
Hacking Demos, Dirty Secrets, Dangerous Lies, and Asset Intelligence

BSides Augusta · 2023 · 53:06 · Published 2023-10
Category: Technical
About this talk
Dark allies from the nightmare dimension, on an unholy crusade, have assembled a variety of hacking demonstrations for your education and amusement. Secrets and lies across IT, cloud, and embedded devices will be exposed. Strategies for advancing your asset intelligence aimed at disappointing bad actors will be illuminated. You’ll share this knowledge around the water cooler, apply these security strategies within your organization, and become that awesome person everyone wants to hang out with at office parties, regardless of that Fantastic Four shirt you keep wearing. What happens when the industrial robot on a factory floor is overlooked in your asset inventory? We’ll demonstrate what that hack might look like and hacks against traditional IT and cloud assets. Stories from the trenches—secrets and lies involving cybercriminals, nation-state actors, and defenders—will be shared. Strategies for creating and maintaining weaponized asset intelligence that will help keep your organization “left of boom” will be detailed. Weak asset intelligence makes organizations vulnerable to risks ranging from advanced persistent threats to advanced persistent auditors. It only takes one missed, weak device to compromise an entire organization. This weakness and low confidence in the data is frequently a function of data management overload, security tools overload, or slow, error-prone, manual efforts. It’s also challenging to correlate data across different departments, and the relevant intelligence exists in product silos. As your attack surface grows—across traditional IT, cloud, IoT, remote employee devices, and SaaS applications—instead of your asset intelligence being a weaponized source for good, it becomes a parade of horribles. Nation-states and cybercriminals want this to continue. 
Cybercriminals have monetized attacks on your assets, and nation-states have built multi-million-dollar tools to target them, maintain persistence, evade detection, steal IP, and conduct sabotage. These bad actors count on you being passive and want you to fail. Disappoint them! Weaponize your asset intelligence.
Transcript (en)

All right, so it looks like that's most of us that are going to be here today, this morning. Welcome to our first talk. We've got Brian Contos, and he's going to be speaking on Hacking Demos, Dirty Secrets, Dangerous Lies, and Asset Intelligence. Welcome, Brian.

Thank you, thank you, thank you. Can you hear me? Testing. Yep, all right. All right, you guys ready to rock? Right, you wanted the best, they got stuck in Atlanta, so you got me. So let's jump right in. A little bit of background about me: I've been in cyber for about 25 years, and I'm like, "Oh Brian, you look so young and not at all overweight or anything." How can that be? No, it's true, 25 years. I've been building startups for most of the time. I started my career with DISA down in Fort Huachuca in Arizona, and then I went to Bell Labs. I moved to Brazil for a few years, but when I came back to the US I just started building security companies: Riptech, ArcSight, Imperva, Solera, Cylance, a whole bunch of companies. I've had, let's see, two IPOs and eight acquisitions, or as my wife measures it, about five pounds per company. Joke's on her, it's closer to six and a half pounds. I wrote my last book with Bill Crowell; he was the former director of the NSA. Dozens of people read it. It was very verbose, it could stop a low-caliber bullet. And I recently did a documentary on HBO on cyber war with General Michael Hayden from the CIA and the NSA. That was such a hit that the producers didn't even renew the domain name for $10. So that's a little bit about me.

So we'll start where any presentation about cyber should start, which is the Greek Empire. So at the time, from a technology perspective, the Greeks, man, they were the bee's knees. Nobody had anything on them. They were so advanced, so sophisticated, in fact it's been postulated that had they not been sacked, by 1492 they would have had a manned expedition to Mars. Now, my dad told me that, he's from Greece, so consider the source. But they were still pretty advanced. They ruled the modern world, and they pretty much ruled the modern world with iron and bronze, and they had a phalanx unit, right? Did anybody here see the movie 300? So they had iron, bronze, and they had abs of steel, as all Greek people like me have. I just have a protective layer of karate fat as well. But they were very successful until the Romans came along, and they had this new thing called steel. It was low-carbon steel, but it was still steel, and they had this sword design called the Gladius sword, which was actually taken from a Spanish model. By today's standard it's not super technically sophisticated, but back then that allowed them to completely change their tactics. So they didn't have to fight in a straight line; they could flank, they could fight in the hills, through the trees. It wasn't just one giant unit you were going against, so it really allowed them to gain advantage, and we see that with all sorts of technology.

