Smart lights have become pervasive in many homes, but they are often designed in a way that makes them completely reliant on the manufacturer's servers and connectivity to the Internet. However, we would much rather be fully in control of our own devices.
As a target, we took on the cheap and popular Tuya white-label smart lights, which are commonly found under many different brand names.
In this talk, we'll take you on a trip through our 1-year journey of hacking these devices, including the details of finding and remotely exploiting a vulnerability in the firmware for devices based on the custom BK7231 SoC.
Smart lights have become pervasive in many homes, but they are often designed in a way that makes them completely reliant on the manufacturer's servers and connectivity to the Internet. However, for people who want full control of their own devices, there weren't many affordable and easily usable options.
One such option became available near the end of 2018 when a vulnerability was discovered in the firmware of smart devices manufactured by Tuya Smart. Shortly after the discovery of this vulnerability, a project by the name of tuya-convert popped up. It allowed its users to remotely flash Tuya devices with custom firmware by exploiting the then-new vulnerability.
By 2020, however, tuya-convert had stopped working for an increasing number of new devices. The manufacturer had patched the vulnerability, and unexploitable devices had begun showing up on the market. That's when we decided to look for the next vulnerability in Tuya's smart devices in order to allow remote custom firmware flashing once more.
We spent some time hacking on early devices which were based on the ESP8266 platform, and a while later switched to the newer devices based on the custom BK7231 SoC. During the course of our research, we found issues in firmware on both platforms and rediscovered some helpful reversing techniques.
In this talk, we'll cover our research journey with its ups and downs on both platforms, as well as the details of a memory corruption vulnerability which we exploited on the BK7231-based devices.