Continued from the earlier post (guess this stream burn my house down)

The user manual is hf-lpb100u_user_manual-v1-1. You can make it fetch and execute a new firmware from anywhere in the world (over HTTP only, of course), without authentication.

You can also cause it to become a WiFi STA (access point) and generally hijack other wifi traffic. Or just ARP poison it to come here. So it’s a general telemetry point in the house.

To ‘increase the security’ they removed the / page of the web, but all the sub pages are there (http://172.16.0.128/iweb.html for example).

Sigh. Tin-foil hat don’t fail me now, I got some internal firewall changes to make.

So a new IP endpoint landed on my home network today, an ‘Anova sous-vide’. Now I thought I had enough wifi radiation in the house to cook an egg, but apparently I now own a wifi-enabled egg cooker too.

So the way this thing works, you plug a stick into the wall outlet, and an app on your phone sets the temperature. Hmmm. What could go wrong?

Being the slightly suspicious tin-foil hat type, I decided to do a quick capture on the router as this came online. The chip is a ‘HF-LPB100’ from gridconnect/high-flying.

The first thing it does is connect to some (no longer available) NTP server in China (which it keeps hammering away at; see this thread @ nanog on how I’m now contributing to this problem).

The second thing it does is connect to AWS and start yammering away in a non-encrypted protocol. I’m not sure what it is (MQTT maybe?). It’s got a lot to say; this sous-vide alone would break most people’s data caps. Energy star for Internet it is not.
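One way to test the "MQTT maybe?" guess against a capture, as an added example that is not code from the original post: an MQTT session opens with a cleartext CONNECT packet, so parsing the first TCP payload the device sends settles it. The function names and the sample packet (including the client ID) are constructed for illustration and are not taken from the Anova's traffic.

```python
import struct

def varint(buf, pos):
    """Decode MQTT's variable-length integer (1-4 bytes, 7 bits per byte)."""
    value = 0
    for i in range(4):
        byte = buf[pos + i]              # IndexError on truncation, caught by caller
        value |= (byte & 0x7F) << (7 * i)
        if not byte & 0x80:
            return value, pos + i + 1
    raise ValueError("length field longer than 4 bytes")

def read_string(buf, pos):
    """Read a string prefixed by a 2-byte big-endian length."""
    (n,) = struct.unpack_from(">H", buf, pos)
    if pos + 2 + n > len(buf):
        raise ValueError("truncated string")
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def parse_mqtt_connect(payload):
    """Return the CONNECT header fields, or None if this is not an MQTT CONNECT."""
    try:
        if payload[0] != 0x10:           # packet type 1 (CONNECT), flag nibble 0
            return None
        remaining, pos = varint(payload, 1)
        if pos + remaining > len(payload):
            return None                  # declared length exceeds what was captured
        proto, pos = read_string(payload, pos)
        if proto not in ("MQTT", "MQIsdp"):   # 3.1.1/5.0 name and 3.1 name
            return None
        level, flags = payload[pos], payload[pos + 1]
        (keepalive,) = struct.unpack_from(">H", payload, pos + 2)
        pos += 4
        if level == 5:                   # MQTT 5 puts a property block before the client ID
            plen, pos = varint(payload, pos)
            pos += plen
        client_id, pos = read_string(payload, pos)
    except (IndexError, ValueError, struct.error):
        return None
    return {"protocol": proto, "level": level, "keepalive": keepalive,
            "client_id": client_id, "username_flag": bool(flags & 0x80),
            "password_flag": bool(flags & 0x40)}

def build_sample_connect(client_id=b"example-device-01"):
    """Constructed MQTT 3.1.1 CONNECT packet used as sample input (not captured data)."""
    body = b"\x00\x04MQTT" + bytes([4, 0x02]) + struct.pack(">H", 60)
    body += struct.pack(">H", len(client_id)) + client_id
    return bytes([0x10, len(body)]) + body   # body is under 128 bytes: one length byte

if __name__ == "__main__":
    print(parse_mqtt_connect(build_sample_connect()))
```

If the parser returns a dict for the device's first payload, the stream is MQTT in the clear and the username/password flags show whether credentials follow in that same packet.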

So I then break out nmap. Below. Port 80 is open, try a browser. Can we guess the password? admin/admin works (duh, of course it does). Great.

Now, this thing is useless without the app, and the app requires it to be on the same wifi segment as your phone, and your phone needs to be on the same wifi segment as your chromecast, you can see how it’s hard to make firewalls that work. What a wicked world wide web we weave (W7, I’m going to trademark that!).