The D-Link DSP-W215 Smart Plug, a wireless home automation device for monitoring and controlling electrical outlets has just been hacked. Even though it isn’t readily available from Amazon or Best Buy yet, the firmware is already up on D-Link’s web site. The very well detailed write-up explains all the steps that led to this exploit creation.
First, the firmware was unpacked to examine the file system contents. It was found that the smart plug doesn’t have a normal web-based interface as users are expected to configure it using D-Link’s Android/iOS app. The apps however, appear to use the Home Network Administration Protocol (HNAP) to talk to the smart plug running a lighthttpd server. A look at the latter’s configuration file revealed the functions that could be called without any authentication. Another revealed that the firmware could accept an unlimited amount of POST request bytes which were copied in a fix length buffer without any performed checks. We’ll let our readers head to the original article to see where the author went from this point.
When will the so-called engineers that write this stuff learn about security, FFS?
How long before homes are hacked, cars are crashed, and infrastructure compromised because they can’t manage even the most basics of good programming practices?
I’ve yet to see a company from 1980+ that actually care about their product that much, Everything is hype lies compounded with lies people paid off to incorporate dangerous materials to HUMAN LIFE by changing studies and such, $$ is too important.
This was an interesting read, but as far as I can tell, Craig doesn’t seem to have practiced responsible disclosure. While the limited product availability (let alone adoption) and likely concealment behind a NAT gateway make it a relatively low-risk exploit, public disclosure without first giving D-Link time to patch the vulnerability was irresponsible, unprofessional, and reckless. (I note, however, that D-Link turned around a patch within 24 hours. Good for them [though it doesn’t exactly make up for the original bug].)
Uh, yes he did. http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10027
Responsible disclosure encourages companies to be lax with security. If serious holes are reported to them ahead of being released to the wild, their PR impact is minimized and the managers have no incentive to pay out extra labor dollars for secure software. The real unprofessional entites are companies that write insecure code to save a few bucks.
If hackers everywhere started releasing expoits to the wild as soon as discovered there would be a far greater commercial incentive to write secure code in the first place. After all, the etchical hacker who reports a flaw is seldom the first hacker to have discovered it…
*ethical hacker
Withtout the threat of post release backlash no company would even respond to the courtesy FYI , good work man
Fantastic hack and a great read.
It is sad to see how little “software engineered”.these things are. Maybe they should transfer some of the marketing/coming-up-with-products departments’ funds to hiring more software engineers. I would even suggest considering non-embedded backgrounds.
‘We’ll let our readers head to the original article to see where the author went from this point.’
I’d rather you told me :(
It used to be “big brother is watching you, but now i guess it’s more, sshhh, big brother is controling you..”
In this case people only buy what they want, but when it turns to a first necessity item, things can go wrong..