Posted by walterbell 4/15/2025

Hacking a Smart Home Device (2024)(jmswrnr.com)
318 points | 79 comments
smjburton 4/15/2025|
> For better or worse, the engineers behind the service decided not to implement a standard protocol like DTLS.

> We're not certain if each device has its own unique private key, but whether it does or not, both have downsides ... If all devices share the same firmware private key, the attacker needs to reverse engineer just a single device to MITM attack any other devices.

If anything, this article further highlights that security on these types of devices isn't as rigorous as on other consumer electronics like laptops or smartphones. Anyone using smart devices should look into DD-WRT, OpenWrt, Tomato, or Asuswrt-Merlin and isolate these devices in their own VLAN, away from the rest of your private network.
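As an added illustration of the VLAN isolation suggested above (not from the thread or the linked article), here is what it looks like in OpenWrt's UCI config files. The VLAN id 20, the 192.168.20.0/24 subnet, the switch port lan4 and the zone name iot are assumptions; the devices get internet and DHCP/DNS from the router, but cannot reach the LAN, while the LAN may still initiate connections to them (useful for a local Home Assistant integration).

```ini
# /etc/config/network  (DSA-style switch, OpenWrt 21.02 or newer)
# Assumed: VLAN 20 on port lan4, subnet 192.168.20.0/24 for IoT devices
config bridge-vlan
	option device 'br-lan'
	option vlan '20'
	list ports 'lan4:u*'      # untagged on lan4, PVID 20

config interface 'iot'
	option device 'br-lan.20'
	option proto 'static'
	option ipaddr '192.168.20.1'
	option netmask '255.255.255.0'

# /etc/config/dhcp
config dhcp 'iot'
	option interface 'iot'
	option start '100'
	option limit '150'
	option leasetime '12h'

# /etc/config/firewall
config zone
	option name 'iot'
	list network 'iot'
	option input 'REJECT'     # router services closed by default
	option output 'ACCEPT'
	option forward 'REJECT'   # no transit between zones unless forwarded

# Devices may reach the internet (their cloud API) but NOT the lan zone:
# there is deliberately no "src iot / dest lan" forwarding section.
config forwarding
	option src 'iot'
	option dest 'wan'

# Only DHCP and DNS are opened on the router itself for the iot zone.
config rule
	option name 'Allow-IoT-DHCP-DNS'
	option src 'iot'
	option proto 'tcp udp'
	option dest_port '53 67 68'
	option target 'ACCEPT'

# Optional: let hosts on the lan zone (e.g. a Home Assistant box) initiate
# connections to the devices; return traffic is allowed by connection tracking.
config forwarding
	option src 'lan'
	option dest 'iot'
```

Apply with `/etc/init.d/network restart` and `/etc/init.d/firewall restart`, then verify from an IoT-side host that the LAN subnet is unreachable while the internet still is.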

vsviridov 4/15/2025|
If anything, devices of that nature should have local control via Bluetooth LE, and not require some crappy proprietary cloud.
smjburton 4/15/2025||
Agreed, the ideal solution would be to control these devices without being on your home network at all.
hxii 4/15/2025||
I’ve got a power station (Ugreen) with an ESP32 that I’d also love to connect to HomeAssistant, instead of their app which provides me no benefit.

This is definitely beyond my capabilities at this point but it could be interesting to go through a similar process once mentally ready.

walterbell 4/15/2025||
Imagine a mental price tag alongside IoT cybersecurity label, https://arstechnica.com/information-technology/2023/07/the-c...
blitzar 4/15/2025||
"US Cyber Trust Mark" - I can trust the server is in Room 641A and they added microphones and cameras to my smart plug.
NoMoreNicksLeft 4/15/2025||
It's not. Get a usb-serial cable. Open it up, attach that, load Tasmota firmware. Takes a little bit of fiddling to figure out which gpio goes to which relay sometimes, but once you've gotten the pattern you can upload it so others don't have to figure it out next time.
stavros 4/15/2025||
This is a great article, but I really hate the fact that we have to rely on weak security to make our devices consumer-friendly/usable. I'm looking forward to the EU passing some law that says that devices should work locally as well, and then everything can just be Zigbee. I love Zigbee.
Oxodao 4/15/2025||
For initial RE, I'd highly suggest jadx-gui over dex2jar+jd-gui; it has a lot of nice features.
grishka 4/15/2025|
Not only that, jadx operates on dex files directly and the conversion from dex to regular JVM classes can sometimes be lossy. So you tend to get better decompilation with jadx vs dex2jar and any regular Java decompiler.
robertlagrant 4/15/2025||
> No Cap device found!

Of course, in 2025 this means "I really did find a device!"

CommenterPerson 4/15/2025||
Top notch work and writeup. Many Thanks.

I couldn't do 10% of this, and don't wish to spend a part of my life wrestling with gadgets like this. I simply will not buy. I will also simply avoid almost all social media.

paranoidrobot 4/15/2025||
As far as I can tell it doesn't mention which air purifier.

Knowing that might help influence purchasing decisions for those also interested in a "sleek" air purifier that contains an ESP32.

deanc 4/15/2025||
I highly suspect that this is a Levoit air purifier. I recently purchased a Levoit 300S and had the same issue. The VeSync app connects the device directly over the internet and you can control it via an API on their domain with a username and password. Your air purifier is then a backdoor to your home network. I just put it on a guest network now rather than go through this.
rx_tx 4/15/2025|||
I suspect hiding the manufacturer/model was very much on purpose, they blurred the markings on the PCB and hid the domain name for the manufacturer's API calls (and in the console logs as well).
timc3 4/15/2025||
I agree; hopefully it helps keep the article from being taken down, because it's a very good primer on getting any ESP-based device working locally.
rickdeckard 4/15/2025||
I guess that is on purpose. After all, the article could easily be rewritten as a successful attack on the manufacturer's infra using a private key extracted from a device.

So the author's Home Assistant integration could be at risk of stopping working quite quickly...

Havoc 4/15/2025||
The recent drama around the Unitree robot being effectively a beachhead on the network has made me much more wary of connecting anything. Think I'll stick to Tasmota and Zigbee going forward.
simonjgreen 4/15/2025|
Can you tell me more about the Unitree drama?
walterbell 4/15/2025||
https://news.ycombinator.com/item?id=43604706

  Upon gaining access to the CloudSail API, which they did using a recovered API key, they could:

    List all connected devices and their IP addresses
    Establish remote tunnels to those devices
    Access the robot dog’s web interface with no authentication
    Use the robot’s cameras for live surveillance
    Log in via SSH using default credentials (pi/123)
    Move laterally within internal networks to which the robot is connected
your_challenger 4/15/2025||
Great article and great website. I love that every external link showed a favicon like image next to it.
hilti 4/15/2025|
Awesome journey! Thank you for having me … I learned a lot.