# Aerogarden explorations
## Background
I recently got into hydroponics by way of an [Aerogarden Bounty](https://www.aerogarden.com/new-aerogarden-bounty.html), a plug and play system for maintaining a small garden indoors.
Some versions in the product line offer Wi-Fi connectivity, which enables you to configure the device from your cell phone with their proprietary app (available on the app store), as well as verify its settings. Configuration via cell phone alone makes it worth it, as the small touch screen interface can be fairly inconvenient (though it gets the job done).
While my lettuce is doing great, I've been thinking about creating a dashboard for my (now multiple) aerogardens, to track progress, while also giving me a place to integrate with other data sources. In particular, I am designing a continuous pH monitoring system for my gardens and would like to have access to that data in one place.
_Two black seeded simpson, one Parris Island_.
Searching around online yielded few results; the most promising project seemed to be a [homeassistant integration](https://github.com/ksheumaker/homeassistant-aerogarden) but on further inspection, that integration was limited to directly [polling the aerogarden servers](https://community.home-assistant.io/t/first-timer-trying-to-convert-a-working-script-to-create-support-for-a-new-platform/22503), as opposed to querying the aerogarden device itself.
## Approach
I set out to gather as much information as I could on the communications originating from the aerogarden. I knew that if I wanted to see the communications _from_ the aerogarden, I would need to somehow get it to connect to a Wi-Fi access point that would allow me to inspect all of the traffic.
### TinyCheck
While it is certainly possible to configure a network interface to enter monitor mode and play around with things to get the traffic I was looking for, I wanted to move a bit faster. I found a project, [TinyCheck](https://github.com/KasperskyLab/TinyCheck), that was basically everything I was looking for in a single repo. With TinyCheck running on a raspi that doubles as my [OctoPrint server](https://octoprint.org/) with an extra Wi-Fi interface (in my case, a [TP-Link WN722N v2.0](https://github.com/AIRCRACK-NG/RTL8188EUS)), I was off to the races.
## Man-in-the-middle
After a [tiny change](https://github.com/vagelim/TinyCheck/commit/0a65632cf3c5b2d1df93e431d7ed3f93f00d79c2) to set up a static access point (as I figured I would be playing for a while, disconnecting/reconnecting and didn't want to have to keep entering Wi-Fi configuration details on the aerogarden's tiny screen), I changed the aerogarden's settings to connect to my new access point and left it running for a few hours.
### Traffic spotted
After loading up the resulting pcap file in [Wireshark](https://www.wireshark.org/), I was greeted with initial success!
Immediately I noticed the DNS query for app1.aerogarden.com.
It only got better from there, though. I kept looking through the data and quickly found an unencrypted HTTP stream, querying the host from the initial DNS query.
Taking the IP from the server's response, I used it to filter the capture for traffic to or from that IP.
And finally, I landed upon an interesting payload:
So the device was communicating over a websocket connection, and seemed to be sending commands to the device (blue), resulting in encoded/encrypted responses (red).
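The same triage (DNS answer, then traffic to the resolved IP, then the cleartext WebSocket upgrade) can be scripted when auditing a device capture. This is an added example, not code from the original post: the packet tuples, the 192.0.2.10 address and the `/example` path are constructed placeholders, and in practice the payloads would be pulled from the pcap.

```python
import struct

def dns_name(msg, off):
    """Decode the DNS name at `off`; return (name, offset just past it)."""
    labels, end = [], None
    for _ in range(128):                       # bound compression-pointer chains
        n = msg[off]
        if n & 0xC0 == 0xC0:                   # pointer to an earlier name
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels), (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("malformed DNS name")

def dns_a_records(msg):
    """Map each IPv4 address in a DNS response to the name that was queried."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off, qname, out = 12, None, {}
    for _ in range(qd):
        qname, off = dns_name(msg, off)
        off += 4                               # skip QTYPE and QCLASS
    for _ in range(an):
        _owner, off = dns_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:          # A record
            out[".".join(map(str, msg[off + 10:off + 14]))] = qname
        off += 10 + rdlen
    return out

def cleartext_findings(packets):   # (proto, src_port, dst_ip, payload) tuples
    resolved, findings = {}, []
    for proto, sport, dst, payload in packets:
        if proto == "udp" and sport == 53:     # DNS response: learn name -> IP
            resolved.update(dns_a_records(payload))
        elif proto == "tcp" and payload.startswith((b"GET ", b"POST ", b"PUT ")):
            head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
            findings.append({"ip": dst, "name": resolved.get(dst),
                             "request": head.split("\r\n")[0],
                             "websocket": "upgrade: websocket" in head.lower()})
    return findings

# Constructed sample (not from the post's capture); 192.0.2.10 and /example are placeholders.
DNS = (bytes.fromhex("123481800001000100000000") + b"\x04app1\x0aaerogarden\x03com\x00"
       + bytes.fromhex("00010001" "c00c" "00010001" "0000003c" "0004" "c000020a"))
HTTP = b"GET /example HTTP/1.1\r\nHost: app1.aerogarden.com\r\nUpgrade: websocket\r\n\r\n"
SAMPLE = [("udp", 53, "192.168.100.2", DNS), ("tcp", 49152, "192.0.2.10", HTTP)]
```

Any entry returned by `cleartext_findings(SAMPLE)` is a request an on-path observer can read in full; TLS traffic is not flagged because its payload does not start with an HTTP method.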
## Exploitation?
Though there's still more to explore, particularly the response data, I was interested in seeing if I could convince my aerogarden to talk to an HTTP server of my own choosing, with the ultimate goal of eventually getting it to talk to a websocket server under my control.
I added a DNS entry to the `/etc/hosts` file of the access point, pointing app1.aerogarden.com to an nginx server on my LAN and tried once more.
_To Be Continued_
[](https://github.com/vagelim)