
BG - Crash The IoT Train Yourself: Intentionally Vulnerable WRT (IV-WRT) - Paul Asadoorian & Nick Curran

BSides Las Vegas | 52:11 | 19 views | Published 2016-12
About this talk
BG - Crash The IoT Train Yourself: Intentionally Vulnerable WRT (IV-WRT) - Paul Asadoorian & Nick Curran Breaking Ground BSidesLV 2015 - Tuscany Hotel - August 05, 2015
Transcript [en]

Folks, today we've got Paul Asadoorian and Nicholas Curran from Security Weekly. Paul Asadoorian is the founder and CEO of Security Weekly, where he has led the content and production of one of the longest-running computer security podcasts and internet TV shows. By day he's a product strategist for Tenable Network Security. Paul produces and hosts the various shows at Security Weekly, all dedicated to providing the latest security news, interviews with the industry's finest, and technical how-to segments. Paul has extensive experience in penetration testing, embedded security systems, and hacking all the things. Nick Curran is a security geek, philosophy geek, and a producer for Paul's Security Weekly. He enjoys poetry, music, and tea, and his speaker bio includes the phrase, which basically means he's a jerk, because he makes people like me... and it should say "amicus", thank you. No, but, make strangers speak Latin. So anyway, without further ado, put your hands together.

Thank you everyone for coming to our talk. I know it's kind of late and people want to get dinner and stuff. I promise to be as entertaining as I possibly can. Well, I started by adorning myself in unicorn. So this is Nick Curran. Nick, you've never presented before in front of an audience, so it's awesome to have you here. Thank you for that. Yeah, so we did a project together. Nick

started working with me a little while back, and I was the Chief Insecurity Architect on the project that we're going to release during this talk today, called Intentionally Vulnerable Wireless Router Firmware Distribution, IV-WRT. Nick was the Insecurity Engineer, so we worked really well together to come up with this really cool firmware that has a lot of vulnerabilities. Before we get to the technical details in Nick's demo, I'm just going to kind of set the stage as to where I think we're going in terms of embedded device security, why the problem is so bad, some of the things that I've tried in the past that haven't really been working so well,

and that will lead into why we created this vulnerable firmware and some of the things that we put in it. We've already taught it at Black Hat for two days; this is the first time we're releasing anything public about it. So you can go to iv-wrt.com and get access to our GitHub if you get bored during the talk. They did an introduction for me: I smoke cigars and drink Scotch and I go on the camera and I talk about security, and they call it a podcast, so that's kind of fun. So I used to start my talks and say, you know, who cares if you hacked the toaster,

right? Everyone for years was always like, you're going to have Linux on your toaster and then someone's going to care about the security someday, and I was like, no one cares about security on your toaster. I'm here today to tell you that I now care about having a toaster. That's really cool, and I do care about the security, because someone created a toaster and it's called Jamy. Now, it's just a proof-of-concept toaster; however, Jamy is a Wi-Fi toaster that connects out to the internet to get the weather report and then burns the weather report on your toast in the morning. How have I lived without this device all of my life, I will never know,

but I want security for the Internet of Things because I want a Jamy, and then you do too now, don't you? You're all sitting there going, yeah, like, I want my weather on my toast, right? I want to hack it, you know, so it says, you know, semicolon, quote, or 1=1. You know, I want to put cross-site scripting on my toast; that would be a lot of fun too. So you will care that your toaster is hacked, and you will care because you will want a Jamy toaster. And I mean this just kind of speaks to how lots of people have hopped on the IoT train. There are tons and tons

of devices, a lot of them in my own home. In fact, we lost power at my house. I live in Rhode Island; we had a nasty storm that knocked out power for the past few days, and my wife and I have been texting and trying to figure out when power is going to be restored to our home. And as I was leaving the bar coming to the talk, that's kind of tradition, I got a message from my SmartThings and it says, hey, your SmartThings hub is back online. And I sent my wife a note, I said, you have power back. And like, I knew before my wife, who may

not have been home, because of all the smart devices in my house. And I mean, there's just lots of reasons why we are going to have more technology in our homes that we're going to care about the security of. When something dies, we're going to replace it with something with an embedded system with Wi-Fi that connects to the cloud. It's just a fact. I can't wait for my toilet to [ __ ] the bed, so to speak, because there are toilets with Wi-Fi and heated seats and warming dryers and warming, you know, bidet things inside of them, and I want to connect it to Twitter so that you all know exactly what's happening. I feel it's

