Eaton – thestringdesign.in https://thestringdesign.in Inspire, Connect and Impact Sat, 17 Jun 2023 12:24:57 +0000 en-US hourly 1 https://wordpress.org/?v=6.8.3 https://thestringdesign.in/wp-content/uploads/2023/05/cropped-logo-32x32.png Eaton – thestringdesign.in https://thestringdesign.in 32 32 U.S. Power and Electronics Giant Eaton Fixes Security Vulnerability in Smart Security Alarm Systems https://thestringdesign.in/eaton-security-vulnerability-smart-alarm-systems/ Sat, 17 Jun 2023 12:21:50 +0000 https://thestringdesign.in/?p=4510 In a world where technology has become an integral part of our lives, ensuring the security of our connected devices is of paramount importance. Recently, U.S. power and electronics giant Eaton faced a security vulnerability in its smart security alarm systems. This vulnerability allowed a security researcher to remotely access thousands of these systems, raising concerns about the potential risks to users’ safety and privacy.

The security researcher who discovered the vulnerability is Vangelis Stykas. He identified the flaw in Eaton’s cloud-based system called SecureConnect, designed to enable customers to remotely manage and control their security alarm systems via a mobile app. According to Stykas, the vulnerability enabled anyone to sign up as a new user and assign that account to any user group, including the highly privileged “root” group, which had unrestricted access to all security alarm systems connected to Eaton’s cloud.

This security flaw can be categorized as an insecure direct object reference (IDOR). IDOR vulnerabilities arise when a server lacks robust access controls, allowing unauthorized access to files, data, or user accounts. Exploiting this vulnerability was relatively simple using tools like Burp Suite, a popular man-in-the-middle software. By intercepting the new user’s group number and swapping it with the number of the root group, which was “1,” an attacker could gain access to sensitive information.

Once a user was added to the root group, they gained access to a wealth of data, including registered users’ names, email addresses, and the locations of all connected security alarm systems. While Stykas did not attempt remote control of these systems, the level of access acquired through this vulnerability could have potentially enabled an attacker to manipulate security alarm systems remotely.

Eaton promptly addressed the issue and released a security notification on its website, confirming the discovery of the bug in its group access authorization logic. Jonathan Hart, a spokesperson for Eaton, revealed that the vulnerability had been fixed in May. However, the exact number of smart alarm customers affected remains undisclosed by Eaton. Stykas estimates that tens of thousands of Eaton connected smart alarm systems were potentially impacted by this security vulnerability.

Although Eaton did not explicitly confirm whether the vulnerability allowed remote control of connected security alarm systems, they stated that the vulnerability was a single event. It is unclear how Eaton arrived at this conclusion or if they possess the technical means, such as logging systems, to determine if the vulnerability had been previously exploited or discovered.

You may also like:

iPadOS 17 New features and compatible devices

ChatGPT Just Added New Features and Lowered API Prices: Enhancing User Experience with OpenAI’s Updates

]]>