
Automatic translation from Russian to English. It may contain inaccuracies.



June 8, 2025, 8:28 PM · Max Knyazev · Telegram mirror
🧠 While you are weighing yourself, someone is weighing how many scales they can crack.

The other day I read the original articles, a translation of which came out relatively recently on Habré. The point is: one researcher (Spaceraccoon) went and hacked millions of smart scales. Yes, millions. The ones that send your data to the cloud via Bluetooth and Wi-Fi so that the app can then helpfully tell you: "Today +2 kg. We should cut down on sweets." Except that now this is visible not only to the user, but to anyone who knows how to talk to the API 😳

You can read the article in detail without me (I left all the links in the post above), and I will tell the story in a shorter version. Let's figure out the causes, draw conclusions, have a laugh... well, as usual 🤝

What actually happened?

It all started with a Wi-Fi icon on a hotel scale. It turned out that these things connect to the Internet and exchange data with servers through a mobile application. More precisely, through a vulnerable API, where the most important thing happens: linking a user to a device 🧐

And this is where the magic begins (black magic, or rather black-hat) 😎

The author realized that many brands (even ones that seem completely unrelated to each other) use the same library, com.qingniu.heightscale. So if you find a bug in one application, you can be almost certain it exists in a dozen others. 🪄

🤌 The meat of it:

1⃣ Through a bug in the API, it was possible to enumerate device serial numbers

2⃣ These serials were used not only as an identifier but also as a key. That is, if you know the device's MAC address, you can link it to your account

3⃣ SQL injection with a tricky WAF bypass ('or\n@ @version \nlimit 1#) allowed you to pull out the serial numbers of thousands of devices by simply incrementing the offset

4⃣ There was a hole in the API logic that allowed you to send a user token instead of a device token, and the server dutifully bound someone else's device to your account


Voilà: you have a stranger's scales, and they now get "Connection error". What you do with them next is a matter of conscience. Or imagination 😅

👍 What's especially cool is that the author didn't limit himself to the API. He took apart the Withings WBS06 scales, found debug ports, connected via UART, pulled out the firmware, found TLS certificates and private keys and... got a shell. On the scales. Yes. There really was a console there. On the scales (why?)

And all this was not for fun, but to understand how the "hardware → application → server" chain works and where exactly in it things hurt so much 💀

🫡 Small conclusions from me (let me moralize a bit):

API = entry point. Even if your hardware is super secure, everything falls apart if you forgot to validate on the backend 🤓

Serial number ≠ secret. You can't build security on something that's easy to find out. ⛔️

mTLS is not armor if the logic fails 💯

Good manufacturers fix bugs even on January 3rd. Respect to those who listen to such researchers ( yes, the developers quickly fixed everything during the New Year holidays ) 🎅
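The four findings above and the conclusions that follow ("API = entry point", "serial number ≠ secret") are easiest to see side by side in code. What follows is an added example written for this post; it is not code from Spaceraccoon's write-up, from the com.qingniu.heightscale library or from any vendor. It models a tiny backend in Python with sqlite3: first a binding endpoint the way the post describes it (any token accepted, the serial alone proves ownership), then a hardened one that checks the token kind, uses a per-device secret instead of the serial, and keeps the serial out of the SQL text. The per-device secret scheme, the HMAC proof, the `Token` class, the `bind_device_*` functions, the audit log and the sample serial `SN-0001` are all assumptions invented for illustration.

```python
import hashlib
import hmac
import secrets
import sqlite3
from dataclasses import dataclass
from typing import Optional

# Constructed sample backend state: one device, already owned by "alice".
db = sqlite3.connect(":memory:")
db.execute("CREATE TABLE devices (serial TEXT PRIMARY KEY, owner TEXT, secret BLOB)")
# Assumed design: a per-device secret provisioned at manufacture and known only
# to the device and the backend. Serial and MAC remain public identifiers.
DEVICE_SECRET = secrets.token_bytes(32)
db.execute("INSERT INTO devices VALUES (?, ?, ?)", ("SN-0001", "alice", DEVICE_SECRET))
db.commit()
audit_log: list[str] = []        # server-side reasons; the client only sees ok / not ok
_used_nonces: set[str] = set()   # replay protection for device proofs


@dataclass(frozen=True)
class Token:
    kind: str     # "user" or "device"; the flaw in the post was never checking this
    subject: str  # user id for user tokens, serial for device tokens


def owner_of(serial: str) -> Optional[str]:
    row = db.execute("SELECT owner FROM devices WHERE serial = ?", (serial,)).fetchone()
    return row[0] if row else None


def bind_device_insecure(serial: str, presented: Token) -> bool:
    """Before: any token kind is accepted and knowing the serial is enough to
    re-own the device. This is the serial-as-secret mistake from the post."""
    cur = db.execute("UPDATE devices SET owner = ? WHERE serial = ?",
                     (presented.subject, serial))
    db.commit()
    return cur.rowcount == 1


def device_proof(serial: str, user_id: str, nonce: str, device_secret: bytes) -> str:
    """What the physical scale computes (e.g. during local pairing) to consent
    to being bound to user_id. Only the device and the backend hold the secret."""
    msg = f"{serial}|{user_id}|{nonce}".encode()
    return hmac.new(device_secret, msg, hashlib.sha256).hexdigest()


def bind_device_secure(serial: str, presented: Token, nonce: str, proof: str) -> bool:
    """After: the caller must hold a *user* token and must present a fresh proof
    that only the real device could have produced. The lookup is parameterised,
    so the serial never becomes part of the SQL text."""
    if presented.kind != "user":
        audit_log.append(f"bind {serial}: wrong token kind {presented.kind!r}")
        return False
    row = db.execute("SELECT secret FROM devices WHERE serial = ?", (serial,)).fetchone()
    if row is None:
        # Same client-facing outcome as a bad proof: do not confirm which serials exist.
        audit_log.append(f"bind {serial}: unknown serial")
        return False
    if nonce in _used_nonces:
        audit_log.append(f"bind {serial}: replayed nonce")
        return False
    expected = device_proof(serial, presented.subject, nonce, row[0])
    if not hmac.compare_digest(expected, proof):
        audit_log.append(f"bind {serial}: bad device proof")
        return False
    _used_nonces.add(nonce)
    db.execute("UPDATE devices SET owner = ? WHERE serial = ?", (presented.subject, serial))
    db.commit()
    return True


if __name__ == "__main__":
    mallory = Token("user", "mallory")
    # Insecure endpoint: a valid user token plus a known serial takes over the device.
    print("insecure:", bind_device_insecure("SN-0001", mallory), owner_of("SN-0001"))
    # Secure endpoint: the same request fails without a proof from the device itself.
    print("secure, no proof:", bind_device_secure("SN-0001", mallory, "n1", "00" * 32))
    alice = Token("user", "alice")
    good = device_proof("SN-0001", "alice", "n2", DEVICE_SECRET)
    print("secure, real device:", bind_device_secure("SN-0001", alice, "n2", good))
    print("audit:", audit_log)
```

The design choice worth noting is that the secure path never treats the serial or MAC as a credential: those are looked up, not trusted, and the only thing that moves the owner column is a one-time HMAC that the backend can verify but a stranger with a list of serials cannot forge. Rejections all look alike to the client while the audit log keeps the real reason, which also gives a detection hook for mass binding attempts.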


I wouldn't say that after this story I want to urgently stop weighing myself on smart scales. But it's definitely worth remembering: if a device connects to the Internet, sooner or later someone will connect to it too. And it's not a given that it will be you 😉

#internet_things
#information_security