[Security Risk] Able to Claim Pre-claimed Photon/P1s Without Owner Permission

I ran a few tests today and discovered that apparently anyone with a particle account can claim a pre-claimed P1 without original owner’s permission. The process is the same as setting up a Photon on the Particle app. With the core it used to be one has to ask permission of the original owner via e-mail or resolve through hello@particle.io.

This discovery seems to be a rather great security risk. For instance, I was able to use my Particle account to claim the P1 on an on-the-shelf product (so now I have to contact the company to resolve this).

Is there any firmware mechanism or account settings that prevent this from happening? If so, I don’t see the option. We cannot ship products with a security risk like this.

Any advice here is appreciated!

That was changed a long time back, due to the fact that people just claimed their devices to a wrong account (e.g. due to typos) and as there were more and more devices in peoples hands Particle had to jump through hoops to establish the legitimate owners and transfer ownership much too often.

But I think if you got a PRODUCT_ID set in your product, claiming such a device should not be that easy.

There was a longish discussion about this in the background after this decission, but the outcome was that the risk would be managable :wink:

Maybe @zachary can chime in on this.


Great question @bing1106, but @ScruffR is correct, this was a very intentional decision.

With the Core, the inability to transfer device ownership caused huge pains for :particle: users and for us internally. We made the decision when moving to the Broadcom architecture and soft AP setup that physical access equals virtual access. This means, for instance, that if you lend a Photon to your friend, she can claim it and use it, and when she gives it back to you, you can claim it and use it, all without issue.

There is more to the story though.

If you create a product on the :particle: platform, normal Particle users can not claim the device. Only your customers can claim the device. Also, the whole setup and claiming process only works if the device is in setup mode. You can’t wirelessly claim any random nearby device after it’s been set up. You have to be able to physically touch it to put it into setup mode. Product creators can decide how they want customers to put their devices into setup mode. It doesn’t have to be a button like on the Photon, but that’s a common way.

As for the device on the shelf that contained a P1 that you claimed — if that was possible, then the product creator hasn’t done a good job of using our platform and probably has not read the How to Build a Product guide! (It’s also possible that you were able to get the device online but weren’t actually successful in claiming it to your account.) In any case, it’s not a problem — the person who later buys the product will be able to claim the device without issue when they take it home.

Hope that helps explain things!


Thanks @ScruffR and @zachary for the explanations. I remember back in my Core days I had indeed run into some device ownership transfer issues (don’t recall what exactly :slight_smile: )

It makes sense with the product claiming when only the customer can claim the device. However, if the product is to be put in an office or classroom it would be physically accessible to anyone (besides the customer). I will just have to verify that it works in the production setting. I guess the on the shelf product I mentioned might have missed some steps in setting up the product since I was able to not only setup WiFi but also claim the P1 under a non-registered customer email :particle: account. Strangely enough I was able to add an unclaimed P1 to their service…

I was not able to find a specific passage in the How to Build a Product page that explains unauthorized claiming though much of the claiming and authentication process happens behind the scene.

I will dig deeper into this and do some experiments. Thanks for the help guys!