the `TIME LM 37X8` is a 'smart' clock that features:
* internet connectivity to download apps, exchange information
* bluetooth controller to use the internal speaker
* clock with multiple alarms
* web radio tuner
* timer
* stopwatch
initial configuration is similar to Chromecast's: it stands up a WiFi network named `LM7***` based on the serial number of the device.
download the Android/iOS lametric app and walk through connecting it to another wireless network - they do some external access checks with:
* `ntp` requests to `0.pool.ntp.org`
* `dns` resolution of `developer.lametric.com`
* `icmp` requests to `developer.lametric.com`
which has made tricking the device into talking to another endpoint unsuccessful so far, as it also appears to do SSL certificate verification, so sslstrip isn't seeing anything.
through lametric's [developer site](https://developer.lametric.com/), once the device is registered, the API key necessary for talking to the device is displayed
## digging
### nmap
from `nmap -PN -p 1-65535 -sV 172.16.42.219`, we get:
```
PORT STATE SERVICE VERSION
22/tcp open ssh Dropbear sshd 2014.66 (protocol 2.0)
80/tcp open http lighttpd 1.4.35
443/tcp open http lighttpd 1.4.35
4343/tcp open ssl/http lighttpd 1.4.35
8080/tcp open http lighttpd 1.4.35
9001/tcp open tor-orport?
9002/tcp open dynamid?
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
ssh, 4 web servers (likely 2, one each of HTTP and HTTPS), 2 unknowns and a Linux fingerprint. for a clock.
### curl
#### 80 -> 443
```
$ curl -k -vv http://172.16.42.219
* Rebuilt URL to: http://172.16.42.219/
* Trying 172.16.42.219...
* TCP_NODELAY set
* Connected to 172.16.42.219 (172.16.42.219) port 80 (#0)
> GET / HTTP/1.1
> Host: 172.16.42.219
> User-Agent: curl/7.51.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="global"
< Content-Type: application/json; charset=UTF8
< Content-Length: 96
< Date: Fri, 10 Mar 2017 23:58:22 GMT
< Server: lighttpd/1.4.35
<
{
"errors":[
{
"message":"Authorization is required"
}
]
}
* Curl_http_done: called premature == 0
* Connection #0 to host 172.16.42.219 left intact
```
so something is listening there, and it's spitting back JSON, but we don't have credentials yet.
#### 4343
```
$ curl https://172.16.42.219:4343 -k -vv
* Rebuilt URL to: https://172.16.42.219:4343/
...
< HTTP/1.1 404 Not Found
< Content-Type: application/json; charset=UTF8
< Content-Length: 67
< Date: Fri, 10 Mar 2017 22:22:18 GMT
<
{
"errors":[
{
"message":"Resource not found"
}
]
}
```
different port, potentially the same underlying service/data, but this time - does not appear to require credentials.
### wireshark
see some communication between the device and its mobile app:
```
<modelDescription>LaMetric - internet connected clock and smart display</modelDescription>
<modelName>LaMetric Time Battery Edition</modelName>
<modelNumber>SA01</modelNumber>
<modelURL>http://www.lametric.com</modelURL>
<serialNumber><redacted></serialNumber>
<serverId>10478</serverId>
<deviceId>10478</deviceId>
<UDN>uuid:<redacted></UDN>
</device>
</root>
```
this port seems to change, but is easy to find as it is part of an SSDP [UPNP broadcast](#upnp)
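for inventorying what a device like this advertises on the LAN, the SSDP announcement and the description document it points to can be parsed as below. this is an added example, not part of the original notes or lametric's code; the NOTIFY message, address, port, serial and UUID are constructed sample values.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# constructed SSDP NOTIFY; address and port are made-up sample values
SAMPLE_NOTIFY = (
    "NOTIFY * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "CACHE-CONTROL: max-age=1800\r\n"
    "LOCATION: http://192.0.2.10:49152/description.xml\r\n"
    "NT: upnp:rootdevice\r\n"
    "NTS: ssdp:alive\r\n"
    "USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    "\r\n"
)

# constructed description document using element names seen in the capture
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <modelName>LaMetric Time Battery Edition</modelName>
    <modelNumber>SA01</modelNumber>
    <serialNumber>EXAMPLE-SERIAL</serialNumber>
    <UDN>uuid:00000000-0000-0000-0000-000000000000</UDN>
  </device>
</root>"""

FIELDS = ("modelName", "modelNumber", "serialNumber", "UDN")

def ssdp_headers(message):
    """Parse an SSDP message into a dict keyed by lower-cased header name."""
    headers = {}
    for line in message.split("\r\n")[1:]:  # skip the request/status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def description_endpoint(message):
    """Return (host, port) of the description URL advertised in LOCATION."""
    url = urlsplit(ssdp_headers(message)["location"])
    return url.hostname, url.port or 80

def device_summary(xml_text):
    """Pull identifying fields from a UPnP device description, any namespace."""
    summary = {}
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]  # drop the "{namespace}" prefix
        if tag in FIELDS and elem.text:
            summary.setdefault(tag, elem.text.strip())
    return summary
```

the description XML comes from the device itself, so cap the size of what is fetched from `LOCATION` before parsing it.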
### mobile app
by changing the weather settings, we see:
```
GET /premium/v1/weather.ashx?q=<parameters> HTTP/1.1
Host: api.worldweatheronline.com
Accept: */*
```
parameters broken down:
```
Potrero District, United States of America&
num_of_days=2&
format=json&
fx=yes&
cc=yes&
mca=no&
fx24=no&
tp=24&
includelocation=yes&
showlocaltime=yes&&
extra=isDayTime,utcDateTime&
key=<redacted>
```
looks like a premium API key to [world weather online](https://worldweatheronline.com)
## deeper
### API
looking at some [docs](http://lametric-documentation.readthedocs.io/en/latest/reference-docs/lametric-time-reference.html) from lametric, was able to determine that the api lives at `http://device:port/api/v2`
authing with `dev` and `<api key>`, got the expected list of routes:
cool, so we can talk to the API successfully now - unfortunately, there isn't much that appears interesting on the surface, at least as an attack vector.
searching around for their [firmware](https://developer.lametric.com/getfirmware/download), the latest version shown was 1.7.7 - apparently they version OS and API separately.
binwalk shows us that the file is a nested squashfs:
* despite ability to use htpasswd or htdigest, they use plaintext
* automatically installs `/etc/install/*.ipk`
* automatically makes all application configuration data readable by all users
* 2 wifi controllers allow for it to act as a hotspot
* it's using an SD card as primary (?) storage
* it has a keyboard controller, does not appear specific to the 3 buttons
* like most devices, has an easily accessible glob/regex of 'allowed' firmware names
* why is there an alarm set for `15:22:49`?
* what is the test that happens when we run `lmledtool -t`
unfortunately, many of the files mentioned live in `/lametric/data/configs` which is mostly unpopulated in the firmware squashfs, so will need to revisit once the root hash is cracked.
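the plaintext-auth and world-readable findings above can be turned into a repeatable check over an extracted root filesystem or a mounted data partition. this is an added example, not lametric's code or part of the original notes; the `.conf` filename filter is an assumption, and `auth.backend` / `auth.backend.plain.userfile` are lighttpd's mod_auth directives.

```python
import os
import re
import stat
import sys

# lighttpd mod_auth: `auth.backend = "plain"` keeps passwords in cleartext
BACKEND_RE = re.compile(r'^\s*auth\.backend\s*=\s*"(\w+)"', re.M)
USERFILE_RE = re.compile(r'^\s*auth\.backend\.plain\.userfile\s*=\s*"([^"]+)"', re.M)


def plaintext_auth(root):
    """Return (conf path, userfile) for every conf selecting the plain backend."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".conf"):  # assumption: configs end in .conf
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                text = fh.read()
            if "plain" in BACKEND_RE.findall(text):
                m = USERFILE_RE.search(text)
                hits.append((os.path.relpath(path, root), m.group(1) if m else None))
    return sorted(hits)


def world_readable(root, subdir):
    """Return regular files under root/subdir whose mode grants read to 'other'."""
    found = []
    for dirpath, _dirs, files in os.walk(os.path.join(root, subdir)):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)


if __name__ == "__main__":
    # argument: path to the extracted root filesystem (defaults to cwd)
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for conf, userfile in plaintext_auth(root):
        print(f"plaintext auth backend: {conf} -> {userfile}")
    for path in world_readable(root, "lametric/data/configs"):
        print(f"world-readable: {path}")
```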