smart home hubs to discover just how secure the devices actually were. What they found is unsettling at best, TechCrunch reports. The two researchers hacked into a ZipaMicro, a smart home hub produced by the Croatian company Zipato. Their research revealed three specific security flaws that, when used in conjunction with one another, could open a smart lock connected to the hub.

Dardaman and Wheeler discovered that a secure shell (SSH) key, a standard part of most modern network security, had been hardcoded into every hub. This key could be extracted from the memory card on the device. What’s more, anyone with the private key could access the device without the master password.

In other words, every home with the same hub was vulnerable to attack. The Zipato hub uses a type of security authentication called “pass the hash.” When a password is entered into a device, it normally scrambles the password upon entry and stores it that way so only someone or something with the right encryption code can access it. “Pass the hash” means the Zipato hub does not need to unscramble the password to use it; the device grants access even if the scrambled (hashed) version is used, which allowed Dardaman and Wheeler access.
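The following is an added illustration of the weakness described above, not code from Zipato or from the researchers. The hub's real API and hash algorithm are not given in this article, so the SHA-1 hashing, the function names and the sample account are assumptions. It contrasts a login check that accepts the stored hash as the credential with one that derives a salted hash on the server from whatever the client submits.

```python
import hashlib
import hmac
import os

PASSWORD = "correct horse battery staple"  # constructed sample credential


def sha1_hex(text: str) -> str:
    """Unsalted hash, standing in for whatever the device stores (assumption)."""
    return hashlib.sha1(text.encode()).hexdigest()


# Weak design: the client sends the hash and the server compares it to storage,
# so the stored value is itself the credential.
WEAK_DB = {"alice": sha1_hex(PASSWORD)}


def weak_login(user: str, submitted_hash: str) -> bool:
    stored = WEAK_DB.get(user)
    return stored is not None and hmac.compare_digest(stored, submitted_hash)


def derive(secret: str, salt: bytes) -> bytes:
    """Server-side salted, slow derivation of whatever the client submitted."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


# Hardened design: the server always derives from the submitted secret, so
# replaying a stored value only gets hashed again and fails to match.
_salt = os.urandom(16)
STRONG_DB = {"alice": (_salt, derive(PASSWORD, _salt))}


def strong_login(user: str, submitted_secret: str) -> bool:
    record = STRONG_DB.get(user)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(stored, derive(submitted_secret, salt))


def stored_value_is_credential() -> dict:
    """Submit only what sits in each store, never the password itself."""
    return {
        "weak": weak_login("alice", WEAK_DB["alice"]),
        "hardened": strong_login("alice", STRONG_DB["alice"][1].hex()),
    }
```

In the weak design a leaked or intercepted hash is as good as the password; in the hardened one the stored value is useless on its own and the real password still logs in.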

While this vulnerability only applies to Zipato hubs, any device operating under the same account is open to attack. Many apartment buildings have begun to install smart locks in units to offer potential renters more convenience, but this exploit means any apartment under the same account could be opened at will.

The ZipaMicro is designed to grant homeowners easy control of all their devices through a central point, but these findings show how a hub can potentially create vulnerabilities that bypass other security measures.

Of course, there are obstacles in the way. Any attacker would need to have access to the same Wi-Fi network as the smart hub in question. If a device is connected to the internet, however, that is no longer an issue — an attacker could gain remote access.

According to Zipato, it has 112,000 devices across 20,000 households, but the exact number of vulnerable systems is not yet known. After the researchers’ findings were made public, Zipato released a statement saying that multiple security improvements have been made, but the existence of such a vulnerability brings security advocates’ concerns front and center: Smart home technology needs more protection.

Patrick Hearn
Patrick Hearn writes about smart home technology like Amazon Alexa, Google Assistant, smart light bulbs, and more. If it's a…