Molekule did not disclose air purifier data vulnerability: Difference between revisions

No edit summary
Bananabot (talk | contribs)
Added archive URLs for 3 citation(s) using CRWCitationBot
 
(2 intermediate revisions by 2 users not shown)
Line 10: Line 10:
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability
}}
}}
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02}}</ref>
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline, however Molekule made no active attempt to disclose the vulnerability to users who may have been affected by it, and told the researcher that he did not have permission to disclose the vulnerability, even after the researcher refused to sign an NDA which would have barred him from discussing it. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>


==Background==
==Background==
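Review bot: the rewritten lead on the right side joins two independent clauses with a comma ("…responsible disclosure timeline, however Molekule made no active attempt…"); break before "however" (full stop or semicolon), and consider splitting the rest of that sentence, since "even after the researcher refused to sign an NDA" currently reads as though the refusal should have changed Molekule's position rather than being the reason the researcher remained free to publish. The revision also drops the cause given on the left ("which stemmed from an improperly configured cloud authentication service"), yet the Background section that follows introduces AWS Cognito guest credentials and the IoT Core least-privilege guidance, which only matters if the lead still names the misconfiguration; restoring that clause keeps the lead self-contained.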
Line 16: Line 16:
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" />
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" />


Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref>
Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251222022721/https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |archive-date=22 Dec 2025}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260209134515/https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |archive-date=9 Feb 2026}}</ref>


==Vulnerability discovery and details==
==Vulnerability discovery and details==
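Review bot: the |archive-date= values added here ("22 Dec 2025", "9 Feb 2026") are in day-month-year form while |access-date= in the same templates is ISO 8601 (2026-02-02); use |archive-date=2025-12-22 and |archive-date=2026-02-09 so each citation carries a single date format (the same mismatch appears in every citation this edit touched). The archive URLs are also written as plain http://web.archive.org/…; the Wayback Machine serves the same snapshots over https, so https:// avoids a redirect and a cleartext fetch.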
Line 49: Line 49:
===Regulatory significance of exposed data===
===Regulatory significance of exposed data===


The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02}}</ref>
The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206212130/https://gdpr-info.eu/art-4-gdpr/ |archive-date=6 Feb 2026}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251209021409/https://gdpr-info.eu/recitals/no-30/ |archive-date=9 Dec 2025}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251007021401/https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |archive-date=7 Oct 2025}}</ref>


Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02}}</ref>
Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20250209233904/https://www.consumerprivacyact.com/section-1798-140-definitions/ |archive-date=9 Feb 2025}}</ref>




==Timeline of detection, patching, and disclosure==
==Timeline of detection, patching, and disclosure==


The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02}}</ref>  
The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260213213804/https://projectzero.google/vulnerability-disclosure-faq.html |archive-date=13 Feb 2026}}</ref>  


Within his report, the researcher presented the following timeline of events:
Within his report, the researcher presented the following timeline of events:
Line 106: Line 106:


No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.
No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that potentially exposed data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or indicate whether affected customers had been notified.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02}}</ref>
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that potentially exposed data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or indicate whether affected customers had been notified.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>
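Review bot: the two identical paragraphs after "No public information…" repeat the article's lead in a third wording ("potentially exposed", "did not publicly acknowledge the issue or indicate whether affected customers had been notified", no NDA sentence) that matches neither side of the first hunk; if this is article text it duplicates and partly contradicts the lead and one copy should go, and if it is the rendered current revision it shows the lead has been reworded again, so the right-hand statement in the first hunk that Molekule "did not … notify customers" needs reconciling with the weaker "indicate whether affected customers had been notified".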