Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Analysis of Satisfyer Toys: Discovering an Authentication Bypass with r2 and Frida

Banana Mafia, posted 4 years ago
  • The author reviewed the security of an internet-connected sex toy. The device is controlled over Bluetooth from an Android application, and the app lets other people control the device remotely.
  • The interesting part of the post is how authentication against the API works. To start the flow, the client itself creates and signs a JSON Web Token (JWT) carrying ROLE_ANONYMOUS_CLIENT; the API accepts it and returns a JWT with ROLE_USER for use against the rest of the API. Why does the client sign the JWT to start with?
  • The builders of the application clearly did not understand how JWT security works. Signing a token on the client means the client must hold the signing key, and a key the client holds can sign anything, for instance a ROLE_USER token for any other user's ID. Client and server share the same symmetric signing key, and that key is hardcoded into the application, so anyone who pulls it out of the APK (with r2 or Frida, as the post does) can mint tokens the server will accept.
  • A forged JWT lets an attacker become any other user of the application: control another person's Satisfyer or take over their account.
  • The fix is to sign server-issued JWTs with a key that never leaves the server (the client should at most hold a public key for verification). The flow would still be janky, but it would be secure without major changes to the application.
  • Satisfyer also uses WebRTC for sending file attachments and for remote control of the other device. The latter relies on TURN, using the coturn implementation. Instead of having the server generate temporary TURN credentials, the app ships hardcoded admin credentials for the relay. That could let one user view other people's communication... Yikes!
  • Key and password management is a hard problem on phones or game consoles: the attacker has access to everything on the device, so how do we stop them from escalating privileges? Shipping the server's secrets inside the client is certainly not the way to do it.
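The JWT flow described above, as an added example that is not code from the original post or from the Satisfyer app. It uses a minimal HS256 signer/verifier built on the standard library; the key values, user IDs and claim names are constructed placeholders, not the real ones. The vulnerable flow shows that once the client-side key is known, a ROLE_USER token for any victim verifies fine; the fixed flow shows the same forged token failing once the server verifies ROLE_USER tokens with a key the client never had.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder keys (assumptions for the example; not the app's real values).
SHARED_KEY = b"hardcoded-key-shipped-inside-the-apk"   # known to client AND server: the bug
SERVER_ONLY_KEY = b"key-that-never-leaves-the-server"  # the fix: server keeps its own key


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Minimal HS256 JWT encoder: header.payload.signature, all base64url."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the claims if the HS256 signature verifies under `key`, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(payload))


def client_bootstrap_token() -> str:
    """Step 1 of the write-up's flow: the app itself signs an anonymous token."""
    return sign_jwt({"role": "ROLE_ANONYMOUS_CLIENT"}, SHARED_KEY)


def forge_user_token(victim_id: str) -> str:
    """What an attacker can do once the key is pulled out of the APK."""
    return sign_jwt({"role": "ROLE_USER", "sub": victim_id}, SHARED_KEY)


def api_authorize(token: str, server_key: bytes, resource_owner: str) -> bool:
    """The API's check before acting on a user's device: valid signature, right role, right subject."""
    claims = verify_jwt(token, server_key)
    return (
        claims is not None
        and claims.get("role") == "ROLE_USER"
        and claims.get("sub") == resource_owner
    )


def demo() -> dict:
    """Vulnerable server (one shared key) beside the fixed server (server-only key)."""
    bootstrap = client_bootstrap_token()
    forged_for_bob = forge_user_token("bob")

    # Vulnerable: ROLE_USER tokens are signed and verified with the key that is in the app.
    legit_vuln = sign_jwt({"role": "ROLE_USER", "sub": "alice"}, SHARED_KEY)

    # Fixed: ROLE_USER tokens are signed and verified with a key the client never sees.
    legit_fixed = sign_jwt({"role": "ROLE_USER", "sub": "alice"}, SERVER_ONLY_KEY)

    return {
        "bootstrap_accepted": verify_jwt(bootstrap, SHARED_KEY) is not None,
        "vulnerable_legit": api_authorize(legit_vuln, SHARED_KEY, "alice"),
        "vulnerable_forged": api_authorize(forged_for_bob, SHARED_KEY, "bob"),      # True: takeover
        "fixed_legit": api_authorize(legit_fixed, SERVER_ONLY_KEY, "alice"),
        "fixed_forged": api_authorize(forged_for_bob, SERVER_ONLY_KEY, "bob"),      # False
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The anonymous bootstrap token can still be accepted under the shared key in the fixed variant, since it grants nothing; what matters is that every token carrying a privilege is signed with material the client does not possess. An asymmetric algorithm (RS256/ES256) with only the public key in the app achieves the same separation.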