important to keep my subscribers abreast of what's happening with the toilet. So old technology will be replaced by new technology that will further the Internet of Things. Security is still heading here on the IoT train. We've seen more vulnerabilities this year, I think, than ever before. As I was putting my core slides together for our embedded device security class, someone released on Full Disclosure 60 vulnerabilities across 22 different devices. Guess what? They're the same vulnerabilities we've heard about since 2003, when the first CSRF vulnerability was released on a WRT54G. Guess what? They're the same vulnerabilities that we're talking about when they're going to talk about car hacking at Black Hat. They're the same

ones on IV pumps that Billy Rios discovered, and then got sick and got in the hospital and woke up next to the same IV pump that he did a security assessment on and found horrible security. They're all the same classifications of vulnerabilities. I'll go through the whole class of ten of them very quickly for this presentation, and it kind of leads into why we created our own wireless router vulnerable distribution, so that we could work with this same class of vulnerabilities and show people just how bad they really are. So what does the Internet of Things mean? I mean, it means things, like devices, but it also means the internet of things, and the internet means a lot of things

to a lot of people. To some people it means a series of tubes, as kind of a throwback, right? But it means a lot of things to a lot of people. The internet means cloud and cloud computing, so when we talk about the Internet of Things, not only are we talking about the devices that you and I all know and love, that have electronics and run Linux, we're talking about cloud, we're talking about software, which doesn't have bugs, right? It has features. We're talking about mobile devices, we're talking about wireless technology. The Internet of Things encompasses all of these different technologies, and guess what? We have to secure all these different technologies when we talk about securing the Internet

of Things. The scary part about this talk is I'm only going to talk about the security of the device itself, not the security of all these other technologies that bring these devices together. So I guess that means we should go to the bar now? That's really one option. I'm offering going to the bar afterwards, because I kind of want to finish my talk. But yeah, it's pretty depressing when I start thinking about the security of the Internet of Things and I look at all the areas we have to secure. Really quick, right, when we talk about an IoT device we're talking about just this thing, and in this presentation there's the browser that

interfaces with some kind of web application; there's your mobile device that has an app that interfaces with another application; that application all runs in the cloud; and there are tons and tons of fail layered inside this Internet of Things. However, we're just talking about the device itself. So what is a device, a thing? It's a special-purpose system for which the computer completely encapsulates the device it controls, or is completely encapsulated by the device it controls. This means when you go to your washer or dryer, right, you're not breaking out a shell and opening up a web browser. Well, I mean, maybe some of you are, and that's really cool and we should talk later, but most of us go up

to our washer to do what? Like tell it the temperature of the water, how fast to spin the clothes, put the soap in. That's how we're interfacing with our washer. Now, underneath there's a computer, but the function of the washer is completely hidden by the computer. So we're not talking about cell phones and laptops necessarily, right, because they're more like computers. We're talking about lots of different devices. Who can tell me what all of the devices on this slide have in common? Stop, you've seen this before, you're ruining it. What was that? Internet-connected microcontroller? Sort of. I have them all in my house. That's really... So I don't know how people have lived without a Skydrop, which controls

your sprinkler system. Does anyone else have a sprinkler system they can control from their smartphone? One person, right? How do the rest of you live in society without a smartphone-connected IoT device that talks into the cloud to let you program your sprinkler system? It's awesome. No lawn, weeds, no lawn, yeah, AstroTurf, that's how I live, Paul. But these are consumer embedded mobile cloud things, as I call them. So all of these devices are embedded systems, but they have a cloud component. So when I configure my Nest thermostat it talks out to the cloud; I configure an app on my phone, it also talks to the cloud, and then I can talk to my thermostat together. I don't have

to poke holes in my firewall, I don't have to do a lot of fancy security things. I rely on the cloud for my security with all of the devices that are up here, which I know for us is scary, as I just mentioned, but for the average person at home, they don't have to poke holes in their firewall as you do with a lot of these devices as well. These, oh wow, I'm a real nerd, these are also devices I have in my home. This was the 2013 Christmas gift to my wife, was a treadmill. What? She wanted a treadmill. And this is the 2014 Christmas gift, was a scale. Nice. She,

anyway, so these devices don't always talk to the cloud. These are standalone devices; if you want to access them remotely, you have to open up a firewall rule. Now I'm going to tell you a really scary story. I don't know if it fits here in the presentation, but I'm going to tell it anyway, because it's one that we built Universal Plug and Play into the intentionally vulnerable wireless router project that we're working on. So I run the wireless network and the internet connectivity for the cigar lounge that's next door. We have an arrangement: one of the things I do as part of that arrangement, to get free cigars and stuff, is I take care of

