HaxRob

@haxrob

Followers
15,602
Following
378
Media
285
Statuses
650

I enjoy breaking things. Telco / mobile and IoT security. Surfing the information super highway one keystroke at a time.

Australia
Joined April 2017
Pinned Tweet
@haxrob
HaxRob
10 months
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out. The Android grid connect app has 500k+ downloads. Let’s take a quick look! 🧵 (1/n)
Tweet media one
115
2K
6K
@haxrob
HaxRob
1 month
Andres Freund, the principal software engineer at Microsoft who discovered the xz backdoor really does deserve a big pat on the back. 👏 The outcome could have been much, much worse.
@thegrugq
thaddeus e. grugq [email protected]
1 month
@ResidentMemer The end game would be the ability to login to every Fedora, Debian and Ubuntu box on the internet. If it isn’t a state actor it should be…
13
161
2K
49
1K
11K
@haxrob
HaxRob
1 month
Plans to literally "hack the planet" foiled due to 500ms of latency that Andres instinctually investigated. The latency was due to how the malicious code parsed symbol tables in memory.
Tweet media one
39
785
7K
@haxrob
HaxRob
1 month
If you needed yet another reason not to trust VPN providers or proxy services... Here Facebook partnered with a bunch of companies to have root certificates installed on people's phones so they could intercept other apps' traffic.
Tweet media one
119
2K
5K
@haxrob
HaxRob
9 months
This invasive Bluetooth car battery monitor was found to be sending the following location data to 🇨🇳 - GPS - Wifi devices - Cell phone towers The Apple and Google app stores said no personal data was collected. A new update has emerged. Let's see what was changed 👇(1/n)
Tweet media one
67
1K
4K
@haxrob
HaxRob
1 month
Tweet media one
6
191
3K
@haxrob
HaxRob
10 months
A twitter user mentioned the mobile app for their “smart” wifi connected power plug was requesting their location. The app has more than 1 million downloads. Curious, I ordered the ‘Meross’ branded device and it’s just arrived. What will we find? Let’s dig in ..🧵
Tweet media one
39
382
3K
@haxrob
HaxRob
3 months
With the (fake) toothbrush botnet story still fresh, Colgate's connected Bluetooth toothbrush caught my eye on discount at the local supermarket. "Hi there, let's get to know each other" Sure, let's do this. What will we learn? (1/n) 👇
Tweet media one
13
208
1K
@haxrob
HaxRob
2 months
I recently found two very interesting Linux binaries uploaded to Virustotal. I call this malware 'GTPDOOR'. GTPDOOR is a 'magic/wakeup' packet backdoor that uses a novel C2 transport protocol: GTP (GPRS Tunnelling Protocol), silently listening on the GRX network (1/n) 🧵
Tweet media one
14
294
1K
@haxrob
HaxRob
2 months
The Chinese APT contractor leak contained a few interesting files; namely: - CDRs (Call Detail Records) - LBS (Location Based Services) db records Threat actors compromise telcos with the aim to obtain subscriber metadata to support IC objectives. Some background: (1/5)🧵
Tweet media one
10
227
1K
@haxrob
HaxRob
1 month
The CA certificate that Facebook had pushed onto mobile phones as a root of trust (via the Onavo Protect app) How many devices would still have this cert installed?🤔 With a lifetime of 10 years, it won't be until June 6th, 2027 that it expires.
Tweet media one
18
171
1K
@haxrob
HaxRob
10 months
Going to wrap up the live tweeting on this one. If you found this interesting/helpful, feel free to like/retweet. We need as many people as we can to be encouraged to discover and call out companies that harvest location data from their devices. 15/15
@haxrob
HaxRob
10 months
A friend asked me to find out why his connected lightbulb app was asking for his location, so I ducked out to Australia’s favourite hardware store, Bunnings, and grabbed one to check out. The Android grid connect app has 500k+ downloads. Let’s take a quick look! 🧵 (1/n)
Tweet media one
115
2K
6K
7
87
828
@haxrob
HaxRob
10 months
It doesn't feel complete without a map. Coverage map using advertised BLE device name "TY" and the mac address prefix A8:80:5 (Tuya Smart Inc.) - beaconed out from my lightbulb. This is why Google (rightfully so) considers Bluetooth scanning "location data" (..16/15)
Tweet media one
Tweet media two
32
81
834
@haxrob
HaxRob
10 months
So what do we make of all this? The developer discloses on the app store that the precise location data collection is optional. Is this misleading? What we have discovered in this Twitter thread is that if you try to pair one of their devices via Bluetooth scanning, the app…
Tweet media one
10
57
698
@haxrob
HaxRob
10 months
Let's pull the .apk from the device and take a look at the manifest. We could of course grab it from APK Pure. Yikes! recording audio, access to camera, location.. Assume there is a legitimate functional use for all of this. Trust but verify? (5/n)
Tweet media one
3
36
545
@haxrob
HaxRob
1 month
Here Facebook acquired Onavo and had quite a good run before the spyware got pulled from app stores. At a $120 million dollar price point it's clear how much value they put on having the ability to intercept users' mobile traffic.
Tweet media one
3
47
535
@haxrob
HaxRob
10 months
Time to fire up trusty #mitmproxy to look at the network traffic. Traffic is going to . Familiar domain. I came across Tuya used in a Mirabella Genio Smart light I got at a supermarket. Tuya is an IoT OEM found everywhere. postData is encrypted. (4/n)
Tweet media one
6
25
501
@haxrob
HaxRob
10 months
Looks like it worked! We have visibility on any data that is passed as a parameter to encryptPostData(). No need to reverse the encryption function to figure out how to decrypt the data - we have it before it's encrypted and sent over the wire. MASSIVE TIME SAVER. 🙏 (8/n)
Tweet media one
1
10
448
@haxrob
HaxRob
10 months
The app has a feature where it can auto discover your BLE devices. Is location permission needed here? It depends. From Android API SDK v31 things have improved where fine location is not needed for BLE scanning. The app is forcing this even though we are on v31. (2/n)
Tweet media one
Tweet media two
2
15
420
@haxrob
HaxRob
10 months
Probably these parameters? "lat" and "lon". hmm.. KEY_IMEI and KEY_IMSI are probably worth looking into too at some point. 🧐🧐 But alas, we must stay on track. KEY_LAT and KEY_LON it is for now. Live tweeting this enquiry keeping me on track🤣 (11/n)
Tweet media one
2
9
410
@haxrob
HaxRob
10 months
Application reinstalled. Boom! we see the exact packet where our GPS co-ordinates are sent to Tuya's remote server over the Internet. We can identify this in packets that have the "a" field "b.m.sys.location.get". (13/n)
Tweet media one
2
18
410
@haxrob
HaxRob
1 month
Broadcom are signalling hostility to the VMWare community - in order to download USB Network Native Drivers for ESXi you now need to send an email to some guy named Eric @ Broadcom. Why? ESXi, you were and are the best hypervisor, but your new owner is making many bad decisions.
Tweet media one
27
56
389
@haxrob
HaxRob
2 months
Doom is running on the actual toothbrush's CPU. 🪥 @romero
@atc1441
atc1441
2 months
DOOM on a Toothbrush? Sure!
87
727
4K
3
50
382
@haxrob
HaxRob
10 months
Dynamic instrumentation with #frida will really speed things up. JADX can emit a boilerplate hooking .js snippet to use in Frida. We just need to modify it to convert the plaintext byte array passed into encryptPostData from signed integers into a readable string. (7/n)
Tweet media one
3
9
367
@haxrob
HaxRob
10 months
Our focus here is what is happening with location permission other than BLE scanning. We need quick wins as this app isn't trivial and is obfuscated. Crypto routines related to the postData appear to be implemented in native arm64 within a shared library. (6 / n)
Tweet media one
Tweet media two
2
11
366
@haxrob
HaxRob
1 month
Checking the archived APK listing for "Onavo Protect" from 2019, likely just before it was pulled from the Play store, the description discloses some information on what they are up to, but then proceeds to gaslight the user.
Tweet media one
4
22
367
@haxrob
HaxRob
10 months
Let's allow it "for science". The device is paired. We also have the option to enter our Wifi credentials. I assume this is so the light can be remotely controlled over the Internet. It's automatable too. One condition is "when location changes". Let's not touch these. (3/n)
Tweet media one
Tweet media two
1
8
356
@haxrob
HaxRob
3 months
Next up, Home Assistant integration for Colgate toothbrushes..... Or not. Calling it a night. It's been fun folks. (11/n)
Tweet media one
5
11
352
@haxrob
HaxRob
10 months
ok, we got a match. GPS co-ordinates of where I am - although this was data *received* from the cloud server. How did my location get there in the first place? Perhaps when the application was first installed? Back to square one - but this time we know what to log. (12/n)
Tweet media one
2
10
347
@haxrob
HaxRob
10 months
So far no location data. Are we looking in the right place? Remember we are after "quick wins". The minimum time investment possible to answer my friend's question "what's it doing with my location" ? The developer's logging class seems perfect to hook into -…
Tweet media one
Tweet media two
2
8
340
@haxrob
HaxRob
1 month
Let’s grab a copy of Facebook’s banned VPN app from 2019 and install it to see how it manages to spy on other apps on the phone. Note how it guides me to click invasive permissions such as allowing it to appear on top of other applications. A mobile malware technique.
3
38
338
@haxrob
HaxRob
10 months
You beauty - it worked. We now have visibility into what is encrypted in the postData form field. We can account for the data in HTTP post towards the Tuya cloud API endpoint. But what are we exactly looking for? (10/n)
Tweet media one
1
7
309
@haxrob
HaxRob
10 months
... and it worked! We see the BSSID of the home Wifi router is being sent from the embedded plug device to the MQTT server in AWS (Japan). Recall we have not once given any location permissions to the mobile app (yet).. Of course the embedded plug device knows our Wifi…
Tweet media one
7
7
305
@haxrob
HaxRob
1 month
Interesting, the app still manages to establish connectivity back to Facebook's servers. 😡 That said, once its VPN tunnel comes up, all connectivity is lost on the handset - so technically the service is down. 🥹
Tweet media one
Tweet media two
2
19
293
@haxrob
HaxRob
9 months
Before we begin the investigation, a coverage map of where these devices have been found across planet earth. Collected Bluetooth beacon data from reveals they are everywhere. There are likely hundreds of thousands of these roaming about. (2/n)
Tweet media one
7
21
286
@haxrob
HaxRob
9 months
Loading up the APK into JADX to decompile the bytecode into Java, it's apparent they are still using the Qihoo packer as before. The actual code we want is encrypted. Although Qihoo is an advanced (native) packer, there is a trivial way to obtain what we want - pull the…
Tweet media one
Tweet media two
4
19
283
@haxrob
HaxRob
1 month
Back onto the permissions: red flags with requests to: - display over other apps - access "past+deleted app usage" - setup a VPN connection - make and manage phone calls All under the pretext to "stay safer" .. We know better right? But would, say, your grandmother?
Tweet media one
2
20
267
@haxrob
HaxRob
9 months
The first thing we notice is that the 'Data safety' on the Google Play store has been updated. Also the Apple 'App Privacy' statement. This was done after my blog post exposing the device was published. Coincidence? What else was changed ? (3/n)
Tweet media one
2
14
247
@haxrob
HaxRob
1 month
Notice that we did not see any prompt to install a user certificate - this is really required for the claims made against Facebook to be true (intercept other apps' traffic). Decompiling an earlier version of the APK and it's quite apparent the functionality is there:
Tweet media one
1
19
250
@haxrob
HaxRob
1 month
@moyoguichard1 The rule is: Any VPN or proxy service that is free - is almost guaranteed to be doing something shady. As for the more common paid VPN services, the only one I ever recommend to others is Mullvad.
10
19
243
@haxrob
HaxRob
9 months
Well this is disappointing, although somewhat expected. Despite being on Android 12+, the app is forcing me to grant it precise location permissions to discover the device over BLE. I literally cannot use the hardware unless I give it access to my location. Sinister. (7/n)
6
15
227
@haxrob
HaxRob
1 month
I think they could only pull this off by coercing users into installing a system-level trusted CA on the handset? Things have improved as this is not trivial to do on Android these days - requiring a filesystem to be remounted as writable - only possible on jailbroken devices.
5
9
230
@haxrob
HaxRob
10 months
Let's see how we can pair with the minimum amount of granted permissions. Discover "nearby devices" with Bluetooth enabled is mandatory. It then prompts for precise and approx. location. Hit deny. We have to manually connect to the device - it's turned into a wifi AP.…
Tweet media one
Tweet media two
Tweet media three
1
11
226
@haxrob
HaxRob
9 months
Perhaps this is how it's doing it: Sending a request to with the lat and lng values. It's been around 9 hours straight today on this thread - will park things for now and continue on later to tie up this loose end. (27/n)
Tweet media one
9
6
224
@haxrob
HaxRob
1 month
Here we can see the file names of the certificates which get added to AndroidCAStore and also how it checks later if they were indeed added. Fortunately this technique of using intents to install certs no longer works thanks to improvements in Android. 👌
Tweet media one
3
11
217
@haxrob
HaxRob
9 months
YOU HAVE TO BE KIDDING ME ‼️ The EXACT residential address (street number, street address) of where I am sitting now is populated into the JSON string that is encrypted and sent out. How could this have happened? Disturbed. (26/n)
Tweet media one
Tweet media two
3
30
210
@haxrob
HaxRob
1 month
@birchb0y Worth going further back, for example this questionable change fits within the cluster:
Tweet media one
5
9
191
@haxrob
HaxRob
10 months
When we tested the Tuya Grid Connect light bulb, it ignored that it was on a new version of Android and forced ACCESS_FINE_LOCATION to use Bluetooth. It then abused the privilege and sent my GPS co-ordinates to their cloud servers. The Meross app so far…
@haxrob
HaxRob
10 months
Application reinstalled. Boom! we see the exact packet where our GPS co-ordinates are sent to Tuya's remote server over the Internet. We can identify this in packets that have the "a" field "b.m.sys.location.get". (13/n)
Tweet media one
2
18
410
5
7
193
@haxrob
HaxRob
10 months
@mikko … it’s vulnerable
Tweet media one
2
18
182
@haxrob
HaxRob
9 months
The Android manifest declares permissions used - not much has changed here. Not a good look, although note that a declaration here does not mean the permission is actually used at run time. It's a battery monitor app. Why did they leave all this in? CAMERA, RECORD_MEDIA_ (6/n)
Tweet media one
2
7
172
@haxrob
HaxRob
1 month
Mind you, none of this is new.. Here in Australia, last year the ACCC dished out a net $20 million dollar fine for this shadiness. I'm just curious on the technical mechanism the app went about spying on other apps.
Tweet media one
2
13
176
@haxrob
HaxRob
3 months
We can now communicate with the toothbrush as we like... But I'm left thinking - where are we even going with this? (10/n) (video has 🔊)
11
10
173
@haxrob
HaxRob
9 months
I'm going to use a quick and dirty Frida script to invoke at runtime and fake the GPS location before continuing. What latitude / longitude should we set? Wrong answers only. (9/10)
Tweet media one
13
3
169
@haxrob
HaxRob
9 months
"Security update, it is recommended that all users update". I plan to look at both the iOS and Android apps in this Twitter thread. Android is probably going to be easier, so let's start with that, then move to iOS. Let's update then. (4/n)
Tweet media one
2
7
168
@haxrob
HaxRob
3 months
Ok, well not quite - One is informed that they must now update the toothbrush's firmware before continuing to use the brush. This of course presents the ideal opportunity to grab the firmware to look at later. (6/n)
Tweet media one
Tweet media two
6
5
170
@haxrob
HaxRob
3 months
Happy to see that the Android app has responsibly requested the minimum permissions for BLE scanning. I kind of was expecting it to request my location for this which it didn't. (2/n)
Tweet media one
2
0
167
@haxrob
HaxRob
3 months
Pulling the .apk off the device, the AndroidManifest.xml indicates a few permissions that warrant further investigation. Let's assume (for now) location perms (when granted) are only for BLE scanning on older Android releases. Still this doesn't feel quite right. (3/n)
Tweet media one
2
1
164
@haxrob
HaxRob
3 months
Scanning BLE advertisement beacons with bettercap confirms this is the toothbrush's mac. Will certainly be looking into the BLE interface more later. Now, time for some dinner. (8/n)
Tweet media one
4
1
166
@haxrob
HaxRob
3 months
Pretty standard stuff so far - Notably employing Salesforce's Marketing Cloud platform SDK and Instabug. I guess it's time to sign up... And yes if you were wondering, you can brush your teeth without doing so.🥹 (5/n)
Tweet media one
3
4
165
@haxrob
HaxRob
9 months
To intercept HTTP/S traffic, initially went with Burp Suite which acts as an HTTP proxy. Can't see requests to their servers. It seems that the analytics libraries used obey the global HTTP proxy server settings but not the main code. MITMProxy solves the issue. (10/n)
Tweet media one
Tweet media two
1
6
155
@haxrob
HaxRob
10 months
I'm impressed. It looks like it's following Google's improvements for Bluetooth scanning on Android SDK API v31+. 👏 Later we will grant location permissions which would be required on older Android versions. Or if we wanted to auto-setup the pairing. …
Tweet media one
Tweet media two
Tweet media three
2
1
154
@haxrob
HaxRob
10 months
Next it wants our home Wifi login details to provision into the device so it can connect out to some cloud servers (?) Let's MITM the traffic to see what's happening. Problem though - to pair, the app needs to disconnect from our network. BurpSuite loses connectivity. (6/n)
Tweet media one
Tweet media two
1
3
152
@haxrob
HaxRob
1 month
So, so far we have evidence of: - Code related to the functionality to install a certificate likely for performing MITM attacks. - Code / internal database related to collecting other app's usage What else can we find? Device info (nothing special):
Tweet media one
1
9
151
@haxrob
HaxRob
1 month
For what acceptable reason would they want to obtain the mobile subscriber IMSI? This is particularly sensitive data. This actually wouldn't work with the app's manifest file. Perhaps we are seeing older code not cleaned up. Still, not a great look.
Tweet media one
3
9
143
@haxrob
HaxRob
1 month
Finishing this thread with a disclaimer. This is live tweeting: discovering things as we go. We don't have the full picture as of yet, there may be inaccuracies. No doubt more details will come to light soon enough though. The claims are serious.
Tweet media one
4
11
143
@haxrob
HaxRob
1 month
I get the impression the Australian fine was more about harvesting usage analytics from other running apps (see: android.permission.PACKAGE_USAGE_STATS) Did the regulators consider the MITM (wiretapping) which is central to this new antitrust lawsuit in the USA?
Tweet media one
1
11
141
@haxrob
HaxRob
10 months
There are a few options. 1) Bridge an inline, transparent proxy between two Wifi access points. 2) Instrument the running code on the phone and hook into http/net functions. Let's try with 2. I have a feeling it will be quicker. Decompilation isn't obfuscated 🙏 JADX: (7/n)
Tweet media one
1
0
142
@haxrob
HaxRob
3 months
It looks like you can't continue to use the app unless signing up first. The privacy policy looks well written with specifics of what data will be shared. @mitmproxy has been running in the background. Wonder what the app has sent so far? (4/n)
Tweet media one
2
2
141
@haxrob
HaxRob
3 months
Well not really great: The app reports back the toothbrush's Bluetooth device address to a backend REST API (which is Kolibree - the smart toothbrush OEM vendor). The BLE MAC/device addresses could be considered to be location data. Do they really need this data? (7/n).
Tweet media one
5
3
138
@haxrob
HaxRob
9 months
It seems that a new API endpoint has been added: /v2/ encrypted payload? (jdata). /v1/ sends GPS data as before to 🇭🇰 No reqs to AMap so far. This was the 3rd party lib that was sending cellid,wifi and gps data to servers in mainland 🇨🇳 Time to dig into the code. (11/n)
Tweet media one
Tweet media two
Tweet media three
1
2
131
@haxrob
HaxRob
1 month
@CyberCakeX You are correct: In recent versions of Android, certs in the user store will not be trusted by default. Furthermore, the method they used to install the certificate from their app has been disabled. This is the perfect example of why Google made these security improvements.
1
9
134
@haxrob
HaxRob
9 months
One major improvement in the new "security update" version - The use of the location services SDK, AMap, appears to be completely removed. That was the code that was turning the phone into a cell phone tower & wifi scanner and sending to 🇨🇳 Now GPS data only sent to🇭🇰? (13/n)
Tweet media one
1
5
128
@haxrob
HaxRob
9 months
In the video above, permissions to discover "nearby devices" was granted, yet the app refuses to pair unless precise location is granted. Things have improved on newer devices although it's up to the developer to make the effort as demonstrated: (8/n)
@haxrob
HaxRob
10 months
I'm impressed. It looks like it's following Google's improvements for Bluetooth scanning on Android SDK API v31+. 👏 Later we will grant location permissions which would be required on older Android versions. Or if we wanted to auto-setup the pairing. …
Tweet media one
Tweet media two
Tweet media three
2
1
154
1
4
128
@haxrob
HaxRob
1 month
More assumptions related to the $20M fine: If we dump the schema for the sqlite database "spaceship.db" we see what statistics it was collecting. No need for fancy traffic inspection for the app to get this data. Remember this popup ?
Tweet media one
Tweet media two
1
5
128
@haxrob
HaxRob
10 months
Alright, this seems to work - hook into okhttp3.RequestBody to obtain the URL and retrofit2.ServiceMethod for the POST parameters. I'm sure there are better ways - whatever works though, right? Here is the Frida .js for those that want to play along: (8/n)
Tweet media one
Tweet media two
1
0
128
@haxrob
HaxRob
9 months
Interesting. Pointed out in my blog was that the AMap location SDK had used asymmetric crypto for POST data within HTTPS, avoiding having to do cert pinning. Also code obfuscation. The prior BM2 app lacked both of these. Now it seems they have taken note😙 (12/n)
Tweet media one
Tweet media two
Tweet media three
1
1
124
@haxrob
HaxRob
2 months
This is wild. Your own Kali Linux box in the ☁️ with inbound connectivity for reverse shells - requiring no signup at all. A honeypot? Unlikely - the @hackerschoice are a very reputable crew. I still wouldn't recommend committing crimes from it though!
Tweet media one
4
28
129
@haxrob
HaxRob
3 months
It's looking pretty straightforward to reverse the "toothbrush protocol" between phone and brush. It's apparent there is no hand baked crypto over what the BLE stack offers. Static member variable names were not stripped out allowing us to work backwards a bit easier. (9/n)
Tweet media one
1
3
125
@haxrob
HaxRob
10 months
Our next move is to try to observe what the plug device is sending to the mqtt server(s). There are a few options here, one being old school ARP spoofing to trick the plug and Wifi gateway to forward all layer 2 traffic via the Linux box. A rough diagram of the setup: (13/n)
Tweet media one
2
1
116
@haxrob
HaxRob
10 months
As a test we tell the Android phone the mac address of the plug is the Linux box and tell the plug the mac address of the Android phone is also the Linux box. The tcpdump from the Linux box confirms it can see the conversations between the Android and plug, aka MITM. (14/n)
Tweet media one
2
0
117
@haxrob
HaxRob
9 months
We can see what arguments are passed and what's returned by the encryption method o.a() in real-time. Right mouse click in JADX and select "Copy as frida snippet" and paste into a Frida session. It really could not be any easier. (15/n)
Tweet media one
Tweet media two
1
2
108
@haxrob
HaxRob
10 months
Wifi network ssid (name), bssid (mac address) and passwd are sent to the plug device when it's being bootstrapped from the mobile app. Also we see credentials to an MQTT server hosted in Tokyo provisioned into the device. Need to figure out what the device is sending. (12/n)
Tweet media one
Tweet media two
1
1
110
@haxrob
HaxRob
10 months
This is looking good. In addition to data sent to the cloud servers, we have visibility of messages from the phone app to the Wifi plug device on our home LAN. For example, turning power on and off from the mobile app: (9/n)
Tweet media one
2
0
110
@haxrob
HaxRob
10 months
Messages appear to be signed - mental note to figure out how to generate a signature so we can speak directly to the device without an app - later. I've deleted the pairing of the device and will re-pair it. Although it keeps pressuring me... Click? Not yet. (10/n)
Tweet media one
1
0
106
@haxrob
HaxRob
9 months
The very first thing that stands out is that the iOS app pairs immediately to the BLE device and at the same time asks for access to your location. It's not at all required - select don't allow and things work as normal. Cheeky. (19/n)
Tweet media one
2
5
101
@haxrob
HaxRob
9 months
From earlier we know /v2/userDevice/upload might be what we are looking for. It seems o.a() encrypts the parameters with a public RSA key of 2048 bits. At least it's not 512 which is what AMap used (crackable in a few days). (14/n)
Tweet media one
Tweet media two
1
0
100
@haxrob
HaxRob
10 months
The content of most HTTP POST requests have the 'params' field base64 encoded. Rather than copy and paste each string by hand, we can decode them in Frida for each HTTP POST request. Worth the effort? Maybe.. (11/n)
Tweet media one
Tweet media two
1
0
102
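Added example, not the author's Frida script (which lived in the screenshots): a Frida-style hook skeleton with the two helpers the Grid Connect (7/n) and Meross (11/n) posts describe, rendering the signed byte[] handed to an app's encryption routine as readable text and base64-decoding a 'params' form field. The class and method names are hypothetical placeholders to be replaced with whatever JADX shows for the target APK.

```javascript
// Added example, not the author's script. Helpers for a Frida hook that logs
// the plaintext an app hands to its encryption routine before it goes over the
// wire. Class/method names below are hypothetical placeholders: substitute the
// names JADX shows for the target APK.

// Frida passes a Java byte[] as an array of signed 8-bit values (-128..127).
// Mask each to unsigned and render printable ASCII as-is, anything else as \xNN,
// so JSON such as {"lat":...} is readable in the console.
function bytesToReadable(bytes) {
  let out = '';
  for (const b of bytes) {
    const u = b & 0xff;
    out += (u >= 0x20 && u < 0x7f) ? String.fromCharCode(u)
                                   : '\\x' + u.toString(16).padStart(2, '0');
  }
  return out;
}

// Minimal base64 decoder (no Buffer/atob dependency, so it also runs inside
// Frida's JavaScript runtime). Padding and whitespace are ignored.
const B64 = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
function base64ToBytes(text) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of text.replace(/[^A-Za-z0-9+/]/g, '')) {
    acc = ((acc << 6) | B64.indexOf(ch)) & 0xffffff;
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((acc >> bits) & 0xff);
    }
  }
  return bytes;
}

// Pull the base64-encoded 'params' value out of a form-encoded POST body and
// decode it; returns null when the body carries no such field.
function decodeParamsField(body) {
  const m = /(?:^|&)params=([^&]*)/.exec(body);
  if (!m) return null;
  return bytesToReadable(base64ToBytes(decodeURIComponent(m[1])));
}

// Hook installer. Only meaningful under Frida (the Java bridge is absent in
// Node), so it is guarded at the bottom. The target names are placeholders.
function installHooks() {
  Java.perform(function () {
    const Crypto = Java.use('com.example.app.PostCrypto');      // placeholder class
    Crypto.encryptPostData.overload('[B').implementation = function (data) {
      console.log('[encryptPostData] plaintext: ' + bytesToReadable(data));
      return this.encryptPostData(data);                        // keep original behaviour
    };
  });
}

if (typeof Java !== 'undefined') {
  installHooks();
}
```

Load it with `frida -U -f <package> -l hook.js` once the placeholder names are replaced; under Node the helpers still run, which is how they can be checked offline.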
@haxrob
HaxRob
9 months
Apple uses Fairplay DRM - Apps downloaded are encrypted with a public key associated to your Apple account. Using a Frida script (or any other tool), the unencrypted .ipa package can be obtained. In this case, pulled from working memory. (21/n)
Tweet media one
Tweet media two
1
4
98
@haxrob
HaxRob
9 months
What could trigger the location lat/lng to be sent over the Internet - In addition to pairing, a Bluetooth characteristics event notification, such as a reported change in voltage. And the app runs all the time, in the background. 👎 (17/n)
Tweet media one
1
3
96
@haxrob
HaxRob
9 months
Should observe this dynamically to verify, although for now I'm kind of ready to move on from Android. Next up is iOS ! The first thing to do is to actually grab the software - not as easy as on Android. Time to grab a jailbroken iPhone. (18/n)
1
3
95
@haxrob
HaxRob
1 month
If these are accurate statistics, that's some serious telemetry Facebook were collecting from this app (10 million downloads)
Tweet media one
1
12
95
@haxrob
HaxRob
1 month
One explanation why it was so short lived could be a targeted company figured out what was going on. Imagine all those millions of requests originating from the same origin IPs and same client proxy certificates. The MITM CA certs that were in the app were out by Oct the 19th 2017.
Tweet media one
1
7
98
@haxrob
HaxRob
9 months
Re-pairing the BLE device triggered the HTTP req. Plain-text values are passed as a JSON string that includes lat/lng. Returned value is matched with the encrypted jdata value of the POST request over HTTPS to /v2/userDevice/upload. Confirms what we already knew really. (16/n)
Tweet media one
2
0
93
@haxrob
HaxRob
2 months
CDRs are primarily used for postpaid billing and reporting purposes. They are generated in various network elements and consolidated in mediation systems. It's these central databases that are often targeted. Data for a subscriber is generated in many systems: (2/5)
Tweet media one
1
4
96
@haxrob
HaxRob
10 months
With MITMproxy in transparent mode, intercepted packets can be forwarded to a custom handler. Someone has written one for MQTT over TLS. The pre-condition for success now is there is no mutual TLS or certificate pinning involved. If there is mTLS then we would have to rip…
1
2
93
@haxrob
HaxRob
10 months
@xmauber Right, it should not. But it does.
0
0
91
@haxrob
HaxRob
1 month
A correction on the prior post, the Android documentation on the API doesn't state it but elsewhere says the permission READ_PHONE_STATE would have been enough to obtain the subscriber IMSI. This Android API change was made in 2019. So IMSIs may have been collected?
Tweet media one
Tweet media two
2
6
89
@haxrob
HaxRob
3 months
I wanted a way to test IoT devices in a way that would allow the use of Mitmproxy with a VPN, TOR or proxy (Burp) - firewalled and isolated without needing to mess with network gear. So I created Wedgeberry: Automating this via a single interactive script
Tweet media one
5
14
87
@haxrob
HaxRob
9 months
The app is respecting the iOS HTTP proxy settings - so back to Burp Suite for TLS MITM it is. The new /api/v2/ endpoints are being captured with the encrypted jdata parameter. We want to see what's inside these encrypted blobs. (20/n)
Tweet media one
1
3
81
@haxrob
HaxRob
1 month
I have been able to find the certificates that were likely used for the MITM attacks. There are two, as the first one was only valid for a year. The second wouldn't remain in for long as some months after it was added in 2017, it (and offending code) was then removed. Wonder why? 🤔
Tweet media one
Tweet media two
1
5
82