Hacking the Withings Smart Baby Monitor

I started tinkering with my Christmas gift: the Withings Smart Baby Monitor. Let's try to hack it (in a good way). I also wrote this article as a tutorial on hacking devices for newbies, being a newbie myself ;-).

Disclaimer: I'm not trying to hack into, or encouraging anyone to hack into, other people's baby monitors! Just my own. Don't hack into your neighbor's stuff, it's evil.

Context

I got a really cool gift for Christmas: a Withings Smart Baby Monitor to keep an eye on my newborn. It's basically an IP cam with sound (both speaker and mic) and a temperature + humidity sensor. It can communicate with iOS and Android devices via Wifi, Ethernet or Bluetooth. Since I love hackable stuff, I dug a little to see how this cute white box works and whether I can send and receive stuff my own way. What about getting the video feed on my Mac, for example?

Discovery

Locating the device on your network is simple enough: the iPhone app gives you the IP of the monitor once it's correctly configured.

First test: it responds to ping \o/. Let's see what's running, using the port scan in the Mac OS Network Utility:

Open TCP Port:  22          ssh
Open TCP Port:  1935        macromedia-fcs

SSH server, cool! Credentials would be the holy grail... Googled it a little but no luck, also tried obvious login/password combinations, no luck either. The second port, 1935, is the default RTMP port (the "macromedia-fcs" label refers to Adobe's Flash Communication Server); we'll come back to it. For now, we'll do it another way.

Sniffing setup

Since there is no obvious way to interact with the box, we'll have to sniff its network traffic to see what's going on. I'm going to use the open source, cross-platform tool Wireshark for this.

The desired result is to sniff the traffic between the iPhone app and the Baby Monitor when both are on the same Wifi network (you could also use the Ethernet port on the monitor). As you may know, it's difficult to sniff traffic on a switched network (an encrypted Wifi network is no better, since each client's traffic is protected with its own key), so we'll use some built-in Mac OS tools to work out a simple solution: put the Mac in the middle as the router.

  1. Connect the Mac OS machine to the internet provider box via Ethernet
  2. In Mac OS network configuration, set up Internet Sharing: we want to share the Ethernet connection over Wifi (see screenshot in French below)
  3. Connect your Baby Monitor and your iPhone to the Wifi network created by Mac OS

Now your Mac will see all the network traffic going between your devices and from your devices to the Internet, since it acts as the router for the shared network. Just what we want.

Launch Wireshark and tell it to capture traffic on your Wifi interface.

Start the capture, go to your iPhone app and activate baby monitoring. You should see a whole lot of stuff happening in Wireshark. You can stop the capture after 30 seconds or so.


We are mostly interested in two protocols: HTTP and RTMP (you can filter on one or the other in Wireshark to clear things up). You probably know about HTTP. RTMP is an Adobe protocol (originally proprietary, now publicly specified) for streaming audio, video and data over the Internet.

HTTP

Let's see what we can learn from the HTTP requests. They are made by both devices (monitor and iPhone app) to Withings servers (babyws.withings.net), and since Wireshark shows them in full, they travel in the clear. Here is what I saw on my setup:

Between iPhone and Withings servers

NB: I edited the values, just in case.

A GET request from the iPhone:

GET /cgi-bin/presence?action=get&sessionid=4878-531a41ea-e5a6058e&deviceid=699425 HTTP/1.1\r\n

And the server's JSON response:

HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 11:30:26 GMT
Server: Apache
X-Powered-By: PHP/5.3.10-1ubuntu3.1
X-WI-SRV: FR-EQX-WEB-07
Vary: Accept-Encoding
Content-Length: 320
Content-Type: text/plain

{"status":0,"body":{"client":{"client_ip":"<my_public_ip>"},"device":{"kd_hash":"00:24:e4:0b:7a:08-d3123ce9842e809a093b136af5727a24","kp_hash":"00:24:d4:0b:7c:08-1b38e4f6ebe6c27ccd241a747133978d","kl":"00000000000000000","private_ip":"192.168.2.3","probe_ip":"<my_public_ip>","proxy_ip":"89.30.121.12","proxy_port":1935}}}

This seems to be a request for initial info about the monitor plus some network info: my iPhone is on 192.168.2.2 and learns the monitor's LAN IP (192.168.2.3, private_ip), along with a Withings relay (proxy_ip, proxy_port 1935) that is presumably used when the two are not on the same network.

It also returns my public IP address (client_ip and probe_ip), which is probably useful in a remote configuration (iPhone away from the LAN): if the app and the monitor show up with the same public address, they are presumably behind the same NAT and can talk directly, otherwise they go through the proxy. Useful, but not cool: as soon as you plug in and configure your device on your LAN, your public IP, the monitor's LAN address and MAC-derived hashes are sent to Withings without any warning. Furthermore, the connection is plain HTTP, not HTTPS, so anyone on the network path with a sniffer can see that you're plugging in a Baby Monitor, on which IP it is, and the sessionid and deviceid that go with it.

Another GET request from the iPhone:

GET /cgi-bin/device?action=getproperties&sessionid=3275-531a41ea-e5a6058e&deviceid=699425&apiver=3&appliver=201&appname=wibaby&apppfm=ios HTTP/1.1\r\n

And the server response:

HTTP/1.1 200 OK
Date: Sat, 28 Dec 2013 11:30:26 GMT
Server: Apache
X-WI-SRV: FR-EQX-WEB-02
Vary: Accept-Encoding
Transfer-Encoding: chunked
Content-Type: text/plain

{"status":0,"body":{"id":699425,"sn":"SN-00:24:d5:0b:8f:08","macaddress":"00:24:d4:0b:8d:1a","fw":"85","batterylvl":100.0,"type":2,"timezone":"Europe\/Paris","lastweighindate":1388229664,"lastsessiondate":1388229664,"preflang":"fr_FR","impedancemeter":1,"debug":1,"behaviour":0,"mfgid":0,"created":1366642740,"modified":1388002146,"babyphone_config":{"firstname":"V","gender":1,"birthdate":1293879600}}}

More info from the server here: the monitor's (?) serial number and MAC address, plus the baby account previously created on the Withings server (fake values here). Funny thing: some fields (impedancemeter, lastweighindate...) relate to the Withings Smart Body Analyzer scale. I guess the guys at Withings reused the same web service for all their devices.

Between Baby monitor and Withings servers

A POST request from the monitor to the server:

POST /cgi-bin/presence HTTP/1.1\r\n
action=update&sessionid=5339-21c7517b-0ec5d323&kd=db6fe99fc59473f12e759ec509fff932&private_ip=192.168.2.3&

The most interesting part here is the monitor reporting its LAN IP address (private_ip) to the server, which is what gets handed to the iPhone app in the presence response above. The kd parameter is presumably the same kind of hash as the kd_hash field the app receives.

And the enigmatic response:

{"status":0}

Another POST request from the monitor:

POST /cgi-bin/event HTTP/1.1\r\n
action=store&sessionid=5339-21c7517b-0ec5d323&events={"events":[{"type":30,"clientuid":"0f607264fc6318a92b9e13c65db7ab4d","clientname":%22MyIPhone%22,"accountid":21358,"date":"0","connectionid":"449063965","connectiontype":"direct"}]}

Something happened here: action=store, together with the iPhone's clientuid/clientname and a connectiontype of "direct", looks like the monitor logging the iPhone's connection to it on the server.

And another enigmatic response:

{"status":0}
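Everything in the exchanges above (the iPhone's GETs, the monitor's POSTs and the JSON replies) is plain HTTP, so it is worth spelling out exactly which identifiers a passive observer collects. The script below is an added example for this post, not code from the original article or from Withings: it parses captured requests and responses of the shape shown above and lists the session, device and network identifiers they carry. The sample messages are constructed from the (already edited) requests above; the Host header and the 203.0.113.7 public address are placeholders I chose. The direct-versus-proxy guess in connection_mode is my reading of the presence fields, not documented Withings behaviour.

```python
"""List what an on-path observer learns from the plaintext babyws.withings.net exchange.

Added example for this post; not code from the original article or from Withings.
Sample messages are constructed from the edited captures in the post; the Host
header and the 203.0.113.7 public address are placeholders.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Values that tie a session, a device or a user to this traffic. Any of these
# sent over clear HTTP is readable by whoever sits between you and Withings.
SENSITIVE = {"sessionid", "deviceid", "kd", "private_ip", "client_ip", "probe_ip",
             "proxy_ip", "sn", "macaddress", "kd_hash", "kp_hash",
             "clientuid", "clientname", "accountid", "connectionid"}

SAMPLE_PRESENCE_GET = (
    "GET /cgi-bin/presence?action=get&sessionid=4878-531a41ea-e5a6058e&deviceid=699425 HTTP/1.1\r\n"
    "Host: babyws.withings.net\r\n\r\n"
)
SAMPLE_PRESENCE_JSON = (
    '{"status":0,"body":{"client":{"client_ip":"203.0.113.7"},'
    '"device":{"kd_hash":"00:24:e4:0b:7a:08-d3123ce9842e809a093b136af5727a24",'
    '"kp_hash":"00:24:d4:0b:7c:08-1b38e4f6ebe6c27ccd241a747133978d","kl":"00000000000000000",'
    '"private_ip":"192.168.2.3","probe_ip":"203.0.113.7","proxy_ip":"89.30.121.12","proxy_port":1935}}}'
)
SAMPLE_EVENT_POST = (
    "POST /cgi-bin/event HTTP/1.1\r\nHost: babyws.withings.net\r\n\r\n"
    "action=store&sessionid=5339-21c7517b-0ec5d323&events="
    '{"events":[{"type":30,"clientuid":"0f607264fc6318a92b9e13c65db7ab4d",'
    '"clientname":%22MyIPhone%22,"accountid":21358,"date":"0",'
    '"connectionid":"449063965","connectiontype":"direct"}]}'
)


def parse_request(raw):
    """Split a captured HTTP request into (method, path, params).

    Query-string and form-encoded body parameters are merged; parse_qs also
    undoes the %22 escaping seen in the event POST.
    """
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _version = head.split("\r\n", 1)[0].split(" ", 2)
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    if method == "POST" and body:
        params.update(parse_qs(body, keep_blank_values=True))
    return method, parts.path, {k: v[0] for k, v in params.items()}


def walk_json(obj, prefix=""):
    """Yield (dotted.path, value) for every leaf of a decoded JSON document."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from walk_json(v, f"{prefix}.{k}" if prefix else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from walk_json(v, f"{prefix}[{i}]")
    else:
        yield prefix, obj


def exposed_fields(request_raw, response_body=None):
    """Return (method, path, {where.field: value}) for sensitive values sent in clear."""
    method, path, params = parse_request(request_raw)
    found = {}
    for key, value in params.items():
        if key in SENSITIVE:
            found[f"query.{key}"] = value
        elif value.startswith("{"):  # JSON carried inside a form field (the event POST)
            for dotted, leaf in walk_json(json.loads(value), key):
                if dotted.rsplit(".", 1)[-1] in SENSITIVE:
                    found[f"query.{dotted}"] = leaf
    if response_body:
        for dotted, leaf in walk_json(json.loads(response_body)):
            if dotted.rsplit(".", 1)[-1] in SENSITIVE:
                found[f"json.{dotted}"] = leaf
    return method, path, found


def connection_mode(presence_json, rtmp_port=1935):
    """Guess how the app will reach the monitor from a presence response.

    'Same public IP for app and monitor => same NAT => talk to private_ip
    directly, otherwise go through proxy_ip:proxy_port' is an inference from
    the field names, not documented behaviour. rtmp_port is the port found by
    the port scan, assumed for the direct case.
    """
    body = json.loads(presence_json)["body"]
    device = body["device"]
    if body["client"]["client_ip"] == device["probe_ip"]:
        return "direct", device["private_ip"], rtmp_port
    return "proxy", device["proxy_ip"], device["proxy_port"]


if __name__ == "__main__":
    for raw, resp in ((SAMPLE_PRESENCE_GET, SAMPLE_PRESENCE_JSON), (SAMPLE_EVENT_POST, None)):
        method, path, found = exposed_fields(raw, resp)
        print(method, path)
        for key, value in sorted(found.items()):
            print(f"  {key} = {value}")
    print(connection_mode(SAMPLE_PRESENCE_JSON))
```

Run it as-is to see the report for the two sample messages; to apply it to your own capture, use Wireshark's "Follow TCP Stream" on a babyws.withings.net connection and paste the request and response text in place of the samples. Note that the sessionid alone is enough to replay the getproperties call shown earlier, which is why its exposure matters more than the public IP.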

RTMP

Those HTTP requests are interesting, but they don't provide much usable data from the monitor itself. Let's look at the RTMP stuff. RTMP is used primarily to transport video and audio, so we can hope to get the video feed from the monitor on the client of our choice.

I looked at some of the RTMP packets for interesting stuff, and found something in the connect command the app sends right after the RTMP handshake. Its arguments are AMF0-encoded, which is why the readable strings below are separated by unprintable type and length bytes:

$z  pEER@@'5B}&vlC
Nrconnect?app200:24:e4:0b:7a:08-cd65e34332eba8dad2c474b51e53cd1cflashverRTMP 0.9swfUrlfile://c:/gentilflash.swftcUrlJrtmp://192.168.2.3:1935/00:24:e4:0b:7a:08-cd65e34332eba8dad2c474b51e53cd1cfpadcapabilities@.audioCodecs@videoCodecs@`videoFunctionpageUrlfile://c:/gentillepage.htmlobjectEncoding@        accountidw
clientnamemyIPhone  clientuid 0f607264fc6318a92b9e13c65db7de4f

Bingo! In that scrambled mess of characters we have the pieces we need: tcUrl gives the RTMP server address (the monitor, port 1935) and the application name (the monitor's MAC address followed by a hash), and swfUrl points at something that looks like a Flash video file, gentilflash.swf. Now we need an RTMP client to read the stream on the computer of our choice. I used RTMPDump.

After a few tries, I came up with this:

rtmpdump -r "rtmp://192.168.2.3:1935/00:24:e4:0b:7a:08-1c238320a0e9dea1c52d61797026b18e/gentilflash.swf" -o video.flv

NB: gentilflash means sweetflash in French ;-)

After that you can open video.flv with VLC or similar, and you should see yourself hacking, or your baby sleeping, on your computer! (With a two-component path like this, rtmpdump takes the first component as the RTMP application name and the last, gentilflash.swf, as the play path; adjust the MAC-hash part to the tcUrl from your own capture.)
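To make sense of the scrambled dump above rather than eyeballing it, here is an added example (my code, not part of the original post and not Withings code) that encodes and decodes AMF0 as used by the RTMP connect command and then rebuilds the rtmpdump command line from the tcUrl field. The sample command is constructed to mirror the field names of the capture; the MAC-hash is the already-edited one from the post, the codec numbers are ordinary Flash client defaults rather than values from the capture, and placing accountid/clientname/clientuid inside the command object is my reading of the dump, not a documented layout. One detail it makes visible: the "?" right after "connect" in the dump is the 0x3F that starts the transaction id 1.0, since every AMF0 number is a big-endian double.

```python
"""Decode the AMF0-encoded RTMP ``connect`` command and derive the rtmpdump target.

Added example for this post; not code from the original article or from Withings.
SAMPLE_CONNECT is constructed to mirror the captured field names (edited MAC-hash,
default codec numbers; accountid/clientname/clientuid placement is an assumption).
"""
import struct
from urllib.parse import urlsplit

# AMF0 type markers (from Adobe's AMF0 specification).
NUMBER, BOOLEAN, STRING, OBJECT, NULL, OBJECT_END = 0x00, 0x01, 0x02, 0x03, 0x05, 0x09


def amf0_encode(value):
    """Serialise a Python value as AMF0 (only the types a connect command needs)."""
    if isinstance(value, bool):            # bool before int: bool is a subclass of int
        return bytes([BOOLEAN, int(value)])
    if isinstance(value, (int, float)):    # every AMF0 number is a big-endian double
        return bytes([NUMBER]) + struct.pack(">d", float(value))
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return bytes([STRING]) + struct.pack(">H", len(raw)) + raw
    if value is None:
        return bytes([NULL])
    if isinstance(value, dict):            # key (length-prefixed, no marker) then value
        out = bytearray([OBJECT])
        for key, item in value.items():
            raw = key.encode("utf-8")
            out += struct.pack(">H", len(raw)) + raw + amf0_encode(item)
        return bytes(out) + b"\x00\x00" + bytes([OBJECT_END])   # empty key + end marker
    raise TypeError(f"no AMF0 encoding for {type(value).__name__}")


def _read_utf8(buf, pos):
    n = struct.unpack_from(">H", buf, pos)[0]
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def amf0_decode(buf, pos=0):
    """Decode one AMF0 value at ``pos``; returns (value, position after it)."""
    marker = buf[pos]
    pos += 1
    if marker == NUMBER:
        return struct.unpack_from(">d", buf, pos)[0], pos + 8
    if marker == BOOLEAN:
        return buf[pos] != 0, pos + 1
    if marker == STRING:
        return _read_utf8(buf, pos)
    if marker == NULL:
        return None, pos
    if marker == OBJECT:
        obj = {}
        while True:
            key, pos = _read_utf8(buf, pos)
            if key == "" and buf[pos] == OBJECT_END:
                return obj, pos + 1
            obj[key], pos = amf0_decode(buf, pos)
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x} at offset {pos - 1}")


def parse_connect(body):
    """Return (transaction_id, command_object) from a connect command body."""
    values, pos = [], 0
    while pos < len(body):
        value, pos = amf0_decode(body, pos)
        values.append(value)
    if len(values) < 3 or values[0] != "connect":
        raise ValueError("not a connect command")
    return values[1], values[2]


def rtmpdump_target(tc_url, playpath="gentilflash.swf"):
    """Split tcUrl into host/port/app and rebuild the rtmpdump command from the post.

    rtmpdump reads the first path component as the application name and the
    rest as the play path, hence app (MAC-hash) and the .swf name joined by '/'.
    """
    parts = urlsplit(tc_url)
    if parts.scheme != "rtmp":
        raise ValueError(f"not an rtmp URL: {tc_url}")
    port = parts.port or 1935
    app = parts.path.lstrip("/")
    cmd = f'rtmpdump -r "rtmp://{parts.hostname}:{port}/{app}/{playpath}" -o video.flv'
    return {"host": parts.hostname, "port": port, "app": app, "command": cmd}


APP = "00:24:e4:0b:7a:08-cd65e34332eba8dad2c474b51e53cd1c"   # MAC-hash from the edited capture
SAMPLE_CONNECT = amf0_encode("connect") + amf0_encode(1) + amf0_encode({
    "app": APP, "flashVer": "RTMP 0.9", "swfUrl": "file://c:/gentilflash.swf",
    "tcUrl": f"rtmp://192.168.2.3:1935/{APP}", "fpad": False, "capabilities": 15,
    "audioCodecs": 4071, "videoCodecs": 128, "videoFunction": 1,
    "pageUrl": "file://c:/gentillepage.html", "objectEncoding": 3,
    "accountid": 21358, "clientname": "myIPhone",
    "clientuid": "0f607264fc6318a92b9e13c65db7de4f",
})

if __name__ == "__main__":
    txn, props = parse_connect(SAMPLE_CONNECT)
    print("transaction id", txn)
    for key, value in props.items():
        print(f"  {key} = {value!r}")
    print(rtmpdump_target(props["tcUrl"])["command"])
```

To run it against a real capture, right-click the RTMP connect packet in Wireshark, export the packet bytes, and feed the AMF0 payload (everything after the RTMP chunk header) to parse_connect; the tcUrl it returns is what you pass to rtmpdump_target.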

There's also gentillepage.html, which could be interesting, but I haven't tried to get it yet. (Keep in mind that pageUrl, like swfUrl, is something the client tells the server about itself, so there may be no page to fetch from the monitor.)

What's next

We already have the video feed on our LAN, which is nice. But I'll look into some other stuff:

  • See how it works when not on the LAN (you can see your Baby Monitor's video feed from the iPhone app away from your Wifi; the proxy_ip/proxy_port fields in the presence response are probably involved).
  • Try to get the temperature and humidity values from the monitor. The information seems to be buried in the RTMP feed, and I have no idea yet how to get it out. An old article from Adobe seems like a good place to start.
Written by Alexandre Bulté