I'm surprised you let your washing machine into your network. I now get the appeal of just an alert the washing machine is done. But I could not for the life of me allow any of these kinds of devices onto my home network. Even in isolation...
Respect, but this is kinda the hard way - I just plugged mine (dumb machine, not smart) in via an energy metering plug, and when energy use drops to less than 10W for more than 2 minutes, it’s done - very simple homeassistant automation. Convenient for me as the machine is 500m from the house.
Unless you are using a rooted Android, putting your own certificates on your phone is annoying. They need to be in the system certificate store which is, as far as I know, only possible with a Magisk module.
An easier way is to run an Android virtual device with an older Android version on your computer. You can then use some scripts to add the certificates and proxy the traffic to Burpsuite or mitmproxy. That way you also don't have to switch devices.
It would also be interesting to use APKLab or Jadx to look at the code of the app. Maybe you can find the key derivation algorithm. The app and the washing machine must somehow generate keys or have pre-shared secrets.
If I understand correctly, the app only works if both devices are in the same network? I like that
I did something with my Bosch washing machine (not like the OP). My washing machine is at the other end of the house from my home office. Sometimes I would put a load of washing on, and despite setting an alarm, might forget (perhaps I am in an important meeting etc).
So I decided to solve it.
Using the Bosch API - I can tell both when a cycle is complete, and if the door is open. Currently I use their default version, but there is a local hosted option I'll be switching too now the proof of concept works.
So using Home Assistant I have a simple script that detects when a washing machine cycle is complete AND the door has NOT been opened. This implies my washing machine has wet clothes still in it.
So Home Assistant will alert my phone (and my wife only if she is home based upon presence detection) once every 15mins that there are wet clothes waiting in the washing machine.
If you like these kind of posts, maybe you should go to https://hackaday.com/ it is all articles like this every day, though usually more on the hardware side.
The washing machine REALLY liked talking to... itself? I don't think whoever engineered their networking stack knew what a loopback interface was, because it was sending a lot of traffic from itself to its own IP address. I didn't think this was relevant, so I ignored it. It really liked sending traffic to 255.255.255.255 every second, for some reason. Again, ignored
Are those gratuitous ARPs? This is a common behaviour.
Possibly, I completely forget ARP exists most of the time. I didn't pay much mind to it anyway, I was too bemused at the constant requests from/to its own IP rather than using loopback
I have a magnetic Zigbee vibration sensor on my washer and dryer connected to Home Assistant. I hadn't thought of monitoring smart outlet current/voltage instead, that's a good idea too.
> when your "three hour" (usually like 4-5 hours) load finishes
What kind of laundry cycles are we running here?
My machine finishes a normal "eco" cycle in <30 minutes. It also beeps really loudly when it's done. The combination of quick cycles and simple notification signal keeps me out of the weird tech solutions rabbit hole.
the "cotton" (delicates) program on this machine is a 3hr 4min program by its own preset, so usually stuff like bedding or softer clothing, or generally just things that I want to be washed same-day (that also won't survive one of the more rapid washes, or just requires an actual thorough wash) because it'll prevent me doing something otherwise. Issue is the machine is constantly recalculating how much time is left, seemingly based on stuff like the temperature or weight of the load or something like that, so when it starts on 3 hours, it can be four hours until it's done in 30 minutes, and then it sits on the last 5 minutes for over 45 minutes. I've waited six hours for my bedsheets, a blanket, and some pillowcases to wash before! It truly is one of the washing machines of all time.
Im hacking my fridge, its not software but a hardware hack, its an expensive motorhome fridge, runs on gas, 12vd, and 220v, it had an internal fire on the electronic controller, so it fried the cables and internals but the fridge is still more or less ok. the idea, is to rather than buying a new control board (250usd) which would need extensive work to refit as all plugs cables are shot, to replace this with a new system that i basically cobble together out of parts from an old gas boiler, so the gas boiler has all the parts on the motherboard to make the spark generator, for the gas burner, then all i need is the logic and safety, and i might be able to have it run on gas only with some different logic and control, it saves me a new fridge, and its a fun project to show my 9 year old boy about electronic engineering. I know its not a job for everyone as there is gas involved etc. but normally I get a lot of resistance on my similar hacks but when there finished the blowback normally dies down. It's a fun job, if anyone is interested in hearing how it will go, let me know and ill consider making a full post about it.
