07 Apr 2020 » IoT Sniffing

I bought a 25€ smart plug from a DIY shop, mostly because it was very cheap. I hadn’t poked at any IoT devices. I was struck by both the price and the complete lack of branding on the box - no idea who owns the infra, who makes it, etc. Getting it set up and on the home wifi was easy. I started poking at their app with mitmproxy. First interesting thing - it logs my phone’s location each time I use the app.

Steps for self:

  1. Change the Linux box to forward packets, and change the dhcpd clients to send traffic through the Linux box. Sniff with:

         tcpdump -i enp2s0 host 192.168.1.20 and port 8886 -w /tmp/8886

     and similar.

  2. Use nftables to redirect packets from my iPhone and the device to port 8080 on the Linux box.

         nft add table ip nat
         nft add chain ip nat PREROUTING '{ type nat hook prerouting priority 0 ; }'
         nft add rule ip nat PREROUTING tcp dport 80 counter log redirect to :8080

     (The chain definition is quoted so the shell does not interpret the braces and the semicolon.) There are better ways. One problem I found was that a counter- or log-only rule in a type nat hook didn't do anything, unless you had a rule that actually changed packets.

  3. Use mitmproxy to peek at traffic. Add a cert to the iPhone with mitm.it.

         SSLKEYLOGFILE="$PWD/.mitmproxy/sslkeylogfile.txt" mitmproxy --mode transparent --showhost --listen-port 8080

     I had to repair Debian bug 928749 with

         ln -s /usr/share/fonts-font-awesome/css/font-awesome.min.css /usr/lib/python3/dist-packages/mitmproxy/addons/onboardingapp//static/fontawesome/css/font-awesome.min.css

     I had hoped to try Wireshark's support for decoding TLS.

  4. Try stuff out!
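As an added example (not the post's own commands), here is a small POSIX shell script that turns the step 2 redirect into a single nftables ruleset loaded with `nft -f`: it limits the redirect to a named set of lab hosts on the LAN interface so the rest of the network is untouched, covers 443 as well as 80, syntax-checks before loading, and re-runs cleanly. The interface name, the proxy port and the phone address 192.168.1.21 are assumptions; 192.168.1.20 is the plug address from the tcpdump line above.

```shell
#!/bin/sh
# Added example, not from the post: build an nftables ruleset that redirects
# HTTP/HTTPS from a set of lab hosts to a transparent mitmproxy listener.
# Assumed values: LAN interface enp2s0 (from the tcpdump line), proxy port 8080.
LAN_IF="${LAN_IF:-enp2s0}"
PROXY_PORT="${PROXY_PORT:-8080}"

# gen_ruleset IP...  -> prints a ruleset for `nft -f -`; returns 1 if no hosts given
gen_ruleset() {
    [ "$#" -gt 0 ] || { echo "usage: gen_ruleset <ip>..." >&2; return 1; }
    hosts=""
    for ip in "$@"; do hosts="${hosts:+$hosts, }$ip"; done
    cat <<EOF
# declare-then-delete makes re-running idempotent without touching other tables
table ip mitm
delete table ip mitm
table ip mitm {
    set lab_hosts {
        type ipv4_addr
        elements = { $hosts }
    }
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # the post found counter/log-only rules in a nat chain did nothing,
        # so the counter and log ride on the rule that actually redirects
        iifname "$LAN_IF" ip saddr @lab_hosts tcp dport { 80, 443 } counter log prefix "mitm: " redirect to :$PROXY_PORT
    }
}
EOF
}

# apply_ruleset IP...  -> enable forwarding, dry-run parse, then load (needs root)
apply_ruleset() {
    sysctl -w net.ipv4.ip_forward=1 >/dev/null || return 1
    gen_ruleset "$@" | nft -c -f - || return 1   # --check: parse only, load nothing
    gen_ruleset "$@" | nft -f -
}

# Example: the plug (192.168.1.20, from the post) and an assumed phone address.
# apply_ruleset 192.168.1.20 192.168.1.21
```

Run `gen_ruleset 192.168.1.20 192.168.1.21` first to read the generated ruleset; `apply_ruleset` with the same arguments loads it.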

It turns out that it is a Tuya device. See API calls or firmware.

At this point, I stopped poking, as I didn’t actually have any idea what to use the device for :).
