madefert.blogg.se

Chamberlain myq home control

The idea of controlling your garage door remotely and verifying that everything is secure at home, or having packages delivered directly into your garage, is enticing for many people. The convenience that many of these IoT devices provide often persuades consumers away from thinking about the possible security concerns.

McAfee Advanced Threat Research recently investigated Chamberlain’s MyQ Hub, a “Universal” garage door automation platform. The way Chamberlain has made this device universal is via a Hub, which acts as a new garage door opener, similar to the one that you would have in your car. This allows the MyQ Hub to retrofit and work with a wide variety of garage doors. We found that Chamberlain did a fairly good job of securing this device, which is typically uncommon for IoT devices. However, we discovered that there is a flaw in the way the MyQ Hub communicates with the remote sensor over radio frequencies.

From an attack perspective there are three main vectors that we began to look at: local network, remote access (API, or third-party integration), and RF communications between the sensor and the Hub.

The first thing we attempted was to gain access to the device via the local network. A quick port scan of the device revealed that it was listening on port 80. When attempting to navigate to the device at port 80 it would redirect to start.html and return a 404 error. No other ports were open on the device.

Disassembling the Hub revealed a small SOC (system on a chip) module that was handling the Wi-Fi and web communications and a secondary PIC microcontroller which was responsible for controlling the RF side of things for both the garage door and the remote door sensor. The MyQ Hub listed on FCC’s website also included a Bluetooth module that was not present on the two MyQ Hubs that we purchased.

The UART connection was disconnected or not enabled, but the JTAG connection worked to communicate directly with the main Wi-Fi module. With the JTAG connection we were able to dump the entire contents of the flash chip and debug the system unrestricted. The main Wi-Fi module was a Marvell microcontroller that was running an RTOS (Real Time Operating System), which behaves much differently than a normal Linux system. While it will still run predefined applications, RTOSes usually don’t have a filesystem like traditional systems do. We extracted the entire contents of the Marvell microprocessor, and were able to analyze the assembly and determine how the web server behaves.

From looking through the web server code we were able to identify how the device is set up through the local API, as well as finding some interesting, albeit not very useful, commands that we could send. There were more URLs that we found to be accessible and some additional API paths, but nothing stood out as a good place to start an attack from. At this point we decided to investigate the other attack vectors.

We didn’t spend too much time looking into the third-party attack vector and remote API since it becomes sort of a gray area for researching. While we were testing with the /sys/mode API call we were able to put the device into a soft factory reset, where we were able to attempt to add the device to a different account. From capturing the SSL traffic on the mobile application, we were able to see that it was failing since the serial number was already registered to another account. We used a technique called SSL unpinning to decrypt traffic from the Android application; we’ll post a future blog explaining this process in greater detail. One thing that we wanted to try was to modify the Android app to send a different serial number. Since we don’t believe that the device ever cleared the original garage door information, we could have potentially opened the device from the new account. However, this is all speculation and was not tested because we didn’t want to access the remote API.










