Hacking the D-Link DSP-W215 Smart Plug

The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets, has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very detailed write-up explains all the steps that led to the creation of this exploit.

First, the firmware was unpacked to examine the file system contents. It was found that the smart plug doesn’t have a normal web-based interface, as users are expected to configure it using D-Link’s Android/iOS app. The apps, however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug, which runs a lighttpd server. A look at the latter’s configuration file revealed the functions that could be called without any authentication. Another look revealed that the firmware could accept an unlimited number of POST request bytes, which were copied into a fixed-length buffer without any checks being performed. We’ll let our readers head to the original article to see where the author went from this point.
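The bug class described above, shown next to a bounded version, as an added example that is not code from the firmware or from the original write-up. The function names and the 16-byte buffer are constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed illustration of the bug class: the length is supplied by the
 * request and nothing compares it with the size of dst. Not firmware code. */
void copy_body_unchecked(char *dst, const char *src, size_t claimed_len)
{
    memcpy(dst, src, claimed_len); /* writes past dst when claimed_len is too big */
}

/* Strictly parse a Content-Length value: digits only, no sign, no overflow,
 * and no larger than cap. Returns 0 on success, -1 on rejection. */
int parse_content_length(const char *value, size_t cap, size_t *out)
{
    char *end;
    unsigned long long n;
    if (value == NULL || *value < '0' || *value > '9')
        return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno != 0 || *end != '\0' || n > cap)
        return -1;
    *out = (size_t)n;
    return 0;
}

/* Hardened copy: rejects (never truncates) a body that does not fit in dst
 * or that claims more bytes than were actually received. */
int copy_body_checked(char *dst, size_t dst_size, const char *content_length,
                      const char *src, size_t src_avail)
{
    size_t len;
    if (dst_size == 0 ||
        parse_content_length(content_length, dst_size - 1, &len) != 0 ||
        len > src_avail)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return (int)len;
}

int main(void)
{
    char buf[16]; /* constructed size, stands in for the fixed-length buffer */
    printf("%d\n", copy_body_checked(buf, sizeof buf, "5", "hello", 5));
    return 0;
}
```

Rejecting an oversized body outright, rather than truncating it, keeps the handler from acting on a partial request.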

Comments

  1. jcwren says:

    When will the so-called engineers that write this stuff learn about security, FFS?

    How long before homes are hacked, cars are crashed, and infrastructure compromised because they can’t manage even the most basics of good programming practices?

    • I’ve yet to see a company from 1980+ that actually cares about their product that much. Everything is hype lies compounded with lies people paid off to incorporate dangerous materials to HUMAN LIFE by changing studies and such, $$ is too important.

  2. sneftel says:

    This was an interesting read, but as far as I can tell, Craig doesn’t seem to have practiced responsible disclosure. While the limited product availability (let alone adoption) and likely concealment behind a NAT gateway make it a relatively low-risk exploit, public disclosure without first giving D-Link time to patch the vulnerability was irresponsible, unprofessional, and reckless. (I note, however, that D-Link turned around a patch within 24 hours. Good for them [though it doesn't exactly make up for the original bug].)

  3. ds18s20 says:

    Without the threat of post release backlash no company would even respond to the courtesy FYI, good work man

  4. Somun says:

    Fantastic hack and a great read.

    It is sad to see how little “software engineered” these things are. Maybe they should transfer some of the marketing/coming-up-with-products departments’ funds to hiring more software engineers. I would even suggest considering non-embedded backgrounds.

  5. StinkySteve says:

    ‘We’ll let our readers head to the original article to see where the author went from this point.’

    I’d rather you told me :(

  6. Dr_Lion says:

    It used to be “big brother is watching you, but now I guess it’s more, sshhh, big brother is controlling you..”

    In this case people only buy what they want, but when it turns to a first necessity item, things can go wrong..
