TODAY: 1 NEW BREACH·LAST 30 DAYS: 4·RECORDS THIS YEAR: 5.6M·MOST TARGETED: GOVERNMENT·TOP ORIGIN: France·LARGEST BREACH: MedCore Systems — S3 Bucket Exposure (4.2M)·GLOBAL THREAT LEVEL: NORMAL
BR-2024-11-0811 [MEDIUM] [IOT] PUBLIC

EcoTech Smart Home Vulnerability

Records: 85K
Date: 2024-11-08
Origin: Germany
Author: A. SCHEIN

INCIDENT REPORT

A critical API vulnerability in EcoTech Industries' smart home platform allowed unauthorized access to home temperature logs and device location metadata for approximately 85,000 devices.

The flaw was an unauthenticated endpoint in the device management API that returned raw sensor data without requiring a valid session token. Researchers at Sec-Research GmbH discovered the vulnerability during routine IoT security auditing.

EcoTech patched the endpoint within 48 hours of responsible disclosure. No financial data or personally identifying information beyond home geolocation was exposed.

EXPOSED DATA TYPES

Device Location
Home Temperature Logs
Device Identifiers
Usage Patterns

RAW LOG EXTRACTION [TRUNCATED]

// API: GET /v2/devices/{device_id}/telemetry — NO AUTH REQUIRED

{"device_id": "ECO-4421-DE", "lat": 52.52, "lon": 13.40, "temp_history": [...], "last_seen": "2024-11-08T09:12:00Z"}

[WARN: 85,000 devices enumerable via sequential device_id scan]
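
The access check the telemetry endpoint lacked, as an added example that is not EcoTech's code or part of the original report. It assumes an in-memory session store and device-ownership table; `SESSIONS`, `DEVICE_OWNER`, `TELEMETRY`, the function names and every value except the device ID `ECO-4421-DE` are constructed. A session token alone would still let any logged-in user walk sequential IDs, so the hardened handler also checks ownership.

```python
# Constructed sample data (assumptions, not taken from the report).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}            # token -> user
DEVICE_OWNER = {"ECO-4421-DE": "alice", "ECO-4422-DE": "bob"}  # device -> owner
TELEMETRY = {
    "ECO-4421-DE": {"lat": 52.52, "lon": 13.40, "last_seen": "2024-11-08T09:12:00Z"},
    "ECO-4422-DE": {"lat": 48.14, "lon": 11.58, "last_seen": "2024-11-08T09:13:00Z"},
}


def authenticate(auth_header):
    """Return the user behind a 'Bearer <token>' header, or None."""
    if not auth_header or not auth_header.startswith("Bearer "):
        return None
    return SESSIONS.get(auth_header[len("Bearer "):])


def get_telemetry_unauthenticated(device_id, auth_header=None):
    """Behaviour the report describes: raw data for any caller."""
    data = TELEMETRY.get(device_id)
    return (200, data) if data else (404, None)


def get_telemetry_hardened(device_id, auth_header=None):
    """Require a valid session and ownership of the requested device."""
    user = authenticate(auth_header)
    if user is None:
        return 401, None
    # Unknown device and someone else's device get the same 404, so a
    # logged-in caller cannot use the status code to map which IDs exist.
    if DEVICE_OWNER.get(device_id) != user:
        return 404, None
    return 200, TELEMETRY.get(device_id)


def readable_ids(handler, device_ids, auth_header=None):
    """Regression check: which of these IDs does the handler serve?"""
    return [d for d in device_ids if handler(d, auth_header)[0] == 200]


if __name__ == "__main__":
    ids = ["ECO-4421-DE", "ECO-4422-DE", "ECO-4423-DE"]
    print(readable_ids(get_telemetry_unauthenticated, ids))               # no token
    print(readable_ids(get_telemetry_hardened, ids))                      # no token
    print(readable_ids(get_telemetry_hardened, ids, "Bearer tok-alice"))  # owner only
```
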