their network. They were switching providers from Cox to Verizon. They have a DVR system that sits on the network that they have to poke a hole in the firewall to get access to remotely. So Verizon comes in, they drop off the new router, I reconfigure all of the other things first, I get everything working, and the manager of the cigar lounge goes, oh, let me go on my phone. He's like, oh, from the outside I can hit the DVR. I'm like, what do you mean you can hit the DVR? He's like, good job Paul, you fixed it. I'm like, no dude, I didn't do anything, I don't know what you're talking about, and I'm really

freaked out right now. So I go on the router and I look, and it's like, oh, Universal Plug and Play already opened up those firewall rules for you. What? Oh my God, that's frightening. So we built that into IV-WRT, and I think that it's a really scary thing for me, because when we look at, when we talk about some of the botnets and just how large they've grown: if someone figures out how to exploit this hole to get more people to essentially drop shields in this manner, you're going to see much, much larger botnets that are comprised of embedded devices. These are some consumer things I want. Luna is a really awesome

bed, like it can wake you up and it has heat and massage. It's really awesome. I talked about the toilet. I mean, I figure I got everything else, so I might as well have my crock pot tell me when it's done, because, I mean, why not? So door locks, refrigerators. Okay, so we should be... The refrigerator is interesting and the televisions are interesting, because I've always theorized that people will start caring about the security of these things when it impedes upon them from using these things. So when they get hacked, and what happens when you get hacked from a consumer perspective, right? You get popups, ads, popup ads. When you start seeing those on your television

and your refrigerator, you're going to be really freaking annoyed by that, and they're going to call one of you, right? Who, how many people here are technical support for their family? Yeah, like everyone in the room, right? So when people first started calling you, they were like, I can't get to my porn sites because there's popups, this is bad, I need antivirus software, right? They called you. So I truly believe that in the future, when your refrigerator, when your television starts integrating these ad systems (Vizio announced that last week, they're integrating an ad system into their TV), this is coming. I think evil bad guys are going to take advantage of it, so expect the call

sometime soon. Okay, so we should be here. Technology is being provided faster and cheaper than ever, right? Embedded devices are everywhere. They solve problems; my irrigation issues are totally solved by a smartphone app and an Internet of Things device. It's beautiful. We're going to see more embedded devices as we replace old things, except for Jack. We would never try and upgrade him; he's old, he can stay that way, it's fine, we love him just the way that he is. That's my one old joke in... haha, Paul made it funny, okay, haha, thank you, thank you. Okay, so it's a train about to crash and all the passengers are unaware or simply don't care at this point, because it

hasn't impacted people's lives, right? I get a wireless router, I get a Nest, I am completely unaware of the security challenges that I face, because I haven't been exposed to it. Nothing bad has happened in their eyes; I haven't gotten the slew of popups that I normally get. So I think we're in a very scary place right now. I really think we need to start raising awareness. So I used to present this as, you know, the ten most wanted list, and I thought that embedded device manufacturers would pay attention and be like, oh, Paul said we should do these ten things, or not do these ten things, as the case may be, so we

should really listen to Paul. No one really listened; it didn't really work out. But there are still ten things, mistakes that I see that we're making in embedded security today, or in security as it were, so I want to present them in a slightly different light and talk about some of the bad things we still see. Firmware backdoors: the most prolific, if you search for "firmware backdoor" on Google, you get Joel's backdoor, okay. I go into excruciating detail. Joel's backdoor, it's not quite what you think: it's a D-Link router vulnerability that allows you to set a specific User-Agent and authenticate to any device running this firmware. Probably one of the most famous backdoors in, like,

firmware or embedded device history. It's a really cool vulnerability, but it represents a huge problem that we have: that firmware and embedded devices have inside of them credentials that we all know about, and if we all know about them, there's no security to any of these devices. They put these in here for support reasons and whatnot. Ed Skoudis made a great suggestion on the Security Weekly show a couple of weeks ago. He said there needs to be a standard for authentication on embedded systems, and I truly believe that. If we can develop a standard and have a secure protocol and a secure mechanism to manage and maintain our systems, we won't need to put in firmware

backdoors. Default credentials: lots and lots of examples of default credentials. A couple of different examples I like to point to: a little while ago, you know, 2012, there was a 420,000-node botnet called the Carna botnet. It ripped through the internet by guessing credentials over telnet, and, you know, this is, it's kind of sad. Do I talk about... okay, so yeah, the Carna botnet was default credentials on embedded systems. I mean, these just simply shouldn't exist. The user, I've been saying for years, should set the initial password on their router. It's not being done today, as evidenced by this 420,000-node botnet that was put together to basically scan the internet. Now the

