SwitchBoard
SwitchBoard is a Node.js-based application intended to run on a device within a local network, preferably a dedicated server (such as a Raspberry Pi). It allows all web-capable devices within that same network to issue commands to any other configured device. You may use your phone, tablet, desktop or laptop browser to interact with any controllable device, or issue simple GET commands programmatically.
Video demonstration:
Or you may browse through a static version: http://imbrianj.github.io/switchBoard/
### Easy

```
npm install -g git+https://github.com/imbrianj/switchBoard.git
switchBoard -c yournewconfigfile
```

http://192.168.2.13:8080/

(Remember to bookmark)

### Advanced

Download the source, then edit config/config.js to reflect your node server IP, desired port to hit when you visit the remote and web MAC address of the server (used for authenticating against Samsung TVs). If you don't have a specific device, just comment out or remove the configuration for it. If you do have a device you'd like to control, just populate the given fields; they should all be pretty obvious in their use. Run `node app.js`, then visit your node page. Run a command from the remote and Allow access on your TV.

Name | Status | Notes |
---|---|---|
ActiveBuilding | Stable | Checks for arrived packages to be picked up from your concierge |
Belkin Wemo | Stable | |
Client MP3 | Stable | Sends an mp3 playback command to all Websocket connected clients |
Client Notify | Stable | Sends a Desktop Notification to all Websocket connected clients |
Client Speech | Stable | Sends text to be speech synthesized to all Websocket connected clients |
Client Vibrate | Testing | Sends a command to vibrate all Websocket connected clients (phones, tablets, etc) |
Debug | Stable | Display basic system information (memory, cpu, uptime) |
Denon | Stable | New controller and still in testing |
Foscam | Stable | Works with FI8910W (if you have another version that this does not work with, let me know and I can add support). Arm, Disarm, Go to presets, etc. INSECURE Exposes camera credentials to users |
Gerty | Stable | A simple interface for all devices that reacts to natural inputs. |
GitHub | Testing | Poll for commits to a given repository. For Switchboard, can tell you if you should update. |
LG TVs | Development | Still need work on authentication |
Location | Stable | Uses switchboard-phpServer and Tasker to track your GPS position |
MP3 | Stable | Works on *nix with mpg123 or OSX with afplay. Win not supported |
Nest | Stable | Works with Nest thermostat and Protect smoke / CO detectors |
Panasonic | Stable | Text input and basic controls |
Pioneer | Testing | Reportedly works, but unable to test |
PS3 | Stable | Uses GIMX to emulate PS3 controller (see below). OSX not supported |
Pushover | Stable | Requires purchased app and token / user key |
Raspberry Remote | Stable | Uses Raspberry Remote to control lighting. Only Linux is supported |
Roku | Stable | Launch apps directly, text input and basic controls |
RSS | Stable | Simple RSS and Atom reader |
Samsung SmartTV | Stable | Text input and basic controls |
SmartThings | Stable | Control devices and monitor real-time states. Requires companion app |
SMS | Stable | Uses Twilio. Requires ID and token |
Speech | Stable | Uses espeak for *nix, say on OSX. Win not supported |
Sports | Testing | Pull sports scores from ESPN (please don't hammer this endpoint) |
Stocks | Stable | Uses Yahoo Finance |
Traffic Cams | Stable | View multiple traffic webcams |
Travis CI | Stable | |
Twitter | Development | Present mentions of your Twitter handle |
Weather | Stable | Uses Yahoo Weather |
Website | Testing | Simple controller to load an external site as an iframe |
XBMC | Stable | Basic controls work |
I'm always looking to add devices and services. Even if you're not a developer, you can help by testing, doing documentation, translating or even just expressing interest in something to help guide the effort. Join ##switchboard on irc.freenode.net if you'd like to reach out. If you work for a device manufacturer, let me know if I can beg, borrow or steal a device from you to integrate!

Overview: You'll need to have your SwitchBoard device (computer, Raspberry Pi, etc.) pretend to be a PS3 controller (aka Sixaxis Controller) that communicates with the PS3 via Bluetooth.

```
# Make sure your Raspberry Pi is up to date
cd switchBoard && npm update && sudo apt-get update && sudo apt-get --yes dist-upgrade && sudo apt-get clean all && sudo updatedb && reboot

# Install gimx
wget https://github.com/matlo/GIMX/releases/download/v3.2/gimx_3.2-1_armhf.deb && sudo dpkg -i gimx_3.2-1_armhf.deb

sixaddr
Current Bluetooth master: 90:34:FC:F7:75:E3          # your PS3's Bluetooth address; set this as the MAC address of your PS3 within config/config.js, and remember to enable the device as well
Current Bluetooth Device Address: 04:98:F3:0C:FA:6B  # save for later; you can disconnect the PS3 controller now

# With your dongle plugged in, this should reveal the active dongle
hciconfig -a
hci0: Type: BR/EDR Bus: USB Etc.

# Use the integer (in our case 0) from the hci0 output above to set the MAC address
# of your dongle to that of the Sixaxis you saved earlier
bdaddr -r -i hci0 04:98:F3:0C:FA:6B

# Power up your controller, then hit the Raspberry Pi via your browser
switchBoard -c config/config.js
```

For details about each device's specific requirements for installation, refer to the well-commented config.js for any given device.
Thank you to Matlo from GIMX for his huge help in getting the PS3 control working. If you use the PS3 functionality and enjoy it, consider a donation to his project.
Nearly every controller was inspired by hard work from others. Trolling forums and seeing people's proof of concept code made many of them possible. For each controller file, a relevant link to the given forum/blog/post/article/page is available in a comment at the top.
MP3 sounds were taken from freesound.org. Specific attributions for each file are in the attribution.txt.
Also thanks to purecss.io and fontawesome.io for their assets.
If you have questions, comments or want to complain, email me at brian@bevey.org
If you require more immediate assistance, you can join ##switchboard on irc.freenode.net
Q. Why aren't you using a seed-based JS library / referencing CSS from a CDN?
A. I want to make sure this works without any Internet access. You need local LAN access, but nothing critical should be over the Internet. Some services (stocks and weather) obviously require access, but they are not core to the functionality of the app.
Q. What is that dot in the top right?
A. The dot indicates your connection state. If you see it, congrats! You're able to grab real-time info from SwitchBoard. Your browser will attempt to connect via WebSockets for real-time updates.
If your browser does not support WebSockets, it'll attempt to set up standard XHR polling. If your browser doesn't support that, you can still issue commands, but will need to manually refresh your browser for updates.
The colors indicate:
Q. How secure is this?
A. Depends. It's assumed that any device that's on your network is deemed white-listed. This probably shouldn't be used on a large network with people you don't trust to screw with your TV. My goal is to provide the most security by keeping external connections to a minimum. See "Q. Why aren't you using a seed-based JS library / referencing CSS from a CDN?"
Q. Why don't you use SmartThings or another third party system to do all this integration?
A. Most other systems are cloud-based. This means that if you wanted to change your thermostat, you'd have to send a request to SmartThings, then it'd send a request to Nest. I wanted to reduce that lag, but I also wanted to gain more control. By having SwitchBoard do the integration, we can keep things local and we can do actions those cloud-based solutions cannot. Want to poll every 5 seconds? You'd be a jerk, but you can. Additionally, I wanted to support hardware that isn't supported on other systems. The Pi is capable of any TCP commands (REST or Sockets), but can also interface with Bluetooth, GPIO and any native Unix command. This ability allows the PS3, text-to-speech and MP3 capabilities.
Q. Does SwitchBoard have a REST API?
A. Kind of. For simplicity, everything is going through GET. Allowing a browser to simply hit a URL has its advantages, but if there's interest in adhering to the true spirit of REST, I can change to the correct PUT, POST, DELETE commands where appropriate.
Q. How can I access this if I'm away from my home?
A. I would strongly advise you to not just punch a hole in your firewall. If your router supports VPN connections, it's a very safe option to configure your phone to connect to that before using SwitchBoard remotely. If that's not possible or not convenient, you may use ngrok to easily access SwitchBoard (at no cost) with no additional configuration. If you choose ngrok, be sure to configure a password!
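
The trust model described in the answers above (every LAN device is white-listed, and every command is a plain GET) can be enforced per request. The following is an added example, not SwitchBoard code: the function names are hypothetical and the sample addresses are constructed. It admits only loopback and private-range sources and refuses GETs that a browser marks as coming from another site.

```javascript
// Added example, not part of SwitchBoard. All names here are hypothetical.

// Parse a dotted-quad IPv4 address into four octets, or return null.
function parseIpv4(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

// True for loopback and RFC 1918 ranges; anything else counts as external.
function isLanAddress(rawIp) {
  let ip = String(rawIp || '');
  if (ip.startsWith('::ffff:')) ip = ip.slice(7); // IPv4-mapped IPv6 form
  if (ip === '::1') return true;
  const octets = parseIpv4(ip);
  if (!octets) return false;
  const [a, b] = octets;
  return a === 10 || a === 127 || (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31);
}

// Commands are state-changing GETs, so a request that the browser labels as
// coming from a different site is refused. Bookmarks and typed URLs arrive
// with Sec-Fetch-Site "none"; scripts and curl send none of these headers.
function isCrossSite(headers) {
  const site = headers['sec-fetch-site'];
  if (site) return site !== 'same-origin' && site !== 'none';
  const source = headers.origin || headers.referer;
  if (!source) return false;
  try {
    return new URL(source).host !== headers.host;
  } catch (err) {
    return true; // unparseable Origin/Referer: refuse
  }
}

// Decide whether a request may run a command. Returns { allow, reason }.
function gate(remoteAddress, headers) {
  if (!isLanAddress(remoteAddress)) return { allow: false, reason: 'non-LAN source' };
  if (isCrossSite(headers)) return { allow: false, reason: 'cross-site request' };
  return { allow: true, reason: 'ok' };
}
```

In a Node HTTP handler this would be called as `gate(req.socket.remoteAddress, req.headers)`. Behind a tunnel such as ngrok the peer address is the local tunnel agent, so the source check passes for every remote visitor and the tunnel password remains the only access control.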