Disclaimer: This post is written using the ‘Da Vinci’ open.ai model and has been edited to make it more presentable. Watch this space for a more technical article on this topic in the future.
It was fun and exciting to write this post using the ‘Da Vinci’ open.ai model. This story is based on real experience and there is a lot to learn from it. So, we decided to share it with the world.
Our firm moved to a new office which is located on the 25th floor of a contemporary business building in Tel-Aviv, providing a stunning view of the city’s skyline. The space features a range of amenities to ensure comfort and productivity, but the thing that we love most about the new office premises is the doors.
The doors are connected to an IoT device that uses a Bluetooth protocol. A mobile application with a user-friendly interface allows employees to authenticate and control the doors. The application allows residents of the building to open and lock the door from their phones.
The system piqued our curiosity and we figured that the IoT device is connected to a lock that is controlled by a mobile application. It was not difficult to guess that the device must be responsible for translating signals from the mobile application into commands that open and close the doors.
We wanted to understand more about how the application works and how it communicates with the IoT device. We also wanted to find out about any potential vulnerabilities in the application that could be exploited to gain access to other doors in the building. The idea was to identify any weaknesses in the application that could be leveraged to gain unauthorized access to the other doors.
So, we decided to initiate the ‘Open Sesame Project.’ Our mission was to hack the application and open other doors. To achieve this, we grouped up into three teams. We never said that this was a competition, but it was evident that each team wanted to beat the other and reach the goal first. All of these teams worked independently but were all aiming for the same goal of opening the doors. Through their different approaches, they were able to hack the application and ultimately achieve the goal.
The teams employed different approaches. The first team focused on the HTTP traffic and the authentication process employed by the application. This team tried to analyze the data being sent and received by the application, looking for potential weaknesses to exploit.
The second team focused on reverse engineering, debugging the application, and interfering with the lock/open function. This team tried to identify any potential vulnerabilities in the application's code and use them to open the doors.
The third team tried the ‘man in the middle’ approach between the app and the Bluetooth device. This team tried to intercept the communication between the application and the device, and then manipulate it to open the doors.
We are proud to have cracked the system in different ways and reached our goal. It was a difficult task, but the journey as well as the result was rewarding.
Through this challenge, we developed and implemented a system that enables us to open any door in the building as well as other buildings in different locations. We have explored the possibilities of technology and demonstrated the capabilities of modern engineering but have also exposed the vulnerabilities.
This success is a testament to the hard work and dedication of our team and how we are working towards making technology better for human use. We are grateful to everyone who helped us along the way.
Komodo Consulting is one of the world’s leading providers of penetration testing services. Our team of qualified, highly trained and experienced penetration testers quickly identifies holes in networks and systems.
We also offer a wide range of other security consulting services, including incident response, forensics, and security awareness training.
To improve your security posture, contact Komodo Consulting today. We will be happy to discuss your specific needs and tailor a solution that meets your budget and requirements.