Now we jump forward quite a bit to Turkey, the Ottoman Empire, 15th century. Now, the Ottoman Empire did not invent gunpowder or the musket, and they weren't even the first military to use the musket, but they were the first ones to embrace it in force. And these weren't very good muskets. They weren't even rifled, so when you would fire, the bullet maybe would kind of go in the general direction where you thought it was going. But if you have a thousand people, statistically someone's probably going to hit somebody else charging at them. Now, there was a lot of complacency on the other end. The people fighting them said, "We don't need to use these muskets. We'll use longbows and spears and swords, things like we've been using, tried-and-true tested solutions." Well, the problem with that is when you bring a sword to a gunpowder fight, it doesn't really end well. So that complacency on the other side really took effect for a couple of reasons. One, they were outmatched, but two, you can teach somebody to use a musket pretty successfully. They might not be the best marksman, but they know how to use it in a week or two. To be really effective with a longbow could take years, meaning that if you kill somebody that fires a longbow, it's going to take a lot longer to replenish that than it does somebody using a musket, just from an attrition perspective.

So on the other side of this we have World War II, but before we get into World War II, let's talk about World War I. During World War I, the British and the French each had about 3,000 to 4,000 tanks each. How many tanks do you think Germany had at the beginning of World War I? You can just yell it out. Zero? Pretty good, actually. They had 20. They had 20 tanks, and they were shitty. They used communication with carrier pigeon, not very good, not very effective, especially in the middle of a battlefield, and they essentially would hold somebody in place long enough to get blown up. That's what they were good at. But somebody was in that war named Rommel. Later on he was given the name the Desert Fox. Rommel said, "This is the new new. If we ever have a war again, we want to build tanks." So after the Treaty of Versailles, the world said, "You know what, Germany, you tried to take over the world, we're not going to allow you to build tanks." Germany said, "Okay, fine, we're going to build tractors, and this farm is going to build a tractor and that farm's going to build a tractor. Oh look, if we plug them together they're not a tractor anymore, they're a tank." So when they entered World War II, how many tanks do you think Germany had? 2,000? 160,000 tanks and other armored vehicles, or a ton of tanks. So they're literally 54 tons each, and they held five people. Has anybody here seen the movie Fury? The Panther and the Tiger completely outclassed US Sherman tanks.

They were really spectacular on paper. They were like a fine-tuned clock, which is great if you're a clock. It's not particularly good if you're driving through mud and over rocks and being shot at all the time. So it became really problematic, because these things would start to break, and when they broke, this is really the failure: they assumed that if they built this massive tank arsenal, that they would have the supply chains to support them. Well, when a US Sherman tank got blown up or broken or something happened, they could fix it in the field, and if you could drive a car, you could drive a tank. They're very simple to use. Not so with the German tanks. With the German tanks, when something broke, they were dependent on a supply chain that wasn't there. So it would break. If somebody got killed in the tank, it would take a long time to replace those individuals. So the assumptions that they relied on, that "hey, we're going to build this and we're going to have the infrastructure to support it," was wrong, and that's largely why those tanks were ineffective, because they were way, way better than the tanks we had or the tanks Russia had, but they didn't have the infrastructure to support them. So they had assumption-based failures.

So change is pretty constant. I kind of went for a post-World War II perspective, but after the transistor in 1947 we kind of start developing all the technology that we in this field depend on, everything from TCP/IP to the internet, computers, so on and so forth. And there's me standing next to a mobile phone, mobile because you could stick it on a ship or the back of a truck, so that made it mobile. And you're probably saying, "Brian, where do I get an awesome shirt like that?" Well, you can't. It's vintage, you can't find it anymore, sorry. But with constant change on the good side, you have constant change on the bad. Can't have a front without a back, light without dark, so on and so forth. Who here has heard of Mirai? Okay, good, good percentage of you.

