Cute App, But I'll Use My Own

by pax

There is an app for everything, and we can hack every app.  Therefore, everything is hackable.

My apartment got rid of the classic RFID key fob to open its gate and sent out an email telling all residents to download an app called Gatewise or they would not be able to enter.  Being security aware in this world of apps, I am not a fan of putting anything I don't know, need, or trust on my phone.  This app didn't check any of those boxes for me.

So I decided to explore Gatewise and see what I could find out.  First is the privacy policy[1] where I learned that yes, they will be collecting, storing, and giving up any information they can get.  Location, phone number, device information - all the things I'd rather not.  I don't want their app.  So I called my apartment office telling them I didn't have a smart phone, how was I supposed to open the gate?  Their reply was shocked silence followed by, "You mean you have a phone that just... makes calls?"  To be clear, I have a smart phone.  But it's interesting to take note, the modern world is significantly less accessible to you if you don't have a smart phone.  After two visits to the office in person, they figured out they could text me a vendor link for opening the gate.  This was exciting news for me.  I know all sorts of fun ways to use web addresses.  Links lead to great hacking possibilities.  Here's what they sent me in that text:

pass.gatewise.com/#/id/xx-xx-xx

I've used xx-xx-xx at the end to replace 32 hexadecimal characters.

The link led to a page with a list of labeled buttons, one for each gate I was allowed to open.  Moving to my computer, I opened Burp Suite[2], a tool that (among other things) lets you capture and edit outgoing HTTP requests.  This lets me see exactly what is being sent to Gatewise's server when I push the button to open the gate, as well as what their server responds with.

Pressing an open gate button sends a JSON POST request with two pieces of information to this address: portal.gatewise.com/api/v1/visitor/open_gate

The first piece of information sent is the same generated ID that was included in the original link (which I've changed to xx-xx-xx).  The second piece of information is a four-digit number called "access point ID" (I'll call that 1234).  Here's the bit of JSON sent:

{"token":"xx-xx-xx","access_point_id":1234}

That's it.  An HTTP POST request with a little bit of JSON.  I know I can send that without using their website and buttons.

Figuring out how to open that gate.

Start with what I know.

I have an Android phone, so I'll be working in Linux.  I'm planning to use a Curl command in a shell script to send the token and access point ID to the Gatewise server.  Curl is short for "Client URL" - it's a Linux command that is used to exchange data with a server.  I hadn't done this from my phone before, so it took some research to get started.  Termux[3] is an app that will give you a shell to run code in without rooting your phone.  You don't want the Termux in the Google Play store though; it's no longer being maintained by the developers.

You need the version on F-Droid[4].

F-Droid is like the Play store, but for open-source apps and it's not run by Google.  From F-Droid I also got the Termux:Widget[5] plugin because it lets you execute script files from your home screen, which is exactly what I want to do.

Using Termux, I built my Curl POST request off what I had captured in Burp Suite and saved it as gate.sh.

Building the POST request as a runnable .sh file was new ground for me, so it took a good amount of reading and failed attempts before I got it right.  But here it is:

#!/bin/bash
# Same JSON body the web page sends; the token is the 32-hex-character value from the text link.
# curl: -i prints the response headers, -k skips TLS certificate checks (drop it unless you need it),
#       --data-binary @- reads the request body from stdin.
echo -en '{"token":"xx-xx-xx","access_point_id":1234}' | \
curl -ikX POST -H "Content-Type: application/json" -H "Connection: close" --data-binary @- https://portal.gatewise.com/api/v1/visitor/open_gate

Using Termux:Widget, I put a list on the home screen of my phone with entries to open different gates/doors.  All I have to do is tap an item on the list to open it.  Now I can use this same code on any number of devices and it all looks the same to the apartment office and Gatewise.
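It looks the same to the apartment office, but not necessarily to the vendor's server: a scripted request arrives with a different User-Agent and without the Referer the portal page would send, and a link token reused from many clients is visible in access logs.  As an added example (not the article's code and not anything Gatewise runs), here is the check a server operator could run over such logs; the log format, field names and token values below are constructed for the demo.

```python
import json
from collections import defaultdict

OPEN_GATE = "/api/v1/visitor/open_gate"          # endpoint from the article
PORTAL = "https://pass.gatewise.com/"            # page that normally sends the POST

# Constructed JSON-lines access log: tok-A is replayed with curl from two
# addresses, tok-B is only ever used from the portal page.
SAMPLE_LOG = """\
{"ts":"2024-05-01T08:01:10Z","path":"/api/v1/visitor/open_gate","ip":"203.0.113.10","ua":"Mozilla/5.0 (Linux; Android 13)","referer":"https://pass.gatewise.com/","body":{"token":"tok-A","access_point_id":1234}}
{"ts":"2024-05-01T08:02:45Z","path":"/api/v1/visitor/open_gate","ip":"203.0.113.10","ua":"curl/8.5.0","referer":"","body":{"token":"tok-A","access_point_id":1234}}
{"ts":"2024-05-01T09:15:02Z","path":"/api/v1/visitor/open_gate","ip":"198.51.100.7","ua":"curl/8.5.0","referer":"","body":{"token":"tok-A","access_point_id":1234}}
{"ts":"2024-05-01T09:20:30Z","path":"/api/v1/visitor/open_gate","ip":"192.0.2.55","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)","referer":"https://pass.gatewise.com/","body":{"token":"tok-B","access_point_id":1234}}
{"ts":"2024-05-01T09:21:00Z","path":"/api/v1/visitor/me","ip":"192.0.2.55","ua":"Mozilla/5.0 (iPhone; CPU iPhone OS 17_0)","referer":"https://pass.gatewise.com/","body":{}}
"""


def parse_lines(text):
    """Yield one record per non-empty JSON line."""
    for line in text.splitlines():
        if line.strip():
            yield json.loads(line)


def summarise(text, max_ips=1):
    """Group open_gate calls by link token and flag tokens that were used
    off-page (no portal Referer) or from more client IPs than expected."""
    per_token = defaultdict(lambda: {"ips": set(), "uas": set(), "offpage": 0, "total": 0})
    for rec in parse_lines(text):
        if rec.get("path") != OPEN_GATE:
            continue
        s = per_token[rec["body"]["token"]]
        s["total"] += 1
        s["ips"].add(rec["ip"])
        s["uas"].add(rec["ua"])
        if not rec.get("referer", "").startswith(PORTAL):
            s["offpage"] += 1
    return {
        tok: {
            "total": s["total"],
            "distinct_ips": len(s["ips"]),
            "distinct_uas": len(s["uas"]),
            "offpage": s["offpage"],
            "flag": s["offpage"] > 0 or len(s["ips"]) > max_ips,
        }
        for tok, s in per_token.items()
    }


if __name__ == "__main__":
    for tok, report in summarise(SAMPLE_LOG).items():
        print(tok, report)
```

A flagged token is a reason to rotate that link, not proof of misuse: the same resident on Wi-Fi and then on mobile data also shows up as two IPs.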

There were several pieces of this project I had very little experience in.  I mentioned the places where I needed to stop and learn more to make a point.  It's O.K. not to know something.  Part of hacking is learning.  Stop and learn what you can.

Don't just copy-and-paste or you'll have no ability to troubleshoot when something doesn't work right.  Know that a solution exists, then hack until you can bring it together.

  1. gatewise.com/privacy-policy
  2. portswigger.net/burp
  3. termux.dev
  4. f-droid.org
  5. github.com/termux/termux-widget