scary part for me is, what if we couple this with Universal Plug and Play? So today there's 420,000, or in 2012 there's 420,000 devices that have default or weak credentials on them, and we can build a botnet at that size. What if we were to start propagating out malware that, through Universal Plug and Play, another weakness on these devices, was able to open up all of these ports and tell them to drop shields? With that number, double, triple, quadruple, I think we'd have a serious problem on our hands. So that's one of the reasons why I like to advocate for default credentials. Hopefully we can get some embedded device manufacturers to listen to us. Insecure remote management is another

area. Again, now we talked about default credentials, but now we're talking about them over telnet. Why are we still using telnet? This just goes back to the whole premise that Ed brought up, Ed Skoudis brought up on the show, that we need a secure way to interface with these systems. This includes the protocol, this includes the actual username and password itself not being default, not having a backdoor. All that ties together in what we need to recommend to everyone, to be able to authenticate to these devices, to be able to use them, and to be able to manage them. So the Moose worm was released in 2015 and infected 50,000 routers with default

telnet credentials. Open source drivers: it's kind of a little stretch in the security, it's really one of my pet peeves, mostly from working with WRT54G routers. You know, they've got a binary blob. Broadcom gives you a binary blob and you build an open source operating system around this binary blob. If you need to update your operating system and the open source components, you can't, because that binary blob is tied to whatever kernel version, you know, it was compiled with, or whatever the case may be. So I think it really holds us back security-wise, and I really like to advocate for open source drivers when we talk about embedded systems. I still to this day take apart

firmware of very modern devices and find functions prone to overflow. Talking sprintf, we're talking strcpy, it's there. In fact, earlier this year Craig Heffner, one of my idols, awesome firmware reverse engineer, he found that D-Link had an sprintf overflow and never fixed it. In fact, they had a vulnerability in their firmware, they tried to fix it, they didn't fix the vulnerability, but in trying to fix the vulnerability introduced another vulnerability. It just shows you the state of where embedded device companies are in terms of security; they lack a fundamental understanding. I think we need some posters, right? "I respect myself, that's why I refuse to use sprintf."

"Using sprintf is a decision you can never take back." Maybe they need to hang some of those up in the office, I don't know. Firmware signing is still a problem to this day. It makes updates harder to backdoor. Many of the devices that we're talking about today fall into a couple of different categories. They could, not, they could allow you to update the firmware, but it's a totally manual process: you have to go do it, and there's no validation that the firmware you're installing is actually from the manufacturer. So then they kind of wisen up, right, and they're like, wow, we should really make it easier for the user, so we're just going to do

automatic updates. And they do automatic updates, and the users are happier because they don't have to do anything, but they forget to validate that the firmware should be signed, or, you know, use some kind of weak signing. And then we say, well, you know, you should really have strong signing, and then they start signing their drivers. Tesla is one of those companies. I, I don't, is it, oh, I got a little bit ahead of myself. But Belkin is one of the bad companies in this respect, because, as was reported last year, Belkin WeMo firmware images used to update the devices are signed with public key encryption to protect against unauthorized

modifications, right? So like, yes, we need firmware updates, yes, we have to make it easy for the user, yes, we need to do this security thing. The problem is the signing key and the password are leaked in the firmware that's already installed on the device, which means if I can pull the firmware off the device, I can get all the signing keys, and it kind of makes it a moot, a null point. So that was last year that we started talking about that. Speaking of user-friendly: Tesla, who makes, like, really cool geeky cars for us, like awesome stuff, right? They've got a big advantage today over most of the car manufacturers. I

was actually just speaking with someone who was very close to this issue. He said they've come a long way. Tesla will do an over-the-air update that does proper signing. I mean, they use SSL, but okay, at least they're trying, right, to do an over-the-air update that is secure and doesn't require the user to visit a dealership or put a USB key in their car. So Tesla is one of the ones doing it right. BMW is also on that list of manufacturers that just recently are doing it right. And this is what I mean by making it user-friendly, easy for the user: the user shouldn't have to be involved. If we have to go to users and

say, hey, you should update your firmware, you're already lost. They don't know what firmware is. The average person driving a car doesn't know what firmware is as it relates to their car. They have no idea. So we need to make this process as easy for the end users as possible. There are some companies leading the way, which is great. A lot of the issues with embedded systems center around the web management interface, and the web management interface, you know, sometimes I'll poll my class, I'm like, has anyone ever written a web server, like, from scratch in C? Has anyone done that before? Yeah. Is it fun? No, it's horrible, right? So when someone does it, they're like, oh, is

