Email or username:

Password:

Forgot your password?
Top-level
Foone🏳️‍⚧️

well I'm putting this away so I don't accidentally hack them.

58 comments
Polychrome :clockworkheart: replied to Foone🏳️‍⚧️
@foone this thread just slowly became worse and worse as I was reading it :blobcatsweat:​
Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

this is one of the many reasons I'm not a security researcher.

it's a target rich environment.

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.

That's not reverse engineering! That's just lookin'

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

Also this isn't the only opsec failure they've made but if I say what the other one is, you might be able to figure out what company this is. And if you can do that, they can too, and they might get mad at me

Wouter Verhelst replied to Foone🏳️‍⚧️
@foone
Pretty sure they already can with the info you've just written down if they want.

Pretty sure they also don't want, because it would be embarrassing to the extreme for them to come forward after what you just wrote down 😂
Billie Thompson 🦊 replied to Foone🏳️‍⚧️

@foone oh my god, this is the real life example of the old joke "it works on my machine" "ok box it up and send it to the data center"

janet_catcus replied to Foone🏳️‍⚧️

@foone sounds like a classic "hey guys, im done with the prototype/proof of concept, how is your prese- why is there a desk _between_ our chairs?" scenario

Tony Hoyle replied to Foone🏳️‍⚧️

@foone
Companies get mad because their security failings are pointed out all the time.. doesn't mean we shouldn't do it.

Kevin Karhan :verified: replied to Tony

@tony @foone if necessary just anonymize the findings and create a throwaway account so you don't get the #ShootTheMessenger experience like @Lilith did multiple times...

- Also feel free to send an anonymous tip to the necessary #ITsec regulators / #CERT|s or contact some journos like @heisec ...

Json Doh replied to Bhushan Shah 🤷‍♂️🤖👀📱

@bshah that matters little. The cloned iot devices are still in use in the wild.

@foone

Pseudo Nym replied to Foone🏳️‍⚧️

@foone

As always, you are my hero.

This is jaw-dropping bad.

Play some old Lode Runner on an Apple ][ emulator for brain bleach.

Nice find.

#infosec

See if they have a bug bounty program. They won't, given these kinds of findings, but clearly they should.

BenBE replied to Foone🏳️‍⚧️

@foone As they say: The S in IoT is for Security …

Deborah Hartmann Preuss, pcc 🇨🇦 replied to Foone🏳️‍⚧️

@foone I'm imagining the dev said "hey, it works!" and five minutes later found himself laid off. Five minutes after that, they were cloning this card. 🤦‍♀️🙅‍♀️🙎‍♀️

Foone🏳️‍⚧️ replied to Foone🏳️‍⚧️

I just noticed this is how they heatsinked that raspberry pi I yanked the SD card out of.

void *ada; replied to Foone🏳️‍⚧️

@foone@digipres.club i love that the left heatsink is also not the appropriate size at all

kate 🏳️‍🌈 🏳️‍⚧️ replied to Foone🏳️‍⚧️

@foone was it vertically mounted? I wonder if the adhesive started to fail and it tipped over
Either way, it’s *disgusting* how they treated their product and customers.

Marcus Müller replied to Foone🏳️‍⚧️

@foone well, I don't want to say it, but, if I read your posts, I might come to the conclusion that this device was not carefully designed nor built at all!

Marcus Müller replied to Marcus

@foone You mean just it's a shoddy IoT product?
You really think someone would do that?
Go ahead and just built an IoT product with no forethought, diligence or afterthought at all?

Solarbird :flag_cascadia: replied to Foone🏳️‍⚧️

@foone the fact that it's stayed on is by itself kind of impressive

🌕💀🔮🐦‍⬛ replied to Foone🏳️‍⚧️

@foone Secretly terrified this is a former employer's handiwork

RyanSquared replied to 🌕💀🔮🐦‍⬛

@jordan @foone this thread is also making me wonder if this was my former employer.

Hugo Mills replied to Foone🏳️‍⚧️

@foone The heatsink is tilted like that to ensure that the caloric fluid runs off properly.

lukas wirz replied to Foone🏳️‍⚧️

@foone I'd also be slightly surprised if the heat sink on the EMI shield was required ...

