Investigating the Plumbing of the IoT Ecosystem (R7-2018-65, R7-2019-07) (FIXED)

When poking around for vulnerabilities, researchers often look for some particular low-hanging fruit in order to see first whether the basics in secure design have been covered, then whether they can turn a low-severity vulnerability into something more useful for an attacker.


When assessing IoT in particular, we tend to spend quite a bit of time looking at the enabling technologies around the IoT gadget, rather than the gadget itself. We often can find issues in either the mobile application that's used to control the device or the cloud-based web application that's used to mediate communications between the device and the various consuming endpoints. And, just as in traditional vulnerability research, the goal is often to find some small issue and see whether we can leverage it for something more useful.


Sometimes those small issues are just that—low-severity vulnerabilities that don't seem to lead us anywhere. But, rather than fall into the no-priority bugs trap and just never disclose these issues, we figured this would be a fine time to demonstrate some of the bugs we've come across (in accordance with Rapid7's vulnerability disclosure policy), if only to outline some of the design antipatterns other IoT security researchers and IoT application developers might want to watch out for. After all, the IoT device you're looking at might have some similar issue, which you, intrepid researcher, might be able to leverage for more interesting results.


With that goal in mind, what follows is a tale of two IoT products: Eaton’s Home Lighting HALO Home Smart Lighting System and BlueCats’s