Molekule did not disclose air purifier data vulnerability: Difference between revisions
No edit summary
Added archive URLs for 6 citation(s) using CRWCitationBot
| Line 16: | Line 16: | ||
Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" /> | Molekule is a consumer electronics company that manufactures internet-connected air purifiers. The company's products connect to the internet via WiFi and communicate with cloud-based servers, allowing users to monitor and control their devices through a mobile application. Like many Internet of Things (IoT) devices, Molekule's air purifiers transmit operational data such as air quality readings, device status, and network information, to the company's servers on an ongoing basis.<ref name="zuernerd" /> | ||
Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02}}</ref> | Molekule's backend infrastructure uses Amazon Web Services (AWS). Specifically, it uses AWS IoT Core, a managed service for device-to-server communication via the MQTT messaging protocol, and AWS Cognito, a service for managing user identity and authentication. 
AWS Cognito identity pools can be configured to grant temporary AWS credentials to both authenticated users and unauthenticated "guest" users who have not logged in.<ref name="aws-cognito">{{Cite web |title=Identity pools console overview |url=https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |website=Amazon Cognito Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251222022721/https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html |archive-date=22 Dec 2025}}</ref> AWS's own security guidance for IoT Core states that all devices and users should have policies that only allow them to connect with known client identifiers and to publish and subscribe to a defined set of topics, following the principle of least privilege.<ref name="aws-iot-security">{{Cite web |title=Security best practices in AWS IoT Core |url=https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |website=AWS IoT Core Developer Guide |publisher=Amazon Web Services |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260209134515/https://docs.aws.amazon.com/iot/latest/developerguide/security-best-practices.html |archive-date=9 Feb 2026}}</ref> | ||
==Vulnerability discovery and details== | ==Vulnerability discovery and details== | ||
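Review bot: the `archive-date` values added to the aws-cognito and aws-iot-security citations (`22 Dec 2025`, `9 Feb 2026`) are in a different format from the `access-date` values already in the same templates (`2026-02-02`); pick one format per citation, e.g. `|archive-date=2025-12-22` and `|archive-date=2026-02-09`. The new `archive-url` values also use `http://web.archive.org/...`; the `https://` form of the same snapshot URL works and avoids the redirect. The right-hand column additionally shows the paragraph broken after "authentication." where the left-hand column has it on one line; if the bot really inserted that newline it does not change rendering in wikitext, but it is a spurious change that should not be part of a citation-only edit.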
| Line 49: | Line 49: | ||
===Regulatory significance of exposed data=== | ===Regulatory significance of exposed data=== | ||
The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02}}</ref> | The researcher asserted that several categories of the exposed data constitute personal data under major privacy regulations. 
Under the European Union's General Data Protection Regulation (GDPR), Article 4(1) defines personal data broadly as any information relating to an identified or identifiable natural person, including by reference to an "online identifier."<ref name="gdpr-art4">{{Cite web |title=Art. 4 GDPR – Definitions |url=https://gdpr-info.eu/art-4-gdpr/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260206212130/https://gdpr-info.eu/art-4-gdpr/ |archive-date=6 Feb 2026}}</ref> Recital 30 of the GDPR elaborates that natural persons may be associated with identifiers provided by their devices, such as internet protocol addresses and radio frequency identification tags, which may be used to create profiles and identify individuals.<ref name="gdpr-recital30">{{Cite web |title=Recital 30 – Online Identifiers for Profiling and Identification |url=https://gdpr-info.eu/recitals/no-30/ |website=General Data Protection Regulation (GDPR) |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251209021409/https://gdpr-info.eu/recitals/no-30/ |archive-date=9 Dec 2025}}</ref> Legal analyses have concluded that MAC addresses of personal devices are to be considered personal data under the GDPR, following the reasoning of the Court of Justice of the European Union in ''Breyer v. Bundesrepublik Deutschland'' (Case C-582/14), which held that dynamic IP addresses can constitute personal data when a controller has the means to identify an individual.<ref name="techgdpr">{{Cite web |title=WiFi-Tracking and Retail Analytics under the GDPR |url=https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |website=TechGDPR |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20251007021401/https://techgdpr.com/blog/wifi-tracking-retail-analytics-gdpr/ |archive-date=7 Oct 2025}}</ref> | ||
Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02}}</ref> | Under the California Consumer Privacy Act (CCPA), a "unique identifier" is defined as a persistent identifier that can be used to recognise a consumer, family, or device over time and across services, explicitly including device identifiers.<ref name="ccpa-definitions">{{Cite web |title=Section 1798.140 – Definitions |url=https://www.consumerprivacyact.com/section-1798-140-definitions/ |website=Consumer Privacy Act |access-date=2026-02-02}}</ref> | ||
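Review bot: the ccpa-definitions citation at the end of this region is the only reference in it left without an `archive-url`/`archive-date` pair, while the three GDPR-related citations (gdpr-art4, gdpr-recital30, techgdpr) were archived in the same pass; for consistency, archive `https://www.consumerprivacyact.com/section-1798-140-definitions/` too. As with the other archived citations, the `archive-date` values here (`6 Feb 2026`, `9 Dec 2025`, `7 Oct 2025`) do not match the ISO `access-date=2026-02-02` format in the same templates, and the `archive-url` values use `http://` rather than `https://` for web.archive.org.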
| Line 56: | Line 56: | ||
==Timeline of detection, patching, and disclosure== | ==Timeline of detection, patching, and disclosure== | ||
The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02}}</ref> | The researcher followed a 90-day responsible disclosure process, as is common practice within the cybersecurity industry.<ref name="pz-faq">{{Cite web |title=Vulnerability Disclosure FAQ |url=https://projectzero.google/vulnerability-disclosure-faq.html |website=Project Zero |publisher=Google |access-date=2026-02-02 |archive-url=http://web.archive.org/web/20260213213804/https://projectzero.google/vulnerability-disclosure-faq.html |archive-date=13 Feb 2026}}</ref> | ||
Within his report, the researcher presented the following timeline of events: | Within his report, the researcher presented the following timeline of events: | ||
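Review bot: in the pz-faq citation the added `archive-url` uses the plain `http://` scheme for web.archive.org and the `archive-date` (`13 Feb 2026`) is formatted differently from the `access-date` (`2026-02-02`) in the same template; suggest `|archive-url=https://web.archive.org/web/20260213213804/https://projectzero.google/vulnerability-disclosure-faq.html |archive-date=2026-02-13`. The timeline sentence that follows is unchanged context and needs nothing.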