Mind-boggling design choices aside, I was pleasantly surprised to see that this company took the disclosure seriously. Too often small firms don't really know how to address these situations and just fire off a "how dare you hack us, we'll sue you!" response instead.
Nice response from the company, pity they made that many mistakes. Please note that this is not exceptional at all. APIs and underwater calls from web pages and apps to access some functionality are <i>rife</i> with bugs and security holes, the stuff you find makes your hair stand on end. Also, the SCADA world (which this product is a part of) is not exactly known for great focus on security, if there is security at all it's surprising, more likely it is just obscurity. These systems are used to remotely control building facilities such as heating, lighting, air-conditioning and all kinds of alarms.<p>One system I'm familiar with (I won't name any brands because this is a legacy system and imo impossible to fix without a total replacement) is based on the BASIC stamp and will accept UDP packets where every bit in the payload is the status of an output and will respond with a UDP packet detailing the inputs. Guess what happens if you start hitting those ports with payloads of 'all 1' and 'all 0' alternating every second or so...
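To make the protocol described in the comment above concrete, here is an added example (not the commenter's system, and not any real product's code) that models a bit-per-output UDP controller, replays the alternating all-1/all-0 pattern against it, and shows two things a practitioner would want beside it: a passive detector for that toggle storm, and the counter-plus-HMAC framing the protocol lacks. The 16-output width, the input wiring, the sender address and the key are all assumptions of the example; time is simulated so it runs offline without sockets.

```python
"""Model of an unauthenticated bit-per-output UDP controller (constructed
example; the width, wiring and key below are assumptions, not a real device)."""
import hashlib
import hmac
import struct
from collections import defaultdict, deque

NUM_OUTPUTS = 16  # assumed: 16 digital outputs -> 2-byte command payload
NUM_INPUTS = 16   # assumed: 16 digital inputs  -> 2-byte reply payload


def decode_outputs(payload: bytes) -> list:
    """Bit i of the payload (LSB first) is the commanded state of output i.
    Short payloads read missing bits as 0; extra trailing bytes are ignored."""
    return [bool((payload[i // 8] >> (i % 8)) & 1) if i // 8 < len(payload) else False
            for i in range(NUM_OUTPUTS)]


def encode_bits(states) -> bytes:
    """Inverse of decode_outputs: pack a list of booleans LSB first."""
    out = bytearray((len(states) + 7) // 8)
    for i, s in enumerate(states):
        if s:
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)


class Controller:
    """The weak design: any datagram from anyone sets every output at once,
    and the reply leaks every input. No sender check, no counter, no tag."""

    def __init__(self):
        self.outputs = [False] * NUM_OUTPUTS
        self.inputs = [False] * NUM_INPUTS

    def handle(self, payload: bytes) -> bytes:
        self.outputs = decode_outputs(payload)
        # Assumed wiring for the simulation: input i reads back output i
        # (as a relay contact would). Real inputs would be field sensors.
        self.inputs = list(self.outputs)
        return encode_bits(self.inputs)


class ToggleStormDetector:
    """Passive monitor (fed from a mirror port): flags a sender that keeps
    flipping the whole output bank between all-0 and all-1 inside a window."""

    def __init__(self, window_s: float = 10.0, max_flips: int = 4):
        self.window_s = window_s
        self.max_flips = max_flips
        self.history = defaultdict(deque)  # sender -> deque of (time, level)

    def observe(self, sender: str, payload: bytes, now: float) -> bool:
        """Return True once `sender` exceeds max_flips all-0/all-1 flips in the window."""
        states = decode_outputs(payload)
        if all(states):
            level = 1
        elif not any(states):
            level = 0
        else:
            return False  # mixed pattern: looks like ordinary operation
        hist = self.history[sender]
        hist.append((now, level))
        while hist and now - hist[0][0] > self.window_s:
            hist.popleft()
        levels = [lvl for _, lvl in hist]
        flips = sum(1 for a, b in zip(levels, levels[1:]) if a != b)
        return flips >= self.max_flips


def simulate_storm(seconds: int = 6, period_s: float = 1.0, sender: str = "10.0.0.99"):
    """Replay the comment's attack against the model with simulated time.
    Returns (time of first detector alert or None, final output states)."""
    ctl, det = Controller(), ToggleStormDetector()
    all_on, all_off = encode_bits([True] * NUM_OUTPUTS), encode_bits([False] * NUM_OUTPUTS)
    first_alert, t, n = None, 0.0, 0
    while t < seconds:
        payload = all_on if n % 2 == 0 else all_off
        ctl.handle(payload)  # every packet is obeyed; the relays chatter
        if first_alert is None and det.observe(sender, payload, t):
            first_alert = t
        n, t = n + 1, t + period_s
    return first_alert, ctl.outputs


def seal_frame(key: bytes, counter: int, payload: bytes) -> bytes:
    """What the protocol lacks: a 4-byte counter plus a 16-byte HMAC-SHA256 tag
    over counter and payload, so forged or replayed datagrams are rejected."""
    header = struct.pack(">I", counter) + payload
    return header + hmac.new(key, header, hashlib.sha256).digest()[:16]


def open_frame(key: bytes, last_counter: int, frame: bytes):
    """Return (counter, payload), or None if the tag is wrong or the counter replays."""
    if len(frame) < 4 + 16:
        return None
    header, tag = frame[:-16], frame[-16:]
    expected = hmac.new(key, header, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    counter = struct.unpack(">I", header[:4])[0]
    if counter <= last_counter:
        return None
    return counter, header[4:]


if __name__ == "__main__":
    alert_at, final_outputs = simulate_storm()
    print("first toggle-storm alert at t=%s s, outputs now %s" % (alert_at, encode_bits(final_outputs).hex()))
```

The detector only fires on whole-bank flips, so a normal operator toggling one zone's heating never trips it; an attacker can of course vary the pattern, which is why the sealed frame, not the detector, is the real fix.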
Nice to see them respond and even address some of the issues. I know security is a big craze right now, so it seems insane people would put systems online without any real meaningful controls, but the reality is that until recently, most went untested and were viewed as unnecessary (https everywhere? Are you crazy? https is expensive!).<p>I think it's only in the wake of these big public disclosures, and the reduction in cost for controls, that people are taking notice. The problem is, we have decades upon decades of very immature software out there, and very little economic incentive to pre-emptively secure it. Depending on the information they host, it may simply never be fiscally sound to properly secure them.
Good find, and pretty shocking! What's the legal status of something like this? I think in the UK it would be counted as bypassing authentication and <i>technically</i> you could be prosecuted under the CMA (happy to be corrected on that...)