undefined

upvote

points

by morkalork7 hours ago |

upvote

by Aurornis6 hours ago|

[-]

The vulnerability was in their backend cloud structure. The backend wasn't restricting access to only devices associated with your account.

> Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.

> Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.

The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.

It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.

reply

upvote

by JoshTriplett5 hours ago|

[-]

> The vulnerability was in their backend cloud structure.

The vulnerability is in having a backend cloud structure.

(There are plenty of ways to provide remote access without that, and no other feature warrants it.)

reply

upvote

by jcgrillo3 hours ago|

[-]

Not sure why this is being downvoted, it's a pervasive flaw across all these IoT products. See my description elsewhere here about how Haier "smart" controls work. It's completely insane, and pointless. For systems that can't fail--I include heating systems in the winter--this kind of "move fast and break shit" way of doing it is malpractice. The last thing in the entire world I want my furnace controls doing is an automatic OTA firmware update. Ever.

reply

upvote

by JoshTriplett3 hours ago|

[-]

Exactly. I want a "smart thermostat" that's entirely under my control, not the manufacturer's.

reply

upvote

by Neywiny7 hours ago|

[-]

I think it's about being a configuration management nightmare. If every device has a unique password, you need the decoder ring for serial number to password. However, not all processors have unique IDs. So you either need to find a way to reliably serialize each board during manufacturing and hope it stays (like a sticker/laser/printer/etc) or add a serial number chip which is cost and complexity. It's not impossible, it's just extra work that usually goes unrewarded.

reply

upvote

by HFguy6 hours ago|

[-]

I'm a long way from embedded development. But I was under the impression a lot of microcontrollers these days have some ID capability built in, even some relatively low-end ones. This strikes me more as laziness than anything.

reply

upvote

by peterus6 hours ago|

[-]

This is true, for example many stm32 series have a 96 bit unique id which is derived from the lot number, wafer id and position [1]. Even the low cost stm32g0b1 series I am using has them, but they are missing from some older series.

[1] https://community.st.com/t5/stm32-mcus/how-to-obtain-and-use...

reply

upvote

by adrian_b5 hours ago|

[-]

Moreover, on any device that is connected to Internet you already have a unique MAC address on its Ethernet or WiFi interface.

You can hash this unique MAC address, together with other data that may be shared with the other devices of the same kind, to generate unique keys or other kinds of credentials.

reply

upvote

by Neywiny5 hours ago|

[-]

Surprisingly it's not everywhere. I'm very in embedded development and cannot count the amount of time I look for "unique" "id" etc in a reference manual and come up short. It's certainly more common than not, but you often have to design systems for the lowest common denominator.

reply

upvote

by NegativeK5 hours ago|

[-]

> It's not impossible, it's just extra work that usually goes unrewarded.

That sounds like profit motivated negligence, and it sounds like a standard justification for why Europe is going to hold companies liable.

reply

upvote

by Neywiny4 hours ago|

[-]

It is indeed. And that sucks but that's what it is. Product design is about calculated risks and trades. It's a good thing regulators are here to help because companies won't do it on their own and the general public doesn't care enough.

reply

upvote

by jcgrillo2 hours ago|

[-]

We will all owe the EU a massive debt of gratitude. Hopefully USB C was just the tip of the iceberg.

reply

upvote

by Msurrow6 hours ago|

[-]

I have not knowledge of this kind of software dev/hw production, so can you please explain why the units cant just be born with a default pass and then have the setup process (which is always there) Force the owner to set a new password?

Knowledge or not, this..

> It's not impossible, it's just extra work that usually goes unrewarded.

.. is just not an acceptable way for business to think and operate i 2026, especially not when it comes to internet connected video enabled devices

reply

upvote

by Neywiny5 hours ago|

[-]

I'll answer your question with a question: how often do you see people complaining about needing setup processes vs the old way of just plug and play? There's no perfect answer that placates all sides. Things can certainly be better, but when those people win and you no longer need to have a setup process, then what?

While true that in $current_year it would be nice if things were more secure, the sad truth is that most people don't care.

reply

upvote

by Msurrow4 hours ago|

[-]

I agree that yes most just want PnP and basically don’t care about security. But it seemed on the posts above that there was an engineering complexity, and a robot vaccum needs local WiFi, so there will be a setup flow. Whats preventing a password selection just be part of that?

reply

upvote

by thenthenthen6 hours ago|

[-]

I am shocked really, i think this is actual law in China.

reply

upvote

by thenthenthen6 hours ago|

[-]

This is just people working 24/7 for 50 dollars a month? Because we want cheap shit

reply