Welcome! Log In Create A New Profile


Exploiting the PogoPlug Mobile

Posted by fsm 
Exploiting the PogoPlug Mobile
August 10, 2014 05:25AM
Didn't think this fit anywhere else, hopefully someone already saw this - VERY helpful :)

GTVhacker Pogoplug Mobile

The PogoPlug has an open bootloader and its kernel drops to a root shell making this a very open device. On top of that a user is also able to enable a SSHD server if they visit My.PogoPlug.com and enable it. Enabling SSHD not only sets dropbear to start on boot but also forces the user to change the root password. This however is only offered if a user opts to setup SSHD.

This leaves a lot of users with a default root password, but seemingly without any services running that could use it.
Lucky for us a diagnostic page runs on every pogoplug and can be accessed at:


This diagnostic pages uses the root credentials as its login/password.
After accessing this diagnostic page you will need to access the hidden command execution portion. This can be access by visiting the following


After visiting the above URL you should now have an input field that you can enter in any command which will execute with root privileges.
Accessing from CURL The below command will test a PogoPlug for the default login and command execution script. For a quick test substitute COMMANDHERE with reboot.
curl -k "https://root:ceadmin@IP-OF-POGOPLUG-MOBILE/sqdiag/HBPlug?action=command&command=COMMANDHERE";

Below are the default root credentials for the PogoPlug, these are only changed if a user enables SSHD through the PogoPlug cloud interface.
Username: root
Password: ceadmin

Re: Exploiting the PogoPlug Mobile
August 10, 2014 10:11AM
I was reading this on hackaday. I can confirm that the PERL command works by rebooting a brand new out of box plug, I wonder if there is a way to use this to enable ssh so we don't have to register the device, trying to restart the service, with PERL it looks like it wont accept spaces in the command, and I can't seem to connect the commands https site in the bowser.
Re: Exploiting the PogoPlug Mobile
August 10, 2014 11:25AM
I guess I forgot to log on to post that, anyway I played around a little and you can now enable ssh without registering the device. I couldn't conect to the CloudEngines Diagnostic page with https with any of my computers for some reason (strangely this changed after I was able to log on with my phones browser and issue the command) Its as easy as accessing the page at
and issuing the command
dropbear start
Thats it, you can now SSH into your plug without registering it with pogoplug.
Re: Exploiting the PogoPlug Mobile
August 10, 2014 08:12PM
No one ever said this was secure :)
Re: Exploiting the PogoPlug Mobile
August 10, 2014 08:25PM
It's nice knowing you can enable SSH without having to rely on Pogo's service, though.

Personally, I had to put my plug in the DMZ in order to enable SSH, which is a bit crazy. It's EXTREMELY nice to see that maybe someday we'll have a one-click type tool for expanding the uses of the plugs!

Your Email:


Spam prevention:
Please, enter the code that you see below in the input field. This is for blocking bots that try to post this form automatically. If the code is hard to read, then just try to guess it right. If you enter the wrong code, a new image is created and you get another chance to enter it right.