Owl Intuition Insecure API
January 1, 2017 — 0:05

A year or so ago I bought an electricity monitor from OWL, the single phase monitor with network connectivity called the intuition-e. Part of the appeal of this was that it sent out multicast messages on your home network which allowed you to capture and use this data however you wished. It had always been in the back of my mind that if you buy a network attached device you are at the mercy of that company continuing to provide the server for remote access. With the OWL, even if they completely shut down you could still get some use out of it even if you needed to add some extra hardware.

I moved house a couple of months ago and never unpacked the monitor until a few days ago. I had just been using an OWL Micro+ display previously but was now interested in getting the usage data onto my phone in the form of a homescreen widget. As it turns out my current router (Sky Q hub) blocks multicast messages, at least between wired and wireless devices, but the OWL also has the option to send UDP packets to a specific IP/port which wouldn’t be blocked. Using a combination of Tasker and Minimalistic Text Widgets i succeeded in getting my widget working but that is for another post.

This method only worked while i was connected to my home network so i wanted a way of accessing the data from any location, so direct from the OWL servers. To start with, as i was looking to display info on my phone, I had a look at the OWL Intuition app. Using the Packet Capture app i was able to discover an api address being used:

http://beta.owlintuition.com/api/electricity/history_overview.php?user=<username>&nowl=<network_owl_id>&clientdate=<date>

Similar addresses are available at:

http://beta.owlintuition.com/api/3phase/history_overview.php and http://beta.owlintuition.com/api/solar/history_overview.php

It didn’t take long to find the base mac address for OWLs parent company which confirmed the owl id was just the mac address.

A couple of things struck me as odd. Firstly, no https connection. Secondly, there is no api key like you might expect. My assumption was that were probably sending some custom headers or user agent string in the request, I opened the link in a browser, it displayed fine. Next guess, they are performing a lookup between username and mac address before returning data. I changed the username to random text – data returned fine. I tried a couple of random mac addresses and sure enough I got a hit on some valid data. That shouldn’t happen!

Curiosity got the better of me and I wrote some php to to loop through a number (256) of mac address and print the result.

<?php
for ($x = 0; $x < 256; $x++) {
$hex = str_pad(dechex($x), 2, ‘0’, STR_PAD_LEFT);
$url = “http://beta.owlintuition.com/api/electricity/history_overview.php?user=test&nowl=<base_mac_address>”.$hex.”&clientdate=2016-12-30″;
echo file_get_contents($url).” <br>”;
}
?>

Surely the server will reject so many consecutive requests? Nope: dump. 256 lines returned, 122 of which contain valid data. The others either invalid mac addresses or haven’t been operational for the last while.

I’m going to have a further poke around but i thought it was interesting enough share now.

Happy New Year!