So i'm upgrading a few of the lights from 'hack-mode' IP-enablement to MQTT. The 'hack-mode' was a small json cgi running on them, below. This allowed HomeAssistant to set/read their state. It reads their state by polling. So far so good right?

But the problem is scaling this out. What if they have more to say than light on/off? What if other things want to know? What if i want a faster reaction to them being manually turned on?

Turns out there is an answer. MQTT. Its a publish/subscribe message bus, and u run a broker (mosquitto, purposely mispelled to get the second 't'). OK, great. So now your lights 'publish' to a topic their state changes, and listen to a topic for commands. Perfect, lower latency, better automation.

OK, so how do I secure this? The username/password is in the clear! Well, TLS is the answer. But some of these devices are very tiny. Lets look @ the sonoff. $5 gets u a wifi-enabled relay, very simple to reprogram. You can install 'atom' and 'platform.io' and you then do a git clone of 'Sonoff-Tasmota'. Connect your usb-serial widget to the board, and jam some software in. Its that easy. Since we are using TLS, we would not dream of self-signed certs right? I mean, "Let's Encrypt" has made this so simple Pauly Shore can get a cert. But, hold that thought.

Turns out the ESP8266 in here is a super-powerful SoC for the $1 price point. But, it would struggle to do a real CRL etc. So to save ram, they put the certificate hash in the compiled code. This works great if you have a permanent certificate (this is for the widget to certify the server, not the username/password). However, Let's Encrypt is going to give me a 90-day cert. So every 90 days I recompile and reinstall my lights? Hmmm.

Another option, this code supports Over-The-Air updates. On boot it will look for a magic URL and, if found, fetch + install the firmware there. Great, sounds like my answer right? Well, lets go back to the sous-vide. Turns out that just find+fetch a file is not that secure a means. I mean, its kind of like letting a strange woman in a lake distributing swords form a basis of government.

So... What do i do? Do i not use TLS? Do I use TLS and let the widgets OTA new firmware with new SHA? Do i yank them out and serial-port update them quarterly? Hmmm... Suggestions?

Oh yeah, the 'hack-mode'. Well, its below.  Its running on the more mighty switches (which use the atheros AR9330). This is running Linux, and cost $10. Moving to the ESP8266 necessitates this problem.

root@office-smartplug-1:/# cat /www/cgi-bin/json.cgi
#!/bin/sh
VERSION=0.0.3
RELAY_CTRL=/sys/class/leds/tp-link:blue:relay/brightness
IP_ADDRESS=`ifconfig wlan0 | sed ':a;N;$!ba;s/\n/","/g' | grep -E -o '[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+' | head -n 1`
TZ=`cat /etc/TZ`
SSID=`iw dev wlan0 link | grep SSID | awk '{ print $2 }'`
WIFI_SIGNAL=`iw dev wlan0 link | grep signal | awk '{ print $2 }'`
WIFI_CHANNEL=`iw dev wlan0 info | grep channel | awk '{ print $2 }'`
MACADDR=`iw dev wlan0 info | grep addr | awk '{ print $2 }'`
UPTIME=`uptime | awk -F , '{ print $1 }'`
LWRAPPER=""
RWRAPPER=""
CURRENT_STATE=`cat $RELAY_CTRL`

get=$(echo "$QUERY_STRING" | sed -n 's/^.*get=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")
set=$(echo "$QUERY_STRING" | sed -n 's/^.*set=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")
mins=$(echo "$QUERY_STRING" | sed -n 's/^.*mins=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")
canceljob=$(echo "$QUERY_STRING" | sed -n 's/^.*canceljob=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")

callback=$(echo "$QUERY_STRING" | sed -n 's/^.*callback=\([^&]*\).*$/\1/p' | sed "s/%20/ /g")

if [ ! -z $callback ]; then
 LWRAPPER="("
 RWRAPPER=")"
fi

if [ ! -z $callback ]; then
 echo "Content-Type: application/javascript"
else
 echo "Content-Type: application/json"
fi
echo "Cache-Control: no-cache, must-revalidate"
echo "Expires: Sat, 26 Jul 1997 05:00:00 GMT"
echo

case "$get" in
 state)
 case "$CURRENT_STATE" in
 0) echo "$callback$LWRAPPER{\"state\":\"off\"}$RWRAPPER"
 ;;
 1) echo "$callback$LWRAPPER{\"state\":\"on\"}$RWRAPPER"
 ;;
 esac
 ;;
 jobs) # list all the scheduled jobs
 i=0
 echo "$callback$LWRAPPER{\"jobs\":["
 atq | while read line; do
 job_id=$(echo $line | awk '{ print $1 }')
 job_date=$(echo $line | awk '{ print $5, $2, $3, $4, $6 }')
 job_queue=$(echo $line | awk '{ print $7 }')
 joblist="{\"jobid\":$job_id,\"queue\":\"$job_queue\",\"date\":\"$job_date\"}"
 if [ $i -ne 0 ]; then
 echo ",";
 fi
 i=1
 echo "$joblist"
 done
 echo "]}$RWRAPPER"
 ;;
esac

