my thoughts on IOT

[unclejed613]

my thoughts on IOT are

a) before producing an IOT device, do your homework, find out how to secure the device from being hacked and either being used as part of a botnet, or as leverage to break into the owner's home network.

b) don't leave open backdoors on the hardware itself. in many cases all it takes is a 4-pin header plug and a serial port to get root access to the IOT device (this requires access to the physical device). other devices have been hacked through their JTAG ports.

c) never rely on "security by obscurity". "homebrew" or proprietary encryption methods often aren't well tested. one IOT device saved paswords using a rolling caesar cipher (i.e. 1st character ROT1, second character ROT2, 3rd character ROT3, etc...). open source encryption algorithms are well tested through tons of peer review, while commercial algorithms are rarely tested beyond the most basic attacks. a lot of proprietary encryption methods have flaws in the math that leak clues about the nature of the encryption.

d) lock down everything that talks beyond the local network. if the device is to be accessed from outside the local network, from a phone for example, lock down all other ports, and only allow authenticated traffic from the external device. don't leave telnet ports or other common points of entry open.

e) do not make devices with a common password. each device should be sold with it's own individual password. remember, someone can go out and buy the same device, just to find the security flaws. many users do not set passwords, and keep defaults in place. after all, IOT devices are supposed to be "plug and play", so who is going to set a password? also, avoid using the device's serial number as the password.

f) have a secure method of pushing firmware updates, and if you update firmware, don't change it's location on the internet. an attacker can, if firmware updates are sent "in the clear" do a man in the middle attack and upload modified code to the device. also, if the manufacturer changes their folder structure around, or changes their domain name, the firmware updates are no longer available to the IOT device to download, and if there was a security weakness that was being fixed in the update, devices that can't find the update will remain vulnerable. if you have a method for the owner of the device to update firmware, make sure it can only be done on the local LAN, and the user should provide a password.

several years ago, there was a botnet that infected printers that had ports open to the internet. more recently, there was a botnet that spread through webcams that had open ports on the internet. one researcher was able to propagate an experimental botnet through "smart" light bulbs, and it only took a matter of hours before the virus infected several thousand light bulbs. the virus propagated both over networks, and through modulated light. "smart" refrigerators and TVs have been hacked and used to gather information (for instance by turning on the cam on the TV as well as the microphone that's used for voice command of the TV), or to provide leverage to break into the home network.

 

[Nigel Goodwin]

TVs have been hacked and used to gather information (for instance by turning on the cam on the TV as well as the microphone that's used for voice command of the TV), or to provide leverage to break into the home network.

Rather 'scare mongering' as almost no TV's have either cameras or microphones, there are a very tiny number of such, but it's pretty insignificant.

 

[unclejed613]

Samsung and LG smart TVs do, because they have voice command and facial recognition. there is malware that can turn these devices on while the TV is in standby, and send picture and sound over the internet. there also have been cases of TVs that use an Android operating system getting infected with ransomware. a lot of IOT hardware has gone to market with zero or next to zero security built in. get a new TV, set it up, the TV complains it can't provide the best search results or fast and efficient streaming of content unless you poke a hole in the firewall. the refrigerator wants to send you updates on your phone to remind you to buy milk, eggs, etc.. but first you have to poke a hole in the firewall. a lot of devices on the market have telnet and other ports left open so that if the customer has a problem with the device, the help desk personnel can look at the device settings. there are ports left open for the device to send usage statistics back to the manufacturer's database. todays "toys" are tomorrow's standard features, which is why they gather the usage statistics, to see which features get used, and which don't. researchers have found whole home automation systems with their interface open on the internet.


if you have bit of time for a couple of videos, this first one is about people putting stuff on the internet in general, SCADA interfaces (where you could actually go and push buttons and operate controls), security cameras, VNC on their home computer (which means anybody could come along and do stuff with their computer)...

the second one goes into more depth on actual IOT devices available in 2017 that had stupid easy vulnerabilities:

this one is from 3 years ago, some of the early IOT "fails", some of which still exist.

 

[Nigel Goodwin]

Samsung and LG smart TVs do, because they have voice command and facial recognition.

Only 'some' do, not all - and that's only two manufacturers - it's a pretty rare feature, and not popular either.

 

[unclejed613]

Samsung and LG were the first two i thought of, but it looks like every major manufacturer is making them. even so, theres a lot more that can be done to a TV... a basic test i use on any hardware that uses wifi, is when i get a password prompt, i enter the following line:
test;reboot

the semicolon tells the password script to execute whatever follows as a command line. there are security measures that can prevent this. if those security settings aren't included in the device's firmware, that password entry will reboot the device, and it doesn't matter whether the username and password are correct or not.

in that first video i linked, Dan Tentler asks a very good question, "if there's a thing, and we can put it on the internet, should we put that thing on the internet?" all of the things he describes and shows screen shots of, had zero security, or had default username/password credentials (like admin, admin). the video is good for a few laughs too, because it seems a lot of people think "if we put our system on the internet, but don't tell anybody, no one will find it". unfortunately, these days, it takes about 10 seconds from the time something is put up on the internet to that device getting inundated with exploitation scripts. there are a lot of tools out there for finding anything and everything that gets connected to the internet, one of them is the website https://shodan.io, and another tool that can scan the whole internet in a short amount of time is massscan, which is a command line tool. i think Shodan uses massscan, and acts as a web interface to it. these days it's better to do the setup of a device offline first if possible, and then allow it to go online. rather than just connect it to the internet and engage in a race to get the settings completed before somebody hacks the device.

