Molekule did not disclose air purifier data vulnerability: Difference between revisions
oops |
No edit summary |
||
| Line 1: | Line 1: | ||
{{Incomplete|Issue 1 = Currently the only source discussing this is the researcher's vulnerability report.}} | {{Incomplete|Issue 1 = Currently the only source discussing this is the researcher's vulnerability report.}} | ||
{{IncidentCargo | {{IncidentCargo | ||
|Company=Molekule | |Company=Molekule | ||
| Line 11: | Line 10: | ||
|Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability | |Description=Molekule had a major user data vulnerability in its smart air purifier network, and refused to inform customers of the vulnerability | ||
}} | }} | ||
In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02}}</ref> | In October 2025, a security researcher discovered that Molekule's internet-connected air purifier network contained a vulnerability that could expose data from approximately 100,000 devices worldwide. The vulnerability, which stemmed from an improperly configured cloud authentication service, allowed unauthenticated parties to access real-time device data including WiFi network names, hardware identifiers, and sensor readings. The researcher reported the issue to Molekule on 30 October 2025, following a 90-day responsible disclosure timeline. Molekule appeared to have patched the vulnerability by January 2026 but did not publicly acknowledge the issue or notify customers. The researcher published his report on 30 Jan 2026.<ref name="zuernerd">{{Cite web |last=zuernerd |title=Vulnerability Report: Unauthenticated MQTT Broker Access in Molekule IoT Air Purifiers |url=https://zuernerd.github.io/blog/2026/01/30/molekule-re.html |date=2026-01-30 |access-date=2026-02-02}}</ref> | ||
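Review bot: The |Description= field in this hunk says Molekule "refused to inform customers", but the body paragraph under it only supports "did not publicly acknowledge the issue or notify customers". With the {{Incomplete}} banner already noting that the researcher's report is the only source, the Description should use the same wording as the body and the page title (for example "did not inform customers") unless the cited report documents an explicit refusal. The date "30 Jan 2026" in the last sentence should also be written as "30 January 2026" to match "30 October 2025" earlier in the same paragraph.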