Insights For Success

Strategy, Innovation, Leadership and Security

Internet of Things

Fun with Shodan and IOT

Edward Kiledjian

Read this related article: Find phishing and malware with a simple search

Search engines have become a favourite starting point for threat actors, so they should also be your starting point. Beyond Google, there are a bunch of specialized search engines that are powerful and scary. This article talks a bit about Shodan. Think of it as a gentle introduction.

What is Shodan

Shodan is often called the world's most dangerous search engine. It attempts to catalogue metadata about its targets, which are often Internet of Things (IoT) devices. Hackers and security researchers use Shodan daily to find vulnerable webcams, open traffic light systems, SCADA in manufacturing plants and much more.

I'm going to assume you have a free Shodan account.

Browse the categories

If you visit the Shodan Explore section, you can find all kinds of interesting systems listed.

Unprotected webcam

For this example, I searched for the Axis 212 webcam which is known to have many vulnerabilities and a known default password.

As an example, the webcam I highlighted seems to be in a daycare facility and isn't even password protected.

I've blurred out the children and teacher.

Some are unprotected. Some have kept their default passwords (there are lots of default password lists like this one). Obviously many of these cameras are made by a handful of manufacturers in China and are never updated. Once you find a vulnerability on one model it is often workable on dozens of others.

Routers

You can search Shodan for common router brands like Belkin, D-Link, Netgear, etc. and then try to log in using the default admin passwords. Above is an example of a Linksys router exposed to the internet without a password. Others are exposed with the default password.

Intel AMT Exposed to the internet

There is a major Intel AMT vulnerability, yet Shodan shows that 4,647 devices with AMT were connected to the internet (on July 22).

If you search for "http intel active management" in Shodan, you will get a listing of these devices.

Other searches you can perform

Netgear device with port 80 open to the internet

Bitcoin servers

You can even use the Shodan ShipTracker dashboard to track ships in real time.

ShipTracker is harmless on its own, but combined with data available from other sources and the knowledge that many ship systems use default passwords, it is a disaster waiting to happen.

There is a known vulnerability that allows a threat actor to steal or modify information from a Memcached server. This vulnerability was used to target GitHub with a massive DDoS attack. Not all Memcached servers are vulnerable (I won't show you how to find the vulnerable ones), but how would you search for Memcached servers on the net? The answer is with a Shodan query.

 

Conclusion

Obviously, this is just the tip of the iceberg. A true threat intel specialist will be able to automate Shodan queries and then combine them with known vulnerabilities, exploits or default credentials. I am hoping this article created a bit of interest in you to learn more. 
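The same automation works in the defender's direction: take banner records for address space you own and flag the kinds of exposure described in this article. The sketch below is an added example, not the author's code. The records are constructed, use Shodan's banner field names (`ip_str`, `port`, `transport`, `product`, `data`), and the owned ranges and device keyword list are assumptions.

```python
import ipaddress
# Assumption: ranges you own or are authorised to audit (documentation ranges here).
OWN_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# (port, transport) -> reason, limited to services this article mentions.
RISKY_SERVICES = {
    (11211, "udp"): "Memcached answers over UDP (usable as a DDoS amplifier)",
    (11211, "tcp"): "Memcached reachable from the internet",
    (16992, "tcp"): "Intel AMT web interface (HTTP) exposed",
    (16993, "tcp"): "Intel AMT web interface (HTTPS) exposed",
}
WEB_PORTS = {80, 443, 8080}
DEVICE_KEYWORDS = ("linksys", "netgear", "d-link", "belkin", "axis")

def in_scope(ip):
    return any(ipaddress.ip_address(ip) in net for net in OWN_NETWORKS)

def assess(rec):
    """Return findings for one Shodan-style banner record (dict)."""
    findings = []
    reason = RISKY_SERVICES.get((rec["port"], rec.get("transport", "tcp")))
    if reason:
        findings.append(reason)
    product = rec.get("product") or ""
    if rec["port"] in WEB_PORTS and any(k in product.lower() for k in DEVICE_KEYWORDS):
        status = (rec.get("data") or "").split()[1:2]  # HTTP status code, if any
        if status == ["200"]:  # heuristic: page served with no auth challenge
            findings.append(f"{product}: web interface answered 200 with no auth challenge")
        else:
            findings.append(f"{product}: management interface exposed, confirm default password is changed")
    return findings

def audit(records):
    report = {}
    for rec in records:
        if in_scope(rec["ip_str"]) and (found := assess(rec)):
            report.setdefault(rec["ip_str"], []).extend(found)
    return report

# Constructed sample records using Shodan banner field names.
SAMPLE = [
    {"ip_str": "203.0.113.10", "port": 11211, "transport": "udp", "product": "Memcached"},
    {"ip_str": "203.0.113.20", "port": 16992, "transport": "tcp", "product": "Intel Active Management Technology"},
    {"ip_str": "203.0.113.30", "port": 80, "transport": "tcp", "product": "Linksys router", "data": "HTTP/1.1 200 OK\r\n\r\n"},
    {"ip_str": "198.51.100.5", "port": 8080, "transport": "tcp", "product": "Netgear router", "data": "HTTP/1.1 401 Unauthorized\r\n\r\n"},
    {"ip_str": "198.51.100.200", "port": 11211, "transport": "udp", "product": "Memcached"},  # outside /25
    {"ip_str": "203.0.113.40", "port": 443, "transport": "tcp", "product": "nginx", "data": "HTTP/1.1 200 OK\r\n\r\n"},
]
```

Calling `audit(SAMPLE)` returns findings for four hosts; the out-of-range Memcached host and the ordinary nginx server are left out.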

For this article, I only chose examples that were exposed to the internet and were not password protected. Be careful as laws differ around the world. In some countries even testing default passwords could be considered "hacking". 

Attacked by the Internet of Things

Edward Kiledjian

Image by JD Hancock used under Creative Commons License

In the last 30 days, I participated in 2 CIO conferences (Montreal and San Francisco) and interestingly heard similar questions from executives about the security risks and dangers of Internet of Things devices. Are they really that dangerous?

When I talk about Software as a Service, most readers think of the Google computer cloud, Amazon Web Services or Microsoft's Azure cloud platform. What never gets mentioned is the new breed of Attack as a Service providers. As competition in this space heats up, purveyors of these types of "fine" (said sarcastically) services are looking for ways to reduce the price to win customers. Yes, free-market economics is alive and well in the dark underbelly of the internet.

An October 2014 report by Akamai (one of the internet's largest Content Delivery Networks and provider of website attack protection services) said that they saw a significant increase in the number of UPnP devices being used in amplification attacks.

Amplification means an attacker can start with a very small number of attack origin devices, then use flaws and misconfigured internet connected devices to turn the drop into a tidal wave.

The Open Resolver Project has collected a list of 28 million internet-connected devices that can be used for amplification attacks.

Remember that not so long ago (Christmas Eve and Christmas Day), a group known as the Lizard Squad "took down" the PlayStation and Xbox online services through a DDoS attack using thousands of compromised home internet routers.

As companies rush to cash in on the connect-everything-to-the-internet craze, many are cutting corners on security in order to rush products to market or save money on development costs. These are the same companies that don't update their products when major flaws are discovered in the open source tools they use, which means known vulnerabilities sit waiting to be exploited for the life of that device.

Clearly we have a problem with IoT devices already connected to the internet, and eventually it will have to be fixed somehow or we will see bigger and more devastating DDoS attacks. I'm not sure how these will get fixed but it may come down to government regulation (which I hate to even think about). 

Going forward, I am hoping the larger players will be able to sway device manufacturers to adopt a more security-conscious approach. Apple is working on HomeKit and Google bought Nest and Dropcam. Maybe if these larger players use security as a differentiator, it may push other manufacturers in the right direction.

The OWASP Internet of Things Top Ten Project is a great start and the site defines its purpose as:

The project defines the top ten security surface areas presented by IoT systems, and provides information on threat agents, attack vectors, vulnerabilities, and impacts associated with each. In addition, the project aims to provide practical security recommendations for builders, breakers, and users of IoT systems.
— OWASP

As a security expert, I have very limited IoT technologies in my house. Not because of a lack of desire but out of concern for security. Be careful of what you buy and how you use it. Make sure IoT devices are on a separate network, so that a compromise of those devices won't give an attacker a foothold in your home's internal network.

Ask yourself:

What would be the impact if a bad actor saw or listened in on a private conversation? What if they accessed your home internal network and copied your computer files?

This is a market that will explode in the coming years. We will see IoT embedded in everything from our toaster to our pants. Our shoes will provide step counters, our fridge will say how much we ate and the bathroom will illustrate how much time you lost in there reading a magazine.

Everything we do will watch, measure and report on us. Let's try to make sure all this incredible data isn't used for nefarious purposes. As a consumer, demand secure devices from manufacturers. Vote with your dollars. Email company support departments asking for updates and better protection. It's in all of our hands to make security a priority for these companies.

 

Dropcam vulnerable to hackers

Edward Kiledjian

Dropcam (now a Google Nest company) took the remote internet-connected video world by storm by allowing anyone to remotely monitor their homes or businesses cheaply and without being a technical genius. There are countless media articles about businesses and homeowners using it to catch thieves, but now we learn that it can be exploited by cybercriminals against you.

Two researchers from Synack (Patrick Wardle and Colby Moore) discovered vulnerabilities in Dropcam which they will demonstrate at Defcon 22 in Las Vegas next month.

Like a bad hacker movie, the researchers claim to have discovered that it is possible to hack the system to watch videos remotely, turn on the microphone (hot mic), inject fake video into the stream (to cover tracks) and even to use the Dropcam to compromise your network. 

"If someone has physical access [to a DropCam device], it's pretty much game over," says Wardle, who is director of research at Synack. "People need to be aware that these devices can be accessed by hackers or adversaries, and they should be scrutinized in the way people protect their laptops," for instance. [source DarkReading]

It seems the software running on the Dropcam is also old and unsupported, which may explain why it is also vulnerable to Heartbleed.

All in all, a pretty bad situation that should serve as a wake-up call to everyone that we need to pay more attention to the Internet of Things. Too many small companies are trying to sell sensors, cameras and mics to consumers without paying enough attention to protecting their devices (and therefore my privacy). Hopefully Google and Apple will force more secure standards to bring these small players in line.