R7-2019-18: Multiple Hickory Smart Lock Vulnerabilities


Rapid7 offers IoT Security Testing Services as part of our portfolio of assessment services, and as a result, from time to time, our researchers uncover IoT vulnerabilities in hardware, mobile apps, and cloud infrastructure as part of ongoing academic efforts. This disclosure represents one such independent, non-contracted project.


The Hickory Smart Bluetooth Enabled Deadbolt IoT ecosystem (which includes mobile applications as well as a cloud-hosted web and MQTT infrastructure) has several vulnerabilities, as detailed in the table below. As of the initial release of this vulnerability disclosure, the vendor has not acknowledged these vulnerabilities, nor has it offered a software update to address these issues.


What is the Hickory Smart Bluetooth Enabled Deadbolt?


The Hickory Smart Bluetooth Enabled Deadbolt (Model H076388-SN, which contains electronic components with FCC ID 2AEHJSRU233) is the base IoT device that was the focus of this testing. It is supported by mobile applications for Android and iPhone/iPad devices, as well as cloud-based, hosted web applications and a hosted MQTT broker/server. The mobile applications under test were version 01.01.43 for Android and 01.01.07 for iOS. Both are called "Hickory Smart" in the Google Play store and the Apple App store. In addition, the Hickory Smart Ethernet Bridge H077646 (Model SRR533) was used in testing.


These devices are products provided by Hickory Hardware, a Belwith Products brand, although it appears that another company, Delphian Systems, ..
