Saturday, May 17, 2014

Hack Your Homeplug?


It's 1:10am Saturday (just TGIF-ed) and I'm overly excited over.... *drum rrroll* - homeplugs!
Apparently they are quite accessible. =D A cursory search over the internet led me to Zibri's blog, which then directed me to this pretty nifty tool called 'faifa'. You could git clone from OR perform 'apt-get install faifa', assuming you're using the right operating system. ;)

It's only been 10 min since discovery, but let me break down some tiny roadblocks on the 'getting started' portion for your convenience!

Getting started:
1. Go get a homeplug - buy, borrow or steal.
2. Look at the back of the homeplug and snap a nice photograph such as the one below.
3. Note i) the Device Password and ii) the MAC address <== extremely essential
Write the 'DEVICE PASSWORD' & 'MAC ADDRESS' down - you'll need both of them

Accessing The Homeplug via Linux and the magnificent Ethernet cable:
4. Proceed to download the 'faifa' tool via "apt-get install faifa" OR git clone
5. Run the tool:
CMD: faifa -i <your_interface> -a <homeplug_mac_address> -k <homeplug_device_password_without_dashes> -m

e.g. # faifa -i eth0 -a 00:26:75:11:22:33 -k ABCDEFGHIJKLMNOP -m

Shiny commands at your disposal! The -m flag displays the menu of available commands.

6. Pick your command of choice (e.g. 0xA054 - to get the manufacturer string)
0xA054 works!

7. Next, let's use wire...wait for it... SHARK!
And yes, it can be sniffed! Protocol: HomePlug! =D
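The frames faifa sends in step 5 and Wireshark labels "HomePlug AV" in step 7 share one header, so here is a small decoder, added as an example and not code from this post or from the faifa project: it builds the 0xA054 request from step 6 and parses a constructed reply. The Ethertype 0x88E1, the little-endian MMTYPE with the REQ/CNF/IND/RSP subtype in its low two bits, the 00:B0:52 OUI, the extra fragmentation bytes for MMV 1 and the MSTATUS/MLEN/MSTRING reply layout are assumed from the public HomePlug AV vendor frame format, not taken from the post.

```python
import struct

ETHERTYPE_HPAV = 0x88E1                  # HomePlug AV management frames (Wireshark's "HomePlug AV")
OUI_INTELLON = bytes.fromhex("00b052")   # assumed: OUI carried by Intellon/Qualcomm Atheros vendor MMEs
MMTYPE_VS_MFG_STRING = 0xA054            # the "manufacturer string" request from step 6
SUBTYPES = {0: "REQ", 1: "CNF", 2: "IND", 3: "RSP"}   # low two bits of MMTYPE

def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def eth_header(dst_mac: str, src_mac: str) -> bytes:
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_HPAV)

def build_mfg_string_req(dst_mac: str, src_mac: str) -> bytes:
    """VS_MFG_STRING.REQ as a raw frame: MMV 0 header, MMTYPE little-endian, then the OUI (layout assumed)."""
    frame = eth_header(dst_mac, src_mac) + struct.pack("<BH", 0x00, MMTYPE_VS_MFG_STRING) + OUI_INTELLON
    return frame.ljust(60, b"\x00")      # pad to the Ethernet minimum frame size, as captures show it

def parse_hpav(frame: bytes) -> dict:
    """Decode the Ethernet + MME header of a captured frame and, for a VS_MFG_STRING.CNF, the string."""
    if len(frame) < 17:
        raise ValueError("truncated frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_HPAV:
        raise ValueError(f"not HomePlug AV: ethertype 0x{ethertype:04x}")
    mmv, mmtype = struct.unpack("<BH", frame[14:17])
    off = 17 + (2 if mmv == 0x01 else 0)   # assumed: AV 1.1 (MMV 1) inserts a 2-byte fragmentation field
    info = {"dst": mac_str(frame[:6]), "src": mac_str(frame[6:12]), "mmv": mmv,
            "mmtype": mmtype & 0xFFFC, "subtype": SUBTYPES[mmtype & 0x3],
            "vendor_specific": (mmtype & 0xE000) == 0xA000}   # MMTYPE bits 15..13 == 101 -> vendor specific
    if info["vendor_specific"]:
        info["oui"] = mac_str(frame[off:off + 3])
        off += 3
    if info["mmtype"] == MMTYPE_VS_MFG_STRING and info["subtype"] == "CNF":
        # assumed reply layout: MSTATUS (1 byte), MLEN (1 byte), MSTRING (MLEN bytes); the rest is padding
        mstatus, mlen = frame[off], frame[off + 1]
        info["mstatus"] = mstatus
        info["mfg_string"] = frame[off + 2:off + 2 + mlen].decode("ascii", "replace")
    return info

# Constructed sample reply (not a real capture): the plug answers 0xA055 (= 0xA054 | CNF) with "Aztech-PLC".
SAMPLE_CNF = (eth_header("02:00:00:00:00:01", "00:26:75:11:22:33")
              + struct.pack("<BH", 0x00, MMTYPE_VS_MFG_STRING | 1) + OUI_INTELLON
              + bytes([0x00, 10]) + b"Aztech-PLC").ljust(60, b"\x00")

if __name__ == "__main__":
    print(parse_hpav(build_mfg_string_req("00:26:75:11:22:33", "02:00:00:00:00:01")))
    print(parse_hpav(SAMPLE_CNF))
```

Nothing in the request authenticates the sender, which is also why a monitoring box on the same segment can simply count 0x88E1 frames to spot unexpected plug management traffic.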

What's next?
- Script a brute-force on the last three bytes of the MAC address to SCAN all connected homeplugs?
- Aztech boasts a "channel encryption" using AES. Ok, so disable it? Circumvent it?
- Or simply fuzz the crap out of it since we've got information from the Wireshark capture. Scapy maybe? :)

1. Special thanks to Zibri -
2. Homeplug chipset hardcore specs -
3. The 'faifa' tool -

For fun but not much profit,
Jeremy S.