case "$set" in
 on)
 if [ ! -z $mins ]; then
 echo "echo 1 > $RELAY_CTRL" | at now + $mins minute -M -q b
 else
 echo 1 > $RELAY_CTRL
 fi
 echo "$callback$LWRAPPER{\"ok\":true}$RWRAPPER"
 ;;
 off)
 if [ ! -z $mins ]; then
 echo "echo 0 > $RELAY_CTRL" | at now + $mins minute -M -q c
 else
 echo 0 > $RELAY_CTRL
 fi
 echo "$callback$LWRAPPER{\"ok\":true}$RWRAPPER"
 ;;
 toggle)
 case "$CURRENT_STATE" in
 0)
 if [ ! -z $mins ]; then
 echo "echo 1 > $RELAY_CTRL" | at now + $mins minute -M -q d
 else
 echo 1 > $RELAY_CTRL
 fi
 ;;
 1)
 if [ ! -z $mins ]; then
 echo "echo 0 > $RELAY_CTRL" | at now + $mins minute -M -q d
 else
 echo 0 > $RELAY_CTRL
 fi
 ;;
 esac
 echo "$callback$LWRAPPER{\"ok\":true}$RWRAPPER"
 ;;
esac


if [ "$canceljob" -ge 0 ] 2> /dev/null; then
 atrm "$canceljob"
 echo "$callback$LWRAPPER{\"ok\":true}$RWRAPPER"
fi

if [ -z "$get" ] && [ -z "$set" ]; then
 echo "$callback$LWRAPPER{\"info\":{\"name\":\"kankun-json\",\"version\":\"$VERSION\",\"ipAddress\":\"$IP_ADDRESS\",\"macaddr\":\"$MACADDR\",\"ssid\":\"$SSID\",\"channel\":\"$WIFI_CHANNEL\",\"signal\":\"$WIFI_SIGNAL\",\"timezone\":\"$TZ\",\"uptime\":\"$UPTIME\"},\"links\":{\"meta\":{\"state\":\"http://$IP_ADDRESS/cgi-bin/json.cgi?get=state\"},\"actions\":{\"on\":\"http://$IP_ADDRESS/cgi-bin/json.cgi?set=on\",\"ondelay\":\"http://$IP_ADDRESS/cgi-bin/json.cgi?set=on&mins=60\",\"off\":\"http://$IP_ADDRESS/cgi-bin/json.cgi?set=off\",\"offdelay\":\"http://$IP_ADDRESS/cgi-bin/json.cgi?set=off&mins=60\"}}}$RWRAPPER"
fi

d

So on last nights security scan of my home, I found a new and interesting thing. Specifically, a TFTP server running. Huh. That is normally something I bring up to rescue some widget that is old-school almost-bricked.

Now, where is it. Its on the ring1. (ring0 is the hard-wire between my 3 larger servers, doesn't go anywhere. ring1 is the things my wife and I use, ring2 is the guests who come over, and ring3 is the evil crap that got bought in a moment of weakness).

Hmm, ok. What is it? Its an asustek tablet. One of the nexus 7's. My nexus 7 is semi-retired and currently in hard-off state, so must be Sonya's. But its pretty unlikely she has purposely installed TFTP server, right? Turns out this is indeed correct. One of the apps she has installed has gone rogue... Someone lost control of their account, or sold it, or whatever, and an update was pushed, and the update has some means of trying to get control of my network. The TFTP server would be how they get some new firmware to a device if they can crash it. And there are still some devices that can be crashed (previous hardening runs have improved my lot, but there are still a good chunk of devices that i'm not sure what to do with).

OK, so what should I do? Well, i reflashed her tablet and yanked the offending app. I could demote her tablet to ring2 or ring3 (but then it can't drive the chromecasts, sonos, remote, plex, ...). Hmm.

I could make some more complex firewall rules, a ring 1.5 maybe, but ugh. So much work. That mud thing, well, its just not there.

Suggestions? Maybe its the sorceror's apprentice syndrome?

Another day, another Internet widget dissected. This time its the Kankun smart plug. Now with English APP. For between $10-$20 you can make any electrical outlet in your home into a smart one, and turn it off via the power of the Internet!

Sounds easy. And there was some Eglish's good clicky here! in the app.

So the usual process. Bring it up in a closed environment. Try to ssh/telnet/web in w/ the usual passwords. Here I was able to ssh in without trouble. And find lots of info online (e.g. here).

But what no one mentioned is the 'calling home' bit. It looks up 'wis.huafeng.com' and does some UDP activity there. A bit of firewall, a bit of DNS etc, and that is gone. (no Internet is needed so just blocked that, no outbound is needed from it, so blocked that too). I suspect (?) its so that I can control it from anywhere in the world. Or that someone can. Neither seemed needed.

A bit more work and I was able to compile and upload my own OpenWRT from source, so that risk is gone.

But its amazing for ~$10 you can get a widget, delivered to your home, which has enough ram/flash to run a decent linux (OpenWRT). And control your lamps. What an age we live in.

They have a video (for a similar model) here, i'll let you eyeball it before you place the big order.

The smart hair brush. You know you need to live-stream the wetness of your hair, the amount of brush strokes it takes, but you are just too lazy to keep a log? The hair coach is for you. it provides a holistic hair assessment. You know the shark is jumped when you can't even convince me to buy a gadget. I'm assuming that it is full of security flaws and will destroy your life if you connect it to your home network. But i've insufficient time and hair to find out.

and now back to the kitten academy live stream

Tagged with: , ,

Continued from the earlier post (guess this stream burn my house down)

The user manual is hf-lpb100u_user_manual-v1-1 . You can make it fetch and execute a new firmware from anywhere in the world (over http only of course). without authentication.

You can also cause it to become a WiFi STA (access point) and generally hijack other wifi traffic. Or just ARP poison it to come here. So its a general telemtry point in the house.

To 'increase the security' they removed the / page of the web, but all the sub pages are there (http://172.16.0.128/iweb.html for example).

Sigh. Tin-foil hat don't fail me now, i got some internal firewall changes to make.