During an engagement a while ago, I got to do some fan hacking!
Fan Hacking – Introduction
I was on a wireless engagement with Eric some time ago, and we weren’t having much luck.
That said, I was able to gain control of a few ceiling fans, and I wanted to share how.
We were initially hoping to use them to pivot to another network, but they weren’t connected to any.
I have run across this issue in other places as well, and it is a fun party/drinking trick.
While walking around, we saw a few open access points in the format of “Haiku_Ex:01:23”.
We weren’t sure what these were, so we connected to one of them.
After a few Google searches, we discovered that these SSIDs belonged to Haiku fans.
This sounded interesting, so I downloaded the app and sat down.
Fan Hacking – Connecting and “Registering”
After I installed the app, I opened it up, and I saw the Haiku splash screen.
Unfortunately, the first screen was a Login page mentioning how to control devices.
In this case, I decided to test the registration functionality, to see what it would do. First, I created the very legit sounding, “Fake User”.
Next, I created the account using an e-mail address that I obviously controlled.
Unfortunately, after creating the account, I got to a screen that asked me to activate my account.
That said, clicking “Activate account later” seemed to do something, as the app showed a different Haiku splash.
After a few seconds, I received a message about the app, fan, or something else “Updating”. That said, I had no control over anything, and wasn’t sure if I had successfully registered.
Three minutes later, the app was verifying my my update, although I did not know what for.
After the app verified my update, I got to a screen that said it was still doing things.
A few minutes later, I connected to the fan, and had access to the administrative menus!
Configuration and Control (Fan C2)
First, when I was in control, I took a quick look at the “Fan Configuration” menu. This had information about the devices, timezone, as well as a few other settings.
I was hoping that the network configuration would show us that the fan was dual homed, but this wasn’t the case.
When we realized that we weren’t going to own any internal networks via a fan, we decided to check out some of the controls.
There was an event scheduling function, which would be nice for mornings/evenings/travel.
Whoosh mode sounded interesting, but I’m honestly not sure what I would use it for.
Sleep mode looked like an easier UI than event scheduling, if you were just using it for mornings/evenings.
Finally, I went to the main menu, and the basic fan control.
From here, I turned the fan off, reversed the direction, and changed speeds a few times. It was fun to prove that we had full control, and our client had a fun time with this demonstration. Here is a short video of a few of the hijinks.
Fan Hacking – Conclusion
While we didn’t reach our goals, this was still a fun hack.
I’ve been able to pull of this trick in a bar with friends as well, which was awesome.
Not exactly the exploitation I was expecting after finishing my OSCE, but it was a nice break!
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he’s done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!
He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.
This page contains links to products that I may receive compensation from at no additional cost to you. View my Affiliate Disclosure page here. As an Amazon Associate, I earn from qualifying purchases.