Fan Hacking 101 – All Your Fans are Belong to Us

During an engagement a while ago, I got to do some fan hacking!

Fan Hacking - Introduction

I was on a wireless engagement with Eric some time ago, and we weren't having much luck.

That said, I was able to gain control of a few ceiling fans, and I wanted to share how.

We were initially hoping to use them to pivot to another network, but they weren't connected to any.

I have run across this issue in other places as well, and it is a fun party/drinking trick.

Target Discovery

While walking around, we saw a few open access points in the format of "Haiku_Ex:01:23".

Fan Hacking - SSIDs

We weren't sure what these were, so we connected to one of them.

Connected

After a few Google searches, we discovered that these SSIDs belonged to Haiku fans.

This sounded interesting, so I downloaded the app and sat down.
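Finding the fans in the first place is a triage problem: out of everything a wireless scan returns, which networks are open and which carry a vendor-style SSID? As an added example (this is not code from the original post or from the fan vendor), here is how I would filter terse NetworkManager output for that. It assumes the output of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list`, and it assumes the SSID suffix is three hex pairs, since the post only shows "Haiku_Ex:01:23"; the scan lines below are constructed, not a real capture.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list` output
# (not a real capture). In terse (-t) mode nmcli separates fields with ':' and
# escapes literal colons inside a field as '\:', so both the SSID suffix and the
# BSSID come out backslash-escaped; an empty SECURITY field means an open network.
SAMPLE_SCAN = r"""Haiku_E4\:01\:23:AA\:BB\:CC\:E4\:01\:23:
Haiku_E4\:01\:24:AA\:BB\:CC\:E4\:01\:24:
CorpWiFi:10\:20\:30\:40\:50\:60:WPA2 802.1X
GuestWiFi:10\:20\:30\:40\:50\:61:WPA2
Haiku_E4\:01\:25:AA\:BB\:CC\:E4\:01\:25:WPA2
"""

# Assumed SSID pattern for the fans: "Haiku_" followed by three hex pairs. The post
# shows "Haiku_Ex:01:23", so the hex assumption is mine, not the post's.
HAIKU_SSID = re.compile(r"^Haiku_[0-9A-F]{2}:[0-9A-F]{2}:[0-9A-F]{2}$", re.IGNORECASE)


@dataclass
class AccessPoint:
    ssid: str
    bssid: str
    security: str

    @property
    def is_open(self) -> bool:
        # nmcli prints an empty SECURITY field for networks with no encryption.
        return self.security.strip() == ""


def split_terse(line: str) -> List[str]:
    """Split one nmcli -t line on unescaped ':' and unescape '\\:' inside fields.

    A naive line.split(':') would shred every BSSID and every Haiku SSID.
    """
    fields, current, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            current.append(line[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ":":
            fields.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    fields.append("".join(current))
    return fields


def parse_scan(text: str) -> List[AccessPoint]:
    """Turn terse nmcli output (fields SSID,BSSID,SECURITY) into AccessPoint records."""
    aps = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = split_terse(line)
        if len(fields) != 3:
            # Wrong field count: a different -f list or a mangled line; skip it.
            continue
        ssid, bssid, security = fields
        aps.append(AccessPoint(ssid=ssid, bssid=bssid.upper(), security=security))
    return aps


def find_open_fans(text: str) -> List[AccessPoint]:
    """Return the open access points whose SSID matches the assumed Haiku pattern."""
    return [ap for ap in parse_scan(text) if ap.is_open and HAIKU_SSID.match(ap.ssid)]


if __name__ == "__main__":
    for ap in find_open_fans(SAMPLE_SCAN):
        print(f"open fan AP: ssid={ap.ssid} bssid={ap.bssid}")
```

On a real engagement, feed it the output of `nmcli -t -f SSID,BSSID,SECURITY dev wifi list` instead of the constructed sample. The third Haiku SSID in the sample is deliberately WPA2-protected so the filter shows it is the combination of open security and vendor SSID that gets flagged, not the name alone.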

Fan Hacking - Connecting and "Registering"

After I installed the app, I opened it up, and I saw the Haiku splash screen.

Haiku splash

Unfortunately, the first screen was a Login page mentioning how to control devices.

Sign in

In this case, I decided to test the registration functionality, to see what it would do. First, I created the very legit-sounding "Fake User".

Fan Hacking - Create user

Next, I created the account using an e-mail address that I obviously controlled.

Create account

Unfortunately, after creating the account, I got to a screen that asked me to activate my account.

Activate account

That said, clicking "Activate account later" seemed to do something, as the app showed a different Haiku splash.

Fan Hacking - Second splash

After a few seconds, I received a message about the app, fan, or something else "Updating". That said, I had no control over anything, and wasn't sure if I had successfully registered.

Fan Hacking - Updating

Three minutes later, the app was verifying my update, although I did not know what for.

Verifying

After the app verified my update, I got to a screen that said it was still doing things.

Checking versions

A few minutes later, I connected to the fan, and had access to the administrative menus!

Configuration and Control (Fan C2)

First, when I was in control, I took a quick look at the "Fan Configuration" menu. This had information about the device, the timezone, and a few other settings.

Fan Hacking - Configuration

More configuration

I was hoping that the network configuration would show us that the fan was dual homed, but this wasn't the case.

Network config

When we realized that we weren't going to own any internal networks via a fan, we decided to check out some of the controls.

There was an event scheduling function, which would be nice for mornings/evenings/travel.

New Event

Whoosh mode sounded interesting, but I'm honestly not sure what I would use it for.

Whoosh Mode

Sleep mode looked like an easier UI than event scheduling, if you were just using it for mornings/evenings.

Sleep Mode

Finally, I went to the main menu, and the basic fan control.

Fan Hacking - Fan control

From here, I turned the fan off, reversed the direction, and changed speeds a few times. It was fun to prove that we had full control, and our client had a fun time with this demonstration. Here is a short video of a few of the hijinks.

Fan Hacking - Conclusion

While we didn't reach our goals, this was still a fun hack.

I've been able to pull off this trick in a bar with friends as well, which was awesome.

Not exactly the exploitation I was expecting after finishing my OSCE, but it was a nice break!

doyler
Ray Doyle is an avid pentester/security enthusiast/beer connoisseur who has worked in IT for almost 16 years now. From building machines and the software on them, to breaking into them and tearing it all down; he's done it all. To show for it, he has obtained an OSCE, OSCP, eCPPT, GXPN, eWPT, eWPTX, SLAE, eMAPT, Security+, ICAgile CP, ITIL v3 Foundation, and even a sabermetrics certification!

He currently serves as a Senior Staff Adversarial Engineer for Avalara, and his previous position was a Principal Penetration Testing Consultant for Secureworks.

When he's not figuring out what cert to get next or side project to work on, he enjoys playing video games, traveling, and watching sports.


Filed under Security Not Included
