None of the hash values matched up. Then it dawned upon them that the value might be
a concatenation of the USER value and the date. After a few attempts, they cracked it:
$ md5 -s '[email protected]'
MD5 ("[email protected]") = a0536156e0267d5ed71a59cca90f2692To verify their findings, they confirmed that they got the previous MD5 value when they put
in the previous day’s date:
$ md5 -s '[email protected]'
MD5 ("[email protected]") = 93a4c0c0da435f4434f828c95cf70d6aBingo! The researchers then realized something they had missed previously—that the MD5
value was the password to log into the secure.lifethings.com server:
$ ssh -l [email protected] secure.lifethings.com
Password: a0536156e0267d5ed71a59cca90f2692After logging in and finding the hub command, they figured out they had access to their
own hub. But they also knew of a friend who had a LifeThings hub. Based on today’s date,
they calculated their friend’s password:
$ md5 -s '[email protected]'
MD5 ("[email protected]") = b6ebb2b704bc66c2d50b5d5ed2425e5cThey were then able to log in as their friend and control his devices remotely, just like
customer service agents could. Having tried to report the spoofing issue previously and been
called “unprofessional” by LifeThings, the researchers decided to expose the issue at the secu-
rity conference, showing how attackers could remotely gain access to all devices connected to
a LifeThings hub as long as they knew the target’s email address.
The Demise of LifeThings
A week after the researchers presented their findings, investigative journalist Stan Goodin
wrote an article correlating their findings to multiple cases in which the insecure design of the
LifeThings infrastructure had recently been exploited:
260 CHAPTER 9: TWO SCENARIOS—INTENTIONS AND OUTCOMES