Sometimes I like mimomax radios, and sometimes I hate mimomax radios. They are without doubt one of the best radios around for getting the most value out of a 25kHz radio channel. However they have bugs. Lots of bugs, sometimes big, sometimes little. I have spent more time working out why these radios don't work or behave like I would expect than any other radio. So I decided to break one. Purely for academic purposes of course.
Mimomax radios have an open ssh port on port 22, and I happened across the root password for one radio in particular. Unfortunately I can't say how I happened upon this password, but happen upon it I did. It would seem from observation that the root password for every radio is different, and that the passwords are 8 characters long and use only lower-case letters and digits.
Armed with the root password, one can download the entire file system and inspect the scripts that control the radio and so on. From this the following information is discovered:
In theory then, we could write a custom script to extract the password hashes for the radio, which we could crack by brute force. Using an Amazon EC2 16-GPU VM with hashcat, we can achieve an md5crypt hash rate of 197.5 MH/s. To hash the entire keyspace (36^8) would take about 4 hours, so on average it should take 2 hours per hash, at a cost of roughly $50 USD.
The security of the radio could be increased greatly by encrypting custom scripts and license files using an asymmetric key instead of a symmetric key. This way, even though we could decrypt existing scripts and license files, we would not be able to generate new ones without further tampering with the radio. Of course, once you have the root password all bets are off, as we can change the keys to whatever we like. To make cracking the password hashes more difficult, they could also increase the keyspace of the passwords by using upper-case characters and making them at least 10 characters long.
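To make the two mitigations above concrete, here is an added example (my own illustration, not mimomax code or anything recovered from the radio) in Go. It assumes Ed25519 as the asymmetric scheme: the radio holds only the vendor's public key, so even a root-level reader of the file system cannot produce a valid signature for a modified script, and it reuses the post's 197.5 MH/s figure to compare the brute-force time of the current 36^8 password policy against a 62^10 policy.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"math"
)

// VerifyScript accepts a custom script only if sig is a valid Ed25519
// signature over it under the vendor's public key. Unlike a symmetric key,
// the public key stored on the radio cannot be used to sign new scripts.
func VerifyScript(pub ed25519.PublicKey, script, sig []byte) bool {
	return ed25519.Verify(pub, script, sig)
}

// SignScript represents the vendor's offline signing step; the private key
// never leaves the vendor and is never stored on the radio.
func SignScript(priv ed25519.PrivateKey, script []byte) []byte {
	return ed25519.Sign(priv, script)
}

// BruteForceHours estimates the worst-case time to exhaust a password
// keyspace of alphabetSize^length at the given hash rate (hashes/second).
func BruteForceHours(alphabetSize, length int, hashesPerSec float64) float64 {
	return math.Pow(float64(alphabetSize), float64(length)) / hashesPerSec / 3600
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample script standing in for a radio custom script.
	script := []byte("#!/bin/sh\necho constructed sample custom script\n")
	sig := SignScript(priv, script)
	fmt.Println("genuine script verifies:", VerifyScript(pub, script, sig))

	// A root user who edits the script on the radio cannot re-sign it.
	tampered := append(append([]byte{}, script...), []byte("echo added line\n")...)
	fmt.Println("modified script verifies:", VerifyScript(pub, tampered, sig))

	// Password policy comparison at the post's md5crypt rate of 197.5 MH/s.
	fmt.Printf("36^8 (lower-case+digits, 8 chars): %.1f hours\n", BruteForceHours(36, 8, 197.5e6))
	fmt.Printf("62^10 (mixed-case+digits, 10 chars): %.0f years\n", BruteForceHours(62, 10, 197.5e6)/8760)
}
```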