Mirai is like the grandfather of attacks on IoT systems. It's definitely the old-school, legacy approach to attacks, and what Mirai was, these hackers said, "Look, let's start targeting IoT devices, particularly let's start targeting security cameras," and they created this attack which was very simple. It logged into these cameras that were internet accessible using telnet on port 23, okay, and then it tried to log into those cameras with well-known default passwords, about 8 to 10 common passwords. That's it, that was the extent of this attack. It was very successful, though. Logging into cameras with default passwords over telnet and adding the malware to the camera created a botnet that was larger than Google and Amazon combined in terms of processing power and network bandwidth, and it was able to take out PayPal, Reddit, telecom companies, Netflix, people that have pretty big infrastructures, right? So it's highly, highly effective. But it didn't stop there, because what they found out was there's so much white labeling and there's so many shared libraries that are used in the IoT space, and even the sharing of passwords, that the same attack was able to take out voice-over-IP phones, printers, digital door locks, through the same hack: telnetting into the device and typing in the default password that you could look up. So we go into organizations today, we still find devices that are vulnerable to this. This is a 2016 attack; they're still vulnerable. Furthermore, we still find devices that are still infected with Mirai, because nobody ever bothers to update the firmware or check the capabilities of their printers, their voice-over-IP phones, their security cameras. So this is actually still out there, even though it started back in 2016.

So as a foundation to what we're talking about today, I want to just talk a little bit about asset intelligence, because it actually applies some things that I think will be beneficial throughout the entirety of the presentation. The first one is, when you think about asset intelligence, this notion of looking across my enterprise and understanding where are my devices, where are my users, where are my applications, where are my vulnerabilities, all these things that play a role in assets, think of it like this: four dimensions, length, breadth, height, and time. So length, these are asset types. When I'm talking about asset intelligence, and while in this presentation we're going to focus on just a portion of that, think of it in a large ecosystem of types: my laptop, my virtual machine, the applications it runs, the vulnerabilities it has, and the users that interact with it. Breadth, asset locations: I care about stuff that's on-prem, I care about stuff that's in remote offices, I care about stuff that's in the cloud, I care about stuff that's work from home, BYOD devices, enterprise devices. I want all of that. Height, this is where it gets really interesting. I want all the details. In particular, I want to know about presence and state. I want to know you're running Automox for patch management. I want to know you're running CrowdStrike for your EDR. I want to know you're in Microsoft Active Directory. That's presence. But what's the state? Maybe I'm running n minus 3, I've got a version of CrowdStrike that's three generations too old, or my Automox hasn't communicated with the patch management console in over a year, or I'm simply not even in Active Directory. That's state. So having presence and state is the height. And finally, time. Yes, I want real-time information about my assets, and I also want forensics data, because forensically I need to know that 10.1.1.1 belonged to Bob 3 months ago when that device accessed this application. Well, now it belongs to Sheila, and it doesn't matter what the real-time data is. So having all those capabilities, think about that as we're going through today's presentation.

We see a lot of failures in a lot of ways people look at assets. A lot of folks still try to track it with spreadsheets, right? That didn't work then; it certainly doesn't work today, especially cloud assets that can be spun up and spun down in seconds. But what we find is most organizations have way more assets than they think they're supposed to have, especially if you look at SaaS applications. We find out licenses are both under- and over-purchased: I bought 10,000 licenses but I've only deployed it on 8,000 devices, or I've got 6,000 devices that aren't even running the products that they're supposed to be running. And what this leads to is assumption-based asset intelligence, just like we talked about with the German tanks. They assumed the infrastructure was there to support them. I assume that my EDR is deployed, I assume my patch management is up to date, I assume Active Directory is accurate, I assume what's coming in the cloud. I'm hoping, I'm praying, and it simply doesn't work, it doesn't scale. The flip side of this is evidence-based. I want to know. If I log into CrowdStrike, CrowdStrike can tell me everything I need to know from a CrowdStrike perspective. It doesn't know anything about Automox or Active Directory or Google or anything else. So we all know the story of the elephant and the blind men: "Oh, it's a snake." "No, it's a tree." "No, it's the side of a tent." Until they take all that information and correlate it, then they can determine what it really is. And just like the SIEM space, right, where we took IPS data and firewall data and syslog information and endpoint data and we correlated all this information so it was better than the sum of its parts, we can do the same thing with asset intelligence and have a very rich, integrated picture of what we're actually trying to protect. Now if you look at NIST, you look at PCI, you look at CIS, you look at any regulatory mandate or framework, it always talks about having this capability, but we've always jumped over it in security because it's just such a pain in the butt to do and we had to do it manually. So that's it on that. So keep that in mind as we go through these.

