Update 4 on iOS smart home application analysis

During the past week, I focused mainly on the dynamic analysis of the Wemo switch and the Wemo app. It first caught my interest because I had heard that the app kept communicating with its server even with a man-in-the-middle proxy in place, essentially disregarding any SSL/TLS error handling. I spent some time getting familiar with the MITM tool Bettercap in order to perform the dynamic analysis.


Side note: I had to spend a whole day just getting Bettercap to work on my computer. The most current version of Bettercap is 2.7. It is written in Go, so I had to install Go in addition to it. In the end it did not work on Windows (I later found out that it can work on Windows, but only after following a page of instructions). I then tried installing it on Linux, but the interface of 2.7 is completely different from the legacy version 1.6.2, which I had used a little before. Although the most recent version is supposedly better than the legacy one, I found the legacy version much more intuitive and informative, so I spent additional time replacing the current version with the legacy one.


After setting up and familiarizing myself with Bettercap, I ran it as an HTTPS proxy and tried to intercept traffic from both the Wemo app and the Wemo switch. Interestingly, neither of them stopped working or objected to communicating over an insecure channel. That would mean they do not handle SSL errors at all, or so I believed. After running a thorough black-box test of how and what data is transmitted from the Wemo app to the Wemo switch and discussing the results with my adviser, we figured out that the Wemo app actually talks to its server over an alternative port rather than the standard one. That is probably why we could not see any traffic flowing from the Wemo app to the server even with our HTTPS proxy in the middle: a proxy listening only on the standard port never touches that connection, so the absence of errors says nothing yet about whether the app validates certificates.
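As an added example (my own illustration, not code from the original write-up, from Wemo, or from Bettercap): before pointing a proxy at a non-standard port, it helps to know which ports actually carry TLS. The script below inspects the first payload bytes of each outbound TCP connection for a TLS ClientHello record, extracts the SNI host name, and reports every TLS handshake that is not on port 443. The flows, port numbers and host names are constructed placeholders, not real Wemo endpoints.

```python
import struct


def _build_client_hello(server_name: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying an SNI extension.

    Constructed sample data for this example only, not captured from any device.
    """
    host = server_name.encode("ascii")
    # server_name extension body: list length, name type 0 (host_name), name length, name
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host
    sni_ext_body = struct.pack("!H", len(sni_entry)) + sni_entry
    extensions = struct.pack("!HH", 0x0000, len(sni_ext_body)) + sni_ext_body
    body = (
        b"\x03\x03"              # client_version: TLS 1.2
        + b"\x00" * 32           # random (zeroed for the sample)
        + b"\x00"                # session_id length 0
        + b"\x00\x02\xc0\x2f"    # cipher_suites: length 2, one suite
        + b"\x01\x00"            # compression_methods: length 1, null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(payload: bytes):
    """Return the SNI host name if payload starts with a TLS ClientHello.

    Returns None when the payload is not a ClientHello, and "" when it is a
    ClientHello without a server_name extension.
    """
    if len(payload) < 5 or payload[0] != 0x16 or payload[1] != 0x03:
        return None                       # not a TLS handshake record
    record_len = struct.unpack("!H", payload[3:5])[0]
    hs = payload[5:5 + record_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None                       # handshake record, but not a ClientHello
    pos = 4 + 2 + 32                      # skip handshake header, version, random
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                    # session_id
    if pos + 2 > len(hs):
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
    if pos >= len(hs):
        return None
    pos += 1 + hs[pos]                    # compression_methods
    if pos + 2 > len(hs):
        return ""                         # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= min(ext_end, len(hs)):
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0 and elen >= 5:      # server_name extension
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
        pos += elen
    return ""


def find_tls_ports(flows, standard_ports=(443,)):
    """Report (port, sni) for every TLS ClientHello seen on a non-standard port.

    flows is an iterable of (destination_port, first_client_payload) pairs, the
    sort of thing you would pull out of a packet capture of the app's traffic.
    """
    findings = []
    for port, payload in flows:
        sni = parse_client_hello(payload)
        if sni is not None and port not in standard_ports:
            findings.append((port, sni))
    return findings


# Constructed sample flows with placeholder host names (not real Wemo endpoints).
SAMPLE_FLOWS = [
    (443, _build_client_hello("standard.example.net")),
    (8443, _build_client_hello("cloud.example.invalid")),
    (80, b"GET / HTTP/1.1\r\nHost: plain.example.invalid\r\n\r\n"),
    # TLS record whose handshake type is 2 (ServerHello), so it is not a ClientHello
    (49153, b"\x16\x03\x01\x00\x05\x02\x00\x00\x01\x00"),
]

if __name__ == "__main__":
    for port, sni in find_tls_ports(SAMPLE_FLOWS):
        print(f"TLS ClientHello on non-standard port {port} for {sni!r}")
```

Run against real captures, the port list this produces tells you where to listen with the proxy; the SNI also tells you which certificate the proxy would need to present, which is what makes the app's acceptance or rejection of it a meaningful test of its certificate validation.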


My plan for the upcoming week is to move my HTTPS proxy to the same port the Wemo app is using and see whether I can observe anything flowing through that channel. This should give me a closer look at the communication method they use and help identify possible vulnerabilities. In addition, I want to install more apps from the App Store and perform more dynamic analysis to see how each of them reacts to an insecure communication channel.