that open source? Can we have a copy of that? And then if that has a vulnerability in it, it just gets copied from device to device to device to device, because it's a pain in the butt to write. It's not the right way to implement a web framework on an embedded system. This is another area where I really want to advocate for standards. I want people to have a secure web framework, that if they're, hey, I'm building a Linux embedded device, or I'm building a VxWorks embedded device, whatever it is, I want to put a web interface on it, give them a secure framework to start off with, give them a fighting chance to build something

secure. A lot of the vulnerabilities that we've traced over time, that we've built into IV-WRT, are very much web-related. When you start linking them together, as we'll show you in our demo (please sacrifice something for the demo gods), we're going to show you that linking them together is really bad. And remember I said there were those 60 vulnerabilities in 22 routers? A lot of those in common had the CSRF vulnerability. We're going to show you, coupled with the authentication bypass, coupled with command injection, that's a lethal combination. It's not one that we made up; today devices have these vulnerabilities, and that's why we want to show them to you in a controlled

environment. You know, a lot of, in that particular one that went to Full Disclosure, a lot of these vulnerabilities didn't get fixed. A lot of these manufacturers aren't listening to researchers, fixing problems. They don't have a, they don't have a bug bounty program. I think they'd be afraid as to how much money they'd have to pay out, like D-Link would have to pay out, in order to discover all these bugs and then finally fix them. So my other recommendation to embedded device manufacturers: maintain, start, have a bug bounty program, do that stuff, don't ignore researchers that are disclosing flaws, and have a process for

it. Again, we talked about Universal Plug and Play a little bit. There are essentially a lot of protocols, and these protocols aren't just on consumer wireless gear, right? There's BACnet, which is building automation, which has no security built in by default at all. There's Modbus, which, when I talk to some of my friends about Modbus, they say that to call Modbus a protocol is an insult to all other protocols, and again represents something with no authentication. Universal Plug and Play is the same thing. Okay, so despite my best attempts at getting people to hear my ten complaints, embedded device manufacturers and IoT and even car manufacturers making one or more of the

ten mistakes that I just put up there on the board, despite me talking about them for some time, kind of frustrates me, and I feel like we need to raise awareness even more. I said, you know, we have vulnerable web apps, we have vulnerable-on-purpose Linux distributions; we don't really have vulnerable-on-purpose embedded routers. And so we went through this kind of long rigmarole of, well, maybe we need to find an old piece of hardware that has vulnerabilities on it. Yeah, those are the vulnerabilities we need to show people and do some demonstrations. And they're like, well, I ordered one, but it was Rev D, not Rev A, and Rev A has the

vulnerability. So, well, that didn't work. Well, I need to find this particular version of firmware for this old Linksys device that I have, because that has a lot of the vulnerabilities that we like and we can show people how bad it is. And then I write Linksys on Twitter and open up support tickets, and they're like, no, you can't have any of the old firmware, we pulled it from the download site. I'm like, okay, well, that doesn't help me either. Then you go try and find old firmware on the internet and you get malware and you have to rebuild your VM, which really sucks. So then I'm really frustrated and I'm like, that's it, we need to just build our own. We need to

control our own environment. So, I don't know if I start out with, okay, so I'll talk about it here a little bit. We actually started out with DD-WRT. Yeah, don't, don't ever look at the DD-WRT web interface code unless you have, like, dull spoons to gouge your eyes out afterwards. Really, really bad. So we turned to OpenWrt, and I drew this big whiteboard in the office where Nick and I work, and I said, these are all the vulnerabilities I want. Like, after everything I've seen with all of these devices across all of these different industries, not just wireless routers in people's houses, but things that are on IV pumps, things that are in cars, things that

are in basically anything that we classify as an embedded device, here's what I want you to start doing. So I drew it on the whiteboard, and then, you know, as time went on, through six to eight months, Nick would come in my office and it would be a glorious time, and he'd put, like, this little check mark and we'd, like, rejoice: yay, we have CSRF, yay! Which normally we don't rejoice about unless we're on a pentest, like that. But so, yeah, so we rejoiced every time there's a vulnerability until we had this full list of vulnerabilities. Now, those of you that have worked with OpenWrt before, what do you get when you log into OpenWrt on the command

line? Anyone? Yeah, BusyBox. But what's the message that comes up when you log in? What is it? Yeah, it's a drink recipe, right? So it's like, even better, I get to come up with a drink recipe for IV-WRT, and I said it's got to be a Bloody Mary, because how else to describe an intentionally vulnerable wireless router distribution than a... it's a Bloody Mary, because it's, I mean, it's a hot mess. It's a bloody mess, basically, is what we made out of OpenWrt after we ripped it apart, so it's a pretty fitting name. At the end of the presentation I'll share with you my Bloody Mary recipe, so that's like a bonus to get in the