So let's talk about XIoT, or extended internet of things, and there's really three areas that this includes. The first one is enterprise IoT. This is what we usually think about when we think about IoT: printers, cameras, voice over IP, digital door locks, HVAC, lights-out management, UPS systems, things we think we're going to find in the enterprise. The other side is network devices. These are wireless access points, NAS, load balancers, right? And the last group are OT SCADA devices, PLCs, Siemens, Honeywell, digital devices that control physics: flow, temperature, position. And we're actually going to hack some robots later, which is kind of cool. I wish I could bring it, but the thing that we're using is like 800 lb, so I couldn't check it. So we'll talk about that. So what these things all have in common are: one, they're network connected, almost all of them. There's some old monolithic stuff on the SCADA side that might not be, but for the main part everything's network connected. The other thing is they run specialized firmware. Your printer is usually not your camera, and the thing that's controlling a turbine is usually not a digital door lock. They have very specific use cases, right? And finally, you can't really secure these things in a traditional way, even though they're usually running Linux, Android, Linux derivatives, BusyBox, Ubuntu, on the OT side something like VxWorks, which is a real-time operating system. You're not putting EDR, patch management, or local IPS or local firewalls on any of these devices, right? So by and large, they're pretty vulnerable.

Now let's look at the volume of these. Think about this characterization. So there's about 10 million servers in the cloud, not virtual machines, actual physical servers you can touch. I tried to make the analogy to horses here; there's about 60 million horses. If we look at the number of devices like a laptop that have a keyboard connected to it, that number keeps on going down every year, but there's about 5 billion. So I said roughly the number of people; people are about 8 billion, right? Let's look at the number of XIoT devices: there's about 50 billion, or about the number of birds. That's a lot. That's a target-rich environment. If I'm a nation state, if I'm a cybercriminal, I'm going to go after this. This is a great place for me to start my attack. So I did this very non-scientific search. Who here has used Shodan? Okay, I don't have to give any background then. It's like Googling what's online and connected to the internet. So I typed in things like "camera," you know, "printer," things like this, to see what's internet accessible. Remember we talked about Mirai, that used the telnet to port 23 and type in a password hack, right? Almost 5 million devices, and if you do this tomorrow or you do this next week, that number will change a little bit, but that's quite a bit. But look at the one at the far end: UPS systems, uninterrupted power supply. What's the use case for having a UPS system internet accessible like that? And let's say some of those are honeypots, but even if they are, maybe 5% at most, right? That's a lot of UPS systems, right? And we talked about some of the default passwords, the shared libraries, the white labeling that make these things so vulnerable. What do you guys think is the most common UPS system out there? APC, very good. So I said, well, I bet almost all of those are APC UPS systems, and I wonder how hard it would be to figure out what the default password is. So I used this hacking tool called Google, and I said "default password for APC UPS," and I said, "Oh Brian, the default password is APC, the default username is APC." We have a running joke in our company: if we ever come across a UPS system that's not APC, or is not running the default passwords APC APC, everybody in the company gets a steak dinner. We've eaten a lot of chicken. I've yet to ever see anybody, ever, anywhere, change this password. And generally speaking, if you have a UPS system, you probably have something kind of important plugged into it, or else you wouldn't have a UPS system, and now I can just log on to it.

You can go to Shodan and find, not that you should, but you could find 13,000 of these devices and wreak some havoc. So here's some other stats just on volume. There's about three to five XIoT devices per person in a company, so a company of 10,000 people has 30 to 50,000 XIoT devices. Now, there's a bit of a bell curve to this. Like, law firms will have a little bit less, healthcare and critical infrastructure have a little bit more, but on average three to five. That's 30 to 50,000 XIoT servers in a company of 10,000 people. These are all Linux, pretty much all Linux servers, generally speaking pretty insecure. And when you ask companies, when you go in, you say, "How many of these devices do you think you have?" Almost to the decimal point, they're off by 50%. "Oh, I guess we have 20,000." "Oh, you have 40." In fact, when somebody tells me they have 50, I know they have 100, because they go, "Oh, I forgot about voice-over-IP phones. Oh, I forgot about lights-out management. Oh, I forgot about this," you know, iDRAC, IPMI, things like that. So there's a lot of these devices out there.

