Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

The Problem with IoT Cloud-Connectivity and How it Exposed All OvrC Devices to Hijacking

Uri Katz, posted 1 year ago
  • OvrC cloud is a cloud-based remote management and monitoring system used by IoT devices. It is used by Control4, Wattbox and many other products, and it can also integrate with third-party products such as Roku and Sonos for management.
  • In the OvrC platform, the MAC address is used as the device identifier. A MAC address has two parts: the vendor's organizationally unique identifier (OUI) in the first three bytes, and a device-specific remainder. Since the first three bytes are known for a given vendor, the remaining space is 2^24, about 16 million addresses. Using the /v1/devices/find endpoint, it's possible to find all device MAC addresses.
  • Seeing MAC addresses isn't a big deal on its own until the knowledge is chained with other flaws. The /v1/devices/confirm API registers a device to a particular user. The caller must supply the serialNumber printed on the IoT device itself. However, the serialNumber is not actually checked, so anyone can register arbitrary devices.
  • The above attack only works if the device is unclaimed, so what about already claimed devices? A hub is a device that controls multiple IoT devices at a time. Since hubs operate on already registered devices, the researchers looked at the hub's permissions: hubs have the ability to unclaim arbitrary devices! So, using a hub, it was possible to unclaim a device and then reuse the previous registration attack. dsUpdateFoundDevices can be used to a similar effect.
  • Chaining these steps, it's possible to claim arbitrary devices. For instance, if the device is a camera, an attacker can watch the stream. The hub also has hardcoded superuser credentials, which are simply the MAC address and the ServiceTag on the account, both of which can be viewed from the cloud for a claimed device. The superuser account is accessible locally or remotely through the OvrC cloud.
  • The superuser account has the ability to run arbitrary bash commands on the device by design. Each of these vulnerabilities is fairly simple on its own. The interesting part was pairing them all together to go from knowing nothing about a device to executing arbitrary commands on it. Good research!
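The two authorization gaps in the third and fourth bullets (a claim endpoint that asks for a serial number but never compares it, and a hub that may release devices it does not manage) are easy to see as server-side logic. The following is an added example written for this page, not OvrC's code; the registry layout, the device and hub records, and the function names are assumptions, and the MAC addresses and serials are constructed sample values. Each weak handler is shown beside a hardened one that enforces the checks a defender would want.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Device:
    """Constructed device record; fields are assumptions for illustration."""
    mac: str
    serial: str
    owner: Optional[str] = None   # account that has claimed the device, if any
    hub: Optional[str] = None     # MAC of the hub that manages this device, if any


def fresh_registry() -> Dict[str, Device]:
    """Constructed in-memory registry standing in for the cloud database."""
    return {
        "aa:bb:cc:00:00:01": Device("aa:bb:cc:00:00:01", "SN-1001"),
        "aa:bb:cc:00:00:02": Device("aa:bb:cc:00:00:02", "SN-1002",
                                    owner="alice", hub="aa:bb:cc:00:00:ff"),
        "aa:bb:cc:00:00:ff": Device("aa:bb:cc:00:00:ff", "SN-HUB1", owner="alice"),
    }


def confirm_vulnerable(registry, user: str, mac: str, serial: str) -> bool:
    """Claim flow with the flaw described above: the serial is accepted but never compared."""
    dev = registry.get(mac)
    if dev is None:
        return False
    dev.owner = user          # any caller who knows a MAC takes ownership
    return True


def confirm_hardened(registry, user: str, mac: str, serial: str) -> bool:
    """Claim flow that binds the claim to the physical serial and to unclaimed devices only."""
    dev = registry.get(mac)
    if dev is None:
        return False
    # Constant-time comparison so the check does not leak how many characters matched.
    if not hmac.compare_digest(dev.serial.encode(), serial.encode()):
        return False
    if dev.owner is not None:
        return False          # already claimed; only the current owner may release it
    dev.owner = user
    return True


def unclaim_vulnerable(registry, hub_mac: str, mac: str) -> bool:
    """Hub release flow with the flaw described above: any hub may release any device."""
    dev = registry.get(mac)
    if dev is None:
        return False
    dev.owner = None
    dev.hub = None
    return True


def unclaim_hardened(registry, hub_mac: str, hub_owner: str, mac: str) -> bool:
    """Hub release flow that only releases devices the hub manages for its own owner."""
    hub = registry.get(hub_mac)
    dev = registry.get(mac)
    if hub is None or dev is None:
        return False
    # The hub must belong to the requesting account, and the device must be
    # managed by this hub and owned by the same account.
    if hub.owner != hub_owner or dev.hub != hub_mac or dev.owner != hub.owner:
        return False
    dev.owner = None
    dev.hub = None
    return True


if __name__ == "__main__":
    reg = fresh_registry()
    print("weak claim with wrong serial:",
          confirm_vulnerable(reg, "mallory", "aa:bb:cc:00:00:01", "WRONG"))
    reg = fresh_registry()
    print("hardened claim with wrong serial:",
          confirm_hardened(reg, "mallory", "aa:bb:cc:00:00:01", "WRONG"))
    print("hardened claim with right serial:",
          confirm_hardened(reg, "bob", "aa:bb:cc:00:00:01", "SN-1001"))
```

The hardened claim handler closes both halves of the chain at once: a caller needs the serial printed on the hardware, and a device that is already claimed cannot be taken over even with the right serial. The hardened unclaim handler means a hub can only release devices that are its own, so the "unclaim, then re-register" step has nothing to act on.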