Analysts at security company Rapid7 revealed that smart home devices from Eaton and BlueCats have considerable security issues, reports Forbes. This prompted the firm to warn users of smart home products from these two companies.
According to Rapid7’s Deral Heiland, the HALO Home Smart Lighting System by power management company Eaton and the Bluetooth-operated proximity sensor AA Beacon by Internet of Things start-up BlueCats were both found to have vulnerabilities.
Heiland clarifies that the issues ‘range from low- to medium-severity,’ which means that remote code execution is unlikely. However, the expert says that these issues still put customers’ information at risk.
For Eaton’s HALO Home Smart Lighting System, the security issue arose from Halo Home, the Android mobile application needed to operate the smart home product. The app requires access to the device’s storage in order to save its data, some of which is personal and sensitive.
Analysts found that the application did not encrypt this information, leaving it open to disclosure. However, they clarified that any exploit would require physical access to the device, which makes large-scale campaigns against Halo Home users highly improbable.
Aside from the lack of encryption, the app also suffers from an Insecure Direct Object Reference (IDOR). This allows anyone who has the direct link to a page holding a customer’s information to view it.
Details exposed through this issue may include email addresses, a unique identifier, the device’s version and its MAC address. This is where the vulnerability becomes serious, as attackers can use the MAC address to reach the lighting management device.
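To make the IDOR point concrete, the following added example (not code from Rapid7, Eaton or BlueCats, and not a reconstruction of the Halo Home app) shows a generic customer-lookup handler in its IDOR-prone form beside a hardened form, plus a simple detection pass over constructed access-log lines. The record fields mirror the details named above (email, identifier, device version, MAC address); every value, URL shape, token and log line is constructed for the illustration.

```python
"""Insecure Direct Object Reference (IDOR): a vulnerable lookup beside a
hardened one, plus a detection pass over constructed access-log lines.

Added illustration, not code from Rapid7, Eaton or BlueCats. The record
fields mirror the details named in the article (e-mail, identifier, device
version, MAC address); every value, URL shape and token is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Set
from urllib.parse import parse_qs, urlparse


@dataclass(frozen=True)
class Customer:
    customer_id: int
    email: str
    device_version: str
    mac_address: str


# Constructed sample records (placeholder values, not real customers).
CUSTOMERS = {
    1001: Customer(1001, "alice@example.com", "1.2.0", "00:11:22:33:44:01"),
    1002: Customer(1002, "bob@example.com", "1.2.0", "00:11:22:33:44:02"),
}

# Constructed session store: bearer token -> customer_id of the logged-in user.
SESSIONS = {"token-alice": 1001, "token-bob": 1002}


def customer_id_from_url(url: str) -> Optional[int]:
    """Read the ?id= parameter from a URL such as /api/customer?id=1002."""
    values = parse_qs(urlparse(url).query).get("id")
    if not values or not values[0].isdigit():
        return None
    return int(values[0])


def vulnerable_lookup(url: str, token: str) -> Optional[Customer]:
    """IDOR-prone handler: it authenticates the caller, then trusts the id in
    the URL. Any logged-in user who edits the id receives another customer's
    e-mail, device version and MAC address."""
    if token not in SESSIONS:
        return None
    return CUSTOMERS.get(customer_id_from_url(url))


def hardened_lookup(url: str, token: str) -> Optional[Customer]:
    """Hardened handler: the requested id must match the identity bound to the
    session. A mismatch is answered exactly like a missing record, so the
    response does not reveal whether the other id exists."""
    owner = SESSIONS.get(token)
    cid = customer_id_from_url(url)
    if owner is None or cid is None or cid != owner:
        return None
    return CUSTOMERS.get(cid)


def reachable_ids(handler: Callable[[str, str], Optional[Customer]],
                  token: str) -> Set[int]:
    """Which customer records one session can retrieve through a handler."""
    found = set()
    for cid in CUSTOMERS:
        record = handler(f"/api/customer?id={cid}", token)
        if record is not None:
            found.add(record.customer_id)
    return found


# Constructed access-log lines: "<token> GET <path>". A real deployment would
# log a user identifier rather than the raw session token.
SAMPLE_LOG = [
    "token-alice GET /api/customer?id=1001",
    "token-bob GET /api/customer?id=1001",
    "token-bob GET /api/customer?id=1002",
    "token-bob GET /api/customer?id=1003",
]


def cross_account_requests(log_lines: List[str]) -> List[str]:
    """Detection pass: flag requests whose id does not belong to the session.
    A burst of these from one session is the signature of identifier
    enumeration and is worth alerting on even when the handler is hardened."""
    flagged = []
    for line in log_lines:
        token, _method, path = line.split(" ", 2)
        owner = SESSIONS.get(token)
        cid = customer_id_from_url(path)
        if owner is not None and cid is not None and cid != owner:
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("vulnerable, alice reaches:", sorted(reachable_ids(vulnerable_lookup, "token-alice")))
    print("hardened,   alice reaches:", sorted(reachable_ids(hardened_lookup, "token-alice")))
    print("flagged log lines:", cross_account_requests(SAMPLE_LOG))
```

The design point is that authentication alone does not fix an IDOR; the object lookup has to be bound to the caller's identity server-side, and the failure response for a foreign id should be indistinguishable from a missing record.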
On the other hand, BlueCats’ AA Beacon also put users at risk through its mobile app for Android and iOS. Rapid7’s report says that the BC Reveal application stores sensitive data insecurely. To exploit the vulnerability, attackers would need physical access to the mobile device and the smart home product.
Heiland’s report says that using malicious software to access user information is a way to exploit issues on both devices.
Upon discovering the security issues, Rapid7 informed the two companies, which moved promptly to address them. BlueCats said that it prioritizes security and expressed appreciation for Rapid7’s efforts.
As of today, both vendors have deployed fixes for the issues. However, the experts remind users to install any newly implemented updates. This helps guarantee the safety of their sensitive data, mobile devices and smart home products.