How many smart security alarm systems were exposed by a simple bug?
Answer: Thousands.
Fortunately, the researcher who discovered it was not interested in exploiting it. Security researcher Vangelis Stykas recently reported a significant vulnerability in power and electronics company Eaton’s SecureConnect platform, which lets customers remotely access their security systems from their smartphones.
According to Stykas, the flaw was in the platform’s access authorization logic: he could sign up as a new user and then assign his own account to a “root” group. The root group had access to every security system connected to Eaton’s cloud, so a self-registered account could reach other customers’ accounts and systems.
He could see everything from a user’s name and email address to the locations of all of their connected devices, and he was concerned that an attacker could just as easily have used the same access to take control of other users’ security systems. Eaton says it has since fixed the bug.
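The class of bug described above (a signup or profile endpoint that trusts a client-supplied group or role, so a brand-new account can elevate itself) is easy to see in a small model. The following is an added, constructed example and is not Eaton’s SecureConnect code; every name in it (AlarmCloud, Panel, register_vulnerable, register_hardened, grant_root, get_panel) is hypothetical. It shows the vulnerable registration handler beside a hardened one, with the same owner-or-root authorization check on reads, so the only difference is whether the client gets to choose its own groups.

```python
"""Self-registration privilege escalation via client-controlled group
membership, and the fix. Constructed illustration, not vendor code."""
from dataclasses import dataclass, field

ROOT_GROUP = "root"  # hypothetical name of the all-access group


@dataclass
class User:
    username: str
    groups: set = field(default_factory=set)


@dataclass
class Panel:
    """One customer's alarm panel as stored in the (hypothetical) cloud."""
    panel_id: str
    owner: str
    location: str


class AlarmCloud:
    def __init__(self):
        self.users = {}
        self.panels = {}

    def add_panel(self, panel):
        self.panels[panel.panel_id] = panel

    # VULNERABLE: group membership is copied straight from the signup
    # payload (mass assignment), so anyone can register as "root".
    def register_vulnerable(self, payload):
        user = User(payload["username"], set(payload.get("groups", [])))
        self.users[user.username] = user
        return user

    # HARDENED: the client never chooses its groups. A new account starts
    # with none; only an existing root user can elevate it afterwards.
    def register_hardened(self, payload):
        user = User(payload["username"])  # any "groups" key is ignored
        self.users[user.username] = user
        return user

    def grant_root(self, actor, target):
        if ROOT_GROUP not in self.users[actor].groups:
            raise PermissionError("only root may grant root")
        self.users[target].groups.add(ROOT_GROUP)

    # Server-side authorization on every read: owner or root only.
    def get_panel(self, username, panel_id):
        user = self.users[username]
        panel = self.panels[panel_id]
        if panel.owner == username or ROOT_GROUP in user.groups:
            return panel
        raise PermissionError(f"{username} may not view {panel_id}")


def demo():
    """Run the same attacker payload against both handlers.

    Returns the location the attacker could read, or None if denied."""
    attack_payload = {"username": "newguy", "groups": ["root"]}
    results = {}
    for name, register in (("vulnerable", AlarmCloud.register_vulnerable),
                           ("hardened", AlarmCloud.register_hardened)):
        cloud = AlarmCloud()
        cloud.users["alice"] = User("alice")
        # constructed sample data for another customer
        cloud.add_panel(Panel("panel-1", "alice", "12 Example St"))
        register(cloud, attack_payload)
        try:
            results[name] = cloud.get_panel("newguy", "panel-1").location
        except PermissionError:
            results[name] = None
    return results


if __name__ == "__main__":
    print(demo())
```

The read check in get_panel is identical in both cases; what closes the hole is that the hardened handler derives privilege from server-side state (an existing root user calling grant_root) rather than from anything in the request body.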