carlospolop (Collaborator)

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Scope: Assessment of the YoSmart YoLink ecosystem focusing on the YoLink Smart Hub (firmware v0382 observed) that bridges LoRa devices (locks, garage controllers, sensors, plugs) to YoSmart’s cloud via MQTT.

Architecture primer (how it’s supposed to work):
- The hub runs on an ESP32‑WROOM‑32 and relays LoRa traffic to YoLink cloud message brokers over MQTT on TCP/8001 (non‑TLS).
- Two broker roles are evident: a gateway broker for hubs (e.g., mq-yl-gw-lb.yoli...

🔧 Technical Details

Derive protected URLs from firmware secrets to harvest cloud creds. Attach UART to an ESP32‑based hub, capture the deviceId and the config URL pattern. Reverse the firmware to learn the secret and compute MD5(deviceId||STATIC_KEY) (uppercase) to build /pf/<deviceId>/<MD5>. Enumerate predictable IDs (OUI + type bytes + sequential suffix) to bulk download per‑device configs and collect MQTT credentials.

Abuse plaintext MQTT to eavesdrop and exfiltrate secrets. With harvested hub credentials, subscribe to admin/maintenance topics using the published tpkfix and deviceId. Capture sensitive messages (e.g., s_wifi events carrying SSID/password) because the broker and transport are unencrypted.

Cross‑tenant MQTT authorization bypass for remote device control. Using any valid user (app) MQTT credentials, publish control payloads to another tenant’s device topic /ys...

🤖 Agent Actions

Updates implemented.

Actions taken:

  • Explored repository structure and reviewed relevant pages:
    • src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
    • src/network-services-pentesting/5671-5672-pentesting-amqp.md
    • src/hardware-physical-access/firmware-analysis/README.md
    • src/todo/radio-hacking/low-power-wide-area-network.md
    • src/generic-hacking/brute-force.md
    • Searched for MQTT/UART mentions across the repo and confirmed placement

What I added and where:

  1. MQTT pentesting page

    • File: src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
    • Changes:
      • Added a new section “IoT MQTT ecosystem attacks: plaintext brokers and topic ACL bypass”
        • Explained dual-broker ecosystems (gateway vs app brokers)
        • Documented plaintext MQTT over non-standard ports (e.g., 8001), topic ACL weaknesses, and sensitive data leakage via admin topics
        • Provided practical mosquitto_sub/mosquitto_pub examples for:
          • Subscribing to admin topics (e.g., <topic_prefix>//admin)
          • Cross-tenant control via /ys//tx when ACLs are weak
        • Added detection and mitigation guidance
      • Extended Shodan section to consider non-standard ports for MQTT
      • Added a “References” section including the Bishop Fox blog
    • Rationale: This blog primarily showcases MQTT security failures (plaintext transport, ACL bypass, topic-level tenant isolation issues) that fit perfectly under the MQTT pentesting page.
  2. Firmware analysis page

    • File: src/hardware-physical-access/firmware-analysis/README.md
    • Changes:
      • Inserted a new section “Harvesting cloud config and MQTT credentials via derived URL tokens,” covering:
        • Capturing deviceId via UART logs (picocom example)
        • Recovering STATIC_KEY and the token algorithm via Ghidra
        • Deriving token as MD5(deviceId||STATIC_KEY) uppercase
        • Harvesting cloud config via curl + jq and extracting MQTT creds/topic prefix
        • Subscribing to admin topics with recovered creds
        • Enumerating predictable deviceIds and mass credential retrieval (short script)
      • Added the Bishop Fox blog to the References section
    • Rationale: The blog’s technique to derive protected URLs and harvest MQTT credentials from firmware secrets is a firmware analysis pattern worth generalizing.

Why these locations:

  • MQTT exploitation aspects (plaintext traffic, topic patterns, ACL bypass) belong in the MQTT pentesting page.
  • The derivation of config URLs using firmware-embedded secrets and ID enumeration belongs in firmware analysis methodology.

References added:

No new files created; all updates made by enhancing existing relevant pages.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 896
  • MD files fixed: 2

All .md files have been checked for proper formatting (headers, includes, etc.).
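The cross-tenant control bypass summarised above comes down to the broker never binding an MQTT identity to the device ids it may act for. The following is an added example, not code from this PR, from the HackTricks pages it edits, or from the Bishop Fox post: a default-deny, per-tenant topic authorization model for a dual-broker layout (hub identities and app identities), plus a small detection helper that surfaces principals repeatedly denied against device ids they do not own. The device ids, account names and ownership table are constructed; the topic layouts `/ys/<deviceId>/tx|rx` and `<prefix>/<deviceId>/admin` are assumptions modelled on the page's `/ys//tx` and `<topic_prefix>//admin` templates with the id filled in.

```python
"""Default-deny, per-tenant MQTT topic authorization model (added example)."""
import re
from collections import Counter

# Constructed ownership data (assumption: the authorization layer can look up
# which app account owns which device, and which device id each hub asserts).
DEVICE_OWNER = {                      # deviceId -> app account (constructed ids)
    "d88b4c010000a1": "app-user-alice",
    "d88b4c010000b2": "app-user-bob",
}
HUB_DEVICE = {                        # hub MQTT username -> its own deviceId
    "hub-d88b4c010000a1": "d88b4c010000a1",
    "hub-d88b4c010000b2": "d88b4c010000b2",
}

# Assumed topic layouts modelled on the page's /ys//tx and <topic_prefix>//admin
# templates with the device id filled in; the real layout is not on the page.
DEVICE_TOPIC = re.compile(r"^/ys/(?P<dev>[0-9a-f]{14})/(?P<leaf>tx|rx)$")
ADMIN_TOPIC = re.compile(r"^(?P<prefix>[^/]+)/(?P<dev>[0-9a-f]{14})/admin$")


def authorize(username: str, action: str, topic: str) -> bool:
    """Return True only if `username` may perform `action` ('publish' or
    'subscribe') on `topic`. Everything not explicitly allowed is denied,
    and a wildcard subscription never reaches a device-scoped topic."""
    if action not in ("publish", "subscribe") or any(c in topic for c in "+#"):
        return False
    m = DEVICE_TOPIC.match(topic)
    if m:
        dev, leaf = m["dev"], m["leaf"]
        if username in HUB_DEVICE:
            # A hub talks only on its own device topics: it publishes device
            # state (rx) and subscribes to commands (tx) for its own id.
            own = HUB_DEVICE[username] == dev
            return own and ((action == "publish" and leaf == "rx")
                            or (action == "subscribe" and leaf == "tx"))
        # An app account publishes commands (tx) and reads state (rx) only for
        # devices it owns; any other tenant's device id is denied.
        owner = DEVICE_OWNER.get(dev)
        return owner == username and ((action == "publish" and leaf == "tx")
                                      or (action == "subscribe" and leaf == "rx"))
    m = ADMIN_TOPIC.match(topic)
    if m:
        # Admin/maintenance topics are reachable only by the hub that owns the
        # device id, and only for subscribing; app accounts never see them.
        return action == "subscribe" and HUB_DEVICE.get(username) == m["dev"]
    return False


def evaluate(requests):
    """Apply `authorize` to (username, action, topic) triples and return the
    decisions as (username, action, topic, allowed) tuples."""
    return [(u, a, t, authorize(u, a, t)) for (u, a, t) in requests]


def suspicious_principals(decisions, threshold=2):
    """Detection helper: principals with at least `threshold` denied requests
    against device or admin topics. Repeated denials across ids the principal
    does not own are the signature of ACL probing or id enumeration rather
    than a single misconfigured client."""
    denied = Counter()
    for u, a, t, allowed in decisions:
        if not allowed and (DEVICE_TOPIC.match(t) or ADMIN_TOPIC.match(t)):
            denied[u] += 1
    return {u: n for u, n in denied.items() if n >= threshold}


# Constructed request sample: legitimate traffic plus one account probing other
# tenants' devices and an app account trying to read a hub admin topic.
SAMPLE_REQUESTS = [
    ("app-user-alice", "publish", "/ys/d88b4c010000a1/tx"),           # own device: allow
    ("app-user-alice", "subscribe", "/ys/d88b4c010000a1/rx"),         # own device: allow
    ("hub-d88b4c010000a1", "subscribe", "/ys/d88b4c010000a1/tx"),     # own hub: allow
    ("hub-d88b4c010000a1", "subscribe", "yl/d88b4c010000a1/admin"),   # own admin: allow
    ("app-user-bob", "publish", "/ys/d88b4c010000a1/tx"),             # cross-tenant: deny
    ("app-user-bob", "publish", "/ys/d88b4c010000c3/tx"),             # unknown id: deny
    ("app-user-bob", "subscribe", "yl/d88b4c010000a1/admin"),         # app -> admin: deny
    ("hub-d88b4c010000b2", "subscribe", "yl/d88b4c010000a1/admin"),   # other hub: deny
    ("app-user-alice", "subscribe", "/ys/+/rx"),                      # wildcard: deny
]

if __name__ == "__main__":
    decisions = evaluate(SAMPLE_REQUESTS)
    for d in decisions:
        print("ALLOW" if d[3] else "DENY ", *d[:3])
    print("suspicious:", suspicious_principals(decisions))
```

The two design choices that matter are that the MQTT username, not the topic string supplied by the client, decides which device ids a session may touch, and that the default outcome is deny, so an app credential that is valid for one tenant buys nothing against another tenant's `/tx` topic. Wildcard subscriptions are refused outright because a single `#` subscription on a weakly configured broker is what turns the admin-topic leakage in the summary into bulk collection. This model only helps once the transport is also encrypted; on the plaintext TCP/8001 broker the page describes, an ACL does nothing against a passive observer.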

@carlospolop (Collaborator, Author)

🔗 Additional Context

Original Blog Post: https://bishopfox.com/blog/how-a-20-smart-device-gave-me-access-to-your-home

Content Categories: Based on the analysis, this content was categorized under "Pentesting Network/MQTT Security & Attacks (topic ACL bypass, plaintext MQTT, device ID enumeration)".

Repository Maintenance:

  • MD Files Formatting: 896 files processed (2 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