talk. Okay, so like I said, finding vulnerable hardware and software was hard. Vulnerable firmware is no longer available, making showing attacks difficult. Yeah, a stable environment to develop exploits is tough too. Like, running things in emulation from other firmwares, running firmware under emulation, is a gigantic pain in the butt and is only going to get you, like, one example. Now we can control everything. Again, the goal is to raise awareness in the community, get all of you working with this firmware, to be able to use it, to understand it, to see how vulnerabilities work, to see how vulnerabilities interact with each other. It's really important so that you can understand these problems even better, so

that you can go to all of the vendors and manufacturers of the IoT gear and work with, you know, the Bugcrowds of the world, responsibly disclose these vulnerabilities to help improve the security of IoT, which is a complete train wreck. Okay, so we built an authentication bypass, which is kind of funny, because the root shadow file is right in the view source of the main page, and you think that you'd never see that it exists out there. Okay, there's firmwares that disclose the admin password in the source, so we replicated that. There's backdoor accounts, command injection, cross-site scripting, reflected and stored cross-site scripting, cross-site request forgery, a really

funny token spoofing thing that just kind of came about as we were putting vulnerabilities in there. It's kind of lame; it was by accident, basically. You can spoof anyone's token if they're logged in, you could send their token if they're already logged in, but the CSRF plus the authentication bypass makes it kind of a moot point. Universal Plug and Play is also on there as well. So we have, you know, like a little script: you run a command, it sends a command to IV-WRT to open up port 80 on the WAN port, to essentially drop shields to its management interface on the external internet. Okay, now I'm going to turn it over

to Nick Curran, who's going to talk about how he was able to, like, where in the code some of these vulnerabilities are and how the vulnerabilities present themselves, and then give a little demo. So, turn it over to Nick. Sure, thank you. Do you need some Vaseline before you go on? You good? Okay, maybe later. Okay, all, so if you look at the code up there, actually LuCI, the Lua Unified Configuration Interface for OpenWrt, is actually a lot like a web framework, and so there's a root node, and each page inherits attributes from that node. So if you look, you have to set authentication to false

explicitly, so that's our authentication bypass. And basically, you don't really notice yet, but you should, if you're logged in, have a session token in your URL. So that's our authentication bypass. This is a backdoor; that's the source of the login page. This is our command injection. If you look, it says, in backticks, echo $PWD | cut -c1. This actually gets passed as a URL, so we needed a way to make forward slashes. So what we did is just echoed the present working directory and cut everything but the first character off, which, I mean, is pretty standard. In most command injections you're limited in some kind of way, so we were

also limited. So it's kind of cool too: there are actually a couple of different ways Nick discovered later to work around that limitation of not being able to just put a forward slash in. So you can actually create a file and then cat that file to create that forward slash, but it's a pretty realistic interpretation of a command injection because it has limitations, like all other command injections do. Is it a CSRF? It's beautiful. Nick created the slide and I'm like, this is a beautiful CSRF. He's like, it's just a bunch of code. He's like, it's not. I'm like, no dude, it's beautiful, it's awesome, look how beautiful it is. Sorry. And so this is the

vulnerable code. When I went through, I left everything in; I just commented certain things out. So the code in red is just checking to make sure that the token that's been passed is the appropriate token, but it's commented out. Nick makes it look really easy, like, you know, you just go through the code and then you comment those two lines out and look, you've got CSRF. But it took you a lot longer than five minutes to go into the code and feel like... the ultimate way, you know, Nick was able to inject the vulnerability was those two lines ended up commented out, but it was like weeks of us testing and theorizing and going

through source code to get there. So it's pretty cool. Yeah, and this is what I'll show you, and I'll probably show you a little more, but this is just a kind of scary situation that could happen. I mean, do you want me to walk them through it? If you like. Yeah, so I was like, there's a user, they have antivirus and a firewall, so they're like, I'm safe, yay, and I can call one of you nerds if I ever get in trouble. So I'm just going to browse the internet like there's no regard for any security, and then they load a page that has a

