@herrfeder
Last active December 9, 2017 21:55
Audit of a WIFI controlled smart switch especially for smartphone app and firmware.
  1. First Look
  • app functions
  • switch functions
  2. Access over Wireless Interfaces and Network
  • use interfaces in the intended manner and dump the exchanged network traffic
  • scan network services on cam and servers
  3. Reversing Android App
  • finding firmware and keys for further access to encrypted traffic
  • vulnerabilities

Used this tool for creating an AP the first time after struggling again with hostapd and a mismatching PSK: https://github.com/oblique/create_ap

Initial Communication

Logical Link Layer

While not connected to any device in pairing mode, it broadcasts XID frames (802.2 Logical Link Control packets).

IEEE 802.3 Ethernet 
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
    Source: Espressi_1d:68:7f (60:01:94:1d:68:7f)
    Length: 6
Logical-Link Control
    DSAP: NULL LSAP (0x00)
        0000 000. = SAP: NULL LSAP
        .... ...0 = IG Bit: Individual
    SSAP: NULL LSAP (0x01)
    Control field: U, func=XID (0xAF)
        101. 11.. = Response: Exchange identification (0x2b)
        .... ..11 = Frame type: Unnumbered frame (0x3)
Logical-Link Control Basic Format XID
    XID Format: LLC basic format (0x81)
    LLC Types/Classes: Type 1 LLC (Class I LLC) (0x01)
    Receive Window Size: 0

https://www.savvius.com/networking-glossary/llc_overview/type1_commands/

ADwin config

When configuring the smart plug, the protocol that Wireshark dissects as ADwin config is used. The phone broadcasts the configuration of the last used access point, including the PSK. Sending this in plaintext as a broadcast is a poor design choice. It is the only packet used for configuration.

Ethernet II, Src: SamsungE_17:a0:fa (84:2e:27:17:a0:fa), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.4.2, Dst: 255.255.255.255
User Datagram Protocol, Src Port: 6670, Dst Port: 6669
ADwin configuration protocol
    Pattern: Unknown (0x000055aa)
    Version: 0
    Scan ID: 0x00000001
    Status: 0x0000004c
    Timeout: 2065854561
    File name: {"passwd":"secret_psk","ssid":"test_create","token":"EU5A15GMdUAlAA"}
    MAC address: 3a:22:74:65:73:74 (3a:22:74:65:73:74)
    Unused

https://wiki.wireshark.org/Protocols/adwin_config

The token changes on every new configuration attempt. In another capture the phone sends the same JSON in a plain UDP datagram to port 6669 on the broadcast address.
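As an added example (not part of the gist), a defender-side check for this finding: scan a UDP payload for an embedded JSON object that carries WiFi credentials, whether the JSON is wrapped in the ADwin-style framing or sent bare. The header bytes in front of the JSON are an assumption for illustration; the JSON body is the one shown in the dump above, and the password is never echoed back.

```python
import json
import re

# Constructed sample payloads (not captures from the page). The JSON body
# matches the configuration dump; the framing bytes are an assumption only.
CONFIG_JSON = b'{"passwd":"secret_psk","ssid":"test_create","token":"EU5A15GMdUAlAA"}'
SAMPLES = {
    "adwin_framed": b"\x00\x00\x55\xaa" + b"\x00" * 12 + CONFIG_JSON + b"\x00" * 8,
    "plain_udp": CONFIG_JSON,
    "unrelated": b"\x00\x00\x55\xaa" + b"hello plug",
}

# Flat JSON object somewhere inside the datagram (no nesting needed here).
JSON_RE = re.compile(rb"\{[^{}]*\}")


def find_plaintext_wifi_creds(payload: bytes):
    """Return a redacted finding if the payload carries WiFi credentials as
    plaintext JSON, else None. The password value itself is not returned."""
    for m in JSON_RE.finditer(payload):
        try:
            obj = json.loads(m.group(0).decode("utf-8"))
        except (UnicodeDecodeError, ValueError):
            continue
        if not isinstance(obj, dict):
            continue
        if "passwd" in obj or "ssid" in obj:
            return {
                "ssid": obj.get("ssid"),
                "passwd_present": "passwd" in obj,
                "passwd_len": len(obj.get("passwd", "")),
                "token": obj.get("token"),
                "offset": m.start(),
            }
    return None


def scan_samples(samples=SAMPLES):
    """Run the check over every sample payload; useful as a capture filter body."""
    return {name: find_plaintext_wifi_creds(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, finding in scan_samples().items():
        print(name, "->", finding)
```

Feed real datagrams to port 6669 through `find_plaintext_wifi_creds` from a capture tool of your choice to alert on the leak without logging the PSK.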

In pairing mode only these ports are open:

nmap 192.168.4.1 -p 1-10000 -T5

Starting Nmap 7.60 ( https://nmap.org ) at 2017-12-09 22:42 CET
Warning: 192.168.4.1 giving up on port because retransmission cap hit (2).
Nmap scan report for 192.168.4.1
Host is up (0.0043s latency).
Not shown: 9997 closed ports
PORT     STATE    SERVICE
2088/tcp filtered ip-blf
7539/tcp filtered unknown
8852/tcp filtered unknown
MAC Address: 62:01:94:1D:68:7F (Unknown)

HTTP communication

SmartphoneIP 192.168.178.28 -> 140.205.163.87

  • occurs very frequently
  • appears to be an SDK API used by the app (Host amdc.m.taobao.com, appkey umeng), not the switch itself

Request

Transmission Control Protocol, Src Port: 40577, Dst Port: 80, Seq: 1, Ack: 1, Len: 785
Hypertext Transfer Protocol
    POST /amdc/mobileDispatch?platform=android&v=3.1&deviceId=&appkey=umeng%3Agoogle1 HTTP/1.1\r\n
    Host: amdc.m.taobao.com\r\n
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n
    Connection: close\r\n
    Accept-Encoding: gzip\r\n
    User-Agent: Dalvik/2.1.0 (Linux; U; Android 7.1.1; SM-G800F Build/NMF26V)\r\n
    Content-Length: 464\r\n
    \r\n
    [Full request URI: http://amdc.m.taobao.com/amdc/mobileDispatch?platform=android&v=3.1&deviceId=&appkey=umeng%3Agoogle1]
    [HTTP request 1/1]
    [Response in frame: 68]
    File Data: 464 bytes
    
    
HTML Form URL Encoded: application/x-www-form-urlencoded
    Form item: "bssid" = "c8:0e:14:de:d3:40"
        Key: bssid
        Value: c8:0e:14:de:d3:40
    Form item: "sign" = "1249e3e114fb9b5ba0db061756fe2ce3f9535890c8cccdd60fbf3a666c9e600f"
    Form item: "domain" = "upload.m.taobao.com g.tbcdn.cn mobilegw.alipay.com umengacs.m.taobao.com wwc.alicdn.com img.alicdn.com api.m.taobao.com h5.m.taobao.com amdc.m.taobao.com g.alicdn.com dorangesource.alicdn.com ynuf.alipay.com gw.alicd
    Form item: "appName" = "umeng"
    Form item: "platformVersion" = "7.1.1"
    Form item: "signType" = "noSec"
    Form item: "cv" = "0"
    Form item: "t" = "1511821280411"
    Form item: "preIp" = ""
    Form item: "netType" = "WIFI"
    Form item: "channel" = "android"

Response

Hypertext Transfer Protocol
    HTTP/1.1 200 OK\r\n
        [Expert Info (Chat/Sequence): HTTP/1.1 200 OK\r\n]
            [HTTP/1.1 200 OK\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Version: HTTP/1.1
        Status Code: 200
        Response Phrase: OK
    Server: Tengine\r\n
    Date: Mon, 27 Nov 2017 22:21:20 GMT\r\n
    Transfer-Encoding: chunked\r\n
    Connection: close\r\n
    Cache-Control: no-cache\r\n
    pragma: no-cache\r\n
    x-am-sign: \r\n
    x-am-id: amdc011182073154.center.et2_1511821280979_79195164\r\n
    x-am-code: 1006\r\n
    X-Powered-By: m.taobao.com\r\n
    \r\n
   
    Data (60 bytes)
        Data: 65794a6a6232526c496a6f784d4441324c434a6b626e4d69...
        [Length: 60]    
    

Showing the packet bytes of the Data field reveals base64:

$ echo "eyJjb2RlIjoxMDA2LCJkbnMiOltdLCJpcCI6Ijg5LjI0NC4yMDMuMTMzIn0=" | base64 -d
{"code":1006,"dns":[],"ip":"89.244.203.133"}
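The same decoding chain as a reusable check, added here as an example rather than code from the gist: hex as Wireshark prints it, then base64, then JSON, with the body's `code` cross-checked against the `x-am-code` response header. The dump above truncates the hex after 24 bytes; the full 60-byte value below is reconstructed from the base64 string decoded with `base64 -d`.

```python
import base64
import binascii
import json
import re

# Full 60-byte Data field (first 24 bytes match the Wireshark dump; the rest
# is the hex of the base64 string decoded above).
AMDC_DATA_HEX = (
    "65794a6a6232526c496a6f784d4441324c434a6b"
    "626e4d694f6c74644c434a7063434936496a6735"
    "4c6a49304e4334794d444d754d544d7a496e303d"
)

B64_RE = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def decode_amdc_body(data_hex: str) -> dict:
    """Hex (separators such as ':' or spaces allowed) -> bytes -> base64 -> JSON.
    Raises ValueError if the bytes are not base64 text, so unexpected
    (e.g. binary or gzip) bodies are not silently mis-parsed."""
    raw = binascii.unhexlify(re.sub(r"[^0-9a-fA-F]", "", data_hex))
    if not B64_RE.match(raw) or len(raw) % 4:
        raise ValueError("Data field is not base64 text")
    return json.loads(base64.b64decode(raw, validate=True))


def check_response(data_hex: str, x_am_code: str) -> dict:
    """Summarise the dispatch reply and verify header and body agree."""
    body = decode_amdc_body(data_hex)
    return {
        "code": body["code"],
        "code_matches_header": str(body["code"]) == x_am_code.strip(),
        "dns_entries": len(body.get("dns", [])),
        "ip": body.get("ip"),
    }


if __name__ == "__main__":
    # x-am-code: 1006 is the header value from the capture above.
    print(check_response(AMDC_DATA_HEX, "1006"))
```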

IPDC (IP Device Control) and plain TCP are the only protocols that occur between phone and switch. IPDC is intended for VoIP signalling, but in the live capture it appears to carry the commands for the switch. It communicates via port 6668. Note that both labels are port-based: Wireshark's IPDC dissector and nmap's "irc" service name are assigned from port 6668, not from the payload, so the actual protocol still has to be identified from the bytes.

nmap 192.168.178.78

Starting Nmap 7.60 ( https://nmap.org ) at 2017-11-30 22:27 CET
Nmap scan report for ESP-1D687F.fritz.box (192.168.178.78)
Host is up (0.0084s latency).
Not shown: 999 closed ports
PORT     STATE SERVICE
6668/tcp open  irc