Reverse engineered the WiFi pairing of my "Max Hauri MaxSMART 2.0" smart plug yesterday evening. Turns out it uses this great protocol called EasyLink. EasyLink is used to tell a device that isn't on a WiFi network yet the WiFi credentials, by sending some UDP packets on the WiFi. Sounds pretty neat, and must be very secure. The thing is, it can be secure: it'd support encryption of the credentials with a key shared by the sender and receiver. However, Max Hauri didn't opt to do that.

Instead it will broadcast your SSID and WiFi password in a way that anyone who can see your WiFi can read, if they know that they should be listening. It essentially sends the bytes of data in the packet length. So per packet, a byte of data is sent. My implementation of this is at - this doesn't support the encryption stuff. I honestly didn't expect much better from Max Hauri, since the devices also use an HTTP (no S!) cloud API and MD5-hashed passwords.

EasyLink has this handy demo repo of their Android library: and they seem to be the people behind

EasyLink also has an evil twin, SmartLink, which sends two bytes per packet, stored in the target IP of the packet, another great way to leak your WiFi credentials.

In short, you don't need anything fancy to crack WiFi credentials, you just need them pairing their new smart device and an application to read these special packets to get the WiFi password of your neighbors.

How would you do this pairing securely? Use Bluetooth like Netatmo or Nest, or have the device create a WiFi AP, like Chromecasts.
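To audit your own device for the length leak described above, the following added example (not part of the original posts and not the author's implementation) checks whether a secret you already know shows up in the packet lengths captured during pairing. It assumes one byte per packet as described, sent as a contiguous run, with a constant per-frame overhead added by headers and WiFi encryption; `find_length_leak` and the sample capture are hypothetical.

```python
from typing import Optional, Sequence, Tuple


def find_length_leak(lengths: Sequence[int], secret: bytes,
                     max_overhead: int = 256) -> Optional[Tuple[int, int]]:
    """Audit a capture of your own pairing traffic.

    `lengths` are the frame sizes seen during pairing, `secret` is the SSID
    or password you typed into the app. Returns (overhead, index) if the
    secret appears byte for byte as consecutive (length - overhead) values,
    else None. Assumption: the overhead is the same for every frame.
    """
    if len(secret) < 4:
        # Very short secrets match random traffic too easily.
        raise ValueError("secret too short for a meaningful check")
    n = len(secret)
    for overhead in range(max_overhead + 1):
        for i in range(len(lengths) - n + 1):
            if all(lengths[i + j] - overhead == secret[j] for j in range(n)):
                return overhead, i
    return None


# Constructed sample data: unrelated frames around a run of frames whose
# sizes are (password byte + 42 bytes of constant overhead).
TEST_PASSWORD = b"hunter2!"
LEAKY_CAPTURE = [60, 1500, 60] + [b + 42 for b in TEST_PASSWORD] + [342, 60]

# Constructed sample data: pairing traffic with fixed-size frames, as you
# would expect when the credentials travel inside an encrypted payload.
CLEAN_CAPTURE = [60, 1500, 60] + [128] * 8 + [342, 60]

if __name__ == "__main__":
    for name, capture in (("leaky", LEAKY_CAPTURE), ("clean", CLEAN_CAPTURE)):
        hit = find_length_leak(capture, TEST_PASSWORD)
        if hit:
            print(f"{name}: password visible in frame sizes "
                  f"(overhead {hit[0]}, starting at frame {hit[1]})")
        else:
            print(f"{name}: password not found in frame sizes")
```

Run it against a throwaway password first: if that shows up in the frame sizes, pair the device on an isolated network and change the WiFi password afterwards.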