CSRF vulnerability for the device that they're using. Now, since there's an authentication bypass, that CSRF is very effective: they don't have to be logged into the router, because there's an authentication bypass vulnerability. The authentication bypass vulnerability happens to be on a page that we chose that is also vulnerable to command injection. The command injection vulnerability can then put malware on and essentially shovel a shell back to the attacker. So just by the fact that the user's loading a page, it goes through all those vulnerabilities in a single click and puts malware not on the user's workstation but on their router. This means now I have root command privileges on their router; actually the web server runs as root, so when it shovels a shell

back to me, I get a root prompt back when they shovel me the shell, which means I can put any malware I want on there. I can change your DNS servers, I can sniff your traffic, I can do whatever I want on that router that's passing traffic for all of your devices. So this was kind of the scenario we came up with. Good. Just walk them through it again; I don't know if you just want to do it live or what. Yeah, I think, yeah, let's do some demo. Okay, all right. Sure, yeah, we've already started IV-WRT and an attack server. One of the things we'll have to do is

log in and set a

password. All right, so I'm logged in, so I'll assume the role of the victim. Our attack server is here. I'll click; of course we could hide that. I don't know if you guys saw that, but it's applying changes, and now we've got... You were going to hide that in an iframe, right? Exactly, yep. And so now we've got a new firewall rule here, so 172.30.254.1 is the LAN side and the WAN side is on a 10 network. So if we go here... probably should have shown you before that... actually, what I can do is just delete this rule, give it save and apply. I do have to save and

apply, that's right. And oh, what's up? Click the little arrow thingy next to the little... yeah, that one. I don't like... yeah, it's actually not connected; it says connecting too and it's just spinning. Right, exactly. So just to show you guys, I'll do that

again

That's interesting. Yeah, it's probably

the demo gods frowning. It worked the first time you pushed it; by trying to make it work again... confident that it'll work? Yeah. Try closing that, try closing all of them and then just logging into the LAN again. Sure. Oh, I think we... yeah, we hosed it. Beauty of embedded devices, but yes, I'm about to try turning it off and on again. So we'll have to... I have to wait one second for the interface to boot up. While we do that, Paul will probably talk about my Bloody Mary recipe, about his Bloody Mary

recipe. Oh, so that's my Bloody Mary recipe. A couple of things to know about the Bloody Mary recipe: 4 oz V8 juice, 4 oz vodka, very important, half and half, equal mixture. The other secret ingredient in there is pickle juice, very important. Okay, make it as spicy as you want. Also celery bitters, Worcestershire sauce. You need to have all the right ingredients to make Paul's Bloody Mary; it'll come out awesome, I promise. That's all I had in my Bloody Mary. I don't know how long I could have stretched my Bloody... Pretty quick, and I think we'll be all right. So we'll go to the LAN side. That looks better. You've got to set

your password again. We have to set a password again, I apologize.

All right, now let's check out the WAN, and we can't get there. Now we'll go back to our attack server, we'll click that link, we've got our new rule, and we can get there from the WAN. Yay, drop shields. Paul mentioned this

earlier. Paul mentioned this earlier. Basically there's a symbolic link to a file which is just output into this; I just did that to make it harder for students to find. There's also authentication bypass. What I can do is show you a script, and... oh, okay, Paul doesn't have the Python modules that I need, but that's fine. If I just go to admin, network, diagnostics... I think you spelled network wrong. Yeah, I spelled it very wrong. All right, we've bypassed authentication, or I was logged out, right? Yeah, just to show you guys. All right, there we are. Okay, and predictably we've arrived at a ping utility, and you can

kill the reminder for my dinner; I have to go in a little while, thanks. For which, for which there is command injection. What I've also put up on the attack server is... oh no, I didn't put that up. So on the new attack server I have everything you need to basically implant a backdoor, but I can kind of show you that forward slash we were talking

about. So that's how we get forward slashes, because if I do something like that, it doesn't work. And what should I do next? I'll probably cat /etc/shadow. Oh, I could do that.

Yeah, spelled that code

wrong. Spelled that wrong.

Yay, a password. And can you remember the shell off the top of your head? No, I can't. I can't do SHA-1 hashes in my head. Oh, does it involve a SHA-1 hash? What? Okay. The backdoor... like, can you run netcat? Is that how you did it? Oh, I could do that too. What I was talking about was just writing directly to /etc/passwd and /etc/shadow. So hopefully... oh, here we go. Yeah, so I could show you just a simple alert one, but hopefully we'll be able to do something a little more interesting. If you want to show them shoveling the shell, can you set up, have a

listener and do the shell through the... you want to do that later if we have time? Yeah, that's fine. Okay, yeah, so I'll log in, I'll go to System, System. So what I'm going to show you is a stored cross-site scripting attack. Okay, should work. And it's in the hostname field, so that means a few things: it has to be less than 64 bytes or 64 characters, it can't contain dots, which is why I'm using the HTML entity codes, and it also means that it shows up in every page, because the hostname of the box appears in the title of the page. So

hopefully, if I do log.txt and then I do something like watch

and... I log out and log back in. That doesn't seem to have worked, so what I'll have to show you for now is just the basic alert

