Red alert! The security holes hiding behind the glossy exterior of smart lighting

The WiFi LED light is an LED bulb controlled over wireless WiFi. Besides lighting, the device can act as a router, an HTTP server, an HTTP proxy and the like. Security researchers abroad have recently found multiple security vulnerabilities in Zengge's WiFi LED bulbs.

The most serious one: the bulb has no authentication mechanism, so if an attacker knows its MAC address and it is configured to accept commands from the Internet, the attacker can control it.



Working principle

The bulb is controlled by an Android app. Once joined to a network it can be controlled locally or remotely over the network; by default, Internet control is disabled, which is a sensible security default. The bulb listens on three ports: TCP 80, TCP 5577 and UDP 48899. Port 80 serves a broken web page, port 5577 controls the bulb itself, and port 48899 controls the router module.

The router port lets a user perform any operation: update the firmware, act as a proxy, read the WiFi password, join a different network, and so on. Normally this port is reachable only from the internal network. Commands on this port take the form of the prefix AT followed by the command name and optional parameters.

Although the bulb uses no encryption on its network communication, this on its own has limited impact, because the user's permission extends only to controlling the lighting.


Vulnerability description

Local network attack

An attacker only needs to send UDP packets to port 48899, where AT commands can be issued using the hard-coded password HF-A11ASSISTHREAD.

The AT+UPURL command updates the firmware:

AT+UPURL=url, filename

The following AT commands read the WiFi name and password:

AT+WSSSID

AT+WSKEY

Using the AT+HTTPDT command and the related HTTP commands, an attacker can make the bulb issue HTTP requests of their choosing from inside the network, behind its firewall and NAT, so the bulb acts much like an HTTP proxy.

An attacker on the same network can also use the bulb to obtain remote-control access. This is distinct from the "Internet remote control" vulnerability below: once an attacker knows the bulb's MAC address, that access cannot be revoked.
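From a defender's side, the useful property of everything in this section is that it all travels over a single UDP port with a fixed password string and a small set of command names. The following is an added example (not code from the article or from Zengge) that classifies constructed packet records and raises alerts for management traffic on UDP/48899: the port, password and AT command names are taken from the article, while the record format, the trusted subnet and the sample packets are constructed for the demonstration.

```python
"""Flag WiFi-bulb management traffic (UDP/48899 AT commands) in packet records.

Added example, not code from the original article or from Zengge. The Packet
record format, the trusted subnet and SAMPLE traffic are constructed; the
port, password and command names are the ones the article describes.
"""
import ipaddress
from dataclasses import dataclass

MGMT_PORT = 48899                             # router-module control port (UDP)
HARDCODED_PASSWORD = b"HF-A11ASSISTHREAD"     # password string named in the article

# Commands the article describes as dangerous, with a short reason for the alert.
HIGH_RISK = {
    b"AT+UPURL": "firmware update from a caller-supplied URL",
    b"AT+WSSSID": "read of the wireless network name",
    b"AT+WSKEY": "read of the wireless password",
    b"AT+HTTPDT": "bulb used as an HTTP proxy",
    b"AT+MDCH": "change of the AP-fallback behaviour",
}


@dataclass
class Packet:
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address
    proto: str      # "udp" or "tcp"
    dport: int      # destination port
    payload: bytes  # raw payload


def classify(pkt: Packet, trusted_net: ipaddress.IPv4Network) -> list:
    """Return a list of (severity, reason) findings for one packet."""
    findings = []
    if pkt.proto != "udp" or pkt.dport != MGMT_PORT:
        return findings                       # only the management port is of interest
    if ipaddress.ip_address(pkt.src) not in trusted_net:
        findings.append(("critical", f"management port reached from outside {trusted_net}"))
    if HARDCODED_PASSWORD in pkt.payload:
        findings.append(("high", "hard-coded management password seen on the wire"))
    # Separate the command name from its parameters: b"AT+UPURL=<url>,<file>" -> b"AT+UPURL"
    cmd = pkt.payload.split(b"=", 1)[0].split(b"\r", 1)[0].strip()
    if cmd in HIGH_RISK:
        findings.append(("high", f"{cmd.decode()} issued: {HIGH_RISK[cmd]}"))
    elif cmd.startswith(b"AT+"):
        findings.append(("medium", f"other AT command {cmd.decode()} on the management port"))
    return findings


def scan(packets, trusted_cidr="192.168.1.0/24"):
    """Run classify() over all packets; return alerts as (src, severity, reason) tuples."""
    net = ipaddress.ip_network(trusted_cidr)
    alerts = []
    for pkt in packets:
        for severity, reason in classify(pkt, net):
            alerts.append((pkt.src, severity, reason))
    return alerts


# Constructed sample traffic (not a real capture). The bulb is 192.168.1.77.
SAMPLE = [
    Packet("192.168.1.20", "192.168.1.77", "udp", 48899, b"HF-A11ASSISTHREAD"),
    Packet("192.168.1.20", "192.168.1.77", "udp", 48899, b"AT+WSKEY\r"),
    Packet("203.0.113.9", "192.168.1.77", "udp", 48899, b"AT+UPURL=<url>,<filename>\r"),
    Packet("192.168.1.20", "192.168.1.77", "tcp", 5577, b"\x71\x23\x0f"),  # ordinary bulb control
]

if __name__ == "__main__":
    for src, severity, reason in scan(SAMPLE):
        print(f"[{severity:8}] {src}: {reason}")
```

The same logic maps directly onto an IDS rule: match UDP destination port 48899 and alert on the password string or any `AT+` payload, with a higher severity when the source is not on the local subnet, which by the article's own description should never be the case.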


WiFi attack

When the bulb fails to connect to the access point in STA mode, the AT+MDCH setting causes it to fall back to wireless AP mode. AT+MDCH has the following options:

1. off

2. on – 1 minute

3. auto – 10 minutes

4. 3-120 – minutes until reset

In most cases (unless the user has configured otherwise), because the default behaviour is to fall back to AP mode, an attacker can connect directly to the bulb and carry out any of the local attacks above.

Danger of exposure to the Internet

Scanning the Internet for these bulbs shows that at least two of the management ports are exposed on some devices. If a bulb is reachable from the Internet, an attacker anywhere can gain access to the user's network through the proxy attack, can physically locate the user by looking up the router's MAC address in the Wigle database, can join the same access point as the bulb using the recovered wireless name and password, or can push firmware to the bulb for further attacks.

Internet remote control attack

The bulb has no authentication mechanism, so if an attacker knows its MAC address and it is configured to accept commands from the Internet, the attacker can control it.

The bulbs' MAC addresses share the prefix ACCF23, and only the last three bytes identify an individual device. Because the addresses are assigned sequentially, once an attacker knows one MAC address the range to search for the others is small. An attacker can therefore take control of every bulb with the "remote control" function enabled in a short time.

By contrast, Hue bulbs block this kind of attack because device discovery is tied to the source IP address.
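The sequential, predictable address space described above is exactly what a server-side log can reveal: a legitimate owner talks to one or two bulbs, while a sweep walks through neighbouring device numbers from one source. The following is an added example (not code from the article or from Zengge's service) that reads constructed request-log lines and flags sources that request many distinct ACCF23 addresses in a short window or consecutive device numbers in order. The MAC prefix and the sequential-assignment observation come from the article; the log format, the thresholds and the existence of such a server-side log are assumptions made for the demonstration.

```python
"""Detect sweeps of ACCF23-prefixed bulb MAC addresses in remote-control request logs.

Added example, not code from the original article or from Zengge's service. The
'epoch src_ip mac' log format, the thresholds and SAMPLE_LOG are constructed;
the MAC prefix and the sequential-assignment observation are from the article.
"""
from collections import defaultdict

BULB_OUI = "ACCF23"        # vendor prefix named in the article
WINDOW_SECONDS = 300       # sliding window for per-source counting (assumed)
DISTINCT_THRESHOLD = 5     # distinct MACs per source within the window (assumed)
SEQUENTIAL_RUN = 3         # consecutive device numbers that look like a sweep (assumed)


def parse_line(line: str):
    """Parse 'epoch src_ip mac' (constructed format) into (ts, ip, mac) or None."""
    parts = line.split()
    if len(parts) != 3:
        return None
    ts, ip, mac = parts
    mac = mac.replace(":", "").replace("-", "").upper()
    if len(mac) != 12 or not ts.isdigit():
        return None
    return int(ts), ip, mac


def device_number(mac: str) -> int:
    """Only the last three bytes identify the device; treat them as one integer."""
    return int(mac[6:], 16)


def detect_enumeration(lines):
    """Return {src_ip: [reasons]} for sources whose requests look like a MAC sweep."""
    per_src = defaultdict(list)                 # src_ip -> [(ts, mac)]
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec[2].startswith(BULB_OUI):
            continue                            # malformed or not a bulb address
        ts, ip, mac = rec
        per_src[ip].append((ts, mac))

    flagged = {}
    for ip, events in per_src.items():
        events.sort()
        reasons = []

        # Sliding window: largest number of distinct MACs seen within WINDOW_SECONDS.
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW_SECONDS:
                start += 1
            best = max(best, len({m for _, m in events[start:end + 1]}))
        if best >= DISTINCT_THRESHOLD:
            reasons.append(f"{best} distinct bulb MACs within {WINDOW_SECONDS}s")

        # Sequential walk: device numbers n, n+1, n+2 ... requested in time order.
        nums = [device_number(m) for _, m in events]
        run = longest = 1
        for a, b in zip(nums, nums[1:]):
            run = run + 1 if b == a + 1 else 1
            longest = max(longest, run)
        if longest >= SEQUENTIAL_RUN:
            reasons.append(f"{longest} consecutive device numbers requested in order")

        if reasons:
            flagged[ip] = reasons
    return flagged


# Constructed sample log: one legitimate owner, one sweeping source, one unrelated device.
SAMPLE_LOG = [
    "1000 198.51.100.7 ACCF23000010",
    "1010 198.51.100.7 ACCF23000010",
    "1005 203.0.113.42 ACCF2300A001",
    "1006 203.0.113.42 ACCF2300A002",
    "1007 203.0.113.42 ACCF2300A003",
    "1008 203.0.113.42 ACCF2300A004",
    "1009 203.0.113.42 ACCF2300A005",
    "1010 203.0.113.42 ACCF2300A006",
    "1200 192.0.2.9 00117F000001",     # not a bulb OUI; ignored
]

if __name__ == "__main__":
    for ip, reasons in detect_enumeration(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

Detection of this kind is a stop-gap: it only narrows the window an enumerating client has. The structural fix is the one the article credits Hue with, binding control of a device to something the attacker cannot guess (such as the authenticated source that first discovered it) rather than to a predictable MAC address.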

Indirect connection attack

When a phone that has connected to a bulb looks up that bulb's remote settings, it retrieves the list of devices authorized for the bulb (via the GetAuthUserDevice API call), including every device that has ever been authorized to connect. The problem is that an attacker can use this authorization list to obtain device IDs for controlling other bulbs.

Fix status

Zengge attempted to fix these vulnerabilities by obfuscating the keys, without success. The company later released a new version that changed the device registration process and added server-side verification; however, the server-side verification option has not yet been turned on.