So a little bit more audience participation. What do you think the percentage is, not on UPS systems, because we know that's 100%, but what do you think the percentage is of default passwords, generally speaking, on XIoT devices? Just yell it out. I heard 90. Such pessimists in this group. It's about 50%. 50%. Let's go back to that previous step: 30 to 50,000 devices, let's say 30. I've got 15,000 Linux servers with a default password that I can Google. Well, that's not good, is it? That's a problem. And the other 50%, generally speaking, the password was changed once, because at the time of implementation it had to be changed. And think of the people installing these, like security cameras. They're rolling up in a van with some boxes and a drill and some fiber optic cable and bolting them in. They're not thinking about security development life cycle. They're not thinking about best practices and uppercase, lowercase, special characters. They're thinking, "I want to bolt this in and not electrocute myself and hit a wire," right? So it's a different perspective.

Okay, end-of-life firmware. What percentage of these devices do you think is running EOL? Okay, about a quarter. And the ones that don't, the average age is six years. So you all have a smartphone. Would it even work if it was six years old? The OS, the apps probably wouldn't work if they were six years old, but these enterprise devices are. And with end-of-life devices comes CVSS scores, right? So about 70% have level 8, 9, or 10, and if you're familiar with that, level 9 and 10 means for little to no skill I can take full administrative access over your device from a remote location, like that fancy Mirai hack where we telnet in and use a default password.

So here's the dangerous lies. So we talked a little bit about legacy attacks. Certainly Mirai falls into that category of what a legacy attack would be, but these are attacks that simply go after an XIoT device because it has the audacity to be online. You're online, I found you through Shodan or some other source, I'm going to try to compromise you so I can add a bot, and now that you're part of my botnet, I can use you for malware distribution, phishing, black-hat search engine optimization, which is really popular now, DDoS, so on and so forth, all the things we're used to with that. There was a recent takedown; the US, South Korea, Australia, and a couple other countries were involved. It was called arxs, and this was a massive, massive Russian botnet. What was interesting about this is it targeted OT devices, SCADA devices, to add to the bot, not to blow up an oil pipeline or shut down a refinery or screw up a pharmaceutical development company's new drug. They simply wanted to add these devices to their botnet army, at about a rate of 90%. It was about 90% OT focused, going after real-time operating systems like VxWorks and a few others. It had some enterprise IoT, it had some wireless access points, it had some cameras and things like that, but it was mostly, mostly OT. Now, what they did with this, this Russian cyber gang, is they rented this out. So if you wanted a botnet, you could borrow their botnet for only $100 a week. It was a pretty good deal. But it was even better: for $150 a week they would provide you with online support. So if you said, "Hey, I really want to play with a botnet, but I'm not sure, can you guys add some help?" "Well, yes we can." So that was nice of them. So it's very effective. We did the takedown, we took out the head of the botnet, and they usually pop up about a week or two later.

The next one is physical attacks. You see a lot of these associated with nation states. Has anybody ever played with a tool called Fronton? It's an illegal tool, it's a hacking tool, but you might want to play with it, and I'll tell you why you can. And tools like this are generally designed to open up doors, spy through security cameras, shut off HVAC systems, you know, physical-based attacks. Well, Fronton was designed by a group of contractors for the Russian FSB. It was a very, very powerful tool, very focused on finding XIoT devices, exploiting XIoT devices, and basically maintaining persistence and evading detection. Unfortunately for the Russian FSB, it got stolen by the Digital Revolution hacking group, and after they stole it, they released it online. I know nobody here would ever download music or games or movies illegally. This group clearly wouldn't do anything like that. But on those sites, if you were to, you'll also find Fronton. If you speak Russian, or you can use Google's English-to-Russian translate, you too can have a nation-state-designed, military-grade XIoT hacking tool. So that's very, very good, actually. And by the way, they're certainly not the only country to have this; they were just the only ones that got it stolen.

