Chili Insecure

::: nBlog :::

A couple of months ago I ordered LED growth lights for my small chili plantation, which has somewhat suffered during the dark winter months. They finally arrived a day before Christmas Eve, which was perfect as I tend to relax by setting up and fixing things. The units are in the form of small floodlights, with open-ended wiring, so I had some patch cabling to do.

Plants need periodic darkness too, so I found an old mechanical timer socket that I had used to heat our car when we didn’t have a garage. Unfortunately, its plastic had become brittle, so I decided to buy a new one.

So I happened to visit verkkokauppa.com, nowadays a Finnish Costco equivalent, on the same day. A timer socket with WiFi, branded by Verkkokauppa as Network (yes, really) caught my eye. For only 29 Euros, the thing boasted multiple timer settings configurable with an Android or iOS mobile app. I decided to give it a try.

The device itself is sturdy and has only one button, which by default switches the socket on and off. The user manual is a 7-box comic strip.

The very simple mobile app wants every possible permission from the phone, including last dialed numbers and photo gallery access. Normally I’d stop here, but I had an empty spare phone, so I installed the app on that, just out of curiosity.

After starting the app, it asks you to reset the socket by pressing its button for five seconds. The phone then sends an Ethernet broadcast query (yes, I sniffed the traffic from the start) to discover any sockets in the WiFi domain. After discovering one, it asks for the WiFi encryption key to assign to the socket. Then, lo and behold, the socket reboots and acquires an IPv4 address.

Then it gets interesting. The app now shows the socket state upon starting, and controls it by sending plain, unencrypted UDP packets directly to the socket. It can request the socket state and can switch it on and off – the traffic pattern is like an open book. No user IDs, passwords, keys. Nothing. It took me 15 minutes to replicate the on/off switch packet.

The manual says that the device is controllable ‘from the Internet’ too. This feature did not initially work for me, but the reason is not only interesting, but quite alarming: the device sends several updates per minute to an unknown Chinese server, with the same unencrypted and undocumented protocol. And when the app is connected via the phone’s mobile internet connection instead of the local WiFi, it talks only to this Chinese server, which in turn tries to relay commands to the socket – again with the same simplistic protocol. Remember, there was no registration, no usernames, no passwords, no certificates. My firewall settings naturally blocked these attempts by default.
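The traffic pattern described above (a broadcast for discovery, plain UDP control on the LAN, and steady periodic updates from the socket to an external address) is easy to spot from a router's flow log. The following is an added example, not code from the post's author or the device vendor: it parses constructed flow records in an assumed `timestamp src dst proto dport bytes` layout and flags any UDP stream that leaves RFC 1918 space at a regular cadence. All addresses and ports in it are placeholders from the documentation ranges, not the real socket, phone or server.

```python
"""Phone-home (beacon) detection over router flow records.

Added example for this post, not the author's or the vendor's code. Assumes
flow lines of the form
    <ISO timestamp> <src> <dst> <proto> <dport> <bytes>
as a home router or NetFlow exporter could log. Every address and port below
is a constructed placeholder, not the real socket, phone or server.
"""
from collections import defaultdict
from datetime import datetime
import ipaddress

# Constructed sample traffic: the phone (192.168.1.20) discovers the socket
# with a broadcast, controls it on the LAN, and the socket (192.168.1.50)
# then sends updates to an external address every 15 seconds. One ordinary
# HTTPS flow from the phone is mixed in as a non-suspicious control case.
SAMPLE_FLOWS = """\
2017-12-23T19:00:00 192.168.1.20 255.255.255.255 udp 50000 48
2017-12-23T19:00:03 192.168.1.20 192.168.1.50 udp 50000 48
2017-12-23T19:00:04 192.168.1.50 192.168.1.20 udp 50000 52
2017-12-23T19:00:05 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:00:20 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:00:30 192.168.1.20 198.51.100.10 tcp 443 1500
2017-12-23T19:00:35 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:00:50 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:01:05 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:01:20 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:01:35 192.168.1.50 203.0.113.7 udp 50001 64
2017-12-23T19:01:50 192.168.1.50 203.0.113.7 udp 50001 64
"""

# RFC 1918 ranges, listed explicitly rather than using ipaddress.is_private,
# which also classifies the documentation ranges used in the sample as private.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROADCAST = ipaddress.ip_address("255.255.255.255")


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "proto": proto,
            "dport": int(dport), "bytes": int(nbytes),
        })
    return flows


def classify(flow):
    """Where a flow is headed: LAN broadcast/multicast, LAN unicast, or the Internet."""
    dst = ipaddress.ip_address(flow["dst"])
    if dst == BROADCAST or dst.is_multicast:
        return "broadcast"
    if any(dst in net for net in LAN_NETS):
        return "lan"
    return "external"


def find_beacons(flows, min_packets=4, max_jitter_s=5.0):
    """Flag UDP streams that leave the LAN at a steady cadence.

    Many packets to one external (dst, port) with near-constant spacing is the
    'several updates per minute to an unknown server' pattern from the post.
    """
    streams = defaultdict(list)
    for f in flows:
        if f["proto"] == "udp" and classify(f) == "external":
            streams[(f["src"], f["dst"], f["dport"])].append(f["ts"])

    findings = []
    for (src, dst, dport), stamps in streams.items():
        if len(stamps) < min_packets:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(gaps) - min(gaps) > max_jitter_s:
            continue  # irregular spacing: not a timer-driven beacon
        interval = sum(gaps) / len(gaps)
        findings.append({
            "src": src, "dst": dst, "dport": dport, "packets": len(stamps),
            "interval_s": interval,
            "per_minute": round(60.0 / interval, 2) if interval else float("inf"),
        })
    return findings


def describe(findings):
    """One human-readable summary line per flagged stream."""
    return [
        f"{f['src']} -> {f['dst']}:{f['dport']}/udp every {f['interval_s']:.0f}s "
        f"({f['per_minute']} per minute, {f['packets']} packets)"
        for f in findings
    ]


if __name__ == "__main__":
    for line in describe(find_beacons(parse_flows(SAMPLE_FLOWS))):
        print(line)
```

Run against the constructed sample it reports only the socket's stream to 203.0.113.7, not the phone's HTTPS flow or the LAN control packets. On a real router log the interesting follow-up is the destination itself: a device that was sold as a timer has no business keeping a steady heartbeat to an address the manual never mentions.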

So I bought a product that sits in my network and takes commands from an unknown Chinese company I have no relation with? Charming. In practice, this socket can be turned into a network sniffer or DDoS amplifier by the Chinese company simply by replacing its firmware remotely.
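The blocking my firewall did by default can be made explicit. The following is an added nftables example, not the author's actual firewall configuration: it assumes the socket has a fixed LAN address (192.168.1.50 is a placeholder) and that the firewall routes between the LAN and the Internet. The socket keeps answering the phone on the LAN, but anything it tries to send outside RFC 1918 space is counted, logged and dropped.

```nftables
# Added example, not the author's configuration. 192.168.1.50 is a placeholder
# for the socket's LAN address; adjust the set to the real one.
table inet iot_isolation {
    set iot_devices {
        type ipv4_addr
        elements = { 192.168.1.50 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # LAN-only: the socket may talk to the phone, but its periodic updates
        # to the unknown server never leave the house. The log prefix gives the
        # end user the auditing the product itself lacks.
        ip saddr @iot_devices ip daddr != { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 } counter log prefix "iot-egress-drop " drop
    }
}
```

Because the device initiates every connection to the relay server itself, dropping its egress is enough to stop the relayed commands too; the kernel log then shows exactly how often it keeps trying. The price is that the advertised ‘from the Internet’ control stops working, which for this protocol is the point.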

When people are offered this kind of service, it should be mandatory that manufacturers describe where their products actually communicate and why. Furthermore, consumers must be given service level agreements when large parts of the service (like the timer function here) are performed elsewhere (like in China). Things must have basic security and auditing features, readily accessible to the end user.

Selling horribly insecure and undocumented products for 29 Euros risks leaving us with a cornucopia of hacked consumer products put to deliberately malicious use.

This is very dangerous in this time of hybrid warfare. While authorities are inherently slow in regulating these things, retailers (like Verkkokauppa) should pay close attention.

//Pasi
