How I freed my pool heat pump from an unencrypted cloud server in China

#Tech


The author found that the pool heat pump connected over Wi-Fi to an unencrypted server hosted on Alibaba Cloud in China, which raised security concerns.

Using network sniffing, a proxy (mitmproxy) and reverse engineering, the author eventually cut the connection to that server and built a Docker container that exposes the heat pump as a local REST API.

The investigation showed that the pump's Wi-Fi module (a Hi-Flying HF-LPB130) allows the cloud server to be changed via AT+ commands, and that the setup had potential security weaknesses, such as the ability to control other users' heat pumps.

The author's solution uses the Modbus protocol and a decoded map of the device's registers to control the pump locally, removing the dependency on a third-party server.
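The summary mentions Modbus and register parsing but shows no frames. The block below is an added example, not code from the original article or its Docker project: it builds a Modbus TCP "Read Holding Registers" request, validates and parses the reply (including the device's exception-response form), and decodes the raw registers through a register map. That map, the scaling factors and the sample response bytes are constructed placeholders; the page does not give the heat pump's real addresses or encoding.

```python
"""Modbus TCP round trip for reading a device's holding registers.

Added example. The register map below is hypothetical: the page does not
publish the AcquaSource unit's real register addresses or scaling.
"""
import struct

# MBAP header: transaction id, protocol id (always 0), length, unit id
MBAP_HEADER = struct.Struct(">HHHB")
FC_READ_HOLDING = 0x03

# Hypothetical register map: name -> (register offset, scale, signed?)
REGISTER_MAP = {
    "water_temp_c": (0, 0.1, True),
    "setpoint_c": (1, 0.1, True),
    "mode": (2, 1, False),
}


def build_read_request(unit_id, start_addr, count, transaction_id=1):
    """Encode a Read Holding Registers request (function code 0x03)."""
    pdu = struct.pack(">BHH", FC_READ_HOLDING, start_addr, count)
    # MBAP length counts the unit id byte plus the PDU.
    header = MBAP_HEADER.pack(transaction_id, 0, len(pdu) + 1, unit_id)
    return header + pdu


def parse_read_response(frame, expected_tid, expected_count):
    """Validate the MBAP header and PDU, return the raw 16-bit registers.

    Raises ValueError on malformed frames, mismatched transaction ids and
    Modbus exception responses (function code with the 0x80 bit set).
    """
    if len(frame) < MBAP_HEADER.size + 2:
        raise ValueError("frame too short")
    tid, proto, length, _unit = MBAP_HEADER.unpack_from(frame, 0)
    if proto != 0:
        raise ValueError("not a Modbus TCP frame")
    if tid != expected_tid:
        raise ValueError("transaction id mismatch")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    fc = frame[7]
    if fc == FC_READ_HOLDING | 0x80:
        raise ValueError(f"device returned exception code {frame[8]}")
    if fc != FC_READ_HOLDING:
        raise ValueError(f"unexpected function code {fc:#x}")
    byte_count = frame[8]
    if byte_count != 2 * expected_count or len(frame) != 9 + byte_count:
        raise ValueError("byte count mismatch")
    return list(struct.unpack(f">{expected_count}H", frame[9:9 + byte_count]))


def decode_registers(raw):
    """Apply the (hypothetical) register map: sign handling and scaling."""
    decoded = {}
    for name, (offset, scale, signed) in REGISTER_MAP.items():
        value = raw[offset]
        if signed and value >= 0x8000:
            value -= 0x10000  # two's complement 16-bit
        decoded[name] = value * scale
    return decoded


# Constructed sample reply: tid=1, proto=0, length=9, unit=1, fc=0x03,
# byte count=6, registers 0x011d (285), 0x012c (300), 0x0001 (1).
SAMPLE_RESPONSE = bytes.fromhex("000100000009010306011d012c0001")


def fake_heat_pump(request):
    """Stand-in transport for the demo; a real client would use a socket."""
    if request != build_read_request(1, 0, 3, transaction_id=1):
        raise ValueError("unexpected request")
    return SAMPLE_RESPONSE


def read_heat_pump(send=fake_heat_pump):
    """One request/response cycle through the given transport function."""
    request = build_read_request(1, 0, 3, transaction_id=1)
    raw = parse_read_response(send(request), expected_tid=1, expected_count=3)
    return decode_registers(raw)


if __name__ == "__main__":
    print(read_heat_pump())
```

With a real device, `send` would wrap a TCP socket (or a serial-over-TCP bridge, depending on how the Wi-Fi module forwards Modbus) and the register map would come from the reverse-engineering step. Checking the transaction id and the MBAP length before trusting the payload is what keeps a stale or truncated reply from being decoded as a valid temperature.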

Opening of the original article (English, first 3 paragraphs only)

I have a pre-installed pool heat pump, an “AcquaSource” branded unit, the kind you can buy at any pool store in Europe, which supports WiFi. The app called “Pool Panel” wasn’t pretty, but it worked and I didn’t give it much thought. At one time, the remote control of the pump stopped responding: the pump itself was fine; the panel worked, the temperature held. So I decided to take a deeper look at how it all works.

This is the story of how I got control back, learned a few uncomfortable things along the way, and ended up with a small Docker container that exposes my pool pump as a clean local REST API.

Disclaimer: if you try any of this at home, you’re on your own. I’m describing what I did with my own device on my own network. If you break your device, that’s on you. Also: Don’t poke at devices that aren’t yours.

※ For copyright reasons, only the first 3 paragraphs are quoted. Please read the original for the full article.
