I saw a tweet today that reminded me of a quick tale from a few years ago, from before my blog existed. I’d like to think this post qualifies me as a “real hacker”™.
Dear infosec Twitter,
I'm looking for the crappiest IoT device I can buy on Amazon or anywhere in the EU. Something which can be hacked during a workshop made for non-tech people.
Any suggestions?
— Łukasz (@maldr0id) March 9, 2020
About 5 years ago, I scored an “8GB Wifi USB Flash Drive” pretty cheaply on eBay. Basically, you could copy files to it like a USB disk, and then access those files from an iPhone over WiFi. Simple idea – basically a “cloud storage” … except in your pocket, and it seemed like a handy device to have – an early “internet of things” device. However, it was both terribly clunky to use, as well as being incredibly slow to transfer files via either method. Quite a regrettable purchase overall.
I paid less than half this advertised price. The device is about the size of a pack of chewing gum.
So instead, I decided to see what else this little box could do. I pulled it apart, to find that basically, it was a bit like a smartphone just without a screen inside, complete with battery, processor and wifi. I used a simple tool (buspirate) to make a copy of (“dump”) the firmware. I then found the system files in that firmware, including the file that stored the passwords. While they were encryped, with a little educated guessing, and a reasonably high powered graphics card to do some heavy code breaking, I was able to decrypt (“crack”) the main device’s passwords in a matter of seconds – a whopping three seconds, to be precise. The brand was called “Zsun” – the product system password turned out to be “Zsun1188”.
As far as I can tell, I was the first in the world to uncover and decode this password. Though I never got any credit for it, it was so trivially easy that I have no doubt that the next person along who tried would have been able to crack this just as easily.
For me, I was already aware that there were devices like this out there, but others may not be.
The lesson here is simple: Don’t trust your personal data to any platform or device, if it is made by any company that you don’t fully trust.
Zsun is just a example. For an idea about how much Zsun cared, they went on to use the same password on their future devices as well… if you google Zsun1188 you will find many people who have gone on further to hack these devices and do other fun things with them. Anyway, till next time!