Foone🏳️‍⚧️

oh cool you can pull the GPS history of a truck from azure without any login, you just need to know the device ID.

119 comments
Foone🏳️‍⚧️

this might be UPS trucks. I should probably not query any of these GPS histories

Foone🏳️‍⚧️

also they're spamming 9 lines to syslog every minute.

this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one

Gerhard D.

@foone Please stop. It's too damn depressing. Or wait .... SHARE IT!

Foone🏳️‍⚧️

oh sweet jesus they logged into slack from this machine('s image)

I have their chrome profile, with history and cookies and shit!

Foone🏳️‍⚧️

@cadey nah. I didn't get this device legitimately, so I can't really report any security holes in it.

Arne Babenhauserheide replied to Foone🏳️‍⚧️

@foone that’s why we need protection for people who report this stuff.

You may want to talk to folks from @CCC to find the right process to get this off the road before it causes bodily harm.

@cadey

Foone🏳️‍⚧️

this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.

no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!

Foone🏳️‍⚧️

oh sweet jesus

they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?

NOPE THEY USED SSHPASS

Foone🏳️‍⚧️

I have a file here with multiple lines like:

sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/

Foone🏳️‍⚧️

well I'm putting this away so I don't accidentally hack them.

Polychrome :clockworkheart: replied to Foone🏳️‍⚧️

@foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

this is one of the many reasons I'm not a security researcher.

it's a target rich environment.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.

That's not reverse engineering! That's just lookin'

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me

Wouter Verhelst replied to Foone🏳️‍⚧️

@foone
Pretty sure they already can with the info you've just written down if they want.

Pretty sure they also don't want, because it would be embarrassing to the extreme for them to come forward after what you just wrote down 😂

Billie Thompson 🦊 replied to Foone🏳️‍⚧️

@foone oh my god, this is the real life example of the old joke "it works on my machine" "ok box it up and send it to the data center"

Joseph replied to Foone🏳️‍⚧️

@foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞

nsfw :donor: replied to Foone🏳️‍⚧️

@foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account?

Jürgen replied to Foone🏳️‍⚧️

@foone #terrypratchett : it is not spying if you have to take a few steps back in order not to turn deaf!

Dasha Sierra replied to Foone🏳️‍⚧️

@foone You know, I never get bored of your tech adventures. Stay awesome. 💜

Esmé Ciredutemps replied to Foone🏳️‍⚧️

@foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movie. Thank you.
🍿

Gabriel Pettier replied to Esmé

@ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals.

I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.

Haelwenn /элвэн/ :triskell: replied to Foone🏳️‍⚧️

@foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at a honeypot.

#wafuposting enjoyer replied to Foone🏳️‍⚧️

@foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY

Glyph

@foone this is truly amazing. it's very unfortunate that you can't just post it all because the individual engineers will get blamed, rather than their incandescently irresponsible management

propapanda :verified:

@foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing

Foone🏳️‍⚧️ replied to propapanda

@panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device
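The sshpass line quoted earlier in the thread next to what the per-device-key setup Foone describes here looks like in practice, as an added example that is not part of the thread or the vendor's code; collector.example.com, the /etc/device paths, the /usr/local/bin/logdrop wrapper and all device IDs and key strings are constructed placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread or from the device vendor. Contrasts the
# shared-password sshpass pattern quoted in the thread with per-device SSH keys that
# the collector can restrict and revoke one at a time. Hostnames, paths, the logdrop
# wrapper and all key material are constructed placeholders.

# Weak pattern, as found on the card: one password baked into every shipped image.
# Anyone holding an SD card can read it, it shows in `ps` while scp runs, and it
# cannot be withdrawn for a single device without changing it on every device.
weak_upload() {
    sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
}

# Provisioning, run once per device on first boot (never baked into the image):
# an ed25519 keypair whose comment carries the device ID, so the collector can
# tell devices apart and drop exactly one when it leaves service.
provision_device_key() {
    device_id=$1
    ssh-keygen -q -t ed25519 -N '' -C "device-$device_id" -f /etc/device/id_ed25519
    cat /etc/device/id_ed25519.pub   # hand this to the collector's enrolment step
}

# Collector side: one locked-down authorized_keys entry per device. 'restrict'
# turns off forwarding, PTY and agent use; 'command=' forces the only program this
# key may run: a placeholder wrapper that checks $SSH_ORIGINAL_COMMAND and files
# the upload under the device's own directory, so no device can read another's.
authorized_line() {
    device_id=$1; pubkey=$2
    printf 'restrict,command="/usr/local/bin/logdrop %s" %s device-%s\n' \
        "$device_id" "$pubkey" "$device_id"
}

# Revocation: delete the single line tagged with this device ID. Every other
# device keeps working and no shared secret has to be rotated anywhere.
revoke_device() {
    keys_file=$1; device_id=$2
    # grep -v exits 1 when nothing is left to print; that is not an error here.
    grep -v " device-$device_id\$" "$keys_file" > "$keys_file.tmp" || [ $? -eq 1 ]
    mv "$keys_file.tmp" "$keys_file"
}

# Device side: upload with the per-device key; no password exists on disk at all.
hardened_upload() {
    scp -i /etc/device/id_ed25519 -o IdentitiesOnly=yes -o BatchMode=yes \
        /path/system/network.log logdrop@collector.example.com:incoming/
}
```

weak_upload, provision_device_key and hardened_upload are shown for contrast and need a real device and collector; authorized_line and revoke_device run offline on any POSIX sh.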

propapanda :verified: replied to Foone🏳️‍⚧️

@foone they totally could have and instead of ssh they could have used mqtt with some basic acls which would have prevented reading other people's location, but also save the overhead of the ssh handshake

Asta [AMP]

@foone@digipres.club ohhhhh no

no no no no

no to all of this but no to this

Randagodron

@foone lol better not talk about a company who sells embedded circuits for satellites, a friend checked two recently, boards were dirty as ***, covered in flux residue, lots of solder microballs hanging around (meaning they used too much solder paste and didn't follow their supplier's recommendations on solder masks) and bad solders making the board not functional without rework. Top space-grade shit, everything is fine 😅
If we find products this bad on aerospace devices, I am not surprised that it's even worse in IoT ...

Foone🏳️‍⚧️

@randagodron they've got the excuse that no one will be able to tell, because their shit will be hiding in orbit

Randagodron

@foone yeah, with the microballs floating around 😛 if only it was not bad enough that it did not work at all and the customer was forced to check the boards before launch ...

t3rminus

@foone holy dang that sounds… so bad. Just really, really bad. And Python 2??

Damn. Whatever you’re looking at I pray I don’t own one…

Sylvhem

@foone Hate it when my employer shares my Slack session with hundreds of customers.

embix

@foone "leave it so and mark the 'planned obsolescence' checkbox"

Foone🏳️‍⚧️

@elronxenu yeah me too, how do you think I know this? :)
