Of Fish and Hashes

Not my tank (yet)

If you're here to figure out how to reset your Fluval Light, scroll down.

We recently found a screaming deal on our local marketplace for a 55gal fish tank.

I've always wanted a saltwater aquarium, so we thought this would be a fun winter project for us to dip our toes into (figuratively speaking).

One of the items that came in the deal was a nice Fluval Aquasky 14533 (I think that's the appropriate model number).

This light connects to a phone over Bluetooth (not sure what profile it presents yet). This light did not come with a password.

However, there was an option for forgotten passwords in their app.

Click it, and it copies the light's MAC address to an email which goes to their support team.

A few days later, you'll get an email back with instructions on where to put their magic passphrase, and the magic passphrase itself.

Their magic passphrase stuck out to me. It looked like some sort of hashing.

Further investigation showed it was indeed the case.


RESET THE PASSWORD YOURSELF

The recovery password is nothing more than the md5sum of the MAC address.

To generate your own recovery password, find a terminal and type:

echo -n 00:11:22:33:44:55 | md5sum

The "00:11:22:33:44:55" is whatever your MAC address is. The resulting string will be the recovery password and you won't have to wait a few days.

Alternatively, copy your MAC address into here: https://www.md5hashgenerator.com/ and click "Generate"

Then, on the login screen, select "Forgot password". Enter the resulting string in the "Retrieve key" field, then select "Retrieve".


THE IMPLICATIONS

I know what most of you are thinking: it's a fish light, who cares. For me out on the farm, it's not a big deal, but take a step back in time to the era of wardriving, and we begin to see a problem.

We like to show off our aquariums, and oftentimes they are visible from the street. A nefarious actor COULD remotely connect to your light, "forget" the password, and proceed to change all your settings.

If you have some neon tetras, they might be a bit confused, but will otherwise be fine.

If you have some nice and fragile corals, or a new tank, a sick animal, or other delicate stock, changing the light settings could significantly affect their wellbeing.

I don't know what the solution is. I'm not sure Fluval has the ability to do over-the-air updates through their app. I DO know that simply hashing a piece of information that is easily available over the airwaves is a terrible form of security.

This is a prime opportunity to use code signing, private keys, or other salting to ensure expensive and delicate ecosystems aren't damaged by bad actors.
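
As an illustration of that point, here is an added example (mine, not Fluval's code or protocol) that puts the MD5-of-MAC scheme beside a keyed alternative. The vendor master secret, the per-device key and the per-reset nonce are all assumptions made for the sketch.

```python
import hashlib
import hmac
import secrets


def weak_recovery_code(mac: str) -> str:
    """Scheme described in this post: MD5 of the MAC string, no secret input."""
    return hashlib.md5(mac.encode("ascii")).hexdigest()


def device_key(master_secret: bytes, mac: str) -> bytes:
    """Hypothetical per-device key, written to the light at manufacture.
    The vendor can re-derive it from the MAC; a radio observer cannot."""
    return hmac.new(master_secret, mac.upper().encode("ascii"), hashlib.sha256).digest()


def keyed_recovery_code(dev_key: bytes, nonce: bytes) -> str:
    """Recovery code bound to a fresh nonce the light issues for one reset."""
    return hmac.new(dev_key, nonce, hashlib.sha256).hexdigest()


def device_accepts(dev_key: bytes, nonce: bytes, submitted: str) -> bool:
    """Check done on the light: recompute and compare in constant time."""
    expected = keyed_recovery_code(dev_key, nonce)
    return hmac.compare_digest(expected.encode(), submitted.encode())


if __name__ == "__main__":
    mac = "00:11:22:33:44:55"           # placeholder MAC used in this post
    master = secrets.token_bytes(32)    # constructed vendor secret
    key = device_key(master, mac)
    nonce = secrets.token_bytes(16)     # generated by the light per reset

    good = keyed_recovery_code(key, nonce)
    print("weak code (anyone can compute):", weak_recovery_code(mac))
    print("keyed code accepted:     ", device_accepts(key, nonce, good))
    print("MD5-of-MAC accepted:     ", device_accepts(key, nonce, weak_recovery_code(mac)))
    print("replayed on a new nonce: ", device_accepts(key, secrets.token_bytes(16), good))
```

With a per-device key, pulling the key out of one light exposes only that light, and binding the code to a nonce means a recovery code from support cannot be reused for a later reset.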

Fluval, do better.