SoatDev IT Consulting
June 16, 2023

U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems.

Security researcher Vangelis Stykas said he found the vulnerability in Eaton’s SecureConnect, a cloud-based system that allows customers to remotely access, manage, and arm and disarm their security alarm systems from a phone app.

Stykas said the vulnerability allowed anyone to sign up as a new user and assign that account to any other group of users, including a “root” group, which has access to all of the smart alarm systems connected to Eaton’s cloud.

The vulnerability is known as an insecure direct object reference, or IDOR, a class of security bug that allows unchecked access to files, data, or user accounts because of weak or lacking access controls on a server. Stykas said the bug was easy to exploit using man-in-the-middle tools like Burp Suite by intercepting the new user’s group number and swapping it with the number of the root group, which was simply “1”.

Stykas said adding a user to the root group “gave access to everything,” including the registered user’s name and email address, and the location of every connected security alarm system. Stykas said that the access could have allowed a potential attacker to remotely control security alarm systems connected to Eaton’s cloud — though he did not attempt this.
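The bug class described above comes down to a server trusting a client-supplied identifier when it decides what an account may access. The following is an added example written for this page, not Eaton's code and not the SecureConnect API: it is a constructed, in-memory model of a sign-up handler, with the IDOR-style defect on one side and the server-side authorization check that prevents it on the other. The group numbers, user names and request bodies are all assumptions made up for the illustration.

```python
from dataclasses import dataclass, field

# Assumed values for the illustration: a privileged group with a low id
# (the article mentions "1") and a default group for self-service sign-ups.
ROOT_GROUP = 1
DEFAULT_GROUP = 1000


@dataclass
class User:
    username: str
    group_id: int


@dataclass
class Store:
    """Constructed stand-in for the backend's user table and audit log."""
    users: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)


def signup_vulnerable(store: Store, body: dict) -> User:
    """IDOR defect: the group comes straight from the client's request body.

    Anyone who intercepts and edits the sign-up request can place the new
    account in whatever group they like, including the privileged one.
    """
    user = User(body["username"], int(body.get("group_id", DEFAULT_GROUP)))
    store.users[user.username] = user
    return user


def signup_hardened(store: Store, body: dict) -> User:
    """Fixed version: unauthenticated self-registration never picks its group.

    Whatever group_id the client sends is ignored; the server decides, and
    the decision is recorded so later review can see how accounts were created.
    """
    user = User(body["username"], DEFAULT_GROUP)
    store.users[user.username] = user
    store.audit.append(("signup", user.username, DEFAULT_GROUP))
    return user


def change_group(store: Store, actor: User, target_username: str, new_group: int) -> User:
    """Group changes are an authorized operation, checked on the server side.

    Only a member of the root group may move users between groups, and every
    attempt, allowed or denied, is logged. A denied attempt to reach the root
    group is exactly the signal a detection rule would look for.
    """
    allowed = actor.group_id == ROOT_GROUP
    store.audit.append(("change_group", actor.username, target_username, new_group, allowed))
    if not allowed:
        raise PermissionError(f"{actor.username} may not change groups")
    target = store.users[target_username]
    target.group_id = new_group
    return target


def tampered_signup_body() -> dict:
    """Constructed request body: the client edited group_id to the root group."""
    return {"username": "newuser", "group_id": ROOT_GROUP}


def denied_root_attempts(store: Store) -> list:
    """Audit entries where a non-root actor tried to move someone into root."""
    return [e for e in store.audit
            if e[0] == "change_group" and e[3] == ROOT_GROUP and not e[4]]


if __name__ == "__main__":
    vulnerable = Store()
    print("vulnerable:", signup_vulnerable(vulnerable, tampered_signup_body()))

    hardened = Store()
    me = signup_hardened(hardened, tampered_signup_body())
    print("hardened:  ", me)
    try:
        change_group(hardened, me, me.username, ROOT_GROUP)
    except PermissionError as err:
        print("denied:    ", err)
    print("audit:     ", hardened.audit)
```

The point of the split is that the hardened handler never reads `group_id` from an unauthenticated request at all; privilege assignment goes through a separate, authorized code path that is both enforced and logged. The audit list is what lets a team answer the "was this ever exploited?" question the article raises, which is not possible if only the successful path leaves a trace.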

In a security notification published to its website, Eaton confirmed the bug was discovered in its group access authorization logic.

Jonathan Hart, a spokesperson for Eaton, said the vulnerability was fixed in May. Hart declined to say how many smart alarm customers it has, though Stykas said the number of Eaton connected smart alarm systems was in the high tens of thousands.

Eaton declined to say if the vulnerability allowed the remote control of connected security alarm systems. Eaton said the vulnerability was “verified to be a single event,” but did not say how it came to this conclusion or if the company has the technical means, such as logging systems, to determine if the vulnerability was previously discovered or exploited.

A simple bug exposed access to thousands of smart security alarm systems by Zack Whittaker originally published on TechCrunch
