Abusing the Internet of Things

(Rick Simeone) #1
POST /set-wifi/ HTTP/1.1
Host: 10.0.0.1
Accept: */*
Proxy-Connection: keep-alive
Accept-Language: en-us
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Origin: http://control.littlebitscloud.cc
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/600.3.18 (KHTML, like Gecko) Version/8.0.3 Safari/600.3.18
Connection: keep-alive
Content-Length: 92
Referer: http://control.littlebitscloud.cc/
DNT: 1

ssid=TOUCHOFCLASS&mac=771FA1263FEC&security=wpa2&encryption=on&password=topsecretpassword

Here is the response from the cloudBit:

HTTP/1.1 200 OK
Access-Control-Allow-Headers: Authorization, Content-Type, If-None-Match
Access-Control-Allow-Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: WWW-Authenticate, Server-Authorization
Access-Control-Max-Age: 86400
Content-Type: application/json; charset=utf-8
Date: Sun, 08 Mar 2015 05:34:07 GMT
Server: lighttpd/1.4.35
Content-Length: 20

{ "success": true }

After sending the response, the cloudBit will hop on the TouchOfClass WiFi network
using the credential topsecretpassword. This lets the cloudBit reach the littleBits cloud
infrastructure, allowing us to control the module from the http://control.littlebitscloud.cc website.

The security issue to keep in mind here is that the temporary WiFi network exposed by
the cloudBit is not secured or encrypted. This means that anyone within range of the
temporary network can also join the network. Furthermore, the POST /set-wifi/ request to the
cloudBit is not encrypted using TLS or any other mechanism, allowing a rogue party that has
joined the network to easily capture the user’s home network WiFi credentials.
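
A check a device tester could run over a captured setup request to flag this condition, as an added example that is not code from the book or from littleBits. The function name, the list of sensitive field names, and the abbreviated sample capture are assumptions made for illustration; findings name the field but never echo its value.

```python
from urllib.parse import parse_qs

# Assumed names for secret-bearing form fields; "password" is the one on the page.
SENSITIVE_FIELDS = {"password", "passphrase", "psk", "key"}

# Constructed capture: the page's POST /set-wifi/ request with headers abbreviated.
SAMPLE_REQUEST = (
    b"POST /set-wifi/ HTTP/1.1\r\n"
    b"Host: 10.0.0.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"\r\n"
    b"ssid=TOUCHOFCLASS&mac=771FA1263FEC&security=wpa2&encryption=on"
    b"&password=topsecretpassword"
)


def audit_provisioning_request(raw, over_tls, ap_encrypted):
    """Return findings for one captured request; secret values are never echoed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if "x-www-form-urlencoded" not in headers.get("content-type", ""):
        return []  # only form-encoded bodies are inspected here
    fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
    findings = []
    for field in sorted(f for f in fields if f.lower() in SENSITIVE_FIELDS):
        where = f"{method} {path} field '{field}'"
        if not over_tls:
            findings.append(f"{where}: sent over plain HTTP, readable on the wire")
        if not ap_encrypted:
            findings.append(f"{where}: setup network is open, any station in range can join")
    return findings


if __name__ == "__main__":
    # The cloudBit setup flow as the page describes it: open AP, no TLS.
    for finding in audit_provisioning_request(SAMPLE_REQUEST, False, False):
        print(finding)
```
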

The risk of this issue is relatively low, since the attacker has to be within the vicinity of the
network and has to act within the window of time when the user configures his cloudBit.
However, as we have discussed in previous chapters, any computing device that has been
remotely compromised and is within vicinity can continuously scan for temporary cloudBit
WiFi networks and hop onto them to capture credentials—that is, an attacker with access to a


206 CHAPTER 7: SECURE PROTOTYPING—LITTLEBITS AND CLOUDBIT