HackDig : Dig high-quality web security articles

Proform Desk Treadmill

2016-04-18 10:10

Today I get to drop 0day.  I haven’t changed my mind about responsible disclosure so put your pitch forks down and lets talk about some fun I had this weekend after installing my new treadmill.

ProForm Thinilne Pro Desk Threadmill (PFTL17014).  It is made by a company called ICON Fitness.  I tried contacting them with no luck.  They also have a bunch of other brands like the NordicTrack, ProForm, Weider, and Gold’s Gym

 

Product Page:
https://www.proform.com/treadmills/thinline-treadmill-desk

 

This device has a wifi setting so after scanning for APs on the treadmill and selecting mine (then entering the WPA key using up/down +enter one character at a time 1986 nintendo style) I get an IP address.

Nmap is my first choice to scan the device for open ports.  I’m an impatitent fellow so i use a basic nmap scan as my first pass:

Nmap results are in and we’ve got ssh, telnet (?!), and a few web servers.

Since I’m such an elite hacker the treadmill just makes the decision to give me root.  I don’t blame the device.  My dremel was sitting in plain view as I probed the device. Telnet goes away after setup is complete.  SSH remains.

This device is an ifit enabled device.  It connects to a back end service that supplies Google Maps streetview connected workouts complete with elevation.  It tracks your progress (weight, calories burned,etc) and gives you a dashboard.  It’s pretty shitty right now and has a ton of bugs.  I hope they work through it because it’s pretty neat.

The root directory contains some maintenance scripts that allow you to upgrade kernel, firmware, download new workouts, and log in to the backend ifitps servers.

If you’re interested in an ls -alR (directory listing of all files) you can check that out here.

Config files for wireless are stored in clear text here:

All network/back end ifit server requests (login, fw check, workout downloads, etc) are done as SOAP requests using using txt files in ../network as a template:

If the built in workouts don’t satisfy the end user you can replace them with custom workouts.

I’ll just leave the hashes from the passwd and shadow files here:

 

Lol, JK.  Here are the cracked passwords.

Session.Name…: cudaHashcat
Status………: Running
Input.Mode…..: Mask (?1?1?1?1?1?1?1?1) [8]
Hash.Target….: lzBtZDKjWKTHI
Hash.Type……: descrypt, DES(Unix), Traditional DES
Time.Started…: Tue Feb 02 16:06:35 2016 (2 mins, 4 secs)
Time.Estimated.: Tue Feb 02 16:44:16 2016 (35 mins, 35 secs)
Speed.GPU.#1…: 620.0 MH/s
Speed.GPU.#2…: 629.3 MH/s
Speed.GPU.#*…: 1249.3 MH/s
Recovered……: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress…….: 155713536000/2821109907456 (5.52%)
Rejected…….: 0/155713536000 (0.00%)
Restore.Point..: 3176448/60466176 (5.25%)
HWMon.GPU.#1…: 99% Util, 46c Temp, 0rpm Fan
HWMon.GPU.#2…: 98% Util, 45c Temp, 0rpm Fan

lzBtZDKjWKTHI:icon2011

[s]tatus [p]ause [r]esume [b]ypass [q]uit =>

Session.Name…: cudaHashcat
Status………: Running
Input.Mode…..: Mask (?1?1?1?1?1?1?1) [7]
Hash.Target….: w.rW11jv2dmM2
Hash.Type……: descrypt, DES(Unix), Traditional DES
Time.Started…: Tue Feb 02 16:03:18 2016 (4 secs)
Time.Estimated.: Tue Feb 02 16:04:23 2016 (59 secs)
Speed.GPU.#1…: 621.3 MH/s
Speed.GPU.#2…: 637.1 MH/s
Speed.GPU.#*…: 1258.3 MH/s
Recovered……: 0/1 (0.00%) Digests, 0/1 (0.00%) Salts
Progress…….: 5744099328/78364164096 (7.33%)
Rejected…….: 0/5744099328 (0.00%)
Restore.Point..: 0/1679616 (0.00%)
HWMon.GPU.#1…: 86% Util, 34c Temp, 0rpm Fan
HWMon.GPU.#2…: 95% Util, 34c Temp, 0rpm Fan

w.rW11jv2dmM2:winbond

My wife won’t let me do any thing else to it right now because she wants to use it but maybe if you like this we will do a part two in secret!


Source: 312=p?/moc.ytiruceshcetxeh

Read:34612 | Comments:2 | Tags:Uncategorized

“Proform Desk Treadmill”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3