
All right, hi, my name is Shane Kel, I work with NetSPI. This talk started as a learning project a couple of years ago when I was trying to get into mobile application testing, and it's kind of morphed: I've been down this embedded systems rabbit hole the whole last couple of weeks as well, so it's the project that keeps on giving.

Just to give you some structure, the project was three phases. The first two phases I did back over holiday break in 2022. It sat on the shelf, sadly, for a couple of years, and then when I proposed it for this talk I went through phase three. It was interesting being able to take a learning project and go back to it with some of the mobile skills that I developed since then and take another look at things. So if you have a project like this that you've been sitting on for a while, it's a good idea to pick it back up when you've got a few more tools in your toolbox, as it were. Also, thank you very much, Carl, for helping me out with my presentation.

All right, so back in 2021 we wanted to do a little bit more of our workouts at home. I wanted to get a rowing machine. My wife was okay with it, but she insisted that it had to be a smart rowing machine. In short, it's an Android-powered user interface that has some gamified workout experiences locked behind a paywall. It's usable without a subscription, but there's something about seeing that little meteor ball bounce as you're doing your rows that is kind of motivating. When I canceled my subscription it was something I kept taking a look at, and since I'm a cyber security professional I decided to take a deeper look at the unit, as it were.

So we enter phase one: proxying and manipulating traffic. The goal here is to identify what traffic it's sending, how it's handling authorizations, whether I can even proxy the traffic, and what happens when I manipulate those responses before they get back to the rowing machine. Talking about scope: the API on the back end is strictly off limits. I'm manipulating responses coming into the rowing machine and only sticking within my own network.

So, the lay of the land. It auto-loads this app on startup, goes through a setup sequence, the app loads, and you're inside the app at this splash screen here. Can you see my cursor okay? I just want to make sure. There are no virtual or physical buttons, so when you look at the thing there's nothing to push or prod, seemingly no way to navigate away from the application. The locks you see on the screen are subscriber features behind the paywall. I ran an nmap port scan to see if there was anything interesting I could enumerate, and it reported that all the ports were closed. But on the back there are a lot of ports: you see these SD card ports, there's a USB-A port here, and the serial port that I enumerate later in the presentation. So of course what do I do? I plug in my micro USB adapter here so that I can connect it to my testing machine, and this dongle here is a wireless keyboard dongle, and that one was the trick. For those of you viewing at home, you heard a chime sound; that's the chime I hear whenever I connect my USB dongle, and I knew I was able to do something interesting. Using that wireless keyboard dongle you can alt-tab away from the application. This is going to be a big Jedi hand wave over this, but the objective is to enable USB debugging so that I can issue Android Debug Bridge commands, or adb, from my testing machine, and then I can start changing Wi-Fi configurations and all that.

So the next step, when you're trying to proxy traffic from an Android-enabled device, is to get my CA cert, my certificate authority cert from my intercepting proxy, into the system store on the device so that I can look at the HTTPS traffic that's being sent. First things first: I use Burp, so all of my intercepting proxy directions are going to be in Burp. You can use ZAP or any other intercepting proxy, but you need to do this import/export CA certificate from your proxy listeners in Burp and export it in the DER format. Then, using that, you're going to run this one-liner here. I got this one-liner from mitmproxy, which is a spoiler for later on in the presentation, but it's a really handy command, because basically what you have to do is take your CA cert and rename it to the hash value of that cert before it gets into the system store; otherwise the Android operating system is going to disregard it. Doing that, you get this value here; that's my renamed cert. Next you're going to use the Android Debug Bridge: restart it as root, remount the system directory with just this remount command so that it's writable, and then push your renamed cert into that directory, which is listed out here, the cacerts directory under security. Then you need to change the permissions on that cert, otherwise again Android is going to disregard it if it doesn't have the right permissions, and then you reboot the device. On the device, when you look in the trusted credentials section, in the system section, you're going to see this PortSwigger; PortSwigger are the folks that make Burp Suite. Once you see that, you know that you should be able to proxy
traffic. Now, people that are more familiar with mobile testing, especially on the Android side, you might be saying, wait, you can't just remount system to be writable, that's not possible in current versions of Android, and you would be correct. But I'm not dealing with the current version of Android. From Android 10 on, and this is a part I want to talk about, because from Android 10 on you can't remount system to be writable, so how would you go about this? You would have to either rebundle the application to have your certificate authority bundled in the application, so that the application trusts the certificate you're providing it, which is a problem here because there's a service running on the rowing machine, above root level, that whenever I uninstall the APK, the Android application, automatically reinstalls its own copy. So I can't rebundle the application. The other way you would go about this is installing Magisk, which is the mobile standard for rooting your Android phone. That was a problem here because when you go through the install process, one of the things you have to do is pull the firmware image, modify it, and then get it reloaded onto your device, and when I did that you enter a mode called fastboot where you can flash the modified boot image. There were about 15 minutes where I thought I bricked the thing, which is a problem when your primary stakeholder really likes using the rowing device. So it was a heart-stopping minute, but thankfully I didn't have to worry about all that.

All right, so you have the CA cert installed in the Android rowing device. Now you have to configure your proxy listener. In your proxy listener you're going to edit one of these configurations or create a new one, and you want to set it to listen on the local interface for connections. You can change this bind port; usually when I'm doing a mobile test I'm testing on iOS and Android, so I set them up to listen on different ports so I can more easily isolate the traffic coming from whichever device. On the device in question, the rower, edit the proxy host name and the proxy port to point to my proxy listener so that it's sending its traffic to my proxy listener for capture. Then, going back to my intercepting proxy, you boot up the rower and check the traffic, and if you don't get any errors and you get traffic coming through, great, now we can analyze traffic. That's a big step in the right direction. Hooray.

All right, so looking at the traffic here, these two requests, these accounts requests, are interesting because there's one for feature flags and there's one for just my regular account information. The one for my regular account information is pulling down all of my user data, including this billing state, and it says canceled. That's always interesting. So what do we do? We capture it with our intercepting proxy and modify it before it comes back to the rowing machine to be active, and when you go into the rowing machine you don't have any locks in your interface anymore. Okay, so looking at it, I assumed that it was an authorization issue based on just that flag, and it is, but the problem comes in because the workout data that's being used to populate all these programs is being sent to everybody regardless of what their subscriber state is. So the only thing me changing that flag did was enable my rower to consume that data in these programs and allow me to use the programs. One feature flag was being relied on to basically paywall all the subscriber features, and when you bypass it you still get to use the rower as normal.

All right, so what about that other one, the feature flags? Okay, so looking at the response you see all these boolean values: false, false, false, true. Okay, well, what happens when we turn them all true, true, true, true, true before it gets back? And the one marking here, you can see the edited response marker; I didn't point that out before. Then you go into the user interface and I've got this new experimental feature flag thing here. Now, out of respect, I'm not going to talk about anything that I saw in there. I saw some things that are not available for public consumption, and it also gave me access to Canary builds, if I wanted to download a beta version of the application before it's released to the public. Well, that's interesting.

Now, those account flags are sent several times as you navigate through the user interface and use the rower for normal functions. So we enter phase two: automation. The rower goes through it several times, like I mentioned. Now, is there a good way to automate this? The short answer is yes. So we enter mitmproxy. What is mitmproxy? It's another intercepting proxy, much like Burp, but it's lightweight, open source, and it runs really well from the command line. It's also expandable with add-ons that are written in Python, so anything that you can do in Python you can write an add-on for mitmproxy to change its behavior and to take actions automatically based on events. mitmproxy views the request and response as a flow, so each flow is an object and each object has different attributes. I was worried about this, by the way: originally when I made the slide it was dark text on a dark background, and then I did a lunch and learn, and now it's all this white space with light text on a light background, so hopefully this comes across okay. So this is the basic structure of an add-on in mitmproxy. You're going to import from the mitmproxy library this http base class, which lets you create your own class, so you create a class, "change some traffic", and then each flow object, like I said, has different properties. So here you see this flow.request.host, so when we have a host in the flow that matches our target host we can do some code, and response is an event trigger. Similarly, on a request you can do much the same thing. Now, there's a whole list of these event triggers and you can key off requests or errors or whatever. The other thing you can do with these is matches based on the path, so if there's a path that comes through that you're targeting
then you can serve up your own response. Okay, so getting into this: when I was diving into this I was like, okay, I want to be able to see the traffic that's going from mitmproxy down into my rowing machine, right? So I have a proxy chain set up: the rowing machine is pointed at Burp Suite, which is pointed at mitmproxy and then out to the internet, because I want to see the traffic that mitmproxy is modifying before it gets back to the rowing machine. That was the objective here. I guess talking about that, it's important to know what your tools are doing and how they're doing it; that's my main focus here.

All right, so Burp proxy settings. Now, in the upstream proxy servers you can set up rules based on host names in the URL and where the traffic is going. So, for example, if you need your authentication request to go to a specific host, you could set up a rule that if the host matches this domain name, send it off to this host, but I actually want all the other traffic to go over here. For this it's much easier: you just set up the destination host, like any traffic going out, I want it to go to my mitmproxy. Now, this wildcard is important. If you ever set up multiples of these rules and you have a wildcard set up, it runs in a stack, a cascading stack, so it starts at the top and works its way down, and wherever that wildcard is, if you have rules after that, they're never going to execute. So just keep that in mind.

All right, so this was my first mitmproxy add-on script. I'm operating on the response, so when the response comes back, if the flow.request.host matches my target host name, do some regex matching on the path, here's flow.request.path, and if it matches one of my target paths then what we're going to do is open a file that has the JSON body that I would like to inject, modify that response body with my modified response, and print a statement saying that something's been modified. It's not really beautiful Python code, but keep in mind this was 2022, a couple of years ago. So the response bodies that I have saved look like this; it's just JSON, and I just save them in the file ready for use.

All right, so then we do a test run, and it works. On the left here is the output for mitmproxy, and you can see here on this request it does this change billing value, and then there's a little cursor here; if you click into the request you can see what the response body is. I was looking for an indicator; it would be nice if mitmproxy told you that it modified a response, but you can see here that it's set to active. Then, going into Burp to confirm, we've got the request here, we've got the response, there's no edited marking on the response, which is what I wanted to point out here, and the billing state is set to active. So, just confirming that everything works as documented. All right, great.

Then we enter phase three. mitmproxy has an example that states that when you use it, it doesn't send any data to the server at all, so what it's going to do is modify the response and send it back without releasing it to the internet. This is important because the API is out of scope, and I want to be persistent in the sense that, for the things I'm changing, if they make a change to the APK later on down the line I'm fine; everything that I've done is still going to work the way I wrote it. So my goal was to confirm that this function worked as intended, create a mitmproxy service running on a Raspberry Pi so everything's automated, and then eventually flesh out the add-on to handle all of the traffic going to the server, so not just these member functions; anything going out would just be handled by the add-on and sent back to the rowing machine, so it's all within the network. Basically I want to decouple the thing from the Wi-Fi network requirement. I don't know, there's just something about something having to be online that... I don't know, I have thoughts on that that I'm not going to get into, and my thoughts and opinions are my own and don't necessarily represent NetSPI's thoughts and opinions.

All right, so going back to my proxy map, we're going to flip the proxies now. We've got the rower pointing at mitmproxy, which is pointed at Burp Suite, which is pointed to the internet. This proxy swap is important because I just want to make sure that mitmproxy is not just making the responses but still releasing the request to the API. A pitfall I want to point out: when you have your upstream proxies pointing to each other and you forget to change that setting, what happens is it's an infinite loop of the requests going back and forth, and you start getting weird behavior in Burp and you don't realize what's going on for maybe a couple of hours the first time it happens. But then you check your event log and you've got all these throttling messages, and that's a good indicator that you've got the Spider-Man pointing thing going on. Yeah, I just wanted to mention that.

All right, okay, so we make some updates to the add-on. This is the current state of my add-on, actually. I switched to doing a case statement, so if the flow.request.host matches our target we're going to do a regex search in my local file directory to see if I've got a response already in my file directory that matches the path, and if it does we're going to serve up that body in the response and then write it to the command line. So then the command to run gets a little bit more complicated with mitmproxy: you've got mitmproxy, the script flag to run your script, the mode flag set to your mode, and then upstream, and this is pointing at your Burp intercepting proxy if you want to capture that traffic, and then you need this SSL insecure flag, because unless you import your CA cert into mitmproxy it's not going to trust the Burp cert. All right, so then we start, run a test,
compare the proxy activity. Okay, so on the top here this is mitmproxy. You can see that the accounts requests that were in scope get logged: it sees a request come in, it logs it, you can get information on that request. But then when you go to Burp, this is the same activity; you can see the customer's profile and the calibrated, but there are no accounts requests here at all. So that confirms the documented function works as intended, which is important. Effectively we can fabricate our own responses to requests from the rower. Awesome.

Now, I mentioned that there was a cybersquatter, or a possible cybersquatter. I think I've since landed on the view that it's not a cybersquatter, it's actually a legit company. But anyway, there are these two update domains, right? There's this rockchip and this local IP address. This local IP address is not on my network; I do not have an IP address like this on my network, I checked. They're two HEAD requests that never get answered, and it sends out the product name, the version, the serial number, country code, all that. It's like, okay, that's weird. What is rockchip.com? This is what rockchip.com looks like now, so you can see it's a little suspect. For a long time I thought it was a malicious domain, I thought it was for sale, but it doesn't necessarily look like a firmware distribution website. Turns out, based on the website, if it's accurate, it's a Rockchip repair shop in Houston, Texas. Now, doing some Google searching on Rockchip, this is Rockchip, rock-chips.com. This is the firmware manufacturer in China that made the firmware that is used in my rowing machine. I tried replacing the domain name in the original HEAD request; it didn't pan out. I was hoping that maybe I could download an updated version of the firmware and maybe install it myself or pull it apart, but it didn't work out.

All right, so I don't really enjoy my information being sent out into the ether where I don't really have control over it, so I made an update to the code to handle these instances. Now when the request goes out and it matches either rockchip.com or the IP address and the domain name, I fabricate my own 404 response to get sent back that just says 404 not found, and now I get responses. So it's just a loose end that I was able to tie up with that; I don't like loose ends very much.

All right, so now we can intercept traffic, we can capture traffic, we can modify traffic, we can fabricate responses, and now we want to be even more automated. The current state of things is that I have to go to the command line or to my intercepting proxy and fire off a one-liner, which is a problem when I have somebody else in my house that wants to use the rowing machine as well. So I turned to my Raspberry Pi 4 Model B. I'm running Ubuntu Server headless on it, it's Wi-Fi connected, I can secure shell into it with a certificate so I can manage it. But the problem is when I go to try to set up mitmproxy as a service, it doesn't run very well as a service. But that's okay, because they have mitmdump, which is even more command line than mitmproxy. This is what the output looks like when you're using mitmdump; it works really well as a service. That was another rabbit hole, so I was stuck on this for a couple of weeks. A shout-out to Cory Salop for helping me get this configured. I looked at cron jobs and systemd, and systemd seemed to be the much more friendly automated way to do it.

So this is my systemd config file for the service that I wanted to create. Basically what you do is add this into the /etc/systemd/system directory, and then the other main point here is this WorkingDirectory. That was my main sticking point, because when you're trying to pass in a script to a command that you're running as a service, it's not running as your user, it's running as a different system user, and that was my main pitfall: it would run as a service, but then you go to the rowing machine and all of your subscriber features are still locked. So this was the key to get everything working correctly, and then the ExecStart with fully qualified directories. You run this SSL insecure; some of this might not be needed, I was in this really deep troubleshooting rabbit hole when I was trying to work through this. But this conf directory, this is the default directory where mitmproxy stores its certs, and similarly to how you inserted your cert into the system store with your Burp proxy listener, when you're pointing the rower directly at mitmproxy you have to repeat the same steps, and so you need to make sure the certs match. When you run mitmdump or mitmproxy, if it doesn't find a default CA cert already generated in its default cert directory, it's going to generate a new one, and then your rower is not going to trust that CA cert. You need to make sure that they match. I probably could have explained that better in my slide deck, but you know, it's cool.

Now we're going to use systemctl enable to enable the service on startup so that it starts up automatically when the Raspberry Pi boots. Then, if you make any changes to any of your services, you have to reload the daemon for systemd, which is a systemctl command here. Start your service, run a status. Awesome, it's running, active and enabled. The service is enabled; this one I highlight because this is the one that determines if it's running on startup or not, and you can see here that it's running and it shows you the command that it's running. Awesome. You go to the rower, you boot it up, and I don't have to execute any command line commands now; it just works.

So that gets me into the current state. This is where my Raspberry Pi is now; it's effectively glued to the back of my rowing machine. Carl had the idea that maybe you can run mitmdump as a service
directly on the rower itself, which would be amazing; that might be a good next stage to the project. It powers up normally. I might have some power warnings, I don't know, I've never hooked a monitor up to it to see if there are any weird power warnings; sometimes you get that with Raspberry Pis when you're running them off of USB power. It seems to work, so it's fine.

Now, eventually I'm going to build this SQLite database to handle the data that's coming through. The workouts come in as all JSON data, my workout data gets sent out as JSON data, so it'd be nice to implement that in a table. I could either take the responses and save each one as an entry in a SQLite database, or go for the straight over-engineered solution and translate all of those data points into tables and columns, which is probably what I should have been working on for the last couple of weeks, but I went down this UART rabbit hole with a serial port.

So this is a 4-pin 2mm pitch PH connector that I plugged into the serial port in the back. I was really hoping that I was going to get some kind of shell, that would be nice, or even some debug info, but that port is basically dead. It pulls high, pulls low a couple of times, pulls high for a couple of bits, and then it goes low and just stays silent. It's like, oh. So I found this video on Open Tech Lab; they have a good YouTube video on logic analyzers. Basically, with an intercepting proxy you're using it to enumerate the traffic that's going back and forth over the web, right? A logic analyzer is the same thing, you're just doing it for electrical signals. So I bought a 24 MHz 8-channel logic analyzer from AliExpress; the list price was $6 and my welcome deal brought it down to $1. And sigrok, sigrok seems to be pretty cool so far, it's open source and free, and they have a driver that supports my 24 MHz 8-channel $1 analyzer. So that's how I enumerated this port a little bit more.

What I was hoping for was that there was another UART port on the inside that I couldn't get to from the outside, and there is. When you pull this thing apart there's a daughter board here on the left and there's a main board on the right. Now, the daughter board has these markings here that determine that it's a UART port, so I was correct that the serial port is a UART port, it's just dead. The other UART port is here where you can't see it. I have another connector coming on Saturday, I'm actually really stoked about this, because I hooked the logic analyzer up to this other UART port and there's all kinds of data coming out of that UART port. I just need a good way to get to it without taking the damn thing apart. So there are some vent holes here, and my new connectors come with pigtails, so what I'm going to do is plug the connector in here, route the pigtail through those vent holes, and so I have a port on the back of the machine that I can get to, and I can analyze it whenever the hell I want to. Yes.

All right, so the authorization issues. One authorization issue came from the flag. Any input coming from a device, if it's coming from a user, and basically my device is a user, should be distrusted, or at least trust but verify. The other authorization issue was the experimental feature flags. So that brings me to my disclosure schedule. I did a responsible disclosure. I haven't talked about anything about the company because they're still in the two-month patching window that they gave me. But on July 19th I made some LinkedIn contact attempts; I probably sounded like a creepy hacker stalker dude, but I'm just a regular hacker dude. They didn't answer. I called their customer support, and they were receptive; they wanted me to email them some screenshots of what I captured, so I fired up Wireshark and captured the domains going out to the firmware update domains and sent them that. I didn't hear anything, so I emailed on September 20th, and that was the first time I mentioned the authorization issues. On the 23rd their CTO emailed me back and asked for a few more details, and he offered to set up a Zoom meeting, so I sent him the info that I had, and then I had the Zoom meeting on the 27th. He was very receptive to the information that I gave him about his authorization issues, and he gave me a two-month patching window. So that's kind of where I'm at now; I'm waiting for confirmation. If I don't hear anything at the two months and two weeks mark I'll probably reach back out for a follow-up. I did offer to test it, being a nice, responsible security researcher.

But yeah, that's basically how I took a rowing machine, I mean I literally took it apart, I still take it apart. It was a really fun learning project, and it started with learning about mobile security testing and going down that rabbit hole, and it's led to this whole embedded systems rabbit hole. I've also started eyeballing other IoT things within my house, so I guess in my free time I'm an IoT researcher now. This is new to me; I haven't gotten a lot into the hardware hacking scenario, but in the last 6 months I taught myself how to solder and I've learned a lot more about these embedded system communication protocols, so it's been fun. Any questions? That's, yeah, that's an
AI-generated image of me going down my UART rabbit hole, by the way.

Audience: It sounded like something fun to try with a 2019 Peloton.

Shane: Yeah, you know, who knows. Yeah, for sure. Well, I'll tell you though, because it's likely Android based, right? So I think it's 8? Yeah, so I think that's the Android on it. mitmproxy's website has some really good directions on how to, because the main thing for proxying your traffic is trying to get that cert into the system store, right? They have really good directions, based on what version of Android it is, on what steps you have to take to get that cert in there. So mitmproxy, they do a really good job with their documentation. I think they actually, let me hang on, let me go back. I can take your question while I'm looking for this. Yeah, mitmproxy and mitmdump are awesome.

Audience: My question is, have you tried to search for that actual firmware update server, maybe use Shodan or something like that, using the flags that you captured, to try to find the actual server and see what was there?

Shane: I have not. That's a good call-out, though. I'll do some more information on that. When I was doing my digging on the main board, there's some information on there as far as the device; there's a serial number on there, and when I did that it's something called an RK3366 or 3399, and it ends up giving me a data sheet for the actual processor that's being used on the main board. But that's about the extent of my enumeration so far. That's a good thought, though. I'm going to be diving into another rabbit hole this weekend, it seems. Sorry, I'm really good at going through one direction on my slide deck and going back the other way. I'm going to find that link, though. Here we go. So when you go to mitmproxy's website, it's "How to install a system-trusted CA: Android". All right, well, if there are no more questions, I'll say thank you very much, everybody. I'm honored and humbled to be here.
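The add-on logic from phases one through three, reconstructed as an added example after the transcript; this is not the speaker's script and not mitmproxy project code. The API host, the two update check-in hosts, the `responses/` directory, the path patterns and the JSON key `billingState` are assumptions standing in for values the talk shows only on slides, and the mitmproxy import is optional so the matching logic can be exercised without a proxy running. Setting `flow.response` inside the `request` hook is what keeps a matched request from ever leaving the network, which is the phase-three property the talk verifies by swapping the proxy order; the `response` hook is the phase-one rewrite for anything that did reach the API.

```python
"""mitmproxy add-on: rewrite account responses, answer from saved JSON, and
refuse the firmware update check-ins locally (added example, not the talk's
own script; hosts, paths, key names and the JSON bodies are assumptions)."""
import json
import re
from pathlib import Path
from typing import Dict, Optional, Tuple

try:
    from mitmproxy import http  # present when loaded with mitmdump/mitmproxy -s
except ImportError:             # absent in plain Python; the pure logic still runs
    http = None

TARGET_HOST = "api.rower.example"                  # assumption: the rower's API host
UPDATE_HOSTS = {"rockchip.example", "192.0.2.10"}  # constructed stand-ins for the two update hosts
RESPONSE_DIR = Path("responses")                   # one saved JSON body per file, like the talk's files

# (path regex, saved body file): assumptions modelled on the two accounts requests
PATH_RULES = [
    (re.compile(r"^/accounts/[^/?]+$"), "account.json"),
    (re.compile(r"^/accounts/[^/?]+/features$"), "features.json"),
]


def load_store(directory: Path) -> Dict[str, bytes]:
    """Read every *.json file in the response directory into memory."""
    if not directory.is_dir():
        return {}
    return {p.name: p.read_bytes() for p in directory.glob("*.json")}


def rewrite_account_body(body: bytes) -> bytes:
    """Phase 1: mark the subscription active and flip every boolean feature flag to true."""
    data = json.loads(body)
    if isinstance(data, dict) and "billingState" in data:
        data["billingState"] = "active"

    def flip(obj):
        if isinstance(obj, dict):
            return {k: (True if isinstance(v, bool) else flip(v)) for k, v in obj.items()}
        if isinstance(obj, list):
            return [True if isinstance(v, bool) else flip(v) for v in obj]
        return obj

    return json.dumps(flip(data)).encode()


def decide(host: str, path: str, store: Dict[str, bytes]) -> Optional[Tuple[int, bytes]]:
    """Phases 2 and 3: the (status, body) to fabricate locally, or None to let the
    request go upstream. Update check-ins get the 404 the talk describes; in-scope
    account paths are answered from the saved bodies, so nothing reaches the API."""
    if host in UPDATE_HOSTS:
        return 404, b"404 not found"
    if host == TARGET_HOST:
        for pattern, name in PATH_RULES:
            if pattern.search(path) and name in store:
                return 200, store[name]
    return None


class RowerAddon:
    def __init__(self, directory: Path = RESPONSE_DIR):
        self.store = load_store(directory)

    def request(self, flow):
        verdict = decide(flow.request.host, flow.request.path, self.store)
        if verdict is None:
            return  # not ours: mitmproxy forwards it (to Burp, in the talk's chain)
        status, body = verdict
        ctype = "application/json" if status == 200 else "text/plain"
        flow.response = http.Response.make(status, body, {"Content-Type": ctype})
        flow.metadata["fabricated"] = True  # so the response hook leaves it alone
        print(f"fabricated {status} for {flow.request.host}{flow.request.path}")

    def response(self, flow):
        # Phase 1 path: a request that did reach the API is rewritten on the way back
        if flow.metadata.get("fabricated") or flow.request.host != TARGET_HOST:
            return
        if any(p.search(flow.request.path) for p, _ in PATH_RULES):
            flow.response.content = rewrite_account_body(flow.response.content)
            print(f"rewrote {flow.request.path}")


addons = [RowerAddon()]
```

Load it with mitmdump's script option the way the talk does; with Burp behind it in the chain, add the upstream mode and, unless Burp's CA has been imported into mitmproxy, the SSL-insecure option. The rower still has to trust the CA in mitmproxy's conf directory, exactly as the talk warns, and anything `decide` returns `None` for is forwarded unchanged.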
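For the serial-port part of the talk, which compares a logic analyzer to an intercepting proxy for electrical signals, the added example below shows what the decoding step looks like once a trace has been captured. It is not the speaker's code and not sigrok's UART decoder: the 24 MHz sample rate is the analyzer the talk mentions, the 115200 baud rate is an assumption, and the traces are constructed inside the block rather than captured from the rower. It decodes 8N1 frames from a list of sampled levels and reports the two failure modes the talk brushes against, a framing error and a line that drops low and stays there.

```python
"""Decode 8N1 UART frames from a logic-analyzer trace (added example, not the
speaker's code or sigrok's decoder). Sample rate is the talk's analyzer; the
baud rate is an assumption and the traces are constructed, not captured."""
from dataclasses import dataclass
from typing import List

SAMPLE_RATE_HZ = 24_000_000  # the 24 MHz 8-channel analyzer from the talk
BAUD = 115_200               # assumption: a common debug-UART rate, not measured on the rower


@dataclass
class DecodeResult:
    data: bytes            # correctly framed bytes, in order
    framing_errors: int    # frames whose stop bit was not high
    break_detected: bool   # line held low for a whole frame (a dead or idle-low port)


def samples_per_bit(sample_rate_hz: int = SAMPLE_RATE_HZ, baud: int = BAUD) -> float:
    return sample_rate_hz / baud


def encode_8n1(data: bytes, sample_rate_hz: int = SAMPLE_RATE_HZ, baud: int = BAUD,
               idle_bits: int = 4) -> List[int]:
    """Build a constructed trace (1 = high) so the decoder can be exercised offline."""
    bits = [1] * idle_bits
    for byte in data:
        bits.append(0)                                  # start bit
        bits.extend((byte >> k) & 1 for k in range(8))  # data, LSB first
        bits.append(1)                                  # stop bit
    bits.extend([1] * idle_bits)
    spb = samples_per_bit(sample_rate_hz, baud)
    trace: List[int] = []
    for n, level in enumerate(bits):  # stretch each bit over its share of samples
        trace.extend([level] * (round((n + 1) * spb) - round(n * spb)))
    return trace


def decode_8n1(trace: List[int], sample_rate_hz: int = SAMPLE_RATE_HZ,
               baud: int = BAUD) -> DecodeResult:
    """Find each start bit (falling edge from idle high), then sample the centre of
    the ten bit cells: start, eight data bits LSB first, stop."""
    spb = samples_per_bit(sample_rate_hz, baud)
    out = bytearray()
    framing_errors = 0
    break_detected = False
    i, n = 1, len(trace)
    while i < n:
        if not (trace[i - 1] == 1 and trace[i] == 0):
            i += 1
            continue
        centres = [i + int((k + 0.5) * spb) for k in range(10)]
        if centres[-1] >= n:
            break                        # frame runs past the end of the capture
        cells = [trace[c] for c in centres]
        if cells[0] != 0:
            i += 1                       # glitch shorter than half a bit, not a start bit
            continue
        value = sum(cells[1 + k] << k for k in range(8))
        if cells[9] == 1:
            out.append(value)
        elif value == 0:
            break_detected = True        # all-zero frame with no stop bit: line held low
        else:
            framing_errors += 1
        i = centres[9] + 1               # resume from the middle of the stop bit
    return DecodeResult(bytes(out), framing_errors, break_detected)
```

A real capture from sigrok would be exported as one sample per row at the analyzer's rate; feeding that column in as `trace` is the only change needed, and if nothing decodes at the assumed baud rate the width of the narrowest pulse in the trace gives the real one.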