Some readers may remember that I recently purchased a pair of Tenda Beli SP3 Smart Wi-Fi Plugs on sale. In the review and teardown, I discovered the units were nowhere near as secure as I had expected, operating in a cloud-only configuration, which means a VPS in AliCloud knows the state of the switch at any time, using an unencrypted protocol of their own design. I surmised that it might be possible to compromise the system in some way, but I was not willing to put the plugs to use with this knowledge. Instead, as I had a second unit, I decided to gift it to a knowledgeable friend who I could trust to understand the risks of using such a unit, and leave it to their imagination to see how they might put it to use. It was then that I realised I might have been a bad friend by setting up a challenge instead …

With that in mind, I spent about four hours of time (over two days, after work, including time to scrounge up the necessary equipment and set-up) to see if I could reverse engineer the protocol on my own to the point of being able to use the switch in some way. The aim of this project was to understand enough about the Tenda Beli protocol that I could implement proof-of-concept code that would allow me to operate the Wi-Fi plug without requiring any of the infrastructure provided by Tenda. By this, I mean that the plug can be provisioned, switched and unprovisioned without the need for connectivity to their AliCloud VPS instance or even the internet (ideally). My approach was to examine the traffic to and from the plug under normal operation, looking for patterns and implementing the bare minimum necessary to make the plug operate without its mothership. I would not seek to look at the app’s code nor the firmware contained on the device at all – that would require skills I do not currently have, and would also take a long time. I would also not be concerned with interacting with the Tenda infrastructure – I am not attempting to pretend to be a plug, even though that might be interesting in some way. At the outset, I had no idea whether this was possible – but after about four hours of work, I came to change my mind entirely. To begin with, I decided to provision my only remaining Tenda Beli SP3 using the Beli app, bringing it to a ready-to-use state before commencing my observations. This avoids potential complications with provisioning and unprovisioning, which might get complex or result in “bricking” if the state of the plug does not match the server.

To analyse the traffic, I decided to set up a dedicated TestNet AP to handle the phone running the app and the plug itself. Internet connectivity would be available via my home network over LTE, but a computer would be placed in the middle to bridge and observe the traffic. After initial tests showed that my network had plenty of broadcast chatter I could do without, I changed from a bridge to using Windows’ inbuilt ICS features to perform the NAT, DHCP and DNS functions, thus separating the plug and phone onto their own (quieter) subnet. Interestingly, something that had evaded my analysis in the review was that the plug sends out a 60-byte LLC packet when a connection is established. The first thing the plug attempts to do is to grab an address via DHCP. But curiously, during this process, the plug also fires out 256-byte long packets to the broadcast address at port 50550 containing “datadatadata….”. Very strange; perhaps there is some hidden functionality here too. Once the plug has configured itself an IP address, it seeks out . by doing a DNS request (currently 47.254.24.171), connecting to Port 1821. A short conversation ensues, then the plug makes a new socket connection to 47.251.6.232 at Port 11812 without any further resolution. The plug begins the registration process with this server (which I will term the rendezvous server) by sending a packet containing various details including its serial number and hardware and software revision. By looking at a few captures, I think I came to some interesting conclusions about the packet format. The basic unit is a 16-byte transmission (the shortest valid message), with some units containing an extended payload. The server responds with a similarly formatted block which looks random, the plug continues the same … what is the pattern?
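As an added example (my own code, not from the original post), here is a small Python classifier that runs the observations above over a constructed packet list: it counts the port-50550 broadcast beacons, spots the two cloud hops (port 1821, then 47.251.6.232:11812) and notes how each rendezvous payload divides into 16-byte units. The `Pkt` record layout and the LAN addresses are assumptions, and the sample capture is constructed.

```python
from dataclasses import dataclass

# Endpoints and sizes are those the post observed; the record layout below is assumed.
FIRST_CONTACT_IP, FIRST_CONTACT_PORT = "47.254.24.171", 1821
RENDEZVOUS_IP, RENDEZVOUS_PORT = "47.251.6.232", 11812
BEACON_PORT, BEACON_LEN = 50550, 256
UNIT = 16  # shortest valid message on the rendezvous link

@dataclass
class Pkt:
    proto: str      # "udp" or "tcp"
    src: str
    dst: str
    dport: int
    payload: bytes

def is_beacon(p: Pkt) -> bool:
    """256-byte UDP broadcast to port 50550 whose body repeats the string 'data'."""
    return (p.proto == "udp" and p.dst == "255.255.255.255" and p.dport == BEACON_PORT
            and len(p.payload) == BEACON_LEN and p.payload.startswith(b"datadatadata"))

def unit_layout(payload: bytes) -> tuple:
    """Whole 16-byte units and leftover bytes: a quick hint of an extended payload."""
    return divmod(len(payload), UNIT)

def plug_findings(packets: list, plug_ip: str) -> dict:
    """Walk a capture and record which stages of the plug's bring-up sequence appear."""
    f = {"beacons": 0, "first_contact": False, "rendezvous": False, "units": []}
    for p in packets:
        if p.src != plug_ip:
            continue                      # only the plug's own transmissions matter here
        if is_beacon(p):
            f["beacons"] += 1
        elif p.proto == "tcp" and (p.dst, p.dport) == (FIRST_CONTACT_IP, FIRST_CONTACT_PORT):
            f["first_contact"] = True
        elif p.proto == "tcp" and (p.dst, p.dport) == (RENDEZVOUS_IP, RENDEZVOUS_PORT):
            f["rendezvous"] = True
            if p.payload:
                f["units"].append(unit_layout(p.payload))
    # Both cloud hops seen: the plug is registering in the clear with a fixed VPS.
    f["cloud_dependent"] = f["first_contact"] and f["rendezvous"]
    return f
# Constructed sample capture (not real plug traffic); the plug's LAN address is made up.
PLUG = "192.168.137.10"
SAMPLE = [
    Pkt("udp", PLUG, "255.255.255.255", BEACON_PORT, b"data" * 64),
    Pkt("tcp", PLUG, FIRST_CONTACT_IP, FIRST_CONTACT_PORT, b"\x00" * 16),
    Pkt("tcp", PLUG, RENDEZVOUS_IP, RENDEZVOUS_PORT, b"\x00" * 40),   # 2 units + 8 bytes
    Pkt("tcp", "192.168.137.11", "203.0.113.5", 443, b"\x16\x03"),     # the phone, ignored
]
```

Feeding a real export from the TestNet capture through `plug_findings` would show at a glance whether a given device on the subnet is behaving like the plug and whether it is still dependent on the cloud endpoints.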