←back to thread

Hacking a Smart Home Device (2024)

(jmswrnr.com)
314 points walterbell | 5 comments | 15 Apr 25 03:12 UTC | HN request time: 0.553s | source
1. paranoidrobot ◴[15 Apr 25 05:06 UTC] No.43689144[source]
As far as I can tell it doesn't mention which air purifier.

Knowing that might help influence purchasing decisions for those also interested in a "sleek" air purifier that contains an ESP32.

replies(3): >>43689189 #>>43689368 #>>43690867 #
2. rx_tx ◴[15 Apr 25 05:17 UTC] No.43689189[source]
I suspect hiding the manufacturer/model was very much on purpose, they blurred the markings on the PCB and hid the domain name for the manufacturer's API calls (and in the console logs as well).
replies(1): >>43689468 #
3. deanc ◴[15 Apr 25 05:49 UTC] No.43689368[source]
I highly suspect that this is a Levoit air purifier. I recently purchased a Levoit 300S and had the same issue. The VeSync app connects the device directly over the internet and you can control it via an API on their domain with a username and password. Your air purifier is then a backdoor to your home network. I just put it on a guest network now rather than go through this.
4. timc3 ◴[15 Apr 25 06:06 UTC] No.43689468[source]
I agree, hopefully it helps not getting the article taken down because its a very good primer on getting any ESP based device locally working.
5. rickdeckard ◴[15 Apr 25 10:00 UTC] No.43690867[source]
I guess that is on purpose. After all the article could easily be rewritten as a successful attack on the manufacturer infra using a private key extracted from a device.

So the Authors Home Assistant Integration could be at risk to stop working quite quickly...