Update: Temporarily removed

06/29/2025:

Loftie reached out to me when they became aware of this vulnerability; they are taking it very seriously, have put mitigations in place, and are working around the clock on a comprehensive fix. I agreed to remove the technical details on this page until after their update is rolled out.

Update: Mitigation

01/05/2025:

At the time of this update there was no official fix. I patched my clock to use an MQTT broker on my network, and my notes on this can be found here: https://github.com/iank/alarmclock-firmware.

This also gets me Home Assistant integration, which was my original goal..

Last modified on 2025-06-30