Uber device control for the tech using X10

by ~ March 31st, 2003

Intro:

So who/what is X10? X10, who’s annoying and often sexist pop-under marketing strategy leaves much to be desired, is a company who makes and sells a series of home automation devices, which themselves leave very little to be desired.

On the most fundamental level, using X10 means being able to control the lights and appliances around your home with remote controllers. The controllers. range in size and complexity from a key chain controller to a TV style remote control and perhaps more fundamentally, a thin (7 mm) light switch sized controller which sticks directly to the wall in any location you like.

A simple, practical example, would be to add a switch to the wall within arms reach of your bed to control the lights, the TV, and the coffee maker.

Understanding the X10 technology:

X10 works by utilizing the electrical wiring in the wall to carry messages from the X10 controller to the various device modules. It takes advantage of the fact that electrical wires, in addition to carrying electricity, are also able to carry a certain amount of data.

Set-up is simple, a device like a light is plugged into an X10 module which is then plugged into the wall. Two selector dials on the front of the X10 module allow for selection of that modules ID. Choices range from A though P on one dial and 1 thought 16 on the other. Setting the first dial to A and the second dial to 1 makes that module A1. Simple enough.

When you use a remote to turn on/off A1 that light will act accordingly. With the set up of additional devices you have the choice to either assign a new ID to each, or repeat ID’s for a group of lights/appliances.

To view all the X10 based home automation devices X10 has to offer you can check out:
http://www.x10.com/automation/homeautomation.htm

Some X10 products are available at Radio Shack stores under the
brand name “Plug n’ Power.”

Advanced uses for X10 (the real fun):

X10 is great for both tech and non tech people alike. Both will no doubt be happy with the ability to turn on/off lights and appliances by simply punching a button or two on a remote control.

More technically inclined minds however will quickly wander toward the computer. The good news is, X10 has made a computer controller interface. Using this interface (a serial device) and some software, the world of X10 opens up to computer controlled events. Possibilities are then left to the imagination and creativity of the users and programmers. Examples include, Time based events (think cron), Motion based events (utilizing X10 motion sensors), Mood settings (set various lights to various levels of dim or on/off position at the click of a mouse) and even TCP/IP remotely controlled events (think web, cell phone/WAP, IM, SSH).

An example of a net-based X10 controller:

A real world example to get you thinking, I personally have created an IM to X10 bridge using a linux server, HEYU and Perl with the Net::AIM perl module. For what little security can be had over AIM, I used a dual authentication method. First the user has to be logged in with my screen name, then they have to send the right password for that command. Using this program I was able to successfully check the status of lights and appliances at home from work via AIM. For fun, I once used it to spook my GF by turning off her desk light while she was home alone. The IM I got back was “you are so not funny”. I of course disagreed. On a more serious note, It did save my butt one day when I left the house unsure if I had turned off the coffee maker. By the time I thought of it, I was already on the train and far from a computer with an internet connection. Using my cell phone, which allows for logins to the AIM network, I was able to poll the coffee maker to find out if it was on or off, and after seeing that it was in fact on, I was able to turn it off preventing a potential fire. That secured the real world usefulness of X10’s technology in my mind. Hey, having the ability to perform things like coffee maker power polling and toggling from your cell phone on the train, now that’s uber device control for the tech using X10!

X10 Related Links of Importance:

X10 - http://www.x10.com

Linux/Mac:
HEYU! - http://heyu.tanj.com/heyu/index.html

Windows:
http://www.x10.com/support/support_soft1.htm

Comments? Questions? email brian@mindflip.org

Brian

KLV now available

by ~ March 3rd, 2003

Brian’s Kismet Log File Viewer now available.
> Kismet Log Viewer (KLV) Project Page

DefconX

by ~ August 7th, 2002

DefconX was the 10th anual Defcon hacker convention. It took place Aug. 2nd to the 4th at the Alexis Park Hotel and Resort in Las Vegas. Mike of Mindflip was in attendance for all three days, here are the photos he took.

AIM forced behavior “issue”

by ~ July 16th, 2002

Intro:

This article will describe an “issue” I have found with the the 4.7 version of the official AIM client. This”issue” involves the ability to automatically force an AIM client into performing various functions. This is achieved when the user loads a webpage created with specific code in the META HTTP-EQUIV=”refresh” html tag.

