Molekule did not disclose air purifier data vulnerability: Difference between revisions

Bananabot (talk | contribs)
Added archive URLs for 6 citation(s) using CRWCitationBot
Bananabot (talk | contribs)
Added archive URLs for 3 citation(s) using CRWCitationBot
 
Line 10:
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability
}}
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, described in the researcher's report as unauthenticated access to the MQTT broker used by the purifiers, allowed anyone, without credentials, to read real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025 under a 90-day responsible disclosure timeline. Molekule made no active attempt to inform users who may have been affected and, even after the researcher refused to sign an NDA that would have barred him from discussing the issue, told him that he did not have permission to disclose it. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 January 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>
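The class of exposure described above, an MQTT broker that accepts clients presenting no credentials, is something an operator can check on their own brokers with a few raw packets. The following is an added example written for this page; it is not code from the researcher's report or from Molekule. It builds an MQTT 3.1.1 CONNECT packet with no username or password, parses the broker's CONNACK, and treats return code 0 (connection accepted) as anonymous access being allowed, while a correctly configured broker answers 5 (not authorized). The broker address, the client identifier, the `#` topic filter and the sample CONNACK bytes are assumptions for illustration.

```python
"""Probe an MQTT 3.1.1 broker for anonymous access.

Added example for this page, not the researcher's or Molekule's code.
Assumed: broker address given on the command line, client id 'probe-client',
and the CONNACK bytes used in the docstrings below.
"""
import socket
import struct
from typing import Optional

# CONNACK return codes defined by MQTT 3.1.1, section 3.2.2.3.
CONNACK_CODES = {
    0: "accepted",
    1: "unacceptable protocol version",
    2: "identifier rejected",
    3: "server unavailable",
    4: "bad user name or password",
    5: "not authorized",
}


def _utf8_string(s: str) -> bytes:
    """MQTT UTF-8 string: 2-byte big-endian length prefix, then the bytes."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _remaining_length(n: int) -> bytes:
    """Variable-length integer used by every MQTT fixed header (7 bits per byte)."""
    out = bytearray()
    while True:
        byte = n % 128
        n //= 128
        if n:
            byte |= 0x80  # continuation bit
        out.append(byte)
        if not n:
            return bytes(out)


def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[str] = None, keep_alive: int = 30) -> bytes:
    """Build a CONNECT packet. Without username/password this is exactly what an
    anonymous client sends; a hardened broker must answer it with code 5."""
    flags = 0x02  # clean session
    payload = _utf8_string(client_id)
    if username is not None:
        flags |= 0x80  # username flag
        payload += _utf8_string(username)
    if password is not None:
        flags |= 0x40  # password flag
        payload += _utf8_string(password)
    variable_header = (_utf8_string("MQTT") + bytes([0x04, flags])
                       + struct.pack("!H", keep_alive))
    body = variable_header + payload
    return bytes([0x10]) + _remaining_length(len(body)) + body


def build_subscribe(topic_filter: str, packet_id: int = 1) -> bytes:
    """SUBSCRIBE at QoS 0. A '#' filter requests every topic the broker will show us,
    which is how device telemetry leaks once the connection is accepted."""
    body = struct.pack("!H", packet_id) + _utf8_string(topic_filter) + b"\x00"
    return bytes([0x82]) + _remaining_length(len(body)) + body


def parse_connack(packet: bytes) -> int:
    """Return the CONNACK return code; raise if the bytes are not a CONNACK."""
    if len(packet) < 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not an MQTT 3.1.1 CONNACK")
    return packet[3]


def anonymous_access_allowed(connack: bytes) -> bool:
    """True when the broker accepted a CONNECT that carried no credentials.
    e.g. b'\\x20\\x02\\x00\\x00' -> True, b'\\x20\\x02\\x00\\x05' -> False."""
    return parse_connack(connack) == 0


def probe(host: str, port: int = 1883, timeout: float = 5.0) -> str:
    """Connect with no credentials and report the broker's verdict.
    Only run this against brokers you are authorised to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("probe-client"))
        code = parse_connack(sock.recv(4))
        return CONNACK_CODES.get(code, f"unknown code {code}")


if __name__ == "__main__":
    import sys
    # Assumed broker address; defaults to a local test broker.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"))
```

A result of "accepted" means anyone on the internet can follow the CONNECT with `build_subscribe("#")` and read whatever the devices publish. On the broker side the fix is to refuse unauthenticated clients (for Mosquitto, `allow_anonymous false` together with a `password_file` or a client-certificate requirement) and to add a per-client ACL (Mosquitto's `acl_file`) that scopes each device to its own topics; without the ACL, one valid device credential still reads every other device's telemetry.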


==Background==
Line 51:
The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206212130/https://gdpr-info.eu/art-4-gdpr/ |archive-date=6 Feb 2026}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251209021409/https://gdpr-info.eu/recitals/no-30/ |archive-date=9 Dec 2025}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251007021401/https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |archive-date=7 Oct 2025}}</ref>


Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20250209233904/https://www.consumerprivacyact.com/section-1798-140-definitions/ |archive-date=9 Feb 2025}}</ref>




Line 106:


No public information is currently available regarding whether Molekule has conducted an investigation into potential prior exploitation of the vulnerability, or whether the company intends to notify affected users.
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that potentially exposed data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access the MQTT broker carrying real-time device data, including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025 under a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or indicate whether affected customers had been notified.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206115639/https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |archive-date=6 Feb 2026}}</ref>