Why it matters: A security researcher recently discovered a severe vulnerability within a popular smart home security system. Engineers quickly patched the hole, but the issue could still cause consumers to be weary of having their entire security system controlled through a mobile app.
Eaton is a company that focuses on power and electronic-related products and services. One of Eaton's most used services is SecureConnect, a cloud-based security system with a mobile app for remote control. The program allows users to govern the various security features, such as managing the system or disarming and enabling the alarms when necessary.
One unique feature allows users to assign accounts to groups from the app. The functionality is helpful for families who come and go at different times and need to disarm the security system at various hours. For example, adding one's children to the family group allows them to turn off the alarm and enter the house after school without disturbing Mom or Dad at work.
Unfortunately, security researcher Vangelis Stykas discovered a severe vulnerability within SecureConnect's grouping feature. The bug allowed an attacker to assign themselves to any possible group of users, including the company's "root" group. Stykas claimed being in this group "gave access to everything" connected to the SecureConnect cloud service.
Stykas exploited the SecureConnect app using an attack known as an insecure direct object reference (IDOR). Using a "man-in-the-middle" tool, such as Burp Suite, a hacker could easily change their group number to anything they wanted. In this case, Stykas switched his account to group 1, which is Eaton's root group. Bad actors accessing the root group can see other users' registered names, locations, and specific products. Even worse, hijackers theoretically could have remotely controlled anyone's security systems.
Eaton released a security notification claiming it located the bug in its group access authorization logic. According to Eaton spokesperson Jonathan Hart, the company patched the vulnerability last month. Hart declined to state how many customers use Eaton's security system, so estimating the number of users impacted is difficult. However, Stykas claims the number is in the "high tens of thousands."
Eaton also confirmed that the vulnerability was an isolated event, so thankfully, Stykas was the only user to have discovered the flaw. The results could have been significantly worse if black hats had found the bug instead white hats.