vpnMentor has revealed that nearly 2.7 billion records belonging to Mars Hydro, a China-based company specializing in IoT grow lights and remote control applications, were left unprotected.
The database, lacking encryption or password protection, contained 2.7 billion records, totaling 1.17 TB, cybersecurity researcher Jeremiah Fowler reported.
The exposed information included logging, monitoring, and error records for IoT devices globally. Upon closer analysis, over 100 million records contained sensitive details such as Wi-Fi network names (SSIDs), passwords, IP addresses, and device ID numbers. Furthermore, records linked to control devices such as smartphones running the IoT application specified operating systems, including iOS and Android.
The leaked data was also traced to a California-registered company, LG-LED Solutions, alongside API details and URLs associated with Mars Hydro, Spider Farmer, and LG-LED Solutions, which produce grow lights, fans, and cooling systems.
Several records labeled with identifiers such as “Mars-pro-iot-error” and “SF-iot-error” suggested connections to IoT error logging. The presence of SSID credentials and additional log details, such as tokens, app versions, device types, and IP addresses, posed serious security concerns. According to Made in China, Mars Hydro is a Shenzhen-based LED grow light manufacturer with warehouses in the UK, US, and Australia.
Upon discovering the breach, Jeremiah Fowler issued a disclosure notice to LG-LED Solutions and Mars Hydro. The database was secured within hours, preventing further public access, though no official response was received.
A follow-up inquiry to Mars Pro’s customer support confirmed that the application belonged to Mars Hydro, yet it remains unclear if the database was managed by LG-LED Solutions or a third-party contractor. The duration of exposure is unknown, and only an internal forensic audit could determine whether unauthorized access occurred before its discovery.
The Mars Pro application, available on iOS and Android, supports multiple languages, including English, French, German, and Chinese. However, its privacy policy on Google Play and the Apple App Store states that it does not collect user data, raising concerns about why connectivity details and credentials were found in logs.
One potential explanation is that IoT devices automatically capture and store this information upon connection to a local network. Regardless of how it was gathered, the exposed data raises significant questions regarding IoT security and network privacy. Additionally, the privacy policy links to LG-LED Solutions and provides access to the Android application’s APK file via Mars Hydro’s official website.
The exposed Mars Hydro database suggests that connected devices and applications collect extensive user information. In a worst-case scenario, this data could be exploited for surveillance, man-in-the-middle attacks, network mapping, and other cyber threats.
While there is no evidence that Mars Hydro or its affiliated companies have malicious intent, storing this information in an unprotected format presents significant risks. Cybercriminals could manipulate IoT devices remotely, adjusting settings for lights, fans, or temperature controls, potentially disrupting agricultural operations.
Remote network intrusions through unsecured Wi-Fi networks are a well-documented risk. In November 2024, Russian military hackers from the GRU’s Unit 26165, also known as APT28 or Fancy Bear, executed a “nearest neighbor attack” in Washington, D.C., targeting an organization supporting Ukraine.
By compromising a nearby organization’s Wi-Fi network, attackers gained access to the target’s infrastructure. This method allows cybercriminals to exploit weak network security and jump between trusted connections, making detection challenging without active monitoring.
The exposure of Wi-Fi SSID credentials in the Mars Hydro incident presents security risks. Attackers with access to network names, passwords, MAC addresses, and IP addresses could potentially connect to networks remotely and carry out cyberattacks.
By infiltrating a device, hackers could intercept data, perform packet sniffing, or deploy malware. Additionally, IoT devices with known firmware vulnerabilities could be hijacked for botnets and large-scale distributed denial-of-service (DDoS) attacks.
Baburajan Kizhakedath