OpenHAB - Man in the middle attack
The results of our Man in the middle attack on OpenHAB.
Goal: perform a Man in the Middle attack via ARP spoofing between a Hue bridge and a computer, and capture the traffic sent between OpenHAB and the bridge while it controls a wireless light.
- Cain & Abel https://www.chip.de/downloads/Cain-Abel_17043501.html
- OpenHAB https://www.openhab.org/
  Our documentation about installing OpenHAB can be found on the Install OpenHAB page.
- Wireshark https://www.wireshark.org/
Capturing traffic before the Attack
Before we performed the Man in the Middle attack, we ran a Wireshark capture directly on the host computer that was running OpenHAB.
As one can see, the values for colour, saturation and brightness are visible in plain text, and every PUT message sent whenever we change something appears in the capture.
Using Cain & Abel
The first thing to do when using Cain & Abel is to use the sniffing function to determine which hosts in the network are available for sniffing and MitM attacks.
To start the process, we click on the second button from the right in the top left corner.
The output is a list of available hosts in the network, in our case including host 192.168.0.38, on which OpenHAB is running, and 192.168.0.150, which is our Philips Hue bridge.
The next step is to select the participants between which we want to perform our attack. For that, we select the ARP menu at the bottom left of the program and then click on the big blue plus symbol.
In the newly opened window we can choose the two victims on which we will perform the ARP spoofing, so we chose our host computer and our bridge.
The last step is to press the radioactive button to start the poisoning.
If we now take a look at the ARP table of our host computer, we can see that our bridge and the attacker computer have different IP addresses but the same MAC address, namely the address of our attacking PC, which therefore receives every message our computer sends to the bridge.
Thus we can now also use Wireshark to capture the traffic between host computer and Hue Bridge.
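The duplicate-MAC symptom described above is something a defender can check for automatically. The following Python script is an added example and not part of the original writeup: it parses Windows-style `arp -a` output (a constructed sample is embedded, with made-up MAC addresses and a made-up second host) and reports any MAC address that is claimed by more than one unicast IP address.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `arp -a` output, mirroring the symptom described
# above: the Hue bridge (192.168.0.150) and a second host share one MAC address.
# All MAC addresses and the second host's IP are made up for this example.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.0.38 --- 0x5
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.0.150         aa-bb-cc-dd-ee-99     dynamic
  192.168.0.200         aa-bb-cc-dd-ee-99     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""

# One ARP table row: IPv4 address, MAC (Windows dashes or Unix colons), entry type.
ARP_LINE = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)"
)

def parse_arp_table(text):
    """Return a list of (ip, mac, type) tuples; MACs are normalised to lowercase colons."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            ip, mac, kind = m.groups()
            entries.append((ip, mac.lower().replace("-", ":"), kind.lower()))
    return entries

def is_broadcast_or_multicast(ip, mac):
    """Broadcast and IPv4 multicast entries legitimately share MACs and are skipped."""
    if mac == "ff:ff:ff:ff:ff:ff":
        return True
    first_octet = int(ip.split(".")[0])
    return 224 <= first_octet <= 239

def find_shared_macs(entries):
    """Map each MAC seen for more than one unicast IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _kind in entries:
        if not is_broadcast_or_multicast(ip, mac):
            by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}

if __name__ == "__main__":
    for mac, ips in find_shared_macs(parse_arp_table(SAMPLE_ARP_OUTPUT)).items():
        print(f"WARNING: MAC {mac} claimed by {len(ips)} IPs: {', '.join(ips)}")
```

On a live machine, feed the output of `arp -a` (or `ip neigh` on Linux, which the same regex also matches) into `parse_arp_table`; a hit does not prove spoofing, but it is exactly the state the ARP table is left in by the poisoning described above.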
Capturing traffic during the attack
We can now capture the traffic sent between the host PC and the Hue bridge on our MitM computer. Besides the fact that every packet carries a timestamp, which allows a precise reconstruction of when and how the lamp is used, we can also see the status of the lamp, such as brightness and saturation, as well as every change, displayed in plain text.
Another thing we can see while performing our MitM attack is the request URI of the bridge's API.
We can use that URI with just a slight change, requesting lights instead of lights/1/state, to display a huge chunk of information about every light connected to our bridge.
If this page is kept open, it is possible to watch the changes in the lamp's settings even without a running ARP spoofing attack.