IPv6. Yes its a thing, yes you want it, etc. But did you know it can add more tracking footprint to an already highly trackable world?
IPv6 is commonly allocated within a home environment using a protocol called SLAAC (stateless local address auto configuration). Its sort of a fancy way of picking an IP address that is not in use. Now, one of the methods of doing this is to use the MAC address of the Ethernet adapter and merge it into the lower bits of the IP. Great for simplicity, terrible for tracking. Because now not only are you not NAT’d to a single IP (cuz you are on IPv6), but you are handing every web site you go to your hardware address. Nice.
Turns out the grey-beards of the IETF thought about this, and invented a concept called privacy extensions (RFC 3041), with a nice commentary from the internet society on why.
OK, now imagine my surprise when I (for other reasons) checked my IPv6 connectivity today (goto http://ipv6-test.com/ to check yours) and found, horror, that my desktop was using SLAAC and no privacy extensions, and my MAC address was visible to the world.
So why was this? Its not this way on my android devices. To understand, we have to first look at how I configured it ‘on’. I set these two sysctl:
Seems like it should have worked, right? However, looking at https://bugzilla.kernel.org/show_bug.cgi?id=11655, we can see the issue. My startup is parallel. My external interface (eno1) is created *before* the sysctl.d is parsed. And setting the sysctl doesn’t go back and resolve it later.
So the solution is to add
and we are good!
Moral of the story…. ‘all’ doesn’t always mean ‘all’. I suggest you go do the test now. If you don’t have ipv6 enabled, call your service provider and complain. Its 2017 (for a few more hours), you need some modern IP.
Armed with $20 and an interest in learninghacking, I visited Canada Computers today to see what ‘extended boxing week sale’ they had. And lo and behold, it was this. A Trendnet WiFi HD Baby Cam TV-IP745SIC. $19. Sweet. Since this is designed to be in your home, monitoring your baby, with bidirectional audio, and cloud access, they must have taken pains to secure it right? They go to great pains to explain ‘designed in USA’ so one cannot use the convenient ‘but insecure consumer gadget china…’ argument if not.
It arrived with firmware 1.0.0 (always ominous!), dated 2014/1/ 03:32:55, build number 4521.
(The conclusions are at the end, hint: the cloud has no security, buy this if you want random people to see, hear, and talk to your kids while you are not around).
Presented with a forced-change of password, which must be 8-16 characters, I chose admin123 (7 characters), and it worked. Hmm.
It appears a plugin is required. As you might expect, the link is to a Windows MSI file (stored on the device).
Now the attempt at security is, although not exactly life-support-on-space-mission strong, still reasonable for a home device that is not internet-facing. By default it requires auth on http/rtsp/snapshots.
If we open vlc to it (vlc rtsp://192.168.30.30/play1.sdp), we get live video, with the *highest* quality of lens! We can also get a jpeg snapshot from http://192.168.30.30/image/jpeg.cgi.
If we hit the ‘play/pause’ button on the top, it starts to play some music-box-dancer piano song. Nice.
The default UPnP setup is enabled for discovery, but not opening the firewall. So far so good.
The default WiFi is direct, enabled, no auth, not too happy about that:
The device has a mode where it can save video to an SD card. And it conveniently will serve those files over its web interface for you.
It has sound detection, so you can cause an alert when something occurs (as well as motion and temperature).
Interestingly it has 4 profiles for RTSP, about 3 more than I figured it would have.
OK, enough looking at it in the ‘no internet mode’, time to do some captures and let it loose on the world. It gives me a URL (http://85945000.cam.trendnetcloud.com/), which is *my* cloud URL for it. As soon as the device hits the internet, this becomes live. Sadly:
Browser Compatibility Notice
The browser version you are using (Google Chrome 63.0.3239.84) is not supported by the TRENDnet Cloud service. If you are using a mobile device, please download the TRENDnet CloudVIEW mobile app. You can also use one of the following browsers on your computer to view your camera:
Internet Explorer (Windows desktop version only): IE9.0 to IE11.0 Safari (Mac version only): 5.1.7 Firefox: version 22.0 to 37.0 Google Chrome (Windows desktop version only): version 28.0 to 40.0
is what it has to say. Boo. I have firefox 58 (which is bigger than 37), and chrome on linux only.