one. That could

be... Okay, so you'll see: yay, cross-site scripting, yay, and it's on every single page. Nick does have a keystroke logger working, but basically about four hours ago I completely hosed my system, so here we are. If you go to i-w work.com you can get all the documentation, and it'll come complete with the JavaScript keylogger. There are also examples on there of how to use the command injection vulnerability to shovel a shell back to yourself, and a bunch of other things as well. So when you go to iv.com today you'll be able to download the ELF image, and there are instructions on how to run that in emulation. Nick, I don't know if you

want to show really quick your IV-WRT script that we have. Sure. But basically we're running the entire firmware distribution in emulation, and we have a pre-compiled binary out there that represents our firmware. Nick will be working when we get back to upload all of his source code. So OpenWrt uses buildroot; you'll be able to compile this vulnerable firmware for any device that's supported by OpenWrt. Now, warning: before you do that, it's intentionally vulnerable. Don't put this on anything internet-facing or someone will pwn it. We haven't done anything about this publicly, but we already noticed someone found us on GitHub and started writing

articles about it. So yeah, don't run this on anything production, public-facing, basically anything that you don't want to get pwned; don't run this on it, please. Do you support bug fixes? Yes... well, not if they fix vulnerabilities, because those vulnerabilities aren't bugs, they're vulnerabilities and they should be there. Reverse bug fixes, I guess. Feature list? Yeah, it's the unfeature list. But if you want to introduce new vulnerabilities, that would be awesome, which sounds really weird for me to say, but that would be really awesome. And so as I was saying before, also Nick's going to work on getting all the source code up there as well, so it is

fully open source. Everything we've done is open source. Again, I put that caveat out there: don't think this is something you should run on production devices. Make sure you tell people, hey, there's an intentionally vulnerable wireless router firmware out there, don't ever run it on your production systems. Help spread the word to prevent people from doing that, because I'm really kind of concerned about people running that. So you have... if you just want to run in emulation, you have everything out there you need today to do that, and if you want to compile the source, compile it for other platforms or hardware, you want to have a physical Raspberry Pi running a vulnerable IV-WRT

distribution, you can do that. So now, any questions for Nick and

I? How do you close the CNN articles in Arena? I don't know, I don't think they care that much. The other one being, is the appliance going to be made available? Appliance... the appliance that you guys have. You guys have... yeah, so you can take the ELF file, it's basically the full firmware image, and in just one QEMU command you can run that and get the full virtual image, and then there's full documentation with all our scripts, like all the scripts that Nick was running for the attack server and stuff like that, are all being released open source, right? Yeah, so you'll have access to everything. You should look through

the documentation a little bit in order to set up the LAN side and the WAN side. What we do for the class is basically tap, dummy and bridge, so... yeah, all that documentation, how to configure on your own as well. Yeah, we have a mic in the middle of the room if folks want to ask

questions. No more questions? Not even about the

unicorn? Are you going to be adding any vulnerabilities that show how your own devices can be attacked, so that you can have something where, you know, you have your mom, right, saying, I swear I wiped the system like you said and did the reinstall, how come it might still keep on getting infected, you know, or something along those lines, where you can show that... I don't know, but something to show that if you see this persistent kind of thing, these are the impacts that people have that own these. Yeah, it's a good question. The question is, are you going to show anything that's persistent, that, you know, I wipe my system but vulnerabilities are still

there, to showcase that? I think it's a really important point. I think that a lot of people think, hey, I'm pwned, you know, someone's in my bank account, something fishy is happening, let me wipe my Windows system and reinstall it. But now I still have the problems, because someone pwned my router. So I would like to put components inside of this system that, you know, maintain persistence, that do some packet sniffing, that do some attacks that inject traffic into the, you know, TCP streams, that do things like that, and show persistence. It's a great point. I think, you know, we're all thinking along the same lines. The other thing I want to do, and I

encourage others to do this too and share their research: you want to take this, you want to put it on the internet in a controlled environment and let people hack into it and see what they do, and use it as a honeypot. I think that's great too. The more we can learn about how people are breaking into these systems, the better. So that's kind of what we have next too, to answer that question: we're going to make some honeypots out of these systems and see what attackers think of them. Yeah, we've got all night. I mean, you know, the pool part is not for enough. No, I don't... didn't you see the alert that

came up? I've got to go to a dinner. One, yeah, all the manufacturers... we, you know, we probably should have a rolling credit somewhere in there, like a little Easter egg: if you go to a certain page on the web interface, you know, thank you D-Link for all of your inspiration, we love you. All right, no further questions then. Have a great night everybody, thanks everyone.