Molekule did not disclose air purifier data vulnerability: Difference between revisions

No edit summary
Bananabot (talk | contribs)
Added archive URLs for 3 citation(s) using CRWCitationBot
 
(5 intermediate revisions by 2 users not shown)
Line 1: Line 1:
{{Incomplete|Issue 1 = Currently the only source discussing this is the researcher's vulnerability report.}}
{{Incomplete|Issue 1 = Currently the only source discussing this is the researcher's vulnerability report.}}
{{IncidentCargo
{{IncidentCargo
|Company=Molekule
|Company=Molekule
Line 11: Line 10:
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability
}}
}}
 
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline, however Molekule made no active attempt to disclose the vulnerability to users who may have been affected by it, and told the researcher that he did not have permission to disclose the vulnerability, even after the researcher refused to sign an NDA which would have barred him from discussing it. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>
 
 
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02}}</ref>


==Background==
==Background==


Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information to the company's servers on an ongoing basis.<ref name="zuernerd" />
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" />


Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref>
Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251222022721/https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |archive-date=22 Dec 2025}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260209134515/https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |archive-date=9 Feb 2026}}</ref>


==Vulnerability discovery and details==
==Vulnerability discovery and details==
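Review bot: the Background paragraph in the newer text gains a comma after "network information" ("device status, and network information, to the company's servers"), which cuts "transmit operational data" off from "to the company's servers"; drop it, or bracket the "such as" list with a comma on both sides. The two versions of the lead also carry different zuernerd citations, one with archive-url and archive-date and one without; whichever lead wording is kept should carry the archived citation so it matches the other citations in this revision.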
Line 53: Line 49:
===Regulatory significance of exposed data===
===Regulatory significance of exposed data===


The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02}}</ref>
The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206212130/https://gdpr-info.eu/art-4-gdpr/ |archive-date=6 Feb 2026}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251209021409/https://gdpr-info.eu/recitals/no-30/ |archive-date=9 Dec 2025}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251007021401/https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |archive-date=7 Oct 2025}}</ref>


Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02}}</ref>
Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20250209233904/https://www.consumerprivacyact.com/section-1798-140-definitions/ |archive-date=9 Feb 2025}}</ref>




==Timeline of detection, patching, and disclosure==
==Timeline of detection, patching, and disclosure==


The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02}}</ref>  
The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260213213804/https://projectzero.google/vulnerability-disclosure-faq.html |archive-date=13 Feb 2026}}</ref>  


Within his report, the researcher presented the following timeline of events:
Within his report, the researcher presented the following timeline of events:
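Review bot: the archive-date values added to the gdpr-art4, gdpr-recital30, techgdpr, ccpa-definitions and pz-faq citations use "6 Feb 2026"-style dates while date and access-date in the same templates are ISO ("2026-02-02"); use one format, preferably ISO, so the citation templates render consistently. The pz-faq line also ends in trailing spaces that will survive in the wikitext.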
Line 110: Line 106:


No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.
No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that potentially exposed data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or indicate whether affected customers had been notified.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>
 
==Background==
 
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data — such as air quality readings, device status, and network information — to the company's servers on an ongoing basis.<ref name="zuernerd" />
 
Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref>
 
==Vulnerability discovery and details==


On 25 October 2025, a security researcher identified a vulnerability in Molekule's cloud infrastructure while analysing the code contained within the company's official Android application.<ref name="zuernerd" />
===Hardcoded credentials in the mobile application===
According to the researcher's report, the Molekule Android application contained hardcoded configuration details — including cloud service identifiers, API endpoints, and third-party service keys — embedded directly within the application's source code. The researcher stated that these details were accessible to anyone who downloaded and examined the application file, and included configurations for the company's production, integration, and development environments.<ref name="zuernerd" />
===Unauthenticated access to device data===
The researcher reported that Molekule's AWS Cognito Identity Pool was configured to permit access without any form of authentication. AWS documentation describes this as "guest access," a feature intended for applications that allow users to interact without logging in.<ref name="aws-cognito" /> In Molekule's case, according to the researcher, this meant that any party could obtain temporary server credentials and connect to Molekule's device communication system without providing a username, password, or any other identifying information.<ref name="zuernerd" />
The researcher stated that, once connected, it was possible to subscribe to "wildcard" topics — a configuration that, in this case, permitted a single connection to receive data updates from all connected devices globally, rather than being restricted to a specific user's own devices. AWS's security best practices documentation recommends that IoT policies should restrict each user to publishing and subscribing only to a defined and limited set of topics.<ref name="aws-iot-security" /> The researcher attributed the vulnerability in part to the absence of such per-device restrictions in Molekule's IoT policy configuration.<ref name="zuernerd" />
The researcher noted that the vulnerability was limited to read-only access; the exposed credentials did not permit an attacker to send commands to, or otherwise control, devices remotely. The researcher classified the vulnerability as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and described the exploitation as straightforward, requiring only basic programming knowledge and publicly available software tools.<ref name="zuernerd" />
===Data exposed===
According to the researcher's report, the vulnerability potentially exposed the following categories of data from approximately 100,000 devices:<ref name="zuernerd" />
* WiFi network names (SSIDs), which the researcher noted often contained street addresses or business names
* MAC addresses (unique hardware identifiers for each device)
* User-assigned device names, which sometimes contained personal information such as room locations
* Real-time sensor readings including air quality, temperature, and humidity data
* Device operational data including firmware versions, serial numbers, and usage patterns
* Network signal strength and connection diagnostics
The researcher stated that the combination of WiFi network names, device names, and usage timestamps could allow a third party to infer a device owner's physical location and daily routines.
===Regulatory significance of exposed data===
The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02}}</ref>
Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02}}</ref>
===Contributing factors===
The researcher attributed the vulnerability to multiple compounding failures: the misconfigured authentication service allowing anonymous access, the absence of restrictions limiting each user's access to only their own devices, and what the researcher described as an apparent lack of monitoring or anomaly detection on the affected systems.<ref name="zuernerd" />
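The two IoT policy shapes discussed in the Background, Unauthenticated access and Contributing factors sections, the broad one the report describes and the caller-scoped one AWS's guidance calls for, together with a small audit routine that tells them apart. This is an added example, not Molekule's policy or code; the region, account id, topic layout and the `user/<identity>/...` prefix are assumptions.

```python
"""Audit an AWS IoT Core policy document for the two weaknesses the report
describes: MQTT topic grants that span every device, and Connect grants
that do not pin the client identifier to the calling identity.

Added example, not Molekule's configuration. Both policy documents below
are constructed for illustration; region, account id and topic layout are
placeholders (ASSUMPTIONS)."""
import json
import re

# Policy variables that tie a resource to the caller: the Cognito identity id
# for app users, the registered thing name for certificate-authenticated devices.
SCOPING_VARS = ("${cognito-identity.amazonaws.com:sub}",
                "${iot:Connection.Thing.ThingName}")
ARN_RE = re.compile(
    r"^arn:aws:iot:[^:]*:[^:]*:(?P<rtype>client|topicfilter|topic)/(?P<path>.*)$")
WILDCARD = re.compile(r"[+#*]")  # MQTT '+' / '#' and the IAM '*'
TOPIC_ACTIONS = {"iot:Subscribe", "iot:Receive", "iot:Publish", "iot:*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_scoped(path: str) -> bool:
    return any(var in path for var in SCOPING_VARS)


def audit_iot_policy(policy_json: str) -> list[str]:
    """Return one finding per Allow resource that lets a single caller reach
    every client id or every device's topics; an empty list means clean."""
    doc = json.loads(policy_json)
    findings: list[str] = []
    for i, st in enumerate(_as_list(doc.get("Statement", []))):
        if st.get("Effect") != "Allow":
            continue
        actions = set(_as_list(st.get("Action", [])))
        for res in _as_list(st.get("Resource", [])):
            if res == "*":
                findings.append(f"statement {i}: Resource '*' covers every client and topic")
                continue
            m = ARN_RE.match(res)
            if not m:
                continue
            rtype, path = m["rtype"], m["path"]
            if not WILDCARD.search(path) or _is_scoped(path):
                continue  # fixed name, or a wildcard under a caller-scoped prefix
            if rtype == "client" and actions & {"iot:Connect", "iot:*"}:
                findings.append(f"statement {i}: Connect on client/{path} accepts any client id")
            elif rtype != "client" and actions & TOPIC_ACTIONS:
                findings.append(f"statement {i}: {sorted(actions)} on {rtype}/{path} "
                                "spans all devices")
    return findings


ACCT = "arn:aws:iot:us-east-1:123456789012"  # placeholder region and account
SUB = "${cognito-identity.amazonaws.com:sub}"

# The shape the report describes: a guest identity may connect under any
# client id and subscribe to every topic on the broker.
PERMISSIVE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ACCT}:client/*"},
    {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{ACCT}:topicfilter/#"},
    {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{ACCT}:topic/*"},
]})

# Least-privilege shape from the AWS guidance cited above: every resource is
# keyed to the caller's identity, so the '+' only matches that caller's own
# devices (assumes the backend publishes under user/<identity>/<device>/...).
# Pair this with disabling unauthenticated identities on the identity pool;
# the policy alone does not close guest access.
HARDENED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ACCT}:client/{SUB}"},
    {"Effect": "Allow", "Action": "iot:Subscribe",
     "Resource": f"{ACCT}:topicfilter/user/{SUB}/+/status"},
    {"Effect": "Allow", "Action": "iot:Receive",
     "Resource": f"{ACCT}:topic/user/{SUB}/+/status"},
]})

if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_iot_policy(pol) or "no findings")
```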
==Responsible disclosure timeline==
The researcher followed a 90-day responsible disclosure process. The 90-day disclosure deadline is a widely adopted industry convention, most prominently associated with Google's Project Zero security research team. Project Zero, which has used the 90-day deadline since its founding in 2014, has stated that the policy is intended to balance giving vendors time to develop and deploy patches against ensuring that users are not left exposed to known vulnerabilities indefinitely.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02}}</ref> As of 2024, Project Zero reported that approximately 97% of the vulnerabilities it disclosed were fixed within the 90-day deadline.<ref name="pz-wikipedia">{{Cite web |title=Project Zero |url=https://en.wikipedia.org/wiki/Project_Zero |website=Wikipedia |access-date=2026-02-02}}</ref>
{| class="wikitable"
|-
! Date !! Event
|-
| 25 October 2025 || Researcher discovered and validated the vulnerability.
|-
| 26 October 2025 || Researcher contacted Molekule and requested a PGP key for secure communication.
|-
| 29 October 2025 || Molekule's security team responded.
|-
| 30 October 2025 || Researcher sent the full vulnerability report with a 90-day disclosure deadline.
|-
| 12 November 2025 || Researcher requested a status update from Molekule.
|-
| 13 November 2025 || Molekule offered a bounty, contingent on the researcher signing a non-disclosure agreement (NDA).
|-
| 14 November 2025 || Researcher declined the NDA and proposed continuing with the standard disclosure timeline. The researcher also suggested Molekule file for a CVE identifier.
|-
| 19 November 2025 || Molekule requested additional technical details.
|-
| 20 November 2025 || Researcher provided the requested information.
|-
| 6 January 2026 || Researcher requested a status update. No response was received.
|-
| 30 January 2026 || Researcher's testing indicated the vulnerability had been patched. The researcher published the full disclosure report.
|-
| 1 February 2026 || Molekule responded to the researcher (see ''Molekule's response'' below).
|}
==Molekule's response==
According to the researcher, Molekule initially responded to the vulnerability report within three days of the researcher's outreach, which the researcher described as promising.<ref name="zuernerd" />
On 13 November 2025, Molekule offered the researcher a bounty in exchange for signing a non-disclosure agreement. The researcher stated that the proposed NDA would have prevented any public discussion of the vulnerability, including after a fix had been implemented. The researcher declined and proposed continuing under the standard responsible disclosure timeline.<ref name="zuernerd" />
Following an exchange of additional technical details on 20 November 2025, the researcher reported that Molekule ceased communication. The researcher's request for a status update on 6 January 2026 received no response.<ref name="zuernerd" />
On 1 February 2026, one day after the researcher's public disclosure, Molekule responded. According to the researcher, Molekule characterised the exploitation of the vulnerability as requiring "wrongful registration" and stated it would constitute "criminal trespass." Molekule acknowledged having implemented a patch and offered a confidential meeting to verify the fix. The company also stated it did not consent to the public disclosure.<ref name="zuernerd" />
As of February 2026, Molekule has not issued any public statement regarding the vulnerability or indicated whether affected customers have been notified.<ref name="zuernerd" />
==Consumer impact==
The researcher stated that data from approximately 100,000 devices was potentially accessible through the vulnerability, and suggested it may have been exploitable for a period of years prior to its discovery. The researcher noted that there is no way to determine whether other parties independently discovered and exploited the vulnerability before it was reported.<ref name="zuernerd" />
No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.


==References==