OK, so I open it on my phone. And WTF, it redirects to trendcloud.com, which is owned by a domain squatter! Yes, I could buy it.
OK, while that sinks in, lets look at the capture file. Helpfully it talks to AWS without encryption, and passes its cloud credentials in the clear. Even more helpfully these cloud credentials are hard-coded to the device. Nice touch. It does a POST to /enable.html with its key.
Coming back to the cloud URL, the capture suggests the correct one is lbcam.trendnetcloud, not cam.trendnetcloud.com. Hmm. Specifically http://85945000.lbcam.trendnetcloud.com/. Lets try that. OK good, the phone at least agrees that this is ‘incompatible with modern browsers’. Trying a ‘user agent switcher’, i am presented with an option to install a windows executable in each case, no good.
OK, so I broke down and booted a windows VM. And Installed the ‘InstallTRENDnetCloud2’ msi. But it just keeps saying “did you install the plugin”? If I say yes, it says restart the browser. If i say no, it says to install. I guess because Chrome and ie are too new. Hmm. OK, install an old version of Firefox. And boom, i’m in, and watching myself.
So yes, even though I did not open my firewall, the default mode of operation is to allow anyone to see/hear/speak through my device, through my firewall, through their cloud. Interestingly from the cloud (external web interface) I can also upload new firmware directly. And since there is no use of TLS on either side (the camera to cloud, or web to cloud) the password is passed in the clear each way. Great.
Yes, sure enough, on each end, the info is passed in the clear. You can see it below:
GET /users/stream_info.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="nipca", nonce="9261151863c4390bb053da7f837a6790c20010ac", qop="auth"
Date: Sat, 30 Dec 2017 20:47:26 GMT
Please enter correct account/password.
GET /users/stream_info.cgi HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Authorization: Digest username="admin", realm="nipca", qop="auth", algorithm="MD5", uri="/users/stream_info.cgi", nonce="9261151863c4390bb053da7f837a6790c20010ac", nc=00000001, cnonce="ad9d46c392d98dc66a33d083ec62b770", response="fa5c5c9fe59c8787cc74a35c2c883099"
HTTP/1.1 200 OK
OK, so what did we learn?
An attempt was made to secure the device locally. If it had no internet access, this would have been in the realm of ‘normal’ for such consumer devices.
The cloud interface is not secure. It makes no particular attempt.
The cloud interface bypasses your firewall. Without even using the port-forwarding. The device connects outbound, and allows things inbound on this, bridged in their cloud app.
No encryption is used, and hard-coded credentials.
Conclusion: buy this if you want random people to be able to see, hear, and talk, to your kids when you are not around. $20 well spent.
Earlier this week someone brought up Radon gas. He was somewhat surprised that we all knew about it, but we didn’t know enough it turns out. Health Canada has a great resource on it here, including a survey of the prevalence in homes. Radon is the leading cause of lung cancer in non-smokers, and the #2 in smokers, causing ~21000 deaths in the US last year. In a nutshell, natural uranium & thorium decays to lead, and enroute, produces Radon gas.
Now, i was of the impression that since I tested when I bought the house (home inspection), that I was not at risk. Turns out its seasonal (since it follows groundwater). Also, you need to test over a much longer period than I did (~90 days vs the 2 days I did). Ooops. The recommended maximum Radon is 200Bq/m^3, and 6.9% of Canadian homes are there!
Now, I had thought this was more of a regional thing, but it turns out its not. Your neighbour can be fine, and you can be at risk. So, we have carbon monoxide detectors, but why not Radon? The normal test is to take a box of charcoal, but it in your basement for 90days, then ship it to a lab to sniff it. Well, this is a bit of a pain for ongoing metrics.
Enter the Airthings Wave. Designed in Norway, Assembled in Tunisia, fulfilled by Amazon, and delivered by Canada Post. And now the subject of some hacking by me!
OK, so this is bluetooth only. Hmm. So it logs locally, and periodically you open an app on your phone and fetch the stats. For some reason you need an online account with a password. OK, we’ll hack the bluetooth stream later and figure out how to integrate with Home Assistant. But first lets see whats inside. Hmm, deep-recessed pentalobe security screws, obviously don’t want me in here. No problem, just need to find the right bit… we’re in.
