Foone🏳️⚧️
good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products.
it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?
Ryan Castellucci :nonbinary_flag:
@foone 🍿
Foone🏳️⚧️
this is deeply embarrassing. I have lists of their duckduckgo and google searches for the programming problems they were having building this product.
no programmer should ever have that personal shame shared with the world. let alone included on every microSD card your company ships!
Foone🏳️⚧️
oh sweet jesus they logged into slack from this machine('s image)
I have their chrome profile, with history and cookies and shit!
Foone🏳️⚧️
this might be UPS trucks. I should probably not query any of these GPS histories
Foone🏳️⚧️
also they're spamming 9 lines to syslog every minute.
this is a microsd card in a raspi, guys! you are going to fry your fucking card by running out of write cycles. That's not a good idea in any raspi application, especially not an IoT one
Foone🏳️⚧️
also, you punks are writing python 2 code in 2021? come on, who does that?
I mean, I do all the time, but I'm a known retrocomputerist. I run Windows 95 and MS-DOS regularly. of course I'm using a wildly outdated programming language. I'm not making a product I sell to customers!
Foone🏳️⚧️
oh cool you can pull the GPS history of a truck from azure without any login, you just need to know the device ID.
Foone🏳️⚧️
I've also been able to de-stealth a "stealth startup" on linked in.
because this has commits from different users, and I can just look up on linkedin what stealth-startup all those people work/worked at and then look at the name on the IoT box I'm holding
Foone🏳️⚧️
oh sweet jesus
they automatically scp up some logs to a server somewhere. Did they set up keys so that authorized devices could log in automatically without passwords?
NOPE THEY USED SSHPASS
Foone🏳️⚧️
well I'm putting this away so I don't accidentally hack them.
Foone🏳️⚧️
I have a file here with multiple lines like:
sudo sshpass -p PASSWORDHERE scp /path/system/network.log USERNAME@IPADDRESS:/home/manufacturing/
Polychrome :blabcat:
Haelwenn /элвэн/ :triskell:
Pleroma-tan
Foone🏳️⚧️
@kirby their company is only two cities over it would be trivial for them to find and arrest me!
Jens Finkhäuser
@foone @kirby Share this info with someone and let them do the hack? No, no, that'd be a criminal conspiracy, I cannot recommend this.
Foone🏳️⚧️
Also I'm a reverse engineer. There's no reverse engineering here!
I unscrewed the box, pulled out the raspi, pulled the SD card out, put it in my laptop, and it automounted. I then looked at some files while making a disgusted face.
That's not reverse engineering! That's just lookin'
Foone🏳️⚧️
this is one of the many reasons I'm not a security researcher.
it's a target rich environment.
:umu: :umu:
GuySoft
Mx Amber Alex (she/it)
@foone in Germany, which is infamously backwards and close-minded about i.e. disclosing 0days, you could go to prison for this.
Germany recently sentenced a software engineer to huge fines for cybercrimes, in a years-long trial that destroyed his career, because he found a plaintext password in a file, told the company about that vulnerability, and went public with it when they bitched at him what business he had finding vulnerabilities in their product (a client of theirs had hired him to figure out why his servers were crashing or smth) (and ofc he waited with the going public until the vuln was closed).
DeterioratedStucco
@foone
Dev to grumbly tester: "Hey, it works on my machine :) "
Overhearing PM: "Right, let's ship your machine then!"
GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.
All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.