The next one is OEM attacks. This is really interesting, because sometimes these devices, well, they ship maliciously. Not with malware; their architecture is designed to be malicious. So there's certain security cameras out there that record both audio and video, okay, pretty standard, and when they're doing that they have a little green light that comes on. And you can say, "Hey, stop recording audio and video," and they say, "Okay," and it'll turn that little green light to red. But that's all that changes. Not only is it still recording audio and still recording video, but it's streaming that to a remote location, in many cases, and in the cases I'm showing here, ends up in China. Now, some of these cameras are in manufacturing facilities, military, they're in boardrooms, they're in places that you have a security camera in there for a reason. So there's massive, massive data lakes where this information is being pulled through. They're doing pattern discovery, anomaly detection, temporal and volumetric analysis on this, looking for anything that might be valuable, and if 90% of it is garbage, that means 10% has some gold. And some companies that ship with stuff on there: Huawei, ZTE, Hikvision, so on and so forth. These are all cameras that are made in China. Now, in November of 2022 we made it illegal to import or sell these cameras in the United States, but we knew they were pretty naughty for the last few years, because we didn't allow them to be used in government organizations or with government contractors. Now you might say, "Okay, that's pretty good, we're stopping this, so we're not allowing these cameras." Well, the problem is organizations all over still have hundreds if not thousands of these cameras deployed within their companies, right? They're all over the place, because no one's really paying attention, and it's not like these companies have gone out of business. Has anybody here ever been to GISEC in Dubai? Okay, it's massive. It's a great show. There's GISEC and GITEX. So I was just there; it's about, what would you say, 100, 150,000 people. It's huge, absolutely huge. Who do you think the biggest sponsor was? It was Hikvision. You literally couldn't walk in without going through the Hikvision entry point, right? So it's not like they're gone. Globally, they're still all over, and they're super bad. They're super naughty little cameras.

Now a little funny story about cameras. We're working with a casino, and casinos have more cameras than I've ever seen. They have cameras that, as far as I could tell, were only watching other cameras. And so this one casino, I think roughly 120, maybe 130,000 cameras, which is a lot, but apparently it's pretty standard. They noticed something fishy was going on, because their power bill was exceedingly high. Now, I don't know what the power bill is generally like at a casino, but I'm guessing it's not low, but it was so much higher that they started researching what was going on. What they found out, it was their security cameras had been breached. Now, these are very powerful cameras, more powerful than most of our laptops as far as memory, CPU, processing capability, so on and so forth. So big, powerful cameras, lots of storage, lots of capability, and they're all, I think in this case, they're all running BusyBox, right, which is a Linux derivative. So what was happening? Well, they had all been taken over, and somebody was using them to mine crypto. So they were crypto-jacked. So you have 100,000 cameras all mining crypto; prudence dictates your power bill is going to go up a little bit, right? So pretty interesting.

Now, cameras aren't the worst. What do you think the most hacked XIoT devices out there are? Printers, because printers are super, super promiscuous. When I hear that Nelly Furtado song "Promiscuous," I think promiscuous printer. It just wants to be connected to: "Oh, connect to me through Bluetooth, connect to me over wireless, wired," you know, just a direct serial connection, whatever. "I just want to print, use my ink." So they're so open to be connected to, it's easy. And the great thing about printers is it's a great place to stage an attack. Once you get to a printer, you can attack the rest of the IT network and hang out, and they usually have big, fat hard drives, so you can download a lot of content, you can upload tools. It's a great place to camp out. And guess what, most companies don't just have one printer; they have hundreds or thousands. So why hang out on one when you can hang out on hundreds or thousands? So again, you can maintain that persistence.

And the last type of attack are pivot attacks. This is an attack where I want to get access to your environment through a traditional means, and then I want to pivot to attack other devices. So a real popular example of this is QUIETEXIT, which Mandiant discovered, I guess it's about a year and a half ago now, maybe two years. This is the way it worked. I'm going to do a phishing attack. I'm going to go after your network in so many ways, shapes, or forms. I'm going to find somebody on LinkedIn or Facebook and find out, "Oh, this executive has a daughter, and that daughter plays soccer." So I said, "Hey, I got a great picture of your daughter scoring a goal at the last game." Who's not going to click on that? And then they get infected, or over some type of messaging mechanism, whatever. We all know how phishing works. So they get in through phishing, but they don't want to hang out on the laptop, because there's application security, there's data security, there's network security, there's all these controls. But what they do want to do is use that device as a jump-off point. So once I get in and I'm on your laptop, I'm going to start looking for XIoT devices, because one, I know you're going to have a lot of them; two, 50% default passwords; if the password is not default, you probably have old firmware, which means it comes with a lot of vulnerabilities. It's easy. And I'm not just going to get on one device, I'm going to get on hundreds of devices. And that's the way QUIETEXIT works. So they got in, phishing; they pivoted; when they pivoted, they specifically compiled a version of Dropbear SSH that would run on these network devices, a lot of wireless access points, but also phones, cameras, some NAS, things like that. So on the wireless access points and the network devices it was mostly BSD; on the other side it was mostly Android. So they created a Dropbear SSH and installed it. That was probably the most advanced part of the attack. Once they got there, because that wasn't their end goal, once they got there they made API calls to local Microsoft Exchange and also Office 365 in the cloud, and they just started pilfering all the information they could find, all the attachments. They built out the org chart, they read all the emails.

