Bountied air purifier had a dirty data secret

A Molekule air filter with a speech bubble reading: "Hey Strangers! Here is my data"
Image credit: Dominik Zürner

I wonder how much you think about your data when you decide to buy an IoT device.

If you’ve been watching Louis’ channel for long enough, you probably think about it more than the average consumer. Maybe it’s your first thought. Maybe it’s something you weigh against the possible benefits that the device might bring to your life.

If you don’t think about it at all, a recent finding by cybersecurity researcher Dominik Zürner suggests that these ideas should probably come up sooner. Dominik found that Molekule air purifiers, which we targeted with a bounty last fall, had vulnerabilities that would allow “an unauthenticated attacker [to] access Molekule’s AWS IoT Core MQTT broker and subscribe to wildcard topics, receiving real-time device shadow updates from approximately 100,000 deployed IoT devices globally.”

You don’t need to be a cybersecurity expert to know that “receiving real-time device shadow updates from approximately 100,000 IoT devices globally” is not a good thing. Those updates included device owners’ WiFi network names, MAC addresses unique to each device, device names, and sensor readings.
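To make the "subscribe to wildcard topics" point concrete, here is an added example written for this post. It is not Molekule's code or AWS configuration, and the post does not say how the broker was reached or what policy was attached to the credential; both policy documents below are constructed, and the region, account ID and thing names are placeholders. The evaluator applies AWS IoT Core's own rule that MQTT wildcards (`+`, `#`) in a subscribe request are matched literally against the policy's `topicfilter` resource: a Subscribe grant on `topicfilter/*` lets any connection holding the credential subscribe to `$aws/things/+/shadow/update/accepted` and receive every device's shadow updates, while a grant pinned to `${iot:Connection.Thing.ThingName}` only matches the connecting device's own shadow.

```python
"""Added example: does an AWS IoT Core policy let a connection subscribe to
wildcard device-shadow topics? Not Molekule's code or configuration; both
policies below are constructed with placeholder region, account and names."""
import re

ARN = "arn:aws:iot:us-east-1:123456789012"  # placeholder region/account

# Constructed example of an over-broad device policy: any connection holding
# the credential may subscribe to, and receive on, every topic in the account.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/*"},
        {"Effect": "Allow", "Action": "iot:Subscribe", "Resource": f"{ARN}:topicfilter/*"},
        {"Effect": "Allow", "Action": "iot:Receive", "Resource": f"{ARN}:topic/*"},
    ],
}

# Constructed example of a scoped policy: a connection may only use its own
# thing name as the client ID and only touch its own device-shadow topics.
THING = "${iot:Connection.Thing.ThingName}"
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iot:Connect", "Resource": f"{ARN}:client/{THING}"},
        {"Effect": "Allow", "Action": "iot:Subscribe",
         "Resource": f"{ARN}:topicfilter/$aws/things/{THING}/shadow/*"},
        {"Effect": "Allow", "Action": ["iot:Receive", "iot:Publish"],
         "Resource": f"{ARN}:topic/$aws/things/{THING}/shadow/*"},
    ],
}

# Per-connection policy variables that pin a grant to the connecting identity.
POLICY_VARS = ("${iot:Connection.Thing.ThingName}", "${iot:ClientId}")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _arn_glob_to_regex(pattern: str) -> str:
    """Translate IAM-style resource wildcards (* and ?) into a regex.
    MQTT's own + and # are ordinary characters here, as they are in AWS IoT."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def _subscribe_statements(policy):
    for stmt in policy["Statement"]:
        actions = _as_list(stmt["Action"])
        if stmt["Effect"] == "Allow" and ("iot:Subscribe" in actions or "iot:*" in actions):
            yield stmt


def _topicfilter_pattern(resource: str):
    """Topic-filter part of a topicfilter ARN ("*" for a bare "*"), or None
    when the resource is of another type (client/, topic/, ...)."""
    if resource == "*":
        return "*"
    marker = ":topicfilter/"
    idx = resource.find(marker)
    return None if idx < 0 else resource[idx + len(marker):]


def subscribe_allowed(policy, topic_filter: str, thing_name: str) -> bool:
    """Simplified AWS IoT policy evaluation for a SUBSCRIBE from thing_name.
    Policy variables are replaced with the connecting thing's name and the
    requested filter (including any + or #) is matched literally. Explicit
    Deny statements are ignored, so this is an allow-list check only."""
    for stmt in _subscribe_statements(policy):
        for resource in _as_list(stmt["Resource"]):
            pattern = _topicfilter_pattern(resource)
            if pattern is None:
                continue
            for var in POLICY_VARS:
                pattern = pattern.replace(var, thing_name)
            if re.fullmatch(_arn_glob_to_regex(pattern), topic_filter):
                return True
    return False


def find_broad_subscribes(policy):
    """Subscribe resources not pinned to the connecting identity. Such a grant
    is exercisable by every holder of the credential, and with a wildcard ahead
    of the thing segment it reaches every device's topics."""
    flagged = []
    for stmt in _subscribe_statements(policy):
        for resource in _as_list(stmt["Resource"]):
            if _topicfilter_pattern(resource) is None:
                continue
            if not any(var in resource for var in POLICY_VARS):
                flagged.append(resource)
    return flagged


if __name__ == "__main__":
    probe = "$aws/things/+/shadow/update/accepted"  # one subscription, every device's shadow
    for name, policy in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "wildcard shadow subscribe allowed:",
              subscribe_allowed(policy, probe, "purifier-0001"))
        print(name, "unpinned Subscribe grants:", find_broad_subscribes(policy))
```

The check is deliberately conservative: it only answers whether an Allow statement reaches the filter, and it ignores Deny statements, so a "False" here means the subscription cannot succeed, while a "True" still needs the full policy read. The useful habit it encodes is that every `iot:Subscribe` and `iot:Receive` grant for a device credential should contain a per-connection variable such as `${iot:Connection.Thing.ThingName}`; a bare `topicfilter/*` turns one leaked or shared credential into a feed of the whole fleet.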

Cyber vulnerabilities can lead to harm IRL

To me, any knowledge that my data has been unduly accessed is a violation in its own right. But the Molekule vulnerability could lead to real-life harm if exploited by the wrong party. Tracking usage data could help a black hat hacker recognize when a user is or isn’t home. Knowledge of filter status combined with an easily identifiable WiFi name—such as one Colorado-based dentist’s office that Dominik found in the logs—could be leveraged to launch a hyper-targeted phishing scheme.

Dominik, who is a professional security analyst, will sometimes look under the hood of consumer devices in his free time. After hearing about our bounty targeting Molekule’s effort to prevent owners from using third-party filters, he borrowed his friend’s air purifier and got to work. Once he found the issue, he notified the company, in line with responsible disclosure practices.

Molekule’s response had some bugs as well. First, Dominik said, they offered him a $5,000 bounty for his finding. That’s a good thing—bug bounties can be an effective way to reward cybersecurity researchers for identifying problems that could lead to consumer harm so that companies can fix them before any damage is done.

The problem was that the company asked him to sign an overly strong NDA that “basically prevent[ed] me from ever discussing this vulnerability, even after a fix,” Dominik wrote in a GitHub post. “This is not how responsible disclosure should work,” so he declined the bounty.

According to Dominik, after he provided Molekule with details on how he gained access to user data, the company did not respond to his requests for updates until he posted the vulnerability 90 days after his initial disclosure. Shortly after that, the company responded and “mischaracterized the vulnerability as requiring ‘wrongful registration’ and claimed it would constitute ‘criminal trespass.’” Mischaracterization or not, the company also acknowledged that it had implemented a patch.

“It wouldn’t have been hard for them to be helpful throughout this process,” Dominik told me. “I’m not trying to do anything other than make sure their users are secure. Just be nice.”

We can’t take good behavior for granted

Being nice—or at least not being evil—is a good place to start. But our bounty program has already provided two reasons not to assume that IoT manufacturers are going to have our best interests at heart. In addition to Dominik’s cybersecurity concern, Nest bounty winner Cody Kociemba found that first- and second-generation Google Nest devices were phoning home with troves of user data after thermostat owners lost access to their smart features.

Protecting the cybersecurity research done by Dominik, Cody, and countless other public-interest-minded hackers is another reason that Sec. 1201 of the Digital Millennium Copyright Act needs reform. Whether on purpose or by accident, there is no guarantee that manufacturers will make sure that our data and our online lives are protected. Circumventing digital locks will always be necessary to ensure that they are. Researchers shouldn’t have to risk facing a maximum penalty of five years in prison and a $500,000 fine to verify that consumers are protected.

At the end of the day, ownership is about knowledge as much as it is about control. That’s why we’re continuing to push for policies that protect researchers just as much as they protect the fixers, tinkerers and owners of the digital devices that have become so central to our lives.