Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Pwning Millions of Smart Weighing Machines with API and Hardware Hacking - 1623

Space Raccoon, posted 11 months ago
  • While at a gym, the author noticed a WiFi symbol on a scale. On further research, they realized that all of the products on Amazon were made by the same OEM with marginally different codebases; even the mobile apps were the same. So the author decided to try to remotely hack these devices.
  • Before even buying a device, they reverse engineered the mobile app to find its APIs. To their horror, the firmware update APIs suffered from simple SQL injections. This let them enumerate devices and their authentication secrets without having the physical box. Making this work required some fun SQLi WAF bypasses.
  • From there, they decided to get a shell on the device for further testing, which they did by connecting over UART to one of the scales. This was useful for debugging the scale's linking flow. In particular, they wanted to know how the API servers communicated with the scale itself and through the user's phone app.
  • The scale receives its WiFi credentials over Bluetooth. The device uses mTLS to obtain a session token for authentication. The user-device association can be done in two ways: one initiated by the user and another by the scale. All of these properly check the deviceid against the session token and other fields, making this pretty solid.
  • While messing around with the parameters, they were intrigued by the multiple ways to do auth. Eventually, they tried mixing and matching the two flows for tying the user and device together. By providing a user session token but a deviceid in the headers that they don't own, the request authenticates as the user, but the server treats it as a device-initiated request because of the header. So it assumes the device is valid when it really isn't. The explanation and the code snippet in the post help a lot with this.
  • Several good bugs! From a blackbox perspective, multiple authentication schemes coming together is tricky to get right. The SQL injection bug was trivial, but they had to put in other work to find these APIs. You always need to put in the work; it's just in different areas sometimes, such as reverse engineering.
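The mix-and-match flaw in the linking flow, as an added illustration rather than code from the post or the vendor's API (the `X-Device-Id` header, the tokens and both handlers are constructed assumptions): one handler picks the flow from a client-controlled header, the other derives identity from the session token alone and rejects a user session that tries to assert a device identity.

```python
from typing import Dict

# Constructed sample state (not real tokens or device ids).
USER_SESSIONS = {"user-tok-A": "user-1"}    # session token -> user id
DEVICE_SESSIONS = {"dev-tok-7": "scale-7"}  # session token -> device id (issued after mTLS)
LINKS: Dict[str, str] = {}                  # device id -> user id

class AuthError(Exception):
    pass

def link_vulnerable(headers: Dict[str, str], body: Dict[str, str]) -> str:
    """Flow chosen by the presence of X-Device-Id: a valid user token plus a device
    id the caller does not own is handled as if the scale itself were calling."""
    token = headers.get("Authorization", "")
    if token not in USER_SESSIONS and token not in DEVICE_SESSIONS:
        raise AuthError("unknown session")
    if "X-Device-Id" in headers:               # taken to mean "device-initiated"
        device, user = headers["X-Device-Id"], body["user_id"]
    else:                                      # user-initiated
        device, user = body["device_id"], USER_SESSIONS[token]
    LINKS[device] = user
    return f"{device}->{user}"

def link_hardened(headers: Dict[str, str], body: Dict[str, str]) -> str:
    """Flow chosen by what the session token proves: a device identity comes only
    from a device session, and any header repeating it must match."""
    token = headers.get("Authorization", "")
    if token in DEVICE_SESSIONS:
        device = DEVICE_SESSIONS[token]
        if headers.get("X-Device-Id", device) != device:
            raise AuthError("X-Device-Id does not match the device session")
        user = body.get("user_id")
    elif token in USER_SESSIONS:
        if "X-Device-Id" in headers:
            raise AuthError("a user session cannot assert a device identity")
        user, device = USER_SESSIONS[token], body.get("device_id")
    else:
        raise AuthError("unknown session")
    if not user or not device:
        raise AuthError("missing user_id or device_id")
    LINKS[device] = user
    return f"{device}->{user}"

def is_rejected(handler, headers, body) -> bool:
    """True when the handler refuses the request with AuthError."""
    try:
        handler(headers, body)
    except AuthError:
        return True
    return False
```

The user-initiated flow's own checks, which the post found solid, are not modelled here; the point is that the flow decision must come from the authenticated principal, not from a header the caller controls.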