they tried to get as much information as they possibly could once they took that information they got it in they did a reverse SSH tunnel outbound and they were able to get access to any sensitive data they wanted in particular they're uh targeting a lot of uh BISD um m&a teams Finance legal things like that so looking to say okay this company's going to buy this company you know there's some stock advantages if I want to invest those types of things so that's what it seemed to be tied to the average dwell time that we found in these organizations before they found out that they were even compromised was two years which is really bad it's not

really good when you have a situation where you're on not one not a hundred not a thousand but tens of thousands of exiot devices for years that's pretty rough right I'm gonna actually show you a camera hack in just a minute how how easy this stuff actually is but the fact that quiet exit was so successful was kind of an alarm on the darket and people said whoa this is something we really want to go after hard and there was tools like fronted and other things like that that people had access to but it really started peing interest in the Cyber criminal organizations not just nation states and as we know a lot of people that are nation state actors by

day are cyber criminals by night so they use a lot of the same tools and techniques and things of that nature so quiet exit super successful this is the new new so when people are talking about attacks on xot this is this is the type of thing you should think about well let's go all the way back to the early part of this presentation I was talking about assets xot is only one little slice of your asset posture you still have to think about applications and identities and vulnerabilities and laptops and virtual machines and all these things xit is just one piece of that so you can't shouldn't just have a solution that just focuses on this you should have a very

eclectic solution that looks at all of these things all right let's get to some really interesting bits

here. Okay, hacking security cameras. I tried to put some callouts in this, because I know this is text-based, unlike the movies where there's like skulls laughing for whatever reason. So this is just Kali Linux. Everyone, I think, is relatively familiar with this. The first thing I'm going to do is I'm just going to log into this camera, just to show you that there's a camera. There's no hacking here; this is just logging in to show us a camera. And when you log into a camera you can do a couple things. One thing is you can look at what the camera sees, of course, and the other thing that you want to be able to do is configure that camera. That's it, it's nothing really crazy. So we log into this camera here, and we can look at the... it's actually looking at one of those naughty, naughty Hikvision cameras. And by the way, when those were made illegal, we went on eBay and bought like 50 of them as soon as we could, before they dried up. And you can look at the network configs. Okay, so most of you have probably played with security cameras or other devices. This is really nothing novel at this point. Okay, so a camera. We've got a camera on our network.

Now let's go back to Kali. I'm going to try to blow this up a little bit. So I'm going to use Shodan like we did before. I'm just going to see how many of these cameras are actually online. I used that URL, the end of that string, to look for the specific Hikvision camera. We say, wow, there's about three and a half million of those things worldwide. How many are in the US? About a half a million. So at any given point there's a half a million of these cameras, again based on that URL string on the end of Hikvision. Okay, so now I'm going to go to exploit-db.com, because it's free. I could go on the dark web and pay for an exploit, I could go to other sources, but this is a great place to go. It's free and easy to use. I'm going to type in Hikvision. I'm going to look for the specific vulnerability. There's the CVE-2021-36260, based on that URL string that we just showed you. Now I can take this and I can export it, and I can use something like Metasploit, I can modify it, but just to make it easy, if you're not familiar with Metasploit, we're just going to run it as a Python script. So I'm going to make a directory on Kali, operation hikvision, and I'm going to run this Python script with that exploit we just downloaded, with the shell command, with check. It says yes, this camera is in fact exploitable. And now I just change it from check to shell, and that's it. I'm root now on BusyBox. That was it. Oh, it's so hard to hack xIoT.

