Another day, another Internet-connected gadget that gets abandoned by its creators. This time it’s Jooki — a screen-free audio player that let kids listen to music and stories by placing specific tokens on top of it. Parents would use a smartphone application to program what each token would do, and that way even very young children could independently select what they wanted to hear.
Well, until the company went bankrupt and shut their servers down, anyway. Security researcher [nuit] wrote in to share the impressive work they’ve done so far to identify flaws in the Jooki’s firmware, in the hopes that it will inspire others in the community to start poking around inside these devices. While there’s unfortunately not enough here to return these devices to a fully-functional state today, there are several promising leads.
It probably won’t surprise you to learn the device is running some kind of stripped down Linux, and [nuit] spends the first part of the write-up going over the partitions and peeking around inside the filesystem. From there the post briefly covers how over-the-air (OTA) updates were supposed to work when everything was still online, which may become useful in the future when the community has a new firmware to flash these things with.
Where things really start getting interesting is when the Jooki starts up and exposes its HTTP API to other devices on the local network. There are some promising endpoints such as /flags, which lets you control various aspects of the device, but the real prize is /ll, which is a built-in backdoor that runs whatever command you pass it with root-level permissions! It’s such a ridiculous thing to include in a commercial product that we’d like to think they originally meant to call it /lol, but in any event, it’s a huge boon to anyone looking to dig deeper into the device.
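One defensive use of this knowledge, as an added example that is not part of [nuit]’s write-up or the Jooki firmware: a small Python filter that scans web-access-style log lines (the kind a home gateway or transparent proxy might record for LAN traffic) and flags any request that reached the /ll or /flags endpoints. The log lines, addresses and timestamps below are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample lines in Common Log Format, as a home gateway or transparent
# proxy might record LAN traffic. Addresses and timestamps are made up for this
# example; they are not real Jooki logs.
SAMPLE_LOG = """\
192.168.1.23 - - [10/Jan/2024:08:15:02 +0000] "GET /flags HTTP/1.1" 200 512
192.168.1.23 - - [10/Jan/2024:08:15:09 +0000] "POST /ll HTTP/1.1" 200 0
192.168.1.50 - - [10/Jan/2024:08:16:40 +0000] "GET /index.html HTTP/1.1" 200 2048
192.168.1.77 - - [10/Jan/2024:08:17:01 +0000] "GET /ll/ HTTP/1.1" 200 64
garbage line that is not a log entry
"""

# One regex for the fields a detection needs: client address, timestamp, method, target.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Endpoints named in the write-up, with the severity a defender would assign.
SENSITIVE_PATHS = {
    "/ll": ("critical", "built-in backdoor: executes the supplied command as root"),
    "/flags": ("medium", "changes device settings without authentication"),
}


def normalise_path(target: str) -> str:
    """Strip the query string and trailing slash so '/ll/' and '/ll?a=b' both become '/ll'."""
    path = target.split("?", 1)[0]
    return path.rstrip("/") or "/"


def find_sensitive_requests(log_text: str) -> list[dict]:
    """Return one record per request that touched a sensitive endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a log entry we understand; skip rather than guess
        path = normalise_path(m["target"])
        if path in SENSITIVE_PATHS:
            severity, reason = SENSITIVE_PATHS[path]
            hits.append({
                "src": m["src"], "time": m["ts"], "method": m["method"],
                "path": path, "severity": severity, "reason": reason,
            })
    return hits


def clients_using_backdoor(log_text: str) -> Counter:
    """Count, per client address, how many times /ll was called."""
    return Counter(h["src"] for h in find_sensitive_requests(log_text) if h["path"] == "/ll")


if __name__ == "__main__":
    for hit in find_sensitive_requests(SAMPLE_LOG):
        print(f"[{hit['severity']}] {hit['time']} {hit['src']} {hit['method']} "
              f"{hit['path']}: {hit['reason']}")
    print(clients_using_backdoor(SAMPLE_LOG))
```

Any client address that shows up in the /ll count other than the phone running the official app is worth a look, since nothing on the device itself authenticates those calls.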

But wait, there’s more! The Jooki runs a heartbeat script that regularly attempts to check in with the mothership. The expected response when the box pings the server is your standard HTTP 200 OK, but in what appears to be some kind of hacky attempt at implementing a secondary OTA mechanism, any commands sent back in place of the HTTP status code will be executed as root.
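To make the failure concrete, here is an added Python example (not the Jooki’s actual heartbeat script, which [nuit]’s write-up covers) of how a heartbeat client should treat the server’s reply: parse the status line strictly, act only on the three-digit status code, and never hand any part of the response to a shell. The three replies below are constructed for the example.

```python
import re

# Constructed sample replies; none of these were captured from a real Jooki server.
GOOD = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"
DOWN = b"HTTP/1.1 503 Service Unavailable\r\nRetry-After: 60\r\n\r\n"
# A reply that is not an HTTP status line at all. A heartbeat that executes the
# first line of the response would run it; this client only logs and rejects it.
ROGUE = b"reboot\r\n\r\n"

# RFC 9112 status-line: HTTP-version SP status-code SP reason-phrase.
STATUS_LINE_RE = re.compile(rb"^HTTP/1\.[01] (\d{3}) [\t -~]*$")


def parse_status_line(response: bytes):
    """Return the status code as an int, or None if the first line is not a
    well-formed HTTP status line. The reason phrase is matched but ignored."""
    first_line, _, _ = response.partition(b"\r\n")
    m = STATUS_LINE_RE.match(first_line)
    return int(m.group(1)) if m else None


def heartbeat_decision(response: bytes) -> str:
    """Decide what the device does with a reply: 'alive', 'retry' or 'reject'.
    Nothing in the reply is ever interpreted as a command; firmware updates
    belong in a separate, authenticated channel, not in the heartbeat response."""
    code = parse_status_line(response)
    if code is None:
        return "reject"   # not HTTP at all: record it for the logs, do nothing else
    if code == 200:
        return "alive"
    return "retry"        # any other status: back off and check in again later


if __name__ == "__main__":
    for name, reply in (("GOOD", GOOD), ("DOWN", DOWN), ("ROGUE", ROGUE)):
        print(f"{name}: status={parse_status_line(reply)} -> {heartbeat_decision(reply)}")
```

Strict parsing is only half of the fix. The device also has to verify that it is talking to the right server (TLS with certificate validation, or a pinned key), otherwise whoever controls the check-in hostname can still feed the device whatever they like; the client above merely makes sure that “whatever they like” is never run.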
Now as any accomplished penguin wrangler will know, if you can run commands as root, it doesn’t take long to fire up an SSH server and get yourself an interactive login. Either of these methods can be used to get into the speaker’s OS, and as [nuit] points out, the second method means that whoever can buy up the Jooki domain name would have remote root access to every speaker out there.
Long story short, it’s horrifyingly easy to get root access on a Jooki speaker. The trick now is figuring out how this access can be used to restore these devices to full functionality. We just recently covered a project which offered a new firmware and self-hosted backend for an abandoned smart display; hopefully something similar for the Jooki isn’t far off.
More proof that the S in IoT stands for security.
Nice to see yet another cloud based service collapse and leave the users high n dry too
(obvs sarcasm for the “nice” bit)
But wait, there is no S in IoT. Oh yeah, there’s no security either.
is that security with an F? oh wait… there is no F in security.
There are MANY Fs in security.
This is terrible even by IoT standards. Good job, Jooki software devs. You’ve somehow managed to drop the expectations for bad IoT security even lower.
And more trash for the landfill for average users who aren’t able to hack stuff. The T in IoT should stand for trash
People always hate on IoT except when it involves Arduino or Espressif.
Maybe if this thing had used an ESP-32 people would be gushing over it instead of complaining.
Fun thing: it uses an esp32 as the heart of operations. the base linux only controls the esp32
Using the HTTP 200 payload to send commands is just brutal genius hacking ignorance. I might use the idea for something useful (and harmless).
This is why I hate IoT devices that I can’t control with my own server.
Without having one of these devices, it does seem like it would be quite trivial to fake a DNS entry on your local network and control it quite easily.
I talk in general.
Better build your own next time:
https://github.com/biologist79/ESPuino
I wish someone would do this for the Philips Streamium.
It kind of seems like the role of that device is better served by a stereo and a raspberry pi with an audio hat.
That said, if you want to send me a device to poke around in I’m up for that, I’m a software developer looking for a project. It looks like even the older models have ARM processors.