U.S. power and electronics giant Eaton has fixed a security vulnerability that allowed a security researcher to remotely access thousands of smart security alarm systems.
Security researcher Vangelis Stykas said he found the vulnerability in Eaton’s SecureConnect, a cloud-based system that allows customers to remotely access, manage, and arm and disarm their security alarm systems from a mobile app.
Stykas said the vulnerability allowed anyone to sign up as a new user and assign that account to any other group of users, including a “root” group, which has access to all of the smart alarm systems connected to Eaton’s cloud.
The vulnerability is known as an insecure direct object reference, or IDOR, a class of security bug that allows unchecked access to files, data, or user accounts because of weak or lacking access controls on a server. Stykas said the bug was easy to exploit using adversary-in-the-middle tools like Burp Suite by intercepting the new user’s group number and swapping it with the number of the root group, which was simply “1”.
Stykas said adding a user to the root group “gave access to everything,” including the registered user’s name and email address, and the location of every connected security alarm system. Stykas said that the access could have allowed a potential attacker to remotely control security alarm systems connected to Eaton’s cloud — though he did not attempt this.
In a security notification published to its website, Eaton confirmed the bug was discovered in its group access authorization logic.
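The class of flaw described above, as an added example that is not Eaton's code: a sign-up handler that trusts a group number sent by the client, beside a version that assigns the group server-side and checks authorization before anyone joins an existing group. The data model, function names and the starting group number 100 are assumptions; only the root group being "1" comes from the article.

```python
# Added illustration with hypothetical names; not Eaton's code or API.
from dataclasses import dataclass, field

ROOT_GROUP_ID = 1  # per the article, the root group's number was simply "1"

class Forbidden(Exception):
    pass

@dataclass
class Directory:
    groups: dict = field(default_factory=dict)  # group_id -> set of members
    admins: dict = field(default_factory=dict)  # group_id -> users who may add members
    audit: list = field(default_factory=list)   # security-relevant events
    next_group_id: int = 100                    # constructed starting value

def register_vulnerable(d, username, requested_group_id):
    """IDOR: the group number in the request is used without any check."""
    d.groups.setdefault(requested_group_id, set()).add(username)
    return requested_group_id

def register_hardened(d, username, requested_group_id=None):
    """New accounts always get a fresh group chosen by the server."""
    if requested_group_id is not None:
        # A client naming its own group at sign-up is worth recording.
        d.audit.append(("ignored_client_group", username, requested_group_id))
    gid = d.next_group_id
    d.next_group_id += 1
    d.groups[gid] = {username}
    d.admins[gid] = {username}
    return gid

def add_member(d, actor, target_user, group_id):
    """Joining an existing group requires an actor who administers it."""
    if actor not in d.admins.get(group_id, set()):
        d.audit.append(("denied_group_add", actor, target_user, group_id))
        raise Forbidden(f"{actor} may not add members to group {group_id}")
    d.groups[group_id].add(target_user)
    d.audit.append(("group_add", actor, target_user, group_id))

def demo():
    weak = Directory(groups={ROOT_GROUP_ID: {"ops"}}, admins={ROOT_GROUP_ID: {"ops"}})
    register_vulnerable(weak, "newuser", ROOT_GROUP_ID)
    fixed = Directory(groups={ROOT_GROUP_ID: {"ops"}}, admins={ROOT_GROUP_ID: {"ops"}})
    register_hardened(fixed, "newuser", ROOT_GROUP_ID)
    return "newuser" in weak.groups[1], "newuser" in fixed.groups[1]
```

The audit entries written on every ignored or denied request are the kind of record that lets an operator check afterwards whether anyone tried the same group swap.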
Jonathan Hart, a spokesperson for Eaton, said the vulnerability was fixed in May. Hart declined to say how many smart alarm customers Eaton has, though Stykas said the number of Eaton-connected smart alarm systems was in the high tens of thousands.
Eaton declined to say if the vulnerability allowed the remote control of connected security alarm systems. Eaton said the vulnerability was “verified to be a single event,” but did not say how it came to this conclusion or if the company has the technical means, such as logging systems, to determine if the vulnerability was previously discovered or exploited.
