The guys from Shortcut Labs AB made great products with their Flic Smart Buttons, but sadly, there were promises of an SDK to interact with the buttons and the hub and nothing has been delivered yet. The team focused on the Android and iOS SDKs that let other apps trigger an action on a button click.

I wanted to see what can be done by fiddling with the application. I wanted a way to get events from buttons paired with my phone or the Flic Hub. The Flic Hub does not expose any REST API; in fact, no port is open on the Hub.

Still, I discovered how the buttons' config can be retrieved and updated when paired on the phone. I also got a first overview of how it's done with Bluetooth; however, I did not fully reverse the link encryption part at this stage.

This review was only done on the Android version of the application. The analysis of the application was exclusively done through traffic sniffing (HTTP and Bluetooth) and static analysis of the Android application. The goal was to find ways to interoperate with the Flic buttons, not to find security vulnerabilities in software or hardware. Potential weaknesses are reported since they can help to understand how the application works.

Credentials, security tokens and serials were replaced with fake ones in this documentation.

Security concerns

Default credentials for Flic Hub

To ease the initial setup, it is not required to enter the "factory password" of the hub that is printed on its back. It's the same when a factory reset is done (rollback to firmware 1.0). The default password of the hub is XXX (the three letters are redacted). However, this default password is only used for the initial setup and it is immediately replaced by a randomly generated one, which is hashed and stored on the phone.

Insecure storage of credentials

The Flic Hub password, when the user resets it or sets it manually, is stored in clear text in the SQLite database. This is not the case for the initial pairing or when the hub is factory reset. In those cases, a random password is generated and stored hashed (SHA-512) in the SQLite database.

The app sends information about the phone and the executed actions to a dedicated statistics endpoint.
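A check for the storage difference described under "Insecure storage of credentials", as an added example that is not the author's or the app's code: it walks an app SQLite database and flags values in secret-looking columns that are not SHA-512 digests. The table name `hubs`, its columns, the column-name heuristic and all sample values are constructed for illustration.

```python
import hashlib
import re
import sqlite3

# Heuristic for secret-bearing column names (an assumption, not taken from the app).
SECRET_NAME = re.compile(r"pass(word|wd)?|secret|token", re.I)
# A SHA-512 digest written as hex is exactly 128 hex characters.
SHA512_HEX = re.compile(r"[0-9a-fA-F]{128}")


def classify(value):
    """Label a stored value: 'empty', 'sha512-raw', 'sha512-hex' or 'not-sha512'."""
    if value is None or value == "" or value == b"":
        return "empty"
    if isinstance(value, bytes):
        if len(value) == 64:  # raw 64-byte BLOB form of a SHA-512 digest
            return "sha512-raw"
        value = value.decode("utf-8", "replace")
    return "sha512-hex" if SHA512_HEX.fullmatch(str(value)) else "not-sha512"


def audit(conn):
    """Return (table, column, rowid, label) for each value in a secret-looking column."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')]
        for col in filter(SECRET_NAME.search, cols):
            query = f'SELECT rowid, "{col}" FROM "{table}"'
            for rowid, value in conn.execute(query):
                findings.append((table, col, rowid, classify(value)))
    return findings


def demo():
    """Audit a constructed in-memory database (hypothetical schema and values)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hubs (serial TEXT, password TEXT)")
    digest = hashlib.sha512(b"constructed-random-password").hexdigest()
    conn.executemany("INSERT INTO hubs VALUES (?, ?)", [
        ("HUB-0001", digest),                 # initial pairing: random password, hashed
        ("HUB-0002", "constructed-user-pw"),  # user-set password, stored as typed
    ])
    return audit(conn)


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A `not-sha512` label means the value needs a manual look; it does not by itself prove the value is a clear-text password.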