I started "hacking" my propane grill (OK just trying to cludge some repairs) and decided after a few hours that I am not confident enough in my own work to muck with anything around flammable fuel.
Hmm, I don't see any encryption. In the first screenshot 'cyberchef.avif' in the 'input window, the data is just unencrypted hex ASCII. I can fairly easily read the hex: even judging only from the first byte 7D, it is most probably JSON:
7D = {
0D0A = CRLF
09 = TAB
22 = "
73 = s
74 = t
61 = a
74 = t
75 = u
73 = s
4C = L
74 = a
....
So that is just the 'decoded' text. Where's the mentioned XOR encryption?
Also, the 'key' in the second screen shot is a nibble (=one hex character) out of alignment of the listed bytes. It also is not cut from the gap that is in the input text now, as suggested by the visual presentation: the 'key' is 'D0A097D0D0A7D' which is 13 hex digits, and again, a nibble out of byte alignment. It looks like a 0 must have preceeded to make it '0D0A09...' = CRLF TAB, and it total that's 'CRLF TAB { CRLF {'. But the gap was originally '24F70...', which, aligned to bytes, was '224F70...' = '"Op...'
So, the screen shots appear to be bogus or fake or edited.
Sorry about that, the screenshots were taken after I'd already done everything and was writing up the blog, since I didn't have the original data to hand. I forgot to include this in the post, but at some point after rebooting the washing machine (I still can't get over how insane that sounds) while writing my notification script, the machine started returning unencrypted yet still encoded data, which is why in the script's poll loop attempts to deserialize the bytes as JSON first, only on failure trying to run it through decryption.
Sometimes it's returning encrypted data, sometimes it isn't, and sometimes it's just spitting actual garbage down the wire. I did also modify the screenshots to blank out some bytes, but you can probably see where that is. None of this was faked, it's just an incredibly dumb smart appliance.
If I can capture it sending encrypted data again, I'll update the post with corrected screenshots.
First up: this isn't criticism of the original post in the slightest, it's a wonderful journey through figuring out how a weird device that wants to be on your wifi works.
If you have a device that speaks to an Android app, you want https://github.com/niklashigi/apk-mitm - it'll strip pretty much every known certificate pinning implementation from an apk, and it'll also rewrite the manifest so it'll trust the user-installed certs without having to root your device to modify the system store. Uninstall the original app, sideload the output of apk-mitm, and then you can use mitmproxy on a stock device.
The other thing is that if a device is providing encrypted data to an app, and the app is displaying the decrypted data, then the app inherently either contains the decryption key somewhere or downloads it from somewhere. https://github.com/skylot/jadx will turn an apk into something that approximates Java, and digging through that will often let you figure out what the key is. But some vendors will decide that the appropriate way to handle this is to kick the cryptography out to native code, at which point you're into having to RE something in Ghidra. Depending on your mindset this is either incredibly tedious or incredibly fun, but it's generally possible.
The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up. It's worth spending time trying to figure out how code running on a device you own works, and even if you don't succeed in the end you're probably going to learn a lot in the process.
not to overshadow apk-mitm, but i find PCAPdroid and its MITM plugin (which uses mitmproxy under the hood!) to be convenient, if you want to look at things on the device.
"The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up." If I couldn't strike lucky with an xor brute force, my next plan of attack was to start poking at whatever android app they had. It was only because my friend happened to find that someone else had already done it on github that I managed to take the shortcut. If we hadn't found that github I'd probably have a far more detailed writeup so that other people could follow on with their own appliance, if they happen to have the same/a similar one.
+1 on this... I was actually surprised this wasn't one of the earlier efforts, as to me it would have been one of the first things I tried. Given the webview aspects of the app, I wouldn't be surprised if it was using something webcrypto was capable of int he app ui, with the key relatively obvious to yank out.
