A Better Way To Hack The Wink

If you’re looking for Home Automation appliances, you might want to check out the Wink Hub. It’s fifty bucks, and has six radios on board: WiFi, Bluetooth, Z-Wave, Zigbee, and 433MHz Lutron and Kidde. That’s an insane amount of connectivity in a very cheap package. It’s been pwnzor3d before, but dinnovative has a much better solution for getting root on this device.

Earlier methods of rooting the Wink involved passing commands via URLs – something that’s not exactly secure. The new method leverages what’s already installed on the Wink, specifically Dropbear, to generate public keys on the Wink hub and getting that key onto another computer securely. The complete exploit is just a few lines in a terminal, but once that’s done you’ll have a rooted Wink hub.

Even though the Wink hub has been rooted a few times before, we haven’t seen anything that leverages the capabilities of this hardware. There isn’t another device with a bunch of IoT radios on the market for $50, and we’re dying to see what people can come up with. If you’ve done something with your Wink, send it in on the tip line.

33 thoughts on “A Better Way To Hack The Wink

  1. Anyone know if you can get an actual weight/force measurement out of the “Refuel” module? Measuring more than just Propane level would be nice, and I can think of a lot of cool applications for it.

  2. I’m using a similar setup. My wink hub is on my LAN, and I use Raspberry Pi running OpenHAB (a home automation program) to turn things on/off/dimm. So I no longer need Wink server, and OpenHAB insulates the Wink hub from the rest of the internet for security. I have a lot of other sensors integrated into OpenHAb, so now these sensors can interact with the Zigbee and Z-wave lights.

    https://electronichamsters.wordpress.com/2014/12/31/hacking-the-wink-hub-to-work-with-openhab-for-local-control/

    1. It’s a sort of battle cry that < 16 year olds shout when they deface a random website with a downloaded exploit tool that actually just turned their gaming rig into a minion bot for some Russian hacker group.

  3. Meh, he’s still using the set_dev_value.php (*GLARING EYE-STABBING*) vulnerability on a factory-default device. It’s a vulnerabilty where you can trivially execute commands as root by just accessing a URL. Once you’ve got that, your different next steps are really just nitpicks, so this post isn’t as interesting as I initially hoped.

    If you make the mistake of updating the firmware before hacking it, they removed that PHP script, and disabled dropbear and getty listening on serial, so at that point it’s nothing but a kinda-big gateway for Wink’s cloud to control your devices for you. It’d be more interesting if someone finds other vulnerabilities to hack it then. It’s running PHP after all… ;)

    Is the actual goal of this post to rekindle interest in the community for this fantastic cheap and powerful box? I appreciate that sentiment! I only started fooling with mine last weekend, and it deserves more community attention.

    1. Not sure if the hubs still come with the base-hackable firmware. But if they continue to ship it that way, this hub is a great deal. I’ve been able to integrate z-wave wall switches and zigbee GE link bulbs, all controlled locally, blocking access to Wink servers. It’s super reliable for the last couple weeks it’s been running. And I have all the automation features that Wink has, or at lease the ones I care about.

      1. This appears to have been fixed in the device that I purchased at HD earlier this month. Oh well. Looks like I’ll have to open it up, attach an FTDI USB to TTL UART to the serial console, and hold the flash in reset while I power-cycle to force U-Boot to bail to a command prompt.

        1. I can confirm that this works, with the exception that I had to also append “ubi.mtd=database” to the kernel boot arguments. Trying to attach mtd3 (the database partition) after booting was failing with the error that UBI wasn’t present in the system (???). Also, the dropbear ssh options file is in /etc/default, not /tmp/rootfs/etc/default/.

          When you get the command prompt in U-Boot, it’s helpful to add a delay before booting the kernel, in case you want to play with the bootloader later without the paperclip trick:

          => setenv bootdelay
          => saveenv

    1. Why? Why did you report it, man? Did it not occur to you that some of us want to root the device? Now I have to wait until Monday to go in to work to fetch my USB to TTL UART dongle and go about it the “hard” way.

    2. still works great you did nothing at all! All you did is wast tons of time trying to be a grumpy old fart who’s mad at the kids who can still get enough blood to fill there fun sticks!

  4. Also check you local Home-De-Pot as they are always running a deal if you buy a few device with the wink. I think the current deal is get the Wink for $20 if you buy two devices. Thanks for the post HAD!

  5. Hey those of you looping through a Raspberry PI for home automation should take a look at the Raspbee (yeah I know, and NO I don’t work for them). It’s a daughterboard that speaks raw Zigbee, Jason libraries and a graphical management interface if you’re into that sort of thing. I even have Kodi/XBMC bolted onto it. It’s pretty nice, range is terrific.

  6. Another possibility is running Virtual Wiring (see http://www.catalinacomputing.com) on a Raspberry Pi. It turns your Pi into a hub which supports Z-Wave, ZigBee (XBees), and Arduinos, too. You can add your own devices as well.

    Virtual Wiring runs standalone (doesn’t use or need a cloud server). There’s an article on a home automation project in Raspberry Pi Geek Magazine (pointed to by the Catalina Computing website), and Virtual Wiring is freely downloadable and free for non-commercial use.

    Full disclosure – I work for Catalina Computing.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.