
Saved By The (IP) (Door)Bell

A project log for Hacking smart apartments for better living

How I helped my high-rise neighbors remotely control their smart apartments for free

Neighborino, 01/20/2024 at 18:05, 0 Comments

Before I continue the details from my previous log, let's focus back on the building's networking infrastructure a bit. It's actually ironic that, without the need for the 6 building entrances' IP doorbells to call each apartment, and for the weather station on the roof that supplies data to the apartment PLCs (enabling automatic window blind adjustment based on light conditions, and a safety feature where, if the wind speed reaches a certain threshold, the window blinds are automatically raised to prevent any damage), there would be no need to connect all apartments together inside an internal network and possibly leave some vulnerabilities/misconfigurations open to exploitation. But here we are. ;)

I managed to get access to my smart apartment's router/access point configuration by using the device's network boot ability to temporarily boot a custom OpenWrt build which copied the password file from the internal flash storage. Due to the weak encryption used, the password could be decrypted from that file instantly. Geez.

I was then able to deduce the configuration details of all the apartments - it was basically the same except for different IPs and IP ranges. And I did not like what I found - the subcontractor exposed way too many ports and left the job 3/4 done, which explains why there was no after-sales support or monitoring plans - it seems we were in the dark as much as the smart apartment vendor who hired the ex-subcontractor.

Most of the "holes" in the firewalls of each apartment were due to the need to have VoIP calls pass through from the IP doorbells. It seems to me the whole VoIP/SIP architecture is quite complex and convoluted - it reminds me of the Active/Passive modes of FTP, which use many ports for the simple task of transferring files. Anyhow, the VoIP server is actually an Android app made by the IP doorbell vendor which under the hood uses the Linphone stack.

The subcontractor read the VoIP/SIP specifications (and possibly the instructions by the IP doorbell vendor) and happily opened lots of ports, both TCP and UDP. Luckily, one of those ports does not need to be forwarded for the TCP protocol, which my HTTP Python service running on the tablets uses. And remember, the ports already point to the static IP of the wall-mounted tablet, as the IP doorbell app is running on it, too!

So now I had a way in to each apartment, directly to my HTTP Python service running inside an Android app.
