Foone🏳️‍⚧️

also they're spamming 9 lines to syslog every minute.

this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one

Gerhard D.

@foone Please stop. It's too damn depressing. Or wait .... SHARE IT!

Foone🏳️‍⚧️

oh sweet jesus they logged into slack from this machine('s image)

I have their chrome profile, with history and cookies and shit!

Foone🏳️‍⚧️

@cadey nah. I didn't get this device legitimately, so I can't really report any security holes in it.

Arne Babenhauserheide replied to Foone🏳️‍⚧️

@foone that’s why we need protection for people who report this stuff.

You may want to talk to folks from @CCC to find the right process to get this off the road before it causes bodily harm.

@cadey

Foone🏳️‍⚧️

this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.

no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!

Foone🏳️‍⚧️

oh sweet jesus

they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?

NOPE THEY USED SSHPASS

Foone🏳️‍⚧️

I have a file here with multiple lines like:

sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/

Foone🏳️‍⚧️

well I'm putting this away so I don't accidentally hack them.

Polychrome :clockworkheart: replied to Foone🏳️‍⚧️

@foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

this is one of the many reasons I'm not a security researcher.

it's a target rich environment.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.

That's not reverse engineering! That's just lookin'

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me

Wouter Verhelst replied to Foone🏳️‍⚧️

@foone
Pretty sure they already can with the info you've just written down if they want.

Pretty sure they also don't want, because it would be embarrassing to the extreme for them to come forward after what you just wrote down 😂

Billie Thompson 🦊 replied to Foone🏳️‍⚧️

@foone oh my god, this is the real life example of the old joke "it works on my machine" "ok box it up and send it to the data center"

janet_catcus replied to Foone🏳️‍⚧️

@foone sounds like a classic "hey guys, I'm done with the prototype/proof of concept, how is your prese- why is there a desk _between_ our chairs?" scenario

Tony Hoyle replied to Foone🏳️‍⚧️

@foone
Companies get mad because their security failings are pointed out all the time.. doesn't mean we shouldn't do it.

Joseph replied to Foone🏳️‍⚧️

@foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞

nsfw :donor: replied to Foone🏳️‍⚧️

@foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account?

Jürgen replied to Foone🏳️‍⚧️

@foone #terrypratchett : it is not spying if you have to take a few steps back in order not to turn deaf!

Dasha Sierra replied to Foone🏳️‍⚧️

@foone You know, I never get bored of your tech adventures. Stay awesome. 💜

Esmé Ciredutemps replied to Foone🏳️‍⚧️

@foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movie. Thank you.
🍿

Gabriel Pettier replied to Esmé

@ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals.

I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.

Ben Aveling replied to Esmé

@foone @ciredutempsEsme ask, and we shall try to answer. Any question you have, someone else has the same question but is afraid to ask.

Haelwenn /элвэн/ :triskell: replied to Foone🏳️‍⚧️

@foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at a honeypot.

#wafuposting enjoyer replied to Foone🏳️‍⚧️

@foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY

Skyr replied to Foone🏳️‍⚧️

@foone is it a hack if they willingly hand over the passwords? 🤔

Glyph

@foone this is truly amazing. it's very unfortunate that you can't just post it all because the individual engineers will get blamed, rather than their incandescently irresponsible management

propapanda :verified:

@foone it would have made very little difference if they shipped a key instead of a password, but these people clearly don't know what they are doing

Foone🏳️‍⚧️ replied to propapanda

@panda could have individual keys per device and revoke them as the devices leave service. as it is, they can't do that without changing the passwords on every device

propapanda :verified: replied to Foone🏳️‍⚧️

@foone they totally could have, and instead of ssh they could have used mqtt with some basic acls, which would have prevented reading other people's location but also saved the overhead of the ssh handshake
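The per-device-key approach Foone and propapanda sketch above, as an added example (not code from the thread or from the device vendor): one key per device, a restricted authorized_keys entry on the log collector, and per-device revocation. It assumes device ids like dev-0001, a hypothetical upload-only helper on the collector, and a local file standing in for the collector's authorized_keys.

```sh
#!/bin/sh
# Added example, not from the thread or the vendor: replaces the shared
# "sshpass -p PASSWORD scp ..." line with one key per device plus a restricted
# authorized_keys entry, so a leaked card exposes only that device's key and
# one device can be revoked without touching the rest of the fleet.
# Assumed: device ids like dev-0001, a hypothetical upload-only helper, and a
# demo file standing in for ~manufacturing/.ssh/authorized_keys.
set -eu

KEYS_FILE="${KEYS_FILE:-./authorized_keys.demo}"
UPLOAD_HELPER="/usr/local/bin/receive-log-upload"   # hypothetical; accepts uploads only

# One authorized_keys line: "restrict" (OpenSSH 7.2+) disables pty, forwarding
# and agent; the forced command means the key can only upload, never get a shell.
restricted_key_line() {
    printf 'restrict,command="%s %s" %s %s\n' "$UPLOAD_HELPER" "$1" "$2" "$1"
}

# The device id is the key comment (last field), which is what revocation keys on.
device_enrolled() {
    [ -f "$KEYS_FILE" ] && awk -v d="$1" '$NF == d { f = 1 } END { exit !f }' "$KEYS_FILE"
}

enroll_device() {
    touch "$KEYS_FILE"
    if device_enrolled "$1"; then
        echo "refusing to enroll $1 twice: revoke it first" >&2
        return 1
    fi
    restricted_key_line "$1" "$2" >> "$KEYS_FILE"
}

# Revoking one device is a one-line removal; with a shared password it would
# mean changing the password on every device in the field.
revoke_device() {
    awk -v d="$1" '$NF != d' "$KEYS_FILE" > "$KEYS_FILE.tmp" && mv "$KEYS_FILE.tmp" "$KEYS_FILE"
}

count_enrolled() {
    wc -l < "$KEYS_FILE" | tr -d ' '
}

# On the device the key pair is generated once at provisioning, e.g.
# ssh-keygen -t ed25519 -N '' -f /etc/device-key -C dev-0001 (not run here).
if [ "${1:-}" = "demo" ]; then
    KEYS_FILE=$(mktemp)
    enroll_device dev-0001 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyOne"   # constructed key
    enroll_device dev-0002 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedKeyTwo"   # constructed key
    revoke_device dev-0001
    cat "$KEYS_FILE"; rm -f "$KEYS_FILE"
fi
```

Run with `sh keys.sh demo` to see the surviving entry; the upload helper itself is whatever receive-only program the collector actually exposes, and the private key on each card is still a secret, only now one that can be revoked on its own.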

Asta [AMP]

@foone@digipres.club ohhhhh no

no no no no

no to all of this but no to this

Randagodron

@foone lol better not talk about a company who sells embedded circuits for satellites, a friend checked two recently, boards were dirty as ***, covered in flux residue, lots of solder microballs hanging around (meaning they used too much solder paste and didn't follow their supplier's recommendations on solder masks) and bad solders making the board not functional without rework. Top space-grade shit, everything is fine 😅
If we find products this bad on aerospace devices, I am not surprised that it's even worse in IoT ...


Foone🏳️‍⚧️

@randagodron they've got the excuse that no one will be able to tell, because their shit will be hiding in orbit

Randagodron

@foone yeah, with the microballs floating around 😛 if only it was not bad enough that it did not work at all and the customer was forced to check the boards before launch ...

t3rminus

@foone holy dang that sounds… so bad. Just really, really bad. And Python 2??

Damn. Whatever you’re looking at I pray I don’t own one…

Martin Hamilton

@foone Galaxy brain take: Massive screwup or highly distributed redundant backup? :blobfoxwink:

(had similar experience exploring the monitoring appliance for my solar panels)

Sylvhem

@foone Hate it when my employer shares my Slack session with hundreds of customers.

embix

@foone "leave it so and mark the 'planned obsolescence' checkbox"

Foone🏳️‍⚧️

@elronxenu yeah me too, how do you think I know this? :)

Chi Kim

@FreakyFwoof @foone Maybe they're trying to shorten the duration of working condition, so people buy it again. lol

mxk

@foone 😂 I thought 9 lines to syslog isn't that bad, but then I forgot that not everyone uses a handwritten pure in-memory syslogd

Pxl Phile

@foone yeah I did that once measuring temperature and while being on vacation I remembered that I left it on. On the 3rd vac day the raspis died and I only thought of a house fire 😅

sen

@foone There are 2 kinds of Embedded Linux developers, those that know about the initramfs, and those that will be buried in the ashes of eternity. 🫠

mathew

@foone I reported a bug to Synology that they spam several lines to syslog every time there’s an IPv6 router advertisement packet on the network. They didn’t seem to understand why that was a problem, even after I pointed out that it meant the sleep function on the device would never work on any network with IPv6.

Riley S. Faelan

@foone That's what jffs2 was invented for, is it not?

iAmAnEngarneer

@foone planned obsolescence or support contract nonsense. Lol, soooo many people don't know this

The Doctor

@foone But then you can sell replacement "firmware modules" for half the cost of the unit.

Filene

@foone Hey, can you or somebody else give me an idea of how to make sure I'm not spamming the logs like this? I might still be doing this out-of-the-box.. Thank you for this wacky Rollercoaster of exposed information infrastructure! 🥹🫠
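Two checks for Filene's question and for the microSD write-wear problem Foone opened with, as an added example (not from the thread): a measurement of how many lines actually land in a syslog-format file per minute, and a journald drop-in that keeps the journal in RAM and rate-limits chatty services. The sample log lines and the service name in them are constructed.

```sh
#!/bin/sh
# Added example, not from the thread: busiest_minute() measures the real write
# rate of a syslog-format file; journald_sd_dropin() prints a journald drop-in
# that keeps the journal off the card, caps it, and rate-limits noisy services.
# The sample log lines below are constructed.
set -eu

# Report the highest number of lines written in any single minute.
# Classic syslog timestamps: "Mar 10 12:01:03 host prog: msg" -> key "Mar 10 12:01".
busiest_minute() {
    awk '{ k = $1 " " $2 " " substr($3, 1, 5); n[k]++ }
         END { best = 0; for (k in n) if (n[k] > best) best = n[k]; print best + 0 }' "$1"
}

# Weak (default) vs hardened journald settings, as a drop-in file body.
# Storage=volatile keeps the journal in /run (RAM) only; RuntimeMaxUse caps it;
# the RateLimit pair drops a service's messages after 200 in 30 s.
journald_sd_dropin() {
    cat <<'EOF'
# /etc/systemd/journald.conf.d/sdcard.conf
[Journal]
# default is Storage=auto: persistent, written to the card, once /var/log/journal exists
Storage=volatile
RuntimeMaxUse=32M
RateLimitIntervalSec=30s
RateLimitBurst=200
EOF
}

# Constructed sample: nine lines in one minute from one service, one line later.
sample_log() {
    i=0
    while [ "$i" -lt 9 ]; do
        printf 'Mar 10 12:01:%02d raspi locator[412]: heartbeat sent\n' "$i"
        i=$((i + 1))
    done
    printf 'Mar 10 12:03:07 raspi sshd[501]: Accepted publickey for pi\n'
}

if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); sample_log > "$tmp"
    echo "busiest minute: $(busiest_minute "$tmp") lines"; rm -f "$tmp"
    journald_sd_dropin
fi
```

Point busiest_minute at /var/log/syslog on the real device to see whether a service is doing what Foone describes; if rsyslog is also installed it still writes /var/log/syslog to the card, so stop it or send it to a tmpfs as well, and with Storage=volatile the journal is gone after a reboot, so forward anything you need to keep.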
