14 comments

[ 2.6 ms ] story [ 28.0 ms ] thread
Howdy.

Back in 2019 I reverse engineered the lyft bikes api to unlock them from my bed. It's one of my favorite stories, and after telling it dozens of times I finally decided to write it up in its full technical glory.

I used to love learning about security through blog posts/writeups, so I tried to include as much detail as possible. Let me know if you like this style!

You never know with corporations. Consequences range from "federal pound-in-the-ass prison" or "here is $500".
> pound-in-the-ass prison

Care to explain your use of this term?

You'd generally expect a company like Lyft to pin its certificates, so it's notable that they don't. Any ideas as to why?
> Geofence bypass: As far as I understand, there's no easy way to enforce a geofence server-side other than timing, consistency, etc. You sort of just have to trust whatever the phone tells you.

There's no fool proof method but you can make it very hard and impractical.

Both Apple and Google offer attestation mechanisms to confirm the integrity of the App and Device Environment that it's running on. This ensures that the API requests are coming from an attested device.

To mitigate the MITM attack you can use TLS Certificate pinning on sensitive API requests.

You could have the server side API provide a session specific signing token that the App uses to sign payloads attached to API calls.

funny thing, that: https://www.gfaker.com/

Apparently you can get dongles for iPhones to do GPS spoofing, because apparently(?) iOS can take an external GPS source(?!?).

you've unlocked hundreds of bikes under your account. That would mean you've reserved the bike and therefore have to pay for damage/loss of property?
(comment deleted)
I used Charles to help me get endpoints for controlling my automatic cat toilet. The Chinese based iOS app was horrible to use and who knows what data it collected.

After getting the endpoints, I was able to plug it directly into Home assistant.

> cat toilet..... iOS app....data

I'd like to think this is a satire of the Internet of Shit^H^H^H^H Things. But I doubt it.

Most amazing tech blog I’ve read this week. What a great read!