Cатсн²² (in)sесuяitу / ChrisJohnRiley

Because we're damned if we do, and we're damned if we don't!

[BruCON] Embedded System Hacking and My Plot To Take Over The World

Embedded System Hacking and My Plot To Take Over The World (Paul Asadoorian)

Let's look at embedded systems and see how we can use them to take over the world!

The most important thing we can take away from this talk is what we can do to change things!

Taking over the world

  • Many have tried
  • No one truly successful
  • What are the three things you need to take over the world?
  • All geeks like specifications and requirements!
  1. Money
  2. Power
  3. Stealth

You need to buy stuff, like armies, countries, pay people off

  • Embedded platforms include
    • Video Game Consoles
    • Entertainment Systems
    • Wireless Routers

You need the ability to use those resources to influence and control people

How can embedded devices help

  • Network traffic, e.g. information
  • Information = power
  • Traffic can be manipulated, through a single core device
  • Embedded systems are key to controlling so many services
    • Power
    • Water


If people know your plans, those people might try to stop you!

The benefit of using embedded systems

  • People don’t know they have one
  • Nobody pays attention to them
  • Nobody is interacting with them directly (Keyboard/Mouse)
  • Security is ignored (Cheapest one wins)
    • Vendors concentrate on profit and not advanced features
  • Not always well-tested (access to physical devices)

Embedded devices are everywhere –> http://wigle.net/gps/gps/main/ssidstats

Stats allow you to target by vendor and popularity

Vulnerabilities in embedded devices

Lots of research; many devices are vulnerable to default usernames/passwords as well as other problems. The results of the research have been reported, yet nothing has changed. Even if they fixed it, it couldn't protect existing users!

So what if “Bob” scanned to find some of these vulnerable routers!

Scan ISP client ranges on port 80… automate exploit… Profit!

Example of vulnerabilities we could search for

  • Wireless Routers
    • TONS of FAIL
    • Default Weak passwords
  • ROKU Media Device

Use Shodan to find devices and then widen the net to scan the ISP range to get a complete list

With a well-tuned Nmap script you can scan 2 million IP addresses in < 40 hours

Other options:

  • NTP
  • DNS Zone Transfers
  • Brute-Force DNS sub-domains

NTP (Network Time Protocol)

Back in 2003 Netgear shipped thousands of routers all hard-coded to point to an American university.

HD Moore released research on how to query NTP servers for a list of the clients querying them.

Query the static NTP server set in the Netgear –> List of outdated Netgears –> Profit

DNS Zone Transfer

e.g. ourlinksys.com

NOTE: No longer supports full transfers!

What now?

So many devices are completely open; others are only protected by a default username/password. Some also only require a password, with no username.

Some devices have improved (Linksys for example), but still have a way to go.

Multifunction Devices:

Expose a lot of data, including the ability to remotely scan documents and view them through a web interface. This can be scripted to scan whatever is on the multifunction device's glass every 60 seconds and save it to a file.

Other things that are exposed are the names and information about items printed. Lanier printers for example, expose a list of recently printed documents through the interface. Interesting information for a social engineering attack.

Roku Device:

Multimedia streaming device.

Open on port 8080

Accessing it with a web browser gives no response. With netcat it comes back with serial/reference numbers followed by a “>”

This allows you to control the Roku remotely without any authentication at all.

Even more attacks

  • VxWorks –> presented by HD Moore at BSidesLV
  • DNS Rebinding attack –> Craig Heffner presented a possibility to take remote control of a router using DNS rebinding
  • ATM –> As presented by Barnaby Jack at Black Hat USA

Potential Linksys Vulnerability

HNAP requests can reach the admin web server on certain models with certain firmware versions.

Reported to Cisco PSIRT for a possible fix. Cisco were unable to reproduce the fault. Cisco PSIRT did say, however, that HNAP could not be disabled if a flaw were found.

What do we do about it?

Security Fail –> http://www.securityfail.com

Site to discuss and post information about embedded device flaws and security issues. Public wiki.


Vendors should

  • Make devices that force the user to change the default password
  • Allow users to disable protocols
  • Only enable secure management protocols by default (HTTPS, SSH)

ISPs should

  • Block inbound port 80
  • Take responsibility for patching and keeping users up to date
