@overflow they're okay, haven't pissed me off yet
Notices by Foone🏳️⚧️ (foone@digipres.club)
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:40 UTC
I haven't exploited their git repos.
I haven't misused their leaked AWS credentials.
I haven't gone to the media to try and expose this company. But I took only one of the NUCs. The same content is on all the rest of them, I assume.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:38 UTC
also I hope they wiped these hard drives
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:38 UTC
ugh. I picked up a shitty NUC from ewaste and it had a label on it for an AI company.
ahh, another startup that burnt out trying to build some silly AI project on crap hardware. I wonder what they did? I check their URL:
ahh. healthcare. great, great.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:37 UTC
HEY FUN FACT: this was used as part of an Alexa/google home type thing! this is the "cloud" half, as in the part sitting in a warehouse somewhere.
It turns out every time the customer asked for something from the smart assistant, the WAV file was sent to the cloud box, where it is still stored. And I now have eleven thousand wave files.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:37 UTC
I have now stuck the hard drive in my imaging box
it turns out it was in service as of June.
and this one has log errors about the sensors in the bathroom and bedroom. this was used. fuck.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:37 UTC
when you see a gaylord stacked high with NUCs and half of them still have USB fans attached, you know these were all just yanked off a shelf.
no one wiped these.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:37 UTC
but given the state of them when they arrived at ewaste?
no they did not
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:36 UTC
jesus christ this isn't the only time THIS MONTH I've found an IoT device and checked the filesystem contents and it's got their private git repos on it
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:36 UTC
assuming their S3 keys aren't just saved on this hard drive somewhere
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:36 UTC
or maybe the fools who dumped all the NUCs from their entire "AI remote healthcare" in the recycling without yanking any drives are just somehow REALLY GOOD at knowing how to secure their s3 buckets.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:36 UTC
god the logs are full of errors about assorted video streams failing.
so this thing was connecting to something which had cameras. like, I can tell which room of the house failed. Now I don't think there's any video stored on this device, but keep in mind: the fools that made this thing fill up with WAV files? they also designed the video streaming part. Where are those videos stored, and how safe are they?
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:34 UTC
oh hey!
this thing authenticates to some of their servers (which are still up, even if the company might not be (this is unknown at the moment)) over SSH! using keys kept in the same home-rolled vault thing!
so I can SSH into their servers now!
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:34 UTC
okay so the good news is that they don't just have S3 keys laying around in plain text.
the other good news is that they have a secrets manager
the bad news is that they rolled their own secrets manager
the extra bad news is that I have the source for said secrets manager
and the extra extra bad news is that it has to decrypt those keys without external input, meaning I have all the parts here to pull out their s3 keys
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:34 UTC
and now I can email the lead developer.
or just commit to their git repo, I guess.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:33 UTC
they sure did! I have a video of someone picking something up from outside a door.
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:33 UTC
wait. did they seriously stuff videos into their redis database?
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:33 UTC
tempted to drive past their HQ with a megaphone "I'VE GOT YOUR MODELS, YOU AI HACKS!"
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:33 UTC
oh god this thing sends email from gmail
please tell me they didn't embed the google login into this device
-
Foone🏳️⚧️ (foone@digipres.club)'s status on Thursday, 22-Aug-2024 09:41:32 UTC
I'm really not the right person to work in computer security research, but it'd be nice to have a sort of consulting job with a local one where I can just point them at some really broken shit and they investigate it and maybe give me a commission