Molekule did not disclose air purifier data vulnerability: Difference between revisions
==Background==
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data, such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" />

Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication.

AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref>
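The least-privilege guidance above, as an added illustration that is not from the article and does not describe Molekule's actual configuration: an AWS IoT Core policy that grants every credential holder (including a Cognito guest) access to all client IDs and topics, next to one that ties each permission to the caller's own Cognito identity, plus a small check that flags wildcard statements. The account ID, region and `users/<identity>/...` topic layout are placeholders.

```python
# Added example: over-broad vs. least-privilege AWS IoT Core policies, with a
# check for wildcard grants. Account ID, region and topic layout are placeholders.
import json

ARN = "arn:aws:iot:us-east-1:123456789012"  # placeholder region/account

# Weak: any holder of the credentials may connect with any client id and
# subscribe to / receive every topic in the account.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{ARN}:topicfilter/*"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{ARN}:topic/*"},
    ],
}

# Hardened: client id and topics are bound to the caller's Cognito identity
# through IoT policy variables, so a guest can only reach its own namespace.
SUB = "${cognito-identity.amazonaws.com:sub}"
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/{SUB}"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN}:topicfilter/users/{SUB}/*"},
        {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
         "Resource": f"{ARN}:topic/users/{SUB}/*"},
    ],
}

def _wild_resource(arn: str) -> bool:
    """True for "*" or an ARN whose whole resource path is "*" (client/*, topic/*)."""
    resource = arn.split(":", 5)[-1]        # e.g. "topicfilter/*" or "topic/users/x/*"
    _kind, _, path = resource.partition("/")
    return resource == "*" or path == "*"

def overbroad_statements(policy: dict) -> list:
    """Return the Allow statements that grant wildcard actions or wildcard resources."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if any(a in ("*", "iot:*") for a in actions) or any(_wild_resource(r) for r in resources):
            findings.append(stmt)
    return findings

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, json.dumps(overbroad_statements(policy), indent=1))
```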