Gardyn Home Kit and Studio Unauthenticated Access Vulnerability

Vulnerability

A vulnerability exists in the Gardyn Home Kit and Gardyn Studio ecosystems, allowing unauthenticated users to access and control edge devices. This includes management functions through an administrative endpoint, as well as access to cloud-based devices and user information. The issue arises from specific administrative endpoints that are accessible without proper authentication, exposing device management functions. Successful exploitation could also allow pivoting to other edge devices managed in the Gardyn cloud environment.

Impact

Exploitation of this vulnerability could lead to unauthorized access and control over Gardyn edge devices, allowing manipulation of device functions such as lighting and watering. Additionally, it could enable access to personal information, including names, addresses, phone numbers, and email addresses, as well as plant photos. In the context of the Gardyn ecosystem, this vulnerability could also allow unauthorized access to other edge devices managed in the Gardyn cloud environment.

Remediation

Users are advised to update their Gardyn Home Kit and Studio devices to firmware version master.622 or later. For the Gardyn mobile application, users should update to version 2.11.0 or later. Further information on Gardyn security can be found on the Gardyn security webpage. Customer support is available through the Gardyn Help Center or via email.

Added: Apr 3, 2026, 9:23 PM
Updated: Apr 3, 2026, 9:23 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.4
remediation: 0.0
relevance: 5.2
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.