Aurornis 5 hours ago

The vulnerability was in their backend cloud structure. The backend wasn't restricting access to only devices associated with your account.

> Out of sheer laziness, I connected to the Mysa MQTT server and subscribed to the match-everything wildcard topic, #. I was hoping I’d see messages from a few more MQTT topics, giving me more information about my Mysa devices.

> Instead, I started receiving a torrent of messages from every single Internet-connected production Mysa device in the whole world.

The devices had unique IDs, but they were all connected to one big MQTT pub/sub system that didn't even try to isolate anything.

It's lazy backend development. This happens often in IoT products where they hire some consultant or agency to develop a proof of concept, the agency makes a prototype without any security considerations, and then they call it done because it looks like it works. To an uninformed tester who only looks at the app it appears secure because they had to type in their password.
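The missing check described above is per-account topic authorization: a device or app session should only be able to subscribe to filters whose every matching topic belongs to that account, and a filter such as `#` or `devices/+/status` must be refused because it reaches other customers' devices. The following is an added example, not Mysa's code or the commenter's; the `devices/<device_id>/...` topic layout, the account-to-device mapping and the sample topics are constructed assumptions.

```python
"""Per-account MQTT topic-filter authorization (added example, assumptions noted).

Topic layout assumed: devices/<device_id>/<anything>. The broker (or an auth
plugin in front of it) would call allowed_filter() on every SUBSCRIBE before
accepting it; leaked_topics() shows what an unrestricted broker would deliver.
"""

# Constructed sample data: which device ids each account owns.
ACCOUNT_DEVICES = {
    "alice": {"dev-0001", "dev-0002"},
    "bob": {"dev-0003"},
}

# Constructed sample of topics currently published on the broker.
SAMPLE_TOPICS = [
    "devices/dev-0001/status",
    "devices/dev-0002/setpoint",
    "devices/dev-0003/status",
    "devices/dev-0003/firmware/version",
]


def allowed_filter(account: str, topic_filter: str) -> bool:
    """True only if every topic the filter could match belongs to `account`.

    MQTT semantics: '+' matches exactly one level, '#' matches all remaining
    levels and is only valid as the last level. Any wildcard at or before the
    device-id level can reach other accounts' devices, so it is rejected.
    """
    levels = topic_filter.split("/")
    if "#" in levels[:-1]:
        return False  # malformed: '#' must be the final level
    if len(levels) < 2:
        return False  # '#', '+' or 'devices' alone all escape the scope
    root, device_id = levels[0], levels[1]
    if root != "devices" or device_id in ("+", "#"):
        return False
    return device_id in ACCOUNT_DEVICES.get(account, set())


def topic_matches(topic_filter: str, topic: str) -> bool:
    """Standard MQTT filter matching, used to audit what a filter delivers."""
    f = topic_filter.split("/")
    t = topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t):
            return False
        if level != "+" and level != t[i]:
            return False
    return len(f) == len(t)


def leaked_topics(account: str, topic_filter: str, all_topics: list) -> list:
    """Topics the filter would deliver that `account` does not own.

    On a broker with no authorization this is exactly the cross-customer data
    the subscription would receive.
    """
    own = ACCOUNT_DEVICES.get(account, set())
    leaks = []
    for topic in all_topics:
        if not topic_matches(topic_filter, topic):
            continue
        parts = topic.split("/")
        if len(parts) < 2 or parts[0] != "devices" or parts[1] not in own:
            leaks.append(topic)
    return leaks


if __name__ == "__main__":
    for flt in ("#", "devices/+/status", "devices/dev-0001/#"):
        verdict = "allow" if allowed_filter("alice", flt) else "reject"
        print(f"alice subscribes to {flt!r}: {verdict}; "
              f"would leak {leaked_topics('alice', flt, SAMPLE_TOPICS)}")
```

The same policy is usually expressed declaratively in the broker rather than in code: Mosquitto, for example, supports ACL `pattern` rules that substitute the authenticated username or client id into the permitted topic prefix. Either way it only works if each device and app session authenticates with its own identity; a single shared credential leaves the broker with nothing to scope on.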

JoshTriplett 4 hours ago | parent

> The vulnerability was in their backend cloud structure.

The vulnerability is in having a backend cloud structure.

(There are plenty of ways to provide remote access without that, and no other feature warrants it.)

jcgrillo 2 hours ago | parent

Not sure why this is being downvoted, it's a pervasive flaw across all these IoT products. See my description elsewhere here about how Haier "smart" controls work. It's completely insane, and pointless. For systems that can't fail--I include heating systems in the winter--this kind of "move fast and break shit" way of doing it is malpractice. The last thing in the entire world I want my furnace controls doing is an automatic OTA firmware update. Ever.

JoshTriplett 2 hours ago | parent

Exactly. I want a "smart thermostat" that's entirely under my control, not the manufacturer's.