I'm a big fan of using web rendering for UI apps, but most devs are less interested in how to implement real security. Or add theatrical additions that just don't work with reality.
31 comments
[ 2.6 ms ] story [ 54.3 ms ] threadJust plug the washing machine into a smartplug and alert when power draw drops to idle for more than X minutes.
An easier way is to run an Android virtual device with an older Android version on your computer. You can then use some scripts to add the certificates and proxy the traffic to Burpsuite or mitmproxy. That way you also don't have to switch devices.
It would also be interesting to use APKLab or Jadx to look at the code of the app. Maybe you can find the key derivation algorithm. The app and the washing machine must somehow generate keys or have pre-shared secrets.
If I understand correctly, the app only works if both devices are in the same network? I like that
So I decided to solve it.
Using the Bosch API - I can tell both when a cycle is complete, and if the door is open. Currently I use their default version, but there is a local hosted option I'll be switching too now the proof of concept works.
So using Home Assistant I have a simple script that detects when a washing machine cycle is complete AND the door has NOT been opened. This implies my washing machine has wet clothes still in it.
So Home Assistant will alert my phone (and my wife only if she is home based upon presence detection) once every 15mins that there are wet clothes waiting in the washing machine.
Very simple - works perfectly.
Here is one in the same vein: https://hackaday.com/2023/04/15/internet-of-washing-machines... => https://tratt.net/laurie/blog/2023/displaying_my_washing_mac...
Otherwise, you would need some MitM style attack?
Anybody interested in this write up? Might even include a "Office Space"-esque montage of the smart module destruction.
Are those gratuitous ARPs? This is a common behaviour.
What kind of laundry cycles are we running here?
My machine finishes a normal "eco" cycle in <30 minutes. It also beeps really loudly when it's done. The combination of quick cycles and simple notification signal keeps me out of the weird tech solutions rabbit hole.
Also, the 'key' in the second screen shot is a nibble (=one hex character) out of alignment of the listed bytes. It also is not cut from the gap that is in the input text now, as suggested by the visual presentation: the 'key' is 'D0A097D0D0A7D' which is 13 hex digits, and again, a nibble out of byte alignment. It looks like a 0 must have preceeded to make it '0D0A09...' = CRLF TAB, and it total that's 'CRLF TAB { CRLF {'. But the gap was originally '24F70...', which, aligned to bytes, was '224F70...' = '"Op...'
So, the screen shots appear to be bogus or fake or edited.
Why? What's going on here?
If you have a device that speaks to an Android app, you want https://github.com/niklashigi/apk-mitm - it'll strip pretty much every known certificate pinning implementation from an apk, and it'll also rewrite the manifest so it'll trust the user-installed certs without having to root your device to modify the system store. Uninstall the original app, sideload the output of apk-mitm, and then you can use mitmproxy on a stock device.
The other thing is that if a device is providing encrypted data to an app, and the app is displaying the decrypted data, then the app inherently either contains the decryption key somewhere or downloads it from somewhere. https://github.com/skylot/jadx will turn an apk into something that approximates Java, and digging through that will often let you figure out what the key is. But some vendors will decide that the appropriate way to handle this is to kick the cryptography out to native code, at which point you're into having to RE something in Ghidra. Depending on your mindset this is either incredibly tedious or incredibly fun, but it's generally possible.
The author was able to build on top of work that had been done by others, but if you're ever faced with a situation where nobody else has done that work, don't just give up. It's worth spending time trying to figure out how code running on a device you own works, and even if you don't succeed in the end you're probably going to learn a lot in the process.
I'm a big fan of using web rendering for UI apps, but most devs are less interested in how to implement real security. Or add theatrical additions that just don't work with reality.
Specifically this element:
<a href="https://nexy.blog/2025/07/27/how-i-hacked-my-washing-machine..." class="hoverZoomLink"><img alt="CyberChef decrypting the washing machine's response" src="https://nexy.blog/0006-How-I-hacked-my-washing-machine/cyber...
I feel like that's true for every washing machine that has ever existed