The hub tool located on secure.lifethings.com allowed the service agents to easily check
and change the status of devices connected to the LifeThings hub. This made it easy for them
to quickly assist customers who were having trouble with certain devices, and even help in
cases where the customers were locked out of their homes.
Total Ownership
Exactly a year after exposing the caller ID spoofing security issue, the researchers were sched-
uled to present at a security conference. They wondered if they could analyze the LifeThings
system further. After unscrewing the top cover of their LifeThings hub, they located a micro
SD card on which they found a filed called /etc/config with the following contents:
SSH_REMOTE=secure.lifethings.com
[email protected]
MD5=93a4c0c0da435f4434f828c95cf70d6aThey were able to quickly find out that secure.lifethings.com was running an SSH ser-
vice they could use to log in to the server. They assumed the username was research
[email protected] since it was assigned to the string USER in the /etc/config file and it was their
own email address that they had used to sign up for their LifeThings account. However, at
this stage it did not occur to them that the MD5 hash value might actually be the password.
After tinkering around for the evening, they decided to replace the card, call it a night, and
investigate further the next day.
The following morning, they pulled out the SD card again and took another look at
the /etc/config file:
SSH_REMOTE=secure.lifethings.com
[email protected]
MD5=a0536156e0267d5ed71a59cca90f2692The value of MD5 had changed. They put the SD card back into the hub for a few hours,
then removed it again later the same day. The value of MD5 this time was still
a0536156e0267d5ed71a59cca90f2692. This meant that the value was changing daily and was
likely to be associated with the date. The date was June 10, 2015, so they tried various date
strings in an attempt to replicate the hash:
$ md5 -s "June 10, 2015"
MD5 ("June 10, 2015") = 21c0f5e21aea63e9c1e3055a3eda6cb9
$ md5 -s "06102015"
MD5 ("06102015") = 14e2234a4c2d9ba4490b548972d6b794
$ md5 -s "06-10-2015"
MD5 ("06-10-2015") = 579949533abab20c4b07f5ed7d56b70dA CASE OF ANGER, DENIAL, AND SELF-DESTRUCTION 259