Full Report
While at a gym, the author noticed a WiFi symbol on a scale. Upon doing further research, they realized that all of the products on Amazon were made by the same OEM with marginally different codebases. The mobile apps were even the same. So, the author decided to try to remotely hack these devices. Before even buying a device, they reverse engineered the mobile app to find APIs. To their horror, the firmware update APIs suffered from simple SQL injections. This let them enumerate devices and their authentication secrets without having the physical box. They required some fun SQLi WAF bypasses to make this work.

From there, they decided to get a shell on the device for further testing. This was done by connecting via UART on one of the scales. This was useful for debugging the linking flow of the scale. In particular, they wanted to know how the API servers communicated with the scale itself and through the user's phone app. The scale would receive credentials for the WiFi via Bluetooth. The device uses mTLS to get a session token for authentication. The user-device association could be done in two ways: one initiated by the user and another by the scale. All of these properly check the deviceid against the session token and other fields, making this pretty solid.

While messing around with the parameters, they were intrigued by the multiple ways to do auth. Eventually, they tried mixing and matching the two flows for tying the user and device together. By providing a user session token but a deviceid header for a device they don't own, the request authenticates as the user but is treated as a device-initiated request because of the header. So, the backend assumes the device is valid when it really isn't. The explanation and the code snippet they provide help a lot with this. Several good bugs! From a blackbox perspective, multiple authentication schemes coming together is tricky to get right.
The SQL injection bug was trivial, but they had to put in other work to find these APIs. You always need to put in the work; it's just in different areas sometimes, such as reverse engineering.
Analysis Summary
# Tool/Technique: Remote API Exploitation via SQL Injection
## Overview
This summarizes the technique used to remotely compromise the user-device association flow of millions of smart weighing machines by exploiting SQL Injection vulnerabilities found in the firmware update APIs. The process involved reverse engineering the mobile application to discover APIs, bypassing a Web Application Firewall (WAF), and then abusing poorly implemented authentication logic.
## Technical Details
- Type: Technique
- Platform: Backend API Servers (likely handling firmware updates and device association logic), Mobile Applications (Android/iOS used for initial analysis/interaction).
- Capabilities: Remote enumeration of devices, extraction of authentication secrets, privilege escalation via user/device association swapping.
- First Seen: Based on the reporting dates, the vulnerability was exploited around late December 2024/early January 2025.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1190 - Exploit Public-Facing Application
- **TA0004 - Privilege Escalation**
- T1068 - Exploitation for Privilege Escalation (Leveraging SQLi to manipulate association logic)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Required WAF bypasses)
## Functionality
### Core Capabilities
- **API Discovery via Reverse Engineering:** Analyzing mobile application code (iOS/Android) to identify backend API endpoints, specifically those related to firmware updates and device association.
- **Remote Credential and Device Enumeration:** Using SQL Injection (SQLi) against firmware update APIs to query the database, allowing the attacker to list connected devices and discover associated authentication secrets without physical access.
- **WAF Bypass:** Employing various SQL Injection techniques ("fun SQLi WAF bypasses") to successfully inject malicious payloads past protective web filters.
### Advanced Features
- **Authentication Logic Confusion/Bypass:** The primary high-impact technique involved exploiting flawed logic in the user-device association endpoints. By mixing credentials from a valid user session token with an attacker-controlled `deviceid` in headers, the system incorrectly authenticated the request as a (trusted) device-initiated flow, effectively allowing an attacker to re-associate an existing device to their own account.
- **Hardware Reconnaissance:** A UART connection was used on a physical device (a scale) to debug the linking flow, specifically how the API servers communicated with the scale through the user's phone app, aiding in understanding the authentication mechanism.
- **Bluetooth Analysis:** Used knowledge of the BLE protocol to understand how WiFi credentials were passed to the scale.
## Indicators of Compromise
- File Hashes: N/A (Directly targeting backend infrastructure/APIs)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Exploitation targeted application servers handling device association requests (Nature of API endpoints not specified, but inferred to be internet-facing).
- Behavioral Indicators: Unexpected database queries originating from API endpoints handling device configuration or software updates; unusual authentication sequences during device pairing/association attempts.
## Associated Threat Actors
- The vulnerability was discovered and exploited by the individual author/researcher mentioned in the article (Spaceraccoon). It is not explicitly attributed to a known threat group.
## Detection Methods
- **Signature-based detection:** Detecting known SQLi payload patterns, particularly those used for the WAF bypass.
- **Behavioral detection:** Monitoring API endpoints responsible for device configuration and firmware updates for input that deviates from expected parameters (e.g., unexpected characters, excessive query lengths).
- **Code Review/Logic Auditing:** Detecting the specific authentication flaw where device association logic fails to cross-reference the session token identity with the claimed device ID ownership across both user-initiated and device-initiated flows.
## Mitigation Strategies
- **Input Validation and Sanitization:** Implementing robust parameterized queries or prepared statements for all database interactions, specifically where user or device-supplied data is used in SQL queries (to prevent SQLi).
- **Strong Authentication Context:** Ensuring that the session token (`Session-Id` or `sessionidtoken`) context strictly validates the identity associated with the `deviceid` being acted upon, regardless of which flow type the request attempts to mimic.
- **Principle of Least Privilege:** Ensuring API systems that handle sensitive operations (like device linking) do not expose unnecessary database structures or secrets via error messages or successful enumeration attempts.
- **Mutual TLS (mTLS):** While the devices use mTLS for session token retrieval, API endpoints must ensure this token is validated against the authenticated peer identity.
- **WAF Configuration:** Tuning WAF rules to effectively catch known evasion tactics used against SQL injection attempts.
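The logic flaw described under Advanced Features and the "Strong Authentication Context" mitigation above, modelled as an added example (not code from the original write-up or the vendor's backend): a flawed association handler that picks the flow type from the presence of a `deviceid` header, next to a hardened one that derives the flow type from the credential itself. The table contents, the pairing-secret check in the user-initiated flow, and the `Session-Id` header semantics are assumptions constructed for the example.

```python
import hmac

# Constructed sample backend state (an assumption about how the tables look).
USER_SESSIONS = {"user-token-mallory": "mallory"}      # user session tokens
DEVICE_SESSIONS = {"dev-token-0001": "scale-0001"}      # tokens issued to devices after mTLS
DEVICE_SECRETS = {"scale-0001": "pairing-secret-0001"}  # ownership proof for the user flow


class AuthError(Exception):
    pass


def _check_pairing_secret(body: dict) -> str:
    """User-initiated flow: the caller names the device and must prove ownership."""
    device_id = body.get("deviceid")
    expected = DEVICE_SECRETS.get(device_id)
    if expected is None or not hmac.compare_digest(body.get("secret", ""), expected):
        raise AuthError("unknown device or bad pairing secret")
    return device_id


def associate_vulnerable(headers: dict, body: dict) -> tuple:
    """Flawed handler: any valid token authenticates, but the flow type is picked
    from the deviceid header alone, so a user token plus a foreign deviceid skips
    the ownership proof. Returns the (device, user) binding it would store."""
    token = headers.get("Session-Id")
    if token not in USER_SESSIONS and token not in DEVICE_SESSIONS:
        raise AuthError("unknown session token")
    if "deviceid" in headers:                       # "device-initiated" by header alone
        return headers["deviceid"], body["userid"]
    return _check_pairing_secret(body), USER_SESSIONS[token]


def associate_fixed(headers: dict, body: dict) -> tuple:
    """Hardened handler: flow type follows the credential type; in the device flow
    the device identity comes from the credential, and any header must agree."""
    token = headers.get("Session-Id")
    if token in DEVICE_SESSIONS:
        device_id = DEVICE_SESSIONS[token]
        if headers.get("deviceid", device_id) != device_id:
            raise AuthError("deviceid header does not match the authenticated device")
        return device_id, body["userid"]
    if token in USER_SESSIONS:                      # a deviceid header is ignored here
        return _check_pairing_secret(body), USER_SESSIONS[token]
    raise AuthError("unknown session token")


def is_rejected(handler, headers: dict, body: dict) -> bool:
    """True when the handler refuses the request with AuthError."""
    try:
        handler(headers, body)
    except AuthError:
        return True
    return False
```

The mixed request (user token plus someone else's `deviceid` header) yields a binding from the flawed handler and an `AuthError` from the hardened one, while both legitimate flows still succeed against the hardened handler.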
## Related Tools/Techniques
- Generic SQL Injection Attacks
- Mobile Application Reverse Engineering (Static/Dynamic Analysis)
- Bluetooth Low Energy (BLE) Interception/Analysis (Related to initial device setup)
- Firmware Analysis (Implied by the target of the update APIs)