Testing has shown that this “issue” effects anyone running the 4.7 version of the official AIM client on win 9x, Me, XP, 2000, or the 4.5 version on Mac OS9/X. The AIM client available for Linux is not effected. The 4.8 windows client now gives you a warning as does the 5.0 Beta*. (Perhaps it effects others as well… NT?, CE? if you notice that it’s able to effect any of these or any others, email brian@mindflip.org and let me know so
I can update this list)

Discovering this “issue” has inspired me to stop using the official AIM client. I now use Trillian, http://www.trillian.cc which offers similar features while not being subject to
this “issue”.

Explanation ( how it works ):

On a whim I decided to send someone an AIM greeting card. On the last page of that process AOL goes ahead and pops up an AIM window with an IM going to the SN for the person you have specified to receive the card. The IM says something to the effect of “You’ve got a greeting, click here.” . Convenient, this way all you have to do is hit send and it will IM the person to let them know. This greeting card page poped up the window automatically, I didn’t have to click any links or OK anything, just load the page. That’s right kids, If AOL can pop up a new IM window automatically with a webpage, so can anyone else.

Viewing the source of that page showed me that there was code in the
META refresh tag…

<META HTTP-EQUIV=”refresh” CONTENT=4;
URL=aim:goim?screenname=mybuddy&message=buch_of_stuff_here>

Various lists exist all over the net explaining how to create AIM links. I had seen them before and looked at one again for reference. I derived the following link code, usually surrounded by <a href=” etc…, which adds a buddy list group and a series of biddies:

aim:addbuddy?listofscreennames=mindfliporg,mfliporb,mflipmax,
mflips0nic,mflipzorcon&groupname=mindfliporg

So by replacing their META HTTP-EQUIV=”refresh” code with my own…

<META HTTP-EQUIV=”refresh” CONTENT=0;URL=aim:addbuddy?
listofscreennames=mindfliporg,mfliporb,mflipmax,mflips0nic,
mflipzorcon&groupname=mindfliporg> (all on one line)

Once I let my test webpage load, which included the above line in the HTML, I managed to add a list of buddy’s and a group to my buddy list.

See it in action:

To determine if this issue effects you, make sure you are running AIM ( in some cases accessing this page launches the AIM client automatically ) and then visit the test page I have created. You don’t have to click this link to visit the page. You can copy paste the link into your favorite browser and hit enter.
( Please see warning below before visiting ):

http://www.mindflip.org/aimrefresh/index.html

WARNING: Just so you know ahead of time, viewing the web page in the above link will add a group called “mindfliporg” to your AIM buddy list list along with some mindfliporg member screen names as shown in the above example, feel free to delete this group and buddy’s at any time afterward. You can also just leave them there and IM us if we are ever on ;).

Potential Evil Uses ( why this is an “issue” to me and should be to you ):

As with all findings like this, there is always the potential for exploitation. I suggest you do not go down that road. If you do, I nor mindflip are responsible for what occurs.

Using the same method one can:

  • Register a new user to that aim client and make that user attempt to logon now.
  • Launch and force users to join any chat room.
  • Set the buddy icon.
  • Automatically fetch a file from another AIM user ( will show warning unless it has been disabled ).

All a person would have to do is check out the list of available “aim:” links and use a little imagination. With the use of a little javascript OnLoad() one could potentially force many behaviors with one page load.

  • Think advertising… visit my corporate website and all of the sudden you have a branded buddy list.
  • Think automatic direct connection…
  • Start thinking about doing away with that AIM client with the “issue”.

Comments? Questions? email brian@mindflip.org

* Thanks to Fett for the Mac and Win Me information. Thanks to Bob @ InstantMessagingPlanet.com for the info about 5.0 Beta

External:
US-CERT/NIST: Vulnerability Summary CVE-2002-2169
Security Focus: AOL Instant Messenger Unauthorized Actions Vulnerability
Press Coverage: AOL’s AIM Forces the Issue

Brian

H2K2

by ~ July 15th, 2002

H2K2 was the 4th HOPE conference, sponsored by 2600 . It took place July 12-14, 2002 in New York City. Mindflip was in attendance for all three days. When there is time we will post the happenings of the conference. In the mean time enjoy what little pictures we did take ;) .