Embedded System Hacking and My Plot To Take Over The World (Paul Asadoorian)
Let's look at embedded systems and see how we can use them to take over the world!
The most important thing we can take away from this talk is what we can do to change things!
Taking over the world
- Many have tried
- No one truly successful
- What are the three things you need to take over the world?
- All geeks like specifications and requirements!
You need to buy stuff: armies, countries, paying people off
- Embedded platforms include
- Video Game Consoles
- Entertainment Systems
- Wireless Routers
You need the ability to use those resources to influence and control people
How can embedded devices help
- Network traffic, e.g. information
- Information = power
- Traffic can be manipulated, through a single core device
- Embedded systems are key to controlling so many services
If people know your plans, those people might try to stop you!
The benefit of using embedded systems
- People don’t know they have one
- Nobody pays attention to them
- Nobody is interacting with them directly (Keyboard/Mouse)
- Security is ignored (Cheapest one wins)
- Vendors concentrate on profit and not advanced features
- Not always well-tested (access to physical devices)
Embedded devices are everywhere –> http://wigle.net/gps/gps/main/ssidstats
Stats allow you to target by vendor and popularity
Vulnerabilities in embedded devices
Lots of research has been done; many devices are vulnerable to default usernames/passwords as well as other problems. The results of that research have been handed over, and nothing has changed. Even if they fixed it, that couldn't protect existing users!
So what if "Bob" scanned to find some of these vulnerable routers?
Scan ISP client ranges on port 80… automate the exploit… Profit!
Example of vulnerabilities we could search for
- Wireless Routers
- TONS of FAIL
- Default Weak passwords
- ROKU Media Device
Use Shodan to find devices, then widen the net by scanning the ISP range to get a complete list
With a well-tuned Nmap script you can scan 2 million IP addresses in < 40 hours
- DNS Zone Transfers
- Brute-Force DNS sub-domains
NTP (Network Time Protocol)
Back in 2003 Netgear shipped thousands of routers all hard-coded to point to an American university's NTP server.
HD Moore released research on how to query NTP servers for a list of the clients querying them.
Query the static NTP server set in the Netgear –> List of outdated Netgear devices –> Profit
DNS Zone Transfer
NOTE: No longer supports full transfers!
So many devices are completely open… others are only protected by a default username/password. Some only require a password, with no username at all.
Some devices have improved (Linksys for example), but still have a way to go.
Multifunction devices expose a lot of data, including the ability to remotely scan documents and view them through a web interface. This can be scripted to scan whatever is on the multifunction device every 60 seconds and save it to a file.
Other things that are exposed are the names of and information about items printed. Lanier printers, for example, expose a list of recently printed documents through the interface. Interesting information for a social engineering attack.
Multimedia streaming device.
Open on port 8080
Accessing it with a web browser gives no response. With netcat it comes back with serial/reference numbers followed by a ">" prompt.
This allows you to control the Roku remotely without any authentication at all.
Even more attacks
- VxWorks –> presented by HD Moore at BSidesLV
- DNS Rebinding attack –> Craig Heffner presented a possibility to take remote control of a router using DNS rebinding
- ATM –> As presented by Barnaby Jack at Blackhat USA
Potential Linksys Vulnerability
An HNAP request can reach the admin web server on certain models with certain firmware versions.
Reported to Cisco PSIRT for a possible fix. Cisco was unable to reproduce the fault. Cisco PSIRT did say, however, that HNAP could not be disabled if a flaw were found.
What do we do about it?
Security Fail –> http://www.securityfail.com
Site to discuss and post information about embedded device flaws and security issues. Public wiki.
- Make devices that force users to change the default password
- Allow users to disable protocols
- Only enable secure management protocols by default (HTTPS, SSH)
- Block inbound port 80
- Take responsibility for patching and keeping users up to date
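As an added example that is not part of the talk or these notes, the checklist above turned into a small Python audit of a device's management configuration: a weak out-of-the-box config beside a hardened one. The config keys, both sample configs and the default-credential pairs are assumptions constructed for the example.

```python
# Added example, not from the talk; config keys and sample configs are assumptions.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("admin", "")}
SECURE_MGMT_PROTOCOLS = {"https", "ssh"}


def audit_device_config(cfg: dict) -> list[str]:
    """Check a device config against the five fixes; empty list means it passes."""
    findings = []
    # Default password still in use, or no forced change on first login
    if (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_CREDENTIALS:
        findings.append("default credentials still active")
    if not cfg.get("force_password_change"):
        findings.append("first login does not force a password change")
    # Every exposed management protocol must be one the user can turn off
    for proto in cfg["mgmt_protocols"]:
        if proto not in cfg.get("disableable_protocols", ()):
            findings.append(f"{proto} cannot be disabled by the user")
    # Only secure management protocols should be enabled by default
    insecure = sorted(set(cfg["mgmt_protocols"]) - SECURE_MGMT_PROTOCOLS)
    if insecure:
        findings.append(f"insecure management protocols enabled: {insecure}")
    # Inbound TCP/80 from the WAN side must be blocked
    if 80 in cfg.get("wan_inbound_ports", ()):
        findings.append("inbound TCP/80 reachable from WAN")
    # Vendor keeps users patched: automatic firmware updates on
    if not cfg.get("auto_update"):
        findings.append("automatic firmware updates disabled")
    return findings


# Constructed sample: an out-of-the-box router of the kind the talk describes
WEAK_CONFIG = {
    "admin_user": "admin", "admin_password": "admin", "force_password_change": False,
    "mgmt_protocols": ["http", "https", "hnap"],
    "disableable_protocols": ["http", "https"],  # hnap cannot be turned off
    "wan_inbound_ports": [80], "auto_update": False,
}

# Constructed sample: the same device with all five fixes applied
HARDENED_CONFIG = {
    "admin_user": "admin", "admin_password": "Kj7#qLp2vX!m", "force_password_change": True,
    "mgmt_protocols": ["https", "ssh"],
    "disableable_protocols": ["https", "ssh", "hnap"],
    "wan_inbound_ports": [], "auto_update": True,
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_device_config(cfg) or "OK")
```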