June 1, 2021

Reported a security vulnerability that still isn’t fixed. Where do I go from here?

Not really a tech person, so apologies if this is the wrong place to post this. Also going to be a bit vague with details for obvious reasons.

A while ago I got a home automation type thing that monitors energy use. The first thing I did was poke it a bit to see how it worked and I was able to get a shell with root privileges. At first I figured it was intentionally left open (it is my device and all), but it quickly became obvious that it wasn’t intentional. I found logins/passwords, encryption keys and such. This let me log in to the developers’ git repo, cloud services and pretty much everything.

With all of this I am able to access every installed device which is not a good thing. These devices are connected to domestic solar installations and have full access to the inverter over modbus, essentially giving me control of a small power plant worth of electricity.

I informed the company and they were very thankful; they paid me some money and said they’d be in contact once they’d fixed everything. It’s been a while since then, so I checked back a week or so ago and the issues are still there.

Where do I go from here? I can badger them again, but I’d be worried they’d paper over the holes and not really fix anything. I can disclose everything publicly, but they know who I am so I might get in trouble. I can also ignore it, but it’s a pretty nasty security flaw in what amounts to critical infrastructure.
