As a kid I used tubes, a box fan, a cooler, and bucket with a siphon to cool me down.

You could easily set that up with just the water from a sink and some hardware store parts.

Search for ‘diy fan cooling tub copper coils’ as a start.

As an example: Homemade AC - The “Copper Coil” Air Cooler! - (Simple "Box Fan …

Copper coils have the best thermal efficiency, but plastic tubing would also work.

So don’t bring your submarines into the area. Brilliant!

Non-paywall link https://archive.ph/ySJDe

Potato Achieved!

I did a quick search and they don’t make it easy. Peter Lowe’s ad and tracking server blocklist is the only one I found. EasyList doesn’t seem to have a donation link, nor Dan Pollock at someonewhocares.org. Also worth noting that UBO doesn’t take donations. You could always subscribe to AdGuard, but that’s mixed.

https://archive.ph/w58Yk Alternative link unpaywalled

If this request worked, it meant that I could use an “encryptedValue” parameter in the API that didn’t have to have a matching account ID.

I sent the request and saw the exact same HTTP response as above! This confirmed that we didn’t need any extra parameters, we could just query any hardware device arbitrarily by just knowing the MAC address (something that we could retrieve by querying a customer by name, fetching their account UUID, then fetching all of their connected devices via their UUID). We now had essentially a full kill chain.

I formed the following HTTP request to update my own device MAC addresses SSID as a proof of concept to update my own hardware:

…

Did it work? It had only given me a blank 200 OK response. I tried re-sending the HTTP request, but the request timed out. My network was offline. The update request must’ve reset my device.

About 5 minutes later, my network rebooted. The SSID name had been updated to “Curry”. I could write and read from anyone’s device using this exploit.

This demonstrated that the API calls to update the device configuration worked. This meant that an attacker could’ve accessed this API to overwrite configuration settings, access the router, and execute commands on the device. At this point, we had a similar set of permissions as the ISP tech support and could’ve used this access to exploit any of the millions of Cox devices that were accessible through these APIs.

Blows me a away that an unauthenticated API with sensitive controls and data was publicly facing. Corporations these days want all your data but wonder why some customers are worry about how it is protected, it let alone if it’s being sold. Why should I allow you to control my hardware when you can’t protect yourself.