Reverse engineering a smart electricity meter app,
and using Apple Shortcuts to geo-automate the supply.
So my apartment has a prepaid electricity meter: you load up some money, the meter deducts the day's electricity cost at the end of the day, and the balance is updated in the app.
The app also has a feature to turn off the electricity supply. Which is… interesting. I really wanted to reverse engineer and pentest the app for vulns, so one fine weekend I decided to do just that.
Found some major-major privacy gaps (the bearer token isn't validated when fetching my neighbour's meter details 💀), which can be another blog post in itself once they patch it.
For now we'll be focusing on the turning-off-the-supply part.
I used Burp Suite, Frida and BlueStacks to intercept the API requests, as demonstrated in detail in a previous blog post.
The major steps remain the same:
Set up the Burp Suite proxy.
Connect to the Burp proxy using any VPN app.
Use Xposed to install the Frida framework on the device.
Install the Burp CA certificate.
Install the target app and turn on Intercept to see the intercepted requests.
This gave me the API endpoints that are called when the user hits the “turn meter off” button.
Now my idea was to use the Apple Shortcuts app to simulate this request, but it doesn't allow me to put body data or auth tokens in the request. It just has a feature to call a URL with some parameters in it.
So to simulate the request I created a serverless function on Deno Deploy (I tested Cloudflare Workers as well, but it mysteriously refused to work there).
After making two endpoints for the ON and OFF functionality, I created a new HTTP shortcut in the iOS Shortcuts app to trigger one of the endpoints whenever I leave or enter my apartment, based on my geolocation.
It works like a charm 80% of the time, minus some random GPS fuckups and misfires. There seems to be a cooldown of about 5 minutes between the ON and OFF states to prevent abuse.
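To make the serverless-relay idea concrete, here is an added example of the kind of function that sits between the Shortcut and the meter API. This is not the code I actually deployed; the meter API URL, the JSON body shape and the token are placeholders standing in for whatever you captured in Burp. Two things matter from a security standpoint: the function holds your bearer token and is reachable from the whole internet, so it needs its own secret (compared in constant time) or anyone who finds the URL can cut your power; and because the Shortcut fires on every geofence flap, the function debounces toggles with a local cooldown so GPS misfires don't hammer the meter backend (which seems to enforce a cooldown of its own anyway). The handler is built with injectable fetch and clock so it can be exercised offline.

```javascript
// Added example, not the author's deployed code. A Deno Deploy style handler
// that fronts the meter API so an iOS Shortcut, which can only hit a URL,
// can trigger the real ON/OFF request with the proper body and bearer token.
// Upstream URL, body shape and token are hypothetical placeholders.

const CONFIG = {
  // Upstream endpoint and body shape are assumed; use what Burp captured.
  meterApi: "https://meter.example.invalid/api/v1/supply",
  meterToken: "REPLACE_WITH_CAPTURED_BEARER_TOKEN",
  // Separate secret for the Shortcut itself: the function is on the public
  // internet, so without this anyone who learns the URL could cut the power.
  shortcutSecret: "REPLACE_WITH_LONG_RANDOM_SECRET",
  // Minimum gap between two toggles, to absorb GPS misfires. The meter
  // backend also appears to enforce roughly a 5 minute cooldown.
  cooldownMs: 5 * 60 * 1000,
};

// Constant-time string comparison so a remote attacker cannot time their way
// through the secret character by character. Prefer crypto.timingSafeEqual
// where it is available; this hand-rolled version keeps the example dependency-free.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Build the request handler with injectable fetch and clock so it can be
// unit-tested without network access. Deno.serve() gets the result in production.
function makeHandler({ config = CONFIG, fetchImpl = fetch, now = Date.now } = {}) {
  let lastToggleAt = 0;

  return async function handler(req) {
    const url = new URL(req.url);
    const action = url.pathname.replace(/^\//, ""); // expected: "on" or "off"

    // Authenticate the Shortcut before doing anything else.
    if (!safeEqual(url.searchParams.get("key") ?? "", config.shortcutSecret)) {
      return new Response("forbidden", { status: 403 });
    }
    if (action !== "on" && action !== "off") {
      return new Response("unknown action", { status: 404 });
    }
    // Debounce: a geofence that flaps on and off should not relay every flap.
    const t = now();
    if (t - lastToggleAt < config.cooldownMs) {
      return new Response("cooling down", { status: 429 });
    }

    // Replay the captured request with the real headers and JSON body.
    const upstream = await fetchImpl(config.meterApi, {
      method: "POST",
      headers: {
        "Authorization": `Bearer ${config.meterToken}`,
        "Content-Type": "application/json",
      },
      // Hypothetical body; substitute the fields the app actually sends.
      body: JSON.stringify({ supply: action === "on" ? "ON" : "OFF" }),
    });
    if (!upstream.ok) {
      return new Response(`meter api returned ${upstream.status}`, { status: 502 });
    }
    lastToggleAt = t;
    return new Response(`supply ${action}`, { status: 200 });
  };
}

// Deno Deploy entry point; skipped when the module is loaded under Node.
if (typeof Deno !== "undefined" && Deno.serve) {
  Deno.serve(makeHandler());
}
```

The Shortcut then only needs "Get Contents of URL" pointed at something like `https://<your-app>.deno.dev/off?key=<shortcutSecret>`. The secret travels in the query string because that is all the Shortcut can set, so treat the function's access logs as sensitive, and remember that the relay's in-memory cooldown resets whenever the isolate is recycled, so it is a courtesy to the meter backend rather than a hard guarantee.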