Hackable connected locks due to Zipato vulnerabilities


Blackmarble security researchers have found three vulnerabilities in Zipato's home automation controllers that can allow hackers to unlock connected locks installed in homes. Chase Dardaman and Jason Wheeler discovered the flaws, which potentially allow hackers to take control of the ZipaMicro ZM.ZWUS and 2AAU7-ZBZWUS controller models and unlock connected locks. Two of the vulnerabilities are in the design and implementation of the authentication mechanism in Zipato's API, while the third is the embedded SSH private key for root, which is not unique and can be extracted. More than 112,000 Zipato connected devices and modules are installed in nearly 20,000 homes across 89 countries, and these vulnerabilities have put the security of those homes at risk.

The ZM.ZWUS controller enables remote management and control of Z-Wave and IP devices, including locks and sensors, while the 2AAU7-ZBZWUS controller manages the connection of additional modules that can be connected remotely. Blackmarble researchers warned that the three critical vulnerabilities could allow cyber attackers to take control of the connected objects in homes, such as locks, and jeopardize the security of 20,000 homes. Zipato connected devices and modules are currently used in 89 countries. Therefore, the scale of the issue is significant, and the risks are high, given that Zipato is popular among homeowners worldwide.

One of the vulnerabilities is the design and implementation of the authentication mechanism in Zipato's API. The authentication mechanism is fundamental in protecting against unauthorized access to systems and data. However, the design and implementation of Zipato's authentication mechanism are flawed, making it vulnerable to cyber attacks. Additionally, the third vulnerability is the embedded SSH private key for root, which is not unique and can be extracted. The SSH key was found in "/etc/dropbear/" with the name "dropbear_rsa_host_key", which is password-protected when using this format. Even so, the researchers found that it was possible to extract the private and public keys. The extracted private key could allow a cyber attacker to execute remote commands on the device.
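The following is an added example, not code from the article or the researchers. Because the key described above sits in the dropbear host-key file, a key shared across devices shows up as identical SSH host-key fingerprints, and an owner can check their own devices for that from ssh-keyscan-format output. The hosts, key blobs and function names below are constructed for illustration.

```python
import base64
import hashlib
from collections import defaultdict

def make_blob(seed):
    """Constructed stand-in for a base64 public-key blob (not a real key)."""
    return base64.b64encode(b"\x00\x00\x00\x07ssh-rsa" + seed).decode()

# Constructed sample in ssh-keyscan output format: "host keytype base64-blob".
# Addresses are from the documentation range 192.0.2.0/24.
SAMPLE_SCAN = "\n".join([
    "# constructed ssh-keyscan output",
    "192.0.2.10 ssh-rsa " + make_blob(b"shared-firmware-key"),
    "192.0.2.11 ssh-rsa " + make_blob(b"shared-firmware-key"),
    "192.0.2.12 ssh-rsa " + make_blob(b"unique-per-device-key"),
    "192.0.2.13 ssh-rsa not*base64",  # malformed line, must be skipped
])

def fingerprint(blob_b64):
    """OpenSSH-style fingerprint: unpadded base64 of SHA-256 over the key blob."""
    raw = base64.b64decode(blob_b64, validate=True)
    digest = hashlib.sha256(raw).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def shared_host_keys(scan_text):
    """Return {fingerprint: sorted hosts} for keys presented by more than one host."""
    hosts_by_fp = defaultdict(set)
    for line in scan_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # ssh-keyscan writes banner comments starting with '#'
        parts = line.split()
        if len(parts) < 3:
            continue
        host, _keytype, blob = parts[:3]
        try:
            fp = fingerprint(blob)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        hosts_by_fp[fp].add(host)
    return {fp: sorted(h) for fp, h in hosts_by_fp.items() if len(h) > 1}

if __name__ == "__main__":
    for fp, hosts in shared_host_keys(SAMPLE_SCAN).items():
        print(f"{fp} presented by {len(hosts)} hosts: {', '.join(hosts)}")
```

Any fingerprint reported here means the private half of that key exists on every listed device, so extracting it from one unit affects all of them.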

These vulnerabilities emphasize the importance of securing connected devices and systems. Connected devices are a potential gateway to personal data and physical infrastructure, and vulnerabilities such as these can result in loss of property and privacy. Home automation systems, such as the one developed by Zipato, are supposed to simplify people's lives and make them more convenient. Still, they can also make them more vulnerable to cyber attacks, which can lead to significant security concerns. Therefore, the security of home automation systems must be taken seriously, and manufacturers must ensure that their products are secure and up-to-date with the latest security patches. Consumers must also play their part by ensuring that they change their default passwords and keep their systems updated. By doing so, they can reduce the risks of falling victim to cyber attacks that exploit the vulnerabilities of connected devices.