UPDATED 22:11 EDT / JULY 02 2019

SECURITY

Vulnerabilities in Zipato smart home devices let hackers open doors

Two security researchers have published details of vulnerabilities in the communications hubs that connect to smart home locks manufactured by Zipato, flaws that could allow hackers to open doors easily.

Detailed today by Chase Dardaman and Jason Wheeler at Blackmarble, two of the vulnerabilities relate to the design and implementation of the authentication mechanism in the Zipato application programming interface. A third relates to an insecure embedded SSH private key that provides root access.

All three vulnerabilities can be exploited by hackers to gain access to doors secured by Zipato smart home locks. The researchers noted that an attacker needs access to the same Wi-Fi network as the hubs that communicate with the locks. But potentially any vulnerable Zipomicro hub, the name the company gives to the hubs, that is connected to the internet could be exploited.

Dardaman and Wheeler discovered the vulnerabilities in March but withheld the details until now to give Zipato time to patch them, which the company subsequently did. Zipato also stopped selling the Zipomicro hub devices altogether to avoid future security issues.

Just how many users of the devices are affected is unknown. The company says on its website that it has 112,000 devices in 20,000 households worldwide, but that figure includes all devices it has sold, so the number of hubs is unknown.

The SSH vulnerability in the Zipomicro hubs gained particular attention. Kevin Bocek, vice president of security strategy and threat intelligence at cybersecurity firm Venafi Inc., told SiliconANGLE that smart home controllers that use the same, hard-coded SSH machine identity everywhere are a massive security risk.

“In this case, an attacker with access to the scrambled version of the SSH key instantly gets access to every device; it’s like winning an exploit jackpot,” Bocek explained. “It can literally provide attackers with the ability to unlock your home.”

Bocek added that there have been the same kinds of problems in the Emergency Response system in the U.S., and one in four Amazon cloud setups has a backdoor with SSH keys. “The scale of this problem is enormous,” he said. “Every IoT device, cloud service and container has a key that cyber attackers are more than willing to exploit.”

The case illustrates the importance of security-focused design reviews in the software development lifecycle, said Amit Sethi, senior principal consultant at Synopsys Inc.

“These issues could have been easily identified and mitigated before the software was implemented if a security expert had been involved in the design process,” Sethi pointed out. “That would have been significantly more cost-effective than fixing the issues now.”

Photo: codelocks/Flickr