OK, below some pictures, I’ll post more once I start in on it. After the pairing and the requisite firmware update for the device, we end up with a fairly nice-looking (if basic) app. It measures temperature/humidity/radon. And it syncs periodically to the device when you ask it to.
OK, lots of pictures of the naked innards. It is using a TI MSP430 as the processor and a LSR SaBLE-X for the BLE (probably this TI reference design of the TI SimpleLink CC2640). Enjoy!
OK, earlier I wrote about tire-repairs the way you were never taught in shop class, using spray-foam. The general consensus in the comments was “brilliant idea, terrible execution and outcome!”. Well, naysayers, you are wrong. Today we had a reasonable amount of snow, and I got to try my repair out. And, well, the photo speaks for itself. Tire is round-enough, stiff-enough, to mange my small snowblower. Ha! Take that. After several years of the strap+inflate method to fix the tire each time I went to use it (or the disaster of the tube experience, the even worse new-tire experience), we are in a good spot. How could this ever fail?
I left the schmoo on the side as a testament to its pure tirey-goodness inside. That scar-tissue of latex foam is the badge of honour for this tire.
The electric car charging cable standard that is going to win is called Combined Charging System. Given Tesla’ scale, they may continue for a while with their proprietary one, but eventually it will phase out somehow. Who wants an appliance that only plugs into its own manufacturer’s power system, can you imagine a GE kettle that only took GE electricity?
One of the features of this CCS system is it is smart. It runs a protocol called ISO 15118 (also called HomePlug Green Phy) which allows the car and the EVSE to converse about how much power to give, etc.
Last night was I was driving back from my inlaws, a combination of cold weather, a desire for more heat, and a not 100% full charge meant we had to take a pit stop. No problem, there are dozens of high-speed (level 3) chargers between there and here. The first one we pull into (Campbelville Country Court) has a L3 charger on the ChargePoint network. So we plug in, and, well, not much happens except a ‘Error: Fault 87’. Its cold, I’m outside, we have 10km of range, I can either plug into the L2 charger and wait a while, fix this, or… So I call the phone # listed on the charger. The technician at the other end informs me that this charger needs a software update to deal w/ our car. Now this is a brave new world of electricity delivery indeed! So I curse a bit, plug into the L2 charger for 5 min, pick up the couple km I need to backtrack to the previous L3 charger, and head there. It is on the ‘flo’ network. But it works. And it immediately starts huffing and puffing with some cooling fan (its -15C so I think this is somewhat optimistic on their part), and exchanging bits back and forth with our car. It then settles on ‘yes I will deliver you high-power DC’, and starts ramping that up (? too cold to charge fast? battery too empty? dunno). So it starts (from its app, I’ve retired to the relative warmth of the ‘we want to close, please leave’ starbucks) with the meter near the left of the ‘yellow’ for charging speed. Nice to have a meter calibrated from red to green when you really want to know more details (the outdoor screen, as you see to the right, does have some detail).
OK, after maybe ten minutes of ‘yellow’ it starts moving up towards the green, which you see below. ps, electricity is cheap to charge at home, not so much on the go!
Now, a reasonable amount of info was exchanged between car and charger. Make, model, software version, batteries installed, etc. And there is no authentication in the app per se, its just tied to the station. So I guess anyone can read this.
And this got me thinking. I’m driving my car all over, to random places, and plugging in a computer-accessible cable to random infrastructure. And this cable is delivering not just Amps, but also bits. Bidirectionally.
And normally that means that someone will find a way to abuse it. The CCS system is coming online with bidirectional charging (meaning the grid can *drain* your car battery during times of need). It has access to internal aspects of your car (onboard computer etc) which may in turn have access to the GPS (where you’ve been), speed info, home address, etc. Some cars can open your garage automatically because they’ve memorised your code. They know when you are not home. etc. To say nothing of tinkering with e.g. the brakes or speed governor or ‘self driving gadgets too numerous to list’.
So, what’s the over/under on “will there be a CCS-delivered virus that wreaks havoc on the blogsphere/tinfoil hat community in 2018”. Vote below.