Wink home control
9/5/2023

However, there are ways for attackers to get at this data, which is why Android provides a built-in secure keystore for storing sensitive information. There are various other methods for encrypting credentials in storage, but it turns out that some developers—especially those in the IoT space—don't use these mechanisms.

If left unprotected, application data can easily be extracted from phones that have been lost or stolen and are not locked with a strong password or use full device encryption—a feature that not all Android phones support.

"It takes very little effort," Deral Heiland, the research lead at Rapid7, told me. "Anyone who wants to take 45 minutes to an hour out of their life and can use Google, can quickly find out how to pull such data out of a phone."

Furthermore, due to the version fragmentation in the Android ecosystem, there are millions of phones out there that are no longer supported by manufacturers and don't receive security updates. Those devices have known vulnerabilities that malicious applications can exploit to gain administrative privileges, or root access. With privileged access, Android malware—which is not uncommon even on the policed Google Play store—can read other applications' data, including credentials stored in plain text.

The risk is even higher when those credentials are for smart home hubs, because these devices often control security-related systems like door locks, garage doors, window sensors, alarms and so on.

The Android application for the Wink Hub 2 was insecurely storing the OAuth access tokens that Wink's servers use to track authenticated user sessions. These tokens allow the mobile applications to send commands to Wink hubs through the company's cloud service.

Heiland also found that Wink's service did not revoke old tokens even when new ones were generated, for example after a password change. So even if users had tried to limit the risk after losing their phones by changing their Wink passwords, the OAuth tokens stored on their devices would have continued to work.

According to the researcher, Wink released an update for its Android application and plans to fix the token revocation issue with a server-side change in the future. Users are advised to use the Wink Android application v6.3.0.28 or later.

Wink doesn't make its own peripheral devices, but instead integrates its hub with existing products from other vendors. However, Insteon manufactures a variety of switches, light bulbs, power outlets, sensors, door locks, cameras and other devices that work with its own hub.