Update July 2023
I wrote this original post over 3 years ago. Someone recently reached out saying the garbage AeroGarden app has been taken down from the Play Store. I checked, and indeed the old AWS instance that hosted the API (which this redesign used) is no longer running. I’m not sure if MiracleGro is developing/have developed a new app and API, but I hope it’s more secure than what they cobbled together before.
Since nothing seems live anymore I’ve posted the entire project:
https://git.quinncasey.com/qcasey/aerogarden
I’m too busy right now to make updates but I’m still embarrassed by some of the code.
Although I’m not as embarrassed as some of the original devs should be: the old app’s security was abysmal. I considered sharing this information with the directors at Aerogarden but got scared off when I googled the definition of hacking in the US.
Statute of limitations? I’m not sure. I’m not a lawyer. Here’s the letter I was about to send to the directors which explains the situation (pasted below).
The gist is the old API was unauthenticated and the gardens were controlled by a sequential id number. Any idiot (including yours truly) could write a script that pulls user data (user images, titles, IP addresses, email), creates a list of all connected Aerogardens, and can control them en masse.
There wasn’t even a rate limit!
After that discovery I ripped the brains out of my $300 Aerogarden Bounty, replacing it with a water pump and grow light both hooked up to smart switches. I wouldn’t touch anything coming from Aerogarden in the future.
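The two missing controls described above (no caller authentication, and authorization based on nothing but a sequential garden id) are easy to see side by side. This is an added example, not AeroGarden's API or the redesign's code: a constructed in-memory handler in its vulnerable form next to a hardened one that authenticates the caller, rate-limits per user, and checks that the garden belongs to that user. The record schema, garden ids, owners and session-token scheme are all assumptions.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Constructed in-memory records: garden id -> record (assumed schema).
GARDENS = {
    21654: {"owner": "alice", "name": "Bedroom Garden", "light_on": True},
    21699: {"owner": "bob", "name": "Farm 1", "light_on": False},
}
SESSIONS = {secrets.token_hex(16): "alice"}  # constructed session tokens
_HITS = defaultdict(deque)  # per-user request timestamps for rate limiting

def insecure_set_light(garden_id, light_on):
    """The flaw described above: the sequential garden id is the only
    input, so any caller can write to any garden."""
    GARDENS[garden_id]["light_on"] = light_on
    return 200

def _user_for_token(token):
    """Resolve a session token to a user with a constant-time comparison."""
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token or ""):
            return user
    return None

def _rate_limited(user, limit=30, window=60.0, now=None):
    """Sliding window: at most `limit` requests per `window` seconds per user."""
    now = time.monotonic() if now is None else now
    hits = _HITS[user]
    while hits and now - hits[0] > window:
        hits.popleft()
    if len(hits) >= limit:
        return True
    hits.append(now)
    return False

def secure_set_light(garden_id, light_on, token, now=None):
    """Hardened handler: authenticate, rate-limit, then check ownership."""
    user = _user_for_token(token)
    if user is None:
        return 401
    if _rate_limited(user, now=now):
        return 429
    record = GARDENS.get(garden_id)
    if record is None or record["owner"] != user:
        return 404  # same answer for "missing" and "not yours": no id oracle
    record["light_on"] = light_on
    return 200
```

Rate-limiting before the ownership check means guessed ids count against the caller's budget, and returning 404 for both unknown and foreign ids keeps the id space from being walked.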
Unsent Letter
Quinn’s Note: please remember this was written by a 22 year old. My grammer is margenaly better nw.
Dear Grey Gibbs,
grey@aerogrow.com, (303) 444-7755
CC: mike@aerogrow.com, john@aerogrow.com, chris@aerogrow.com, david@aerogrow.com, cory@aerogrow.com, patti@aerogrow.com
My name is Quinn Casey - I’m a Software Developer from Irvine, California. I’ve been working on my modern implementation of the AeroGarden mobile App for personal use. This App, written in React Native, would be easily portable to both Android and iOS - and I’m pleased to announce I’ve made good progress! Screenshots attached.
Unfortunately, I write this email to you as a warning that your software systems, used by the WiFi models / published mobile app, are extremely insecure. You published an update in December that obfuscates this problem, but does not solve the root cause.
When reverse engineering the API for my own App, I was able to access the Garden records for all registered 26853 users. Any person with this information has both read and write control of all user gardens. Here’s a breakdown of what I found:
Original # of requests: 38408
Non-Zero requests (total registered users): 26853
Rough Total Gross (assuming bounty @ $290): $7,518,840
Active users (garden online in last 2 weeks): 11854
Top User: #21699 (22 gardens, @ IP Address: 172.31.13.136)
Some of their images:
“Bounty 1”: http://54.86.39.88:8000/Upload/Device/device1549984457.jpg
“Farm 1”: http://54.86.39.88:8000/Upload/Device/device1559237246.jpg
“Farm 2”: http://54.86.39.88:8000/Upload/Device/device1559237332.jpg
“Farm 3”: http://54.86.39.88:8000/Upload/Device/device1550940997.jpg
“Harvest 2”: http://54.86.39.88:8000/Upload/Device/device1559996717.jpg
The person spending $7500 on AeroGardens has a very pragmatic naming scheme, there are more creative ones like “primeraerogarden” (34015), “Weed Plant” (18741), and “dickhead” (20743).
Reading these values is just good fun, but a major problem arises because the API does not require authentication to write requests. Any bad actor with a user’s ID (keeping in mind, it’s a sequential number from 0 to ~38408) can control that user’s garden.
For example, if we wanted to toggle the lights of “Matt’s Bedroom Garden” (21654), we just make this POST request at 2AM:
Since I’m making my own App, I’m obviously a rabid AeroGarden user myself. This problem ranges from mildly annoying to severely annoying. Anybody can turn my nutrient reminder to 9999 days, set my garden’s image to pornography or gore, continuously reset my garden’s time (denying the garden any light, killing the plants). Worse yet, this can be done on a massive scale, affecting almost 12 thousand users at the same time.
I say again: this data is sitting unencrypted on an outdated server in Shenzhen, CN. This problem is caused by either being too cheap or too ignorant to pay for quality software. This is bad for my $300 garden, and this is bad for the AeroGarden / MiracleGro brand.
Part 6 of your code of ethics (https://s3.amazonaws.com/b2icontent.irpass.cc/1354/177317.pdf) details the board’s “…obligation of Covered Parties to protect the Company’s assets … includes intellectual property such as trade secrets, … designs, databases, records, salary information and any unpublished financial data and reports.”. I count several unprotected assets, and humbly urge you to make adjustments.
My background is in software development; I’ve been working with web infrastructure for over 4 years and with Unix systems for over 6. I have both fears and solutions for this problem, among others. I ask you fix this either with my help or without it, because it’s a major betrayal of your users’ trust.
I attached a link to all 26853 responses to see for yourself. Please feel free to reach out with any questions.
Sincerely,
Quinn Casey https://quinncasey.com