Issue 19: Half of Amazon’s top-selling smart devices found vulnerable

This week, we look into the latest vulnerabilities, patches that TLS libraries require, and best practices for token management security.


You’d think casinos are at the forefront of security, after all they handle money. Apparently, this is not always the case. Atrient’s digital rewards kiosks for casinos used public unencrypted APIs to communicate with the backend servers. Thus, anyone could listen the traffic containing customers’ personal information. Attackers could even submit data, like add credit for themselves.

Turns out the smart Electric Scooter by Xiaomi (M365) has unprotected APIs. Although the mobile app has password protection, behind the scenes, the application is invoking APIs with no authentication required.

Smartwatches from well-known brands can have vulnerable APIs, too. The APIs behind Lenovo Watch X do not use encryption at all. Information (such as username, password, and location) is sent as cleartext. Knowing the username is all it takes to take control over someone’s watch. See also our earlier smartwatch breach reports in Issue 18 and Issue 7.

Patch Required

There has been a new successful Bleichenbacher attack on TLS v3. Attackers can cause TLS to downgrade to v2 and get exploited. If your TLS/SSL library is older than November 2018, upgrade it asap!


Researchers from University of Michigan and Universidade Federal Rural de Pernambuco have looked into the security of top-selling smart devices on Amazon.  They took 96 Wi-Fi and Bluetooth-enabled devices, and analyzed the smartphone apps that control these devices. The basic API and network security of these apps turned out to be quite bad:

  • 31% of the apps had no encryption at all.
  • 19% of the apps had hard-coded keys.

Best Practices

Isabelle Mauny from 42Crunch has published her Token Management Security Best Practices. Here’s a quick overview on the table of contents :

  • Trust no one
  • Obtaining tokens and API keys
  • Token management
  • Don’t hardcode secrets
  • OAuth is not for authentication
  • JWT content and access
  • JWT validation

Subscribe to API Security weekly newsletter at

Get API Security news directly in your Inbox.

By clicking Subscribe you agree to our Data Policy