Hacking the Budweiser Red Light (Part I): Identifying the network traffic that activates the light

The Budweiser Red Light is one of the best pieces of marketing I’ve ever seen. And while I’m enough of a hockey fan to want to pick up one of these anyways, the real prize is in figuring out how to make the thing go off whenever I choose.

Where to get started? While I’ve seen an attempt to use/modify the Electric Imp card inside the light to accept requests, I thought my approach might be simpler: sniff the network traffic to and from the light, then replicate it to sound the alarm.

The instruments used to sniff the traffic were as follows:

  • A MacBook Pro (on which to set up Internet Sharing for the Red Light to connect to)
  • My Android OS smartphone (to install the app Budweiser developed for that purpose and use it to pair with the Red Light)
  • Wireshark (a network protocol analyzer) installed on the MacBook Pro, which also requires XQuartz

Instructions

I kept careful notes in case someone else wanted to replicate this experiment; those instructions are:

  1. Enable Internet Sharing on the MacBook Pro, and make sure you set no password or key. (At home, where I have a Windows 8.1 PC, I had attempted to set up a Wi-Fi hotspot but the Red Light appeared to have difficulty getting on that network.) I named my new Wi-Fi access point “BudRedLight”.
  2. I had my Android OS smartphone join the Wi-Fi access point of “BudRedLight”, which it did without issue.
  3. In order to sniff its traffic, we’ll need to get the Red Light on the “BudRedLight” access point as well. This means installing and setting up the official Budweiser Red Lights app, and using the interesting flashing light method of sending the Wi-Fi connection details from the phone to the Red Light.
  4. Once that’s done, I left the app open on the phone, specifically staying on the screen that provided the “TEST YOUR LIGHT” button. The plan was to capture what was received by the Red Light once this was pressed.
  5. Now that the Red Light and my phone were both on the “BudRedLight” access point, it was time to boot up Wireshark on the MacBook Pro (I had to start XQuartz first so Wireshark would run).
  6. Let’s get Wireshark listening to the traffic coming in and out of “BudRedLight”: Select the Capture menu option, and then Options. Uncheck the “Use promiscuous mode on all interfaces” option (this will cut down on the amount of noise being captured). Instead, double-click on the Wi-Fi listing, and within it check the “Capture packets in promiscuous mode” option and hit OK. (Need a visual guide? Here’s a screenshot.)
  7. Okay – we’re now capturing traffic! Tap the “TEST YOUR LIGHT” button; this will make your phone send an HTTPS request up to some remote server, which in turn appears to send a TCP [PSH, ACK] packet to the Red Light. In the Wireshark screenshot below, I pressed “TEST YOUR LIGHT” twice, resulting in the two [PSH, ACK] packets listed: [screenshot: Red Light TCP PSH/ACK traffic]
  8. So what’s in that packet? Only 234 bytes of it contain actual data, so let’s see what that looks like (via Wireshark): [screenshot: Red Light packet inspection]

Next Steps

So we’ve got an example of the data used to set off the Red Light, but we don’t really know what’s contained in that data.

Deep packet inspection isn’t really my thing, so at this point I’ve started asking around for possibilities. Here are the early contenders:

  • Use tcpreplay, Ostinato or some other application to “replay” sending of the packet shown above to the Red Light; maybe we don’t really even need to know what’s in the packet and this will set it off.
  • Find and use some other utility (or person!) that can tell us how to further decipher what’s in the data seen above.

If you’d like to help out, you certainly can! I’ve uploaded a zip file of a PCAP file containing the packet I’ve displayed above. Feel free to try to decipher or replay the sending of that packet on your own! Please leave a comment if you do so; it’d be great to solve this for everyone.
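As a first triage step on a capture like the one described above, the following added example (not part of the original post) lists the TCP [PSH, ACK] segments in a pcap and measures the byte entropy of each payload. It assumes a classic little-endian pcap with Ethernet framing (not pcapng); the IP addresses, ports and payload bytes in the sample are constructed.

```python
import hashlib, math, socket, struct
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte; ciphertext sits near the maximum."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def psh_ack_payloads(pcap):
    """Yield (src, dst, payload) for TCP PSH+ACK segments in a classic pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap, not pcapng")
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # keep only Ethernet / IPv4 / TCP
        ihl = (frame[14] & 0x0F) * 4
        total_len = struct.unpack("!H", frame[16:18])[0]
        tcp = frame[14 + ihl:14 + total_len]
        data_off = (tcp[12] >> 4) * 4 if len(tcp) >= 20 else len(tcp)
        if len(tcp) > data_off and tcp[13] & 0x18 == 0x18:  # PSH (0x08) + ACK (0x10), with data
            yield socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34]), tcp[data_off:]

def build_frame(src, dst, flags, payload):
    """Constructed Ethernet/IPv4/TCP frame (checksums zero) for the sample below."""
    tcp = struct.pack("!HHIIBBHHH", 443, 50000, 1, 1, 5 << 4, flags, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

# Constructed sample capture; 234 hash-derived bytes stand in for the opaque payload.
opaque = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8))[:234]
text = b"GET /status HTTP/1.1\r\nHost: device.example\r\n\r\n" * 5
SAMPLE = build_pcap([
    build_frame("203.0.113.10", "192.168.2.5", 0x18, opaque),
    build_frame("203.0.113.10", "192.168.2.5", 0x10, b""),  # bare ACK, skipped
    build_frame("192.168.2.9", "203.0.113.20", 0x18, text),
])

def report(pcap):
    return [(s, d, len(p), round(entropy(p), 2)) for s, d, p in psh_ack_payloads(pcap)]
```

For a 234-byte payload the entropy cannot exceed log2(234), about 7.87 bits per byte; a value close to that is consistent with encrypted or compressed data but does not identify the protocol.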

13 Comments

  1. Benji

    Hi Sully,

    I’m trying to make my Red Light go off when a goal is scored in NHL on PlayStation 3.

    Do you have any idea how to do this?

  2. Jason Berna

    I’m trying to figure out how to just make it go off for a longer amount of time.
    Any ideas?

  3. Mikey

    Why not just add hardware to the light to be able to turn it on and off whenever you want?
    I can’t sniff any packets on my network; just on boot-up of the Imp chip I see it connecting, and that is all. Maybe I’m doing something wrong.

  4. Arty Hurst

    I have a remote Bluetooth device on ice fishing rods outside my hut where I ice fish. They alert my cellphone that a fish has taken the bait.

    Can I connect the fishing triggered Bluetooth device to the REDLIGHT to let me know there is a fish on?

    Thank you

  5. cdnninja

    A quick load shows this traffic is encrypted. This route won’t be easy to accomplish – if not impossible. I do like the approach though.

  6. Kurtisl

    I’ve captured the BLE (Bluetooth Low Energy) signal from the phone to the Bud Red Light glass circuit. I haven’t been able to replay it using blereplay due to an issue with that code on Linux, but I am working towards figuring out the protocol and being able to trigger it on command. I am also going through the same process with a set of random BLE lightbulbs (Govee brand) I got from Amazon. I think this may be the best way to trigger these things.

  7. Adam

    Anyone know the pinout for the circuit? I’m trying to find the “lights on” signal so I can hook it to a relay and have multiple LED lights go off too.
    It should display 3 volts while on, then 0 volts after it finishes the display.
