Zipato: A Risk Assessment for Smart Homebuyers

Terrence Frost, Michael P. Nolan
Copyright: © 2021 | Pages: 26
DOI: 10.4018/978-1-7998-7904-6.ch008

Abstract

The authors were presented with the task of reviewing a product by Zipato, which has a sizable user base (20,000 households, according to Zipato as quoted in an article from TechCrunch). The Cyber-Living team is assessing products in the smart home and cybersecurity realms to help consumers make more informed choices. This is the first part of their risk assessment series on Zipato's smart home solutions. It also expands upon existing reporting by other security researchers. Of the material available on similar Zipato products, two articles were found most informative. Some of these articles have appeared multiple times because they were picked up by news sites, and they often refer to other researchers' discoveries. Parts 2 and 3 are for education and research, focusing in particular on firmware update vulnerabilities and the possibility of man-in-the-middle attacks that exploit devices. That will be the authors' contribution to the work. In this first part, they review the findings of other teams.

Chapter Preview

Part One: Other Teams Find Vulnerabilities

Disclaimer

We will probably sound pessimistic, but we are not saying don't buy Zipato; instead, we are doing the research for you. It is up to you to read onward to get a measure of the risks of using a Zipabox, or of another product that could easily be worse, such as an RPi (Raspberry Pi) based one that is probably even easier to attack. The better you know the terminology, the better you can search the internet for keywords to see whether the company is on its game and transparent about security flaws and countermeasures. Zipato supports several types of devices and IoT (internet of things) communication modules, so one might assume they have a very comprehensive investment in their own research and development. We began to wonder whether Zipato is spreading itself very thin in order to win in the "feature-rich" category or to have the "most supported devices". Maybe you have a diverse set of IoT devices you want to manage and Zipato has come to your attention because of this. If you are building a new system, you might only need a very simple setup and want to find a product that follows best practices for your needs.

Key Terms in this Chapter

MiTM: Man in the middle. A term for software or an attack that redirects sensitive communications to a spoofed or masqueraded service (computer, node) for the purposes of a hack or crack, or simply for monitoring. If the attacker routes the data onward as the originating programs expect and does not block the returning information, then a compromised system can continue to function without any awareness that a man in the middle exists. A MiTM attack would involve changing or switching data to enable further compromise and control of a target computer or device.

Mender: A software toolkit for downloading and applying updates and patches "over the air"; it uses a client-server architecture.

SSH: Secure shell. A remote shell that has a lot of features and is security minded. Typically used in Linux/Unix system environments.

API: Application programming interface. Any software or hardware mix can be integrated using an API that uses a common communication protocol to pass specific calls/requests and retrieve or monitor the resulting output.

IoT: Internet of things. Small microcontrollers or microcomputers, generally single-board and of small form factor, intended to be paired with devices to make a smart home or smart factory device that can be queried, probed, or controlled via LAN or WAN. The small computer may use Ethernet/TCP/IP to be natively on the internet, or one of many other protocols via an IoT hub that translates internet communications to other wireless management protocols. It is a loose term, more of a buzzword.
