Can Hackers Revive the Deceased Jooki Device?

Abandoned Smart Device: Jooki, a Screen-Free Audio Player Designed for Children, Left Unsupported by Creators.

Abandoned Audio Player: Jooki, the screen-free device for children's entertainment through music and stories, joins the list of discontinued internet-connected gadgets created by its developers.

Alright, here's the scoop on Jooki, that abandoned screen-free audio player for kids. It lets the little ones rock out or listen to stories by putting tokens on top of it, all programmed by the parents through an app. Sadly, the company went belly up, shutting down their servers in the process.

Enter [nuit], a security researcher on a mission to poke around the device's innards. They've found some tasty vulnerabilities in the Jooki's firmware, hoping it'll inspire others to join in. Although it's not enough to restore full function right now, there are tantalizing leads.

Per usual, the device runs some stripped-down version of Linux. [nuit] walks through the partitions and snoops around the filesystem, setting the stage for future exploits. It's also worth noting how over-the-air (OTA) updates were supposed to work, which could become vital when the community cooks up a new firmware.

But let's get to the fun stuff. When Jooki starts up, it exposes an HTTP API on the local network. There are a few promising endpoints that allow control of the device, but the really exciting bit is a built-in backdoor – practically a ticket to ride with root-level permissions! It's just mind-boggling to find a commercial product with such a gaping security flaw.

Wait, there's more! The Jooki employs a heartbeat script, attempting to check in with the server on the regular. If the server's down, a hacky secondary OTA mechanism kicks in, executing commands sent back as root.

Now, any self-respecting penguin wrangler knows that root access is like the golden ticket. It's not long before an SSH server is up and running, giving you an interactive login to the speaker's operating system. As [nuit] points out, anyone who snaps up the Jooki domain name could potentially take root control of every speaker out in the wild.
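The missing control in the heartbeat path described above is that the reply is trusted because of where it came from, so whoever answers for the domain gets root. As an added example (not code from the Jooki firmware or from [nuit]'s write-up), here is a device-side handler that authenticates the reply, rejects replays and maps it onto a fixed allow-list instead of running it. The key, field names and action names are assumptions, and HMAC stands in for the asymmetric signature a product should use so that firmware holds only a public key.

```python
import hashlib
import hmac
import json

# Assumption: per-device secret provisioned at manufacture (constructed value).
DEVICE_KEY = b"constructed-demo-key"
# Assumption: the only actions a heartbeat reply may trigger; no free-form shell.
ALLOWED_ACTIONS = {"noop", "fetch_update", "rotate_logs"}


def sign(body: bytes, key: bytes = DEVICE_KEY) -> str:
    """Server side: MAC over the exact bytes of the reply."""
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def handle_heartbeat_reply(body: bytes, mac_hex: str, last_counter: int):
    """Device side: return (action, counter), or raise ValueError to reject."""
    # 1. Authenticate before parsing, so unauthenticated bytes never reach
    #    the JSON parser, let alone a shell. Constant-time comparison.
    if not hmac.compare_digest(sign(body).encode(), mac_hex.encode()):
        raise ValueError("bad MAC")
    try:
        msg = json.loads(body)
    except ValueError as exc:
        raise ValueError("malformed reply") from exc
    if not isinstance(msg, dict):
        raise ValueError("malformed reply")
    # 2. Reject replays: the counter must move strictly forward.
    counter = msg.get("counter")
    if isinstance(counter, bool) or not isinstance(counter, int):
        raise ValueError("malformed counter")
    if counter <= last_counter:
        raise ValueError("stale or replayed reply")
    # 3. The reply selects a named action; it never carries a command line.
    action = msg.get("action")
    if not isinstance(action, str) or action not in ALLOWED_ACTIONS:
        raise ValueError("action not allowed")
    return action, counter
```

With this shape, controlling the domain name alone is not enough to make a device act: the reply also has to verify against key material the device already holds.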

Long story short, getting root access on a Jooki speaker is like falling off a log. The next challenge is figuring out how to make these speakers sing and tell stories again. Recent projects have tackled similar abandoned devices, so maybe we're not far from a comparable solution for the Jooki. So, grab your hacking tools and dive in!

  1. The Jooki device runs a stripped-down version of Linux, and researcher [nuit] found a significant security flaw in it, which offers an opportunity for further exploits.
  2. The backdoor discovered in the Jooki gives root-level permissions, enough to bring up an SSH server. Anyone who controls the Jooki domain name could potentially take control of every speaker in the wild. Root access also paves the way for a potential restoration of functionality.
