When is a smart home not so smart? When it can be hacked. That’s exactly what security researchers Chase Dardaman and Jason Wheeler did with one of the Zipato smart hubs.
In new research, Dardaman and Wheeler found three security flaws which, when chained together, could be abused to open a front door with a smart lock. They began looking into the ZipaMicro, a popular smart home hub developed by Croatian firm Zipato, some months ago, but only released their findings once the flaws had been fixed.
The researchers found they could extract the hub’s private SSH key for “root” — the user account with the highest level of access — from the memory card on the device. Using that private key, the researchers downloaded a file from the device containing scrambled passwords used to access the hub. They found that the smart hub uses a “pass-the-hash” authentication system, which doesn’t require knowing the user’s plaintext password, only the scrambled version. By taking the scrambled password and passing it to the smart hub, the researchers could trick the device into thinking they were the homeowner.
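The weakness in that last step, modelled as an added Python example that is not code from the researchers or from Zipato: when a server compares a client-supplied digest against the stored one, the stored value is itself the credential. The unsalted SHA-256 digest, the PBKDF2 parameters and all function names are assumptions chosen for illustration, and the sample password is constructed.

```python
import hashlib
import hmac
import os

# Constructed sample data; the hash algorithm and record layout are assumptions.
PASSWORD = "correct horse battery staple"
ITERATIONS = 200_000


def weak_enroll(password: str) -> str:
    """Weak scheme: store an unsalted digest of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_login(stored_digest: str, client_digest: str) -> bool:
    """Weak scheme: the client sends the digest and the server compares it
    directly, so the stored digest works as the password."""
    return hmac.compare_digest(stored_digest, client_digest)


def hardened_enroll(password: str) -> tuple[bytes, bytes]:
    """Hardened scheme: store a random salt and a slow, salted derivation."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def hardened_login(record: tuple[bytes, bytes], submitted: str) -> bool:
    """Hardened scheme: the server always derives from what the client sent,
    so submitting a copied stored value does not reproduce that value."""
    salt, stored = record
    derived = hashlib.pbkdf2_hmac("sha256", submitted.encode(), salt, ITERATIONS)
    return hmac.compare_digest(stored, derived)


def leaked_value_authenticates() -> dict[str, bool]:
    """Submit each scheme's stored value as the login input, as anyone holding
    a copy of the credential file could, then the real password as a control."""
    weak_record = weak_enroll(PASSWORD)
    hard_record = hardened_enroll(PASSWORD)
    return {
        "weak": weak_login(weak_record, weak_record),
        "hardened": hardened_login(hard_record, hard_record[1].hex()),
        "hardened_real_password": hardened_login(hard_record, PASSWORD),
    }


if __name__ == "__main__":
    print(leaked_value_authenticates())
```

The hardened form assumes the password only travels over an authenticated, encrypted channel such as TLS, since the server now needs the plaintext to derive from.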
Read More at TechCrunch