 

[large_ghostman]

Shodan is now adapted, it isnt as dangerous as it once was. results are heavily filtered. By far the best method to find things on the internet is google! Use the right keywords and bingo!
There was a discussion not so long back on here, regarding opening up router ports. The thing is how many people use a router more than 3 years old? How many people have changed the default pass key? before you point out the pass key is a random generated number on a little sticker on the bottom of the router.......

Think car radios and the serial numbers and codes for them, they are generated somehow are they not, and up springs no end of software that can take your serial number and spit out the default pass word. Getting the serial number is is a simple request sent in the Auth packet to the router. Fastest way to see how vulnerable your router is, try and deauth it using some the Kali linux tools on CD, that way you dont have to install linux as its a live CD. Yes I know Kali is out of date!! But i still use that and Jack the ripper for most things when testing my network.

So far i found the best method to secure a network is to use a R PI on the first socket of a router, run a simple VM on the pi. It drives you mad trying to pivot into a network when the OS is not only on a SOC but the OS is also a VM! The Rpi 3 is just about fast enough to use as a pass through system, maybe the PI4 will be that bit faster, when that happens you have a pretty good way to secure most nets.
But most people make the same mistakes, without scanning any of you i am willing to bet most have windows updates turned on, so I know thats 4 ports that are open, most people use one of 3 browsers with auto update on or if not auto update they use the check version option and let me decide to update.

So for 99.9% of most people you only have to check roughly 12 ports, of those 12 ports 4 will almost certainly allow you in. No one thinks of the browsers and auto updating software, these all use UDP to open the ports and the ports are all documented. Grab your mobile phone and tether a laptop to the wifi hot spot option on it, then using Kali aggressively scan your own ip address, once the open ports pop up use metasploit to see if it gives you an option, if it does close that port, or use a PI as the front end .

 

[unclejed613]

kali isn't out of date, they just put up an update in Feb. there are several things that show up on shodan that people shouldn't have opened router ports for, but they do anyway. one of them is their Windows SMB shares. sure let's expose our shared file tree to the whole world, what could possibly go wrong? another one is VNC. the thing about massscan is that it can scan the WHOLE internet in about 45 minutes (that's only looking for one port, telnet for instance). of course, to do that requires a bit of bandwidth and an ISP that's not going to freak out at you essentially wardialing the whole internet. you could save some time by excluding 10.x.x.x and 44.x.x.x address spaces.

most IOT devices are just rushed into production, without a clue that it's vulnerable. if i were making an IOT device, i'd want to "red team" it. as a matter of fact, i would hire other people to "red team" the device, just to make sure i didn't miss something.

 

[large_ghostman]

kali isn't out of date, they just put up an update in Feb. there are several things that show up on shodan that people shouldn't have opened router ports for, but they do anyway. one of them is their Windows SMB shares. sure let's expose our shared file tree to the whole world, what could possibly go wrong? another one is VNC. the thing about massscan is that it can scan the WHOLE internet in about 45 minutes (that's only looking for one port, telnet for instance). of course, to do that requires a bit of bandwidth and an ISP that's not going to freak out at you essentially wardialing the whole internet. you could save some time by excluding 10.x.x.x and 44.x.x.x address spaces.

most IOT devices are just rushed into production, without a clue that it's vulnerable. if i were making an IOT device, i'd want to "red team" it. as a matter of fact, i would hire other people to "red team" the device, just to make sure i didn't miss something.

I didnt know it was up[dated, it had been discontinued for years and instead they had (forgotten name now), Anyway Kali is just what i am used to and you can update metasploit etc separately. I like it because of the non bloated way its set up and the mix of command line and gui stuff, i prefer the command line however as the GUI tools are often wrong, especially things like the quick fingerprint for machines on a network.

Backtrak!!! sorry i confused the two, both by the same people. C&B was also great, not sure if cain is still about. At least both kali and baktrack have the ripper

 

[large_ghostman]

kali isn't out of date, they just put up an update in Feb. there are several things that show up on shodan that people shouldn't have opened router ports for, but they do anyway. one of them is their Windows SMB shares. sure let's expose our shared file tree to the whole world, what could possibly go wrong? another one is VNC. the thing about massscan is that it can scan the WHOLE internet in about 45 minutes (that's only looking for one port, telnet for instance). of course, to do that requires a bit of bandwidth and an ISP that's not going to freak out at you essentially wardialing the whole internet. you could save some time by excluding 10.x.x.x and 44.x.x.x address spaces.

most IOT devices are just rushed into production, without a clue that it's vulnerable. if i were making an IOT device, i'd want to "red team" it. as a matter of fact, i would hire other people to "red team" the device, just to make sure i didn't miss something.

So if i give you my ip (vnc is running on it) you think you can get in to my network? If you would like try, pm me and i will give you my ip. I will also give you some of the open ports to save you scanning them, genuinely interested in how far you could get (free pen test for me). There is also a old spi win xp machine on the network and a couple of HP printers (the ones with more ports than sense) they have the email print ports open, now that should be more than enough info to get in.