Glyph replied to Foone🏳️‍⚧️

@foone this level of both software & hardware gore is bordering on needing a CW

MenhirMike replied to Foone🏳️‍⚧️

@foone From that angle it almost looks like it's actually a Li-Ion Laptop battery bulging rather than a heatsinked chip.

sudo (but scary) replied to Foone🏳️‍⚧️

@foone the heatsink on the WiFi module shield is a nice touch

Joseph replied to Foone🏳️‍⚧️
@foone Oh you are absolutely getting a follow after this firecracker of a thread! 💞
nsfw :donor: replied to Foone🏳️‍⚧️

@foone Okay, now to the important part: how much was the RPi in a fancy plastic box, and how much per month is it to have that box scp stuff to an Azure account?

Jürgen replied to Foone🏳️‍⚧️

@foone #terrypratchett : it is not spying if you have to take few steps back in order not to turn deaf!

JP replied to Foone🏳️‍⚧️

@foone That depends a lot on the prosecutor's familiarity with technology and their desire to look tough on cyber crime.

HP van Braam :verified: replied to Foone🏳️‍⚧️

@foone half of reverse engineering is thinking to look though! 😄

Peter replied to Foone🏳️‍⚧️

@foone Showing my age here, but I will never forget seeing Andrew Tridgell do a live demo of how he reverse engineered BitKeeper during his LCA 2005 keynote.

He ran telnet to connect to the BitKeeper port, and typed "help".

Foone🏳️‍⚧️ replied to Peter

@stibbons that's always a good step: asking for help!

Glen Turner (VK5TU) replied to Peter

@stibbons @foone My favourite bit of that is he then asked the room what he should type next. The entire crowd 'reverse engineered' Biitkeeper in minutes, the entire demo undercutting all the accusations that Tridge was doing something Uber-nefarious requiring 133t hacking skills.

That was also the year of Stevens versus Sony, the High Court of Australia decision which allowed defeat of DRM and reverse engineering to achieve interoperability.

🗦new🗧 FireFly replied to Foone🏳️‍⚧️

@foone idk, *un*screwing boxes? that sounds like engineering in reverse to me,

eviloatmeal replied to Foone🏳️‍⚧️
@foone It's not breaking and entering when the house has no doors in the door frames. And no walls.
Dasha Sierra replied to Foone🏳️‍⚧️

@foone You know, I never get bored of your tech adventures. Stay awesome. 💜

Esmé Ciredutemps replied to Foone🏳️‍⚧️

@foone i don't really understand completely what is explained but i read the thread as an excellent investigation and thriller movue. Thank you.
🍿

Gabriel Pettier replied to Esmé

@ciredutempsEsme @foone well, it's as much an investigation as visiting a flat and immediately discovering the remains of a meth-lab operation, with unattended unstable chemicals.

I suspect the team for that was one dev that hacked it together and cut all the corners until they got a smooth circle.

arceuthobium replied to Gabriel

@tshirtman @ciredutempsEsme @foone sounds like they laid off their one man dev team the minute they had a working prototype, no?

Gabriel Pettier replied to arceuthobium

@theothersimo @ciredutempsEsme @foone well, or features were always too high prio for quality to happen.

I've been a one man team shipping devices with custom software to places, and yeah, times was always too short to think about small things like security (though for that business that wasn't really a concern, the worst that could happen was people stealing our code and running with it).

Ben Aveling replied to Esmé

@foone @ciredutempsEsme ask, and we shall try to answer. Any question you have, someone else has the same question but is afraid to ask.

Esmé Ciredutemps replied to Ben

@BenAveling @foone
It would be too many questions and I guess i would fond the answer looking on the internet si i won't bother you but a big thank you for thé proposition

Haelwenn /элвэн/ :triskell: replied to Foone🏳️‍⚧️
@foone Kind of thing that is so bad I kind of wonder if it's a really weird attempt at an honeypot.
#wafuposting enjoyer replied to Foone🏳️‍⚧️
@foone LOG IN TO THEIR EMAIL AND START SENDING TONS OF SPAM YOU PUSSY
Skyr replied to Foone🏳️‍⚧️

@foone is it a hack if they willingly hand over the passwords? 🤔

gunstick replied to Skyr

@skyr @foone it is a hack because using the hackertool "linux" enabled to read the SD.
The SD is not readable on a "normal" computer.
So clearly illegal hacking.

Skyr replied to gunstick

@gunstick @foone And most likely he used less! less is more than more, this is really bad!! 😂

Go Up