Who can I hire to hack me?


GitHub screenshot "Insert your security key Press the button on your security key device to finish signing in. If it does not have a button, just re-insert it."

I use a password manager. I have 2FA set up on everything. When an organisation asks me to set a recovery question, I generate a 32 character passphrase. I don't use my mother's maiden name or my first pet's birthday on anything sensitive. I monitor my email addresses for breaches, and I regularly check my credit file. I'm doing everything a geek can to protect their online life. Is it enough?

Terence Eden (@edent) on Mastodon: "Is there a market / service for *personal* pen-testing or social…"


Tado API Guide - updated for 2019


Debug screen of a web browser.

Tado is a brilliant smart thermostat. But their API is very poorly documented. This is an updated guide for 2019. I am indebted to Stephen C Phillips' original documentation.

Getting started

You will need:
- A Tado (duh!)
- Your Username (usually your email address)
- Your Password
- A Client Secret

Getting the client secret

I'm using this client secret: wZaRN7rpjn3FoNyF5IFuxg9uMzYJcvOoQ8QWiIqS3hfk6gLhVlG57j5YNoZL2Rtc This secret may change in the future. In the examples, I'll shorten it to…


$3k Bug Bounty - Twitter's OAuth Mistakes


A Twitter login screen. Highlighted is the information that it cannot access your DMs.

Imagine the scenario. You're trying out some cool new Twitter app. It asks you to sign in via OAuth as per usual. You look through the permissions - phew - it doesn't want to access your Direct Messages. You authorise it - whereupon it promptly leaks to the world all your sexts, inappropriate jokes, and dank memes. Tragic! What's going on? Many years ago the official Twitter API keys were leaked. This means that app authors who can't get their app approved by Twitter are still able to…


Musical Roombas!


A list of musical notes and the hex codes needed to make them play on the robot vacuum cleaner

A few years ago, I added WiFi to my Roomba using a 3rd party add-on. Sadly, it looks like Thinking Cleaner, the company which created the WiFi unit, is no longer manufacturing them. But in their latest firmware release, they added a fun new option - the ability to make your Roomba sing!

Terence Eden (@edent) on Mastodon, 20:41 Mon 18 September 2017: "I've hacked @edent_roomba to obey its true master. (You'll want the volume up for this.)" pic.x.com/urd5xuyuj1

The Roomba has a basic spea…


Telnet and Root on the Sercomm iCamera2


A web browser displaying the message "Open Telnet Daemon successfully!"

tldr;
URL: http://[IP]/adm/file.cgi?todo=inject_telnetd
Telnet username: root
Telnet password: Aq0+0009

History

Four years ago to the day, I wrote an exposé of the hideous security failings of Sercomm IP Cameras. The blog has since attracted 200 comments - as people try to unlock their cameras, and find out what flaws they have. Despite my best efforts at contacting Sercomm - the OEM who manufactures the cameras - and the "security" resellers who irresponsibly sell them to unsuspecting …


Renault's Secret Mileage API


Website showing my car and its mileage

Last year I reverse engineered Renault's Electric Car API. One of the curious omissions was mileage - it just doesn't appear there. However! All is not lost. If you log in to your Renault Account - https://www.renault.co.uk/my-account/my-car.html - you'll get details back about your car including its make, model, date of next service, and mileage! Why isn't this in the regular API? Who knows. But here's how to get it programmatically.

API

The API to call is: …


Self-inflicted Denial of Service on GitHub (Disclosed)


I've found an interesting, but low severity, way for a malicious user to selectively deny access to specific GitHub issues and Pull Requests. This doesn't affect the whole site - just targeted pages. It doesn't require elevated permissions, nor any special skills. This is just GitHub punching itself in the face. Here's how it works. An attacker creates thousands of comments in their own repos which contain references to a specific issue or PR in an external repo. When that issue or…


Introducing @FiverFun - silly things on Amazon for under £5


It's nearly Christmas! That means Secret Santa time at work, and the need for little stocking-filler gifts. But where can you find such cheap treats? Aha! I have created a service just for you! https://fiverfun.tumblr.com/ is my new(ish) project. It scours Amazon for the best and/or weirdest things for under a fiver! At the moment the site posts updates 3 times per day - and you can also follow it on Twitter. It has been fascinating to see what people buy - as part of Amazon's affiliate…


Should you open your WiFi during a disaster?


Graphic from the Italian Red Cross urging people to open up their WiFi.

There has been a terrible natural disaster in Italy. A huge quake has broken a city. Rescue teams race to the scene to try to save lives and stabilise the situation. During the rescue efforts, the Italian Red Cross sends this tweet:

Croce Rossa Italiana (@crocerossa), 09:59 Wed 24 August 2016: "#Terremoto [Earthquake], to facilitate communications and rescue operations we invite you to remove the password from your wi-fi network" pic.x.com/u9baz8f7wg

It says "To facilitate communications and rescue op…


Easy APIs Without Authentication


A pet cat typing on a computer keyboard.

This is a curated list of APIs which do not require usernames, passwords, access tokens, signing, accept-headers, or anything more complicated than sticking a URL in a browser. (This is an update to my post from two years ago.) When I introduce people to the concept of using RESTful APIs, they immediately get how powerful it is to retrieve information from the Internet and then manipulate it in software. I used to give Twitter and Flickr as examples - they're both fairly well known and have…


Disclosed - Lifx Security Issue


I love my Lifx Bulbs. They're a quick and easy way to retrofit Internet connected goodies into a smart-home. One of the best things about them is their open API. Sure, you can use IFTTT if you want something easy - but us 1337 hax0rs want an API and Lifx provides it. The API is pretty secure - good use of OAuth and tokens to make sure whatever you're building is resistant to infiltration. I mean, imagine if someone hacked your lightbulbs and ... err... switched off the light while you were …


The absolute horror of WiFi light switches


I've just got a WiFi light switch. As I've explained previously, swapping out all my existing light bulbs with Smart Bulbs would be hugely expensive and has the disadvantage of not working when the switches are off at the wall. A WiFi light switch (theoretically) allows me to control the lights from my phone - and anyone else to use the physical buttons on the wall. That helps avoid this scenario:

Cate (@c8ters): "When you're house sitting for millennials and ask how the lights work…"
