OpenHAB - Man in the middle attack

From Embedded Lab Vienna for IoT & Security

Summary

The results of our Man-in-the-Middle attack on OpenHAB.

Goal

To perform a Man-in-the-Middle attack via ARP spoofing between a Hue bridge and a computer, and to capture the traffic sent between OpenHAB and the bridge while controlling a wireless light.

Used Software

You can find our documentation on installing OpenHAB here: Install OpenHAB.

Used Hardware

Philips Hue White and Color Ambiance Single LED-Bulb E27 10W

Philips Hue Bridge 2.0, Gateway

Capturing traffic before the Attack

Before we performed the Man-in-the-Middle attack, we captured traffic with Wireshark directly on the host computer that was running OpenHAB.

As the capture shows, the values for color, saturation and brightness are transmitted in plain text, and every PUT message is visible whenever a setting is changed.

Traffic before attack.png

Using Cain & Abel

The first step in Cain & Abel is to use the sniffer to determine which hosts in the network are available for sniffing and MitM attacks.

To start the process, we click on the second button from the right in the top left corner.

Cain-Able-Sniffer.png

The output is a list of the hosts available in the network; in our case it includes 192.168.0.38, on which OpenHAB is running, and 192.168.0.150, our Philips Hue bridge.

Cain-Able-Sniffer Output.png

The next step is to select the participants on which we want to perform the attack. For that, we open the ARP tab at the bottom left of the program and click the big blue plus symbol.

Cain-Able-ARP.png

In the newly opened window we choose the two victims for the ARP spoofing: our host computer and our bridge.

Cain-Able-Victims.png

The last step is to press the radioactive button to start the poisoning.

If we now look at the ARP table of our host computer, we see that the bridge and the attacker computer have different IP addresses but the same MAC address, namely that of our attacking PC, which therefore receives every message the host computer sends to the bridge.

Cain-Able-Radioactive.png

Thus we can now also use Wireshark to capture the traffic between the host computer and the Hue bridge.
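The duplicate-MAC observation in the host's ARP table is also the simplest way for a defender to spot this kind of poisoning. The following Python script is an added example (it is not part of the original lab writeup and not a Cain & Abel or OpenHAB feature): it parses the output of `arp -a` in the layout Windows prints, ignores multicast and broadcast entries, and flags any unicast MAC address bound to more than one IP address, as well as any known device whose MAC differs from a baseline recorded before the attack. The IP addresses 192.168.0.38 and 192.168.0.150 are those of the lab; the attacker IP, all MAC addresses and the baseline are constructed sample values.

```python
"""Detect ARP-cache poisoning from the text output of `arp -a`.

Added example, not part of the lab page. The lab observes that, after the
poisoning, the bridge and the attacker share one MAC address in the host's
ARP table. This script turns that observation into a check.
"""
import re
from collections import defaultdict

# One data line of Windows `arp -a`: "<IP>   <MAC>   <type>".
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)\s*$"
)


def normalize_mac(mac):
    """Lower-case, colon-separated form so Windows and Unix output compare equal."""
    return mac.lower().replace("-", ":")


def is_group_address(mac):
    """Multicast/broadcast MACs legitimately map to many IPs; they are skipped."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 1


def parse_arp_table(text):
    """Return {ip: mac} for all unicast entries in the table text."""
    entries = {}
    for line in text.splitlines():
        match = ARP_LINE.match(line)
        if not match:
            continue  # interface header, column header, blank line
        ip, mac, _entry_type = match.groups()
        mac = normalize_mac(mac)
        if is_group_address(mac):
            continue
        entries[ip] = mac
    return entries


def find_shared_macs(entries):
    """Return {mac: [ip, ...]} for every MAC claimed by more than one IP."""
    by_mac = defaultdict(list)
    for ip, mac in entries.items():
        by_mac[mac].append(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def find_baseline_changes(entries, baseline):
    """Return {ip: (expected_mac, observed_mac)} for known devices whose MAC moved."""
    changes = {}
    for ip, expected in baseline.items():
        observed = entries.get(ip)
        if observed is not None and observed != expected:
            changes[ip] = (expected, observed)
    return changes


def check(text, baseline):
    """Run both detections over one ARP table dump."""
    entries = parse_arp_table(text)
    return {
        "shared": find_shared_macs(entries),
        "changed": find_baseline_changes(entries, baseline),
    }


# Constructed baseline: the bridge's MAC as recorded before the attack
# (documentation-range MAC, not a real device).
BASELINE = {"192.168.0.150": "00:00:5e:00:53:b1"}

# Constructed `arp -a` dump of the host (192.168.0.38) before the attack.
ARP_CLEAN = """\
Interface: 192.168.0.38 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-5e-00-53-01     dynamic
  192.168.0.150         00-00-5e-00-53-b1     dynamic
  192.168.0.200         00-00-5e-00-53-aa     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# Constructed dump after poisoning: the bridge entry now carries the MAC of
# 192.168.0.200 (the attacking PC), exactly the symptom the lab describes.
ARP_AFTER_POISONING = """\
Interface: 192.168.0.38 --- 0x4
  Internet Address      Physical Address      Type
  192.168.0.1           00-00-5e-00-53-01     dynamic
  192.168.0.150         00-00-5e-00-53-aa     dynamic
  192.168.0.200         00-00-5e-00-53-aa     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

if __name__ == "__main__":
    result = check(ARP_AFTER_POISONING, BASELINE)
    for mac, ips in result["shared"].items():
        print(f"ALERT: MAC {mac} is claimed by {', '.join(ips)}")
    for ip, (expected, observed) in result["changed"].items():
        print(f"ALERT: {ip} changed from {expected} to {observed}")
```

In practice the script would be fed the live output of `arp -a` (or the Linux equivalent `ip neigh`, whose line layout differs and would need its own pattern) and run periodically; the baseline check catches the case where the attacker only poisons the bridge entry and does not appear in the table under its own IP at all.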

Capturing traffic during the attack

We can now capture the traffic sent between the host PC and the Hue bridge on our MitM computer. Besides the fact that every packet carries a timestamp, which allows a precise reconstruction of when and how the lamp is used, we can also see the lamp's status, such as brightness and saturation, and every change to it in plain text.

Cain-Able-Wireshark-1.png Cain-Able-Wireshark-2.png

API Interface

Another thing visible while performing the MitM attack is the URI of the bridge's request API.

URI-Request-API.png

With a slight change to that URI, requesting lights instead of lights/1/state, the bridge returns a large amount of information about every light connected to it.

Watch-changes-without-spoofing.png

With this page open, it is possible to watch changes to the lamp's settings even without a running ARP spoofing attack.
