NotSoSmartConfig: broadcasting WiFi credentials Over-The-Air

During one of our latest IoT Penetration Tests we tested a device based on the ESP32 SoC by Espressif.

While assessing the activation procedure we faced for the first time a beautiful yet dangerous protocol: SmartConfig.

The idea behind the SmartConfig protocol is to allow an unconfigured IoT device to connect to a WiFi network without requiring a direct connection between the configurator and the device itself – I know, it's scary.

We have found an interesting and very detailed paper, "Discovering and Understanding the Security Hazards in the Interactions between IoT Devices, Mobile Apps, and Clouds on Smart Home Platforms", describing how the protocol works and what its security implications are.

After the end of the Penetration Test I chose to spend part of my research time offered by Shielder on the SmartConfig protocol, also called ESPTouch in the ESP environment, to write a tool able to intercept WiFi credentials Over-The-Air.

This is how a standard activation procedure works:

1. The IoT device sets itself in WiFi monitor mode.
2. The IoT device starts capturing every WiFi (encrypted) packet Over-The-Air.
3. The configurator opens the IoT device's App on her smartphone.
4. The configurator sets the WiFi BSSID (network name) and the WiFi password in the App.
5. The configurator starts the activation process.
6. The application encodes the WiFi information in the length field of some UDP multicast packets sent to the WiFi AP.
7. The IoT device reads the length of the captured packets (they are encrypted, but the length is still readable since encryption adds a fixed 40 bytes) and decodes the WiFi information.
8. The IoT device connects to the WiFi network.
9. The IoT device advertises itself with mDNS / Bonjour.
10. The configurator's smartphone detects the IoT device connection.

"You said they are encoded, you meant encrypted, isn't it?"

Back in 2013 Texas Instruments started using the SmartConfig protocol on the CC3000 module and George Hawkins, a Particle.io community member, pointed out for the first time how insecure this protocol is.

One of my junior developers got the following error message when trying to go to the definition of the VBA Array() function: Cannot jump to 'Array' because it is hidden.

The Solution

I followed up with this answer: It's a part of the VBA standard library's _HiddenModule, which is hidden by default.

You can display hidden members by right-clicking in the Object Browser window and checking the box to show hidden members. As for why the Array() function is tucked away in the _HiddenModule, I have no idea.

I first learned about the "Show Hidden Members" setting from Access legend Stephen Lebans, when I was trying to sink events to report sections.

Here's a sample of Stephen's code that I ended up incorporating into one of my event-handling class modules:

Private WithEvents mSection As Access.
Private WithEvents mSectionPageHeader As Access.
Private WithEvents mSectionPageFooter As Access.

Note the square brackets around the otherwise illegal object identifier (VBA identifiers are not allowed to start with an underscore character).

As Stephen says in the linked forum post, "you never know what you might find" when you start looking through an object's hidden members.

Below is a copy of the original exchange I had with one of my developers.

If you're curious, the app we are using is Keybase, which I highly recommend.