A Better Way To Hack The Wink

If you’re looking for Home Automation appliances, you might want to check out the Wink Hub. It’s fifty bucks, and has six radios on board: WiFi, Bluetooth, Z-Wave, Zigbee, and 433MHz Lutron and Kidde. That’s an insane amount of connectivity in a very cheap package. It’s been pwnzor3d before, but dinnovative has a much better solution for getting root on this device.

Earlier methods of rooting the Wink involved passing commands via URLs – something that’s not exactly secure. The new method leverages what’s already installed on the Wink, specifically Dropbear, to generate public keys on the Wink hub and getting that key onto another computer securely. The complete exploit is just a few lines in a terminal, but once that’s done you’ll have a rooted Wink hub.

Even though the Wink hub has been rooted a few times before, we haven’t seen anything that leverages the capabilities of this hardware. There isn’t another device with a bunch of IoT radios on the market for $50, and we’re dying to see what people can come up with. If you’ve done something with your Wink, send it in on the tip line.

Rooting The Nest Thermostat

nest-300x293 A few months ago, Google bought a $3.2 billion dollar thermostat in the hopes it would pave the way for smart devices in every home. The Nest thermostat itself is actually pretty cool – it’s running Linux with a reasonably capable CPU, and adds WiFi to the mix for some potentially cool applications. It can also be rooted in under a minute,

As [cj] explains, the CPU inside the Nest has a Device Firmware Update mode that’s normally used for testing inside the Nest factory. This DFU mode can also be used to modify the device without any restrictions at all.

With a simple shell script, [cj] plugs the Nest into his laptop’s USB port, puts the device into DFU mode, and uploads a two-stage booloader to enable complete control over the Linux-powered thermostat.

As a bonus, the shell script also installs an SSH server and enables a reverse SSH connection to get around most firewalls. This allows anyone to remotely control the Nest thermostat, a wonderful addition to the Nest that doesn’t rely on iPhone apps or a cloud service to remotely control your Internet enabled thermostat.

Video of the rooting process below.

Continue reading “Rooting The Nest Thermostat”

Controlling a terminal with Google Voice


For how awesome Google Voice is, we’re surprised we haven’t seen this before. [Steve] is using Google Voice to run commands on just about any Linux box.

Google Voice doesn’t have an official API, and existing unofficial APIs weren’t up to snuff for [Steve]’s project. He ended up writing his own that checks his unread message inbox every minute and looks for new text messages beginning with the phrase, ‘Cmd’. If a series of checks pass – the text coming from a known phone number and a proper terminal command – the command runs and sends the a text back indicating success or failure.

While [Steve] probably won’t be playing nethack or Zork via SMS anytime soon, we can see this being very useful for a Raspi home automation task. Just send a text message and a properly configured Linux box can open your garage door, turn on the lights, or even start a webcam.

Rogue Pi: A RPi Pentesting Dropbox

Rogue Pi

A pentesting dropbox is used to allow a pentester to remotely access and audit a network. The device is dropped onto a network, and then sets up a connection which allows remote access. As a final project, [Kalen] built the Rogue Pi, a pentesting dropbox based on the Raspberry Pi.

The Rogue Pi has a few features that make it helpful for pentesting. First off, it has a power on test that verifies that the installation onto the target network was successful. Since the install of a dropbox needs to be inconspicuous, this helps with getting the device setup without being detected. A LCD allows the user to see if the installation was successful without an additional computer or external display.

Once powered on, the device creates a reverse SSH tunnel, which provides remote access to the device. Using a reverse tunnel allows the device to get around the network’s firewall. Aircrack-ng has been included on the device to allow for wireless attacks, and a hidden SSID allows for wireless access if the wired network has issues. There is a long list of pentesting tools that have been built to run on the Pi.

Check out a video demonstration of the dropbox after the break.

Continue reading “Rogue Pi: A RPi Pentesting Dropbox”

Using a Mac and XCode as a Linux development platform

[Ricard Dias] wrote in to tell us about his guide for developing Linux applications on a Mac. He really enjoys the development environment provided by XCode, and it doesn’t take much to make it work as an all-in-one solution for Linux development.

The real trick here is the use of SSH to access a Linux environment. In this example he uses Ubuntu running as a virtual machine, but also mentions that the same thing can be done just as easily with a separate box as long as it is on the same network as the Mac. SSHFS (the SSH Filesystem) lets him mount the development directory on the Linux box locally. This is where the XCode project and files will be stored, but building the program will be done by the Linux machine via a script calling the make comand via SSH. To test out the newly built program, [L] tunnels in using X11 forwarding for ssh, and the application will be shown as a window in OSX, even though it is running on the Ubuntu machine.

We love SSH and use it all the time. It’s amazing how hand it can be.

Installing OpenSSH on the HP TouchPad


[Russ] was lucky enough to get his hands on a deeply discounted HP TouchPad, and after hearing about the huge bounty being offered for getting Android up and running on the device, he decided to poke around and see if he could make some headway.

He started off by making a full backup copy of his file system using a tool HP has on their WebOS site, just in case anything unfortunate happened to his device in the process. He grabbed a copy of the ARM cross-compiler and set off to build a copy of OpenSSH for the TouchPad. Once he had the binaries in hand, he started what he thought would be the arduous process of getting SSH onto the TouchPad, but it turned out that it was a simple drag and drop operation.

After remounting the file system to allow write operations, he fired up the SSH daemon and hoped for the best. It worked like a charm, and while it’s a relatively small part of getting Android running on the TouchPad, every bit helps.

A hacker’s marginal security helps return stolen computer

Gather round and hear the story of how a hacker outsmarts a criminal. [Zoz] was robbed and they got his desktop computer. Gone, right? Nope. Because of a peculiar combination of his computer’s configuration, and the stupidity of the criminal, he got it back. He shares the tale during his Defcon 18 talk (PDF), the video is embedded after the break.

[Zoz’s] first bit of luck came because he had set up the machine to use a dynamic DNS service, updated via a script. Since the criminal didn’t wipe the hard drive he was able to find the machine online. From there he discovered that he could SSH into it, and even use VNC to eavesdrop on the new owner. This, along with a keylogger he installed, got him all the information he needed; the guy’s name, birth date, login and password information for websites, and most importantly his street address. He passed along this juicy data to police and they managed to recover the system.

Continue reading “A hacker’s marginal security helps return stolen computer”