So I'm going to make a directory. I'm in the camera now. I'm going to call the directory bad, because I'm going to do some naughty things. So I'm in my directory bad. I can do a directory listing. There it is, there's bad. But now I want to maybe upload some tools. I could upload anything I want at this point. I could upload password crackers, upload scanners, you know, reverse SSH tools, whatever I want to upload. In this case I'm going to go to this bad directory, I'm going to use TFTP. So I'm going to do a TFTP remote get. I'm going to grab a file called doad from my Kali Linux device. 69 is the default port for TFTP, I didn't make that up. And there we go. So I was able to TFTP a file down. Again, it's just Linux. A lot of people go, oh, how can you do that on a camera? I'm going to make it so anybody can read, write, and execute this file, so 777 doad. And let's see what we did. What did we download with all this work? So we look at doad, and we downloaded a Shrek video, cuz why not. You can upload anything you want.

So now, that's cool. So we know we can upload things to this camera. Well, if I wanted to download something, I could then go from here, I could scan devices, I could grab sensitive information, pull it over. But just for the sake of being easy here, I'm just going to grab some server keys, so your public and private keys, your .pem files. And instead of TFTP, because we already used that, we're going to use SCP. So again, port 22, SSH. We're going to grab those .pem files. I'm going to send those .pem files to my Kali Linux server, the same one that we used for TFTP, so nothing special. And I'm going to just type that IP address so I can download things to this camera, and then I can export things out of this camera. And there it is. There's the password, boom boom boom, and now I can open up Kali Linux, now go back, and there they are. There's my files. It was that easy to pull the information out. And the thing to think about, again, I know I've said this a few times, is these are just Linux servers. They're just very insecure Linux servers, because they've never been hardened, they've never been patched, they're running default passwords. Again, the average age of the firmware is 6 years, so it makes them very vulnerable and

easy to go after. Now, this attack's a little bit more visual. This one's going after robots, which is kind of fun. So we bought this robot. It's a FANUC robot. I've heard it pronounced "Fook" and "fanic," I'm not sure which one's right, but I've heard people say it both ways, so I'll probably use it interchangeably. So we bought this robot, the latest, greatest OS, nothing modified, just kind of out-of-the-box default configuration, like most organizations would run it. And that is the controller. Remember back in the day when you had remote control cars, and it had like a wire connected to the car? You could go like six feet, and it kind of sucked; you'd bang into the kitchen chair. Well, that's kind of what these guys are like as well. They're controlled via this wired controller, but you can do a lot. In fact, the first thing we did after we mounted it to the shipping crate that it came in, because it's a very secure way to mount a very heavy robot, is we made it do push-ups. So, I mean, why not? So it was really cool.

So we set this thing up in the lab. We said, let's go ahead and run this thing and see what we can do. Never playing with one of these FANUC robots before, this was all kind of new. So we said, let's just write a program that just very gently touches the top of this can, and that's all it does, just a really, really basic program. There's a lot of X, Y, Z axes and things that are called set points that you can configure in these, which is very simple. Now, the thing to know about these types of devices is all the intellectual property of how you make a drug, or how you make a Volvo, or how you mix something or paint something or cut something, is stored in these devices. That's where the IP is. So if you can hack that device, you can steal a lot of sensitive information. You can also control them with PLCs, like Rockwell and Siemens, that we have up here on the rack. But there's a third way to control them. Oh, look at this, it's connected to the network. I can ping it. Okay, this is interesting. So if I can ping it, what else can I do? Do you think it's running a web browser by default? Well, let's go ahead and type the IP address in and see what happens. Look at that, it's running a web server from like 1989. But this little robot has a little web server in it. Okay, that's cool. Well, what can we do? Is it just like documentation and stuff? Let's find out.

So let's look at the configuration information. Well, there's the OS from January 2023, there's all the serial number information, and, you know, configuration information. Okay, so that's kind of cool. So again, I didn't type in any password or username. I just put an IP address into the web browser at this point. And this is the actual running programs, and we can actually click on the program, and, oh, sure enough, there's that can file. There's all the set points, all the configurations. And if this was a pharmaceutical device, it might say mix this drug at this temperature with this much UV light. This is where all the IP is. So that file is called can.ls. Okay, so we're finding configuration files, the code it's running. We know about the device itself. What else can we do? Well, it actually has a relatively advanced system where you can do a remote or online version of that physical remote control. And look at all the things here: it's got telnet, it's got mail, it's got FTP. FTP, anonymous FTP? Well, that can't be right. So let's go to the online documentation that anybody can get to. Let's see what it says: "If you see an anonymous username, you may be able to connect through FTP without credentials." Uh oh. Well, that can't be right, can it? Well, that must be a typo. So let's see if we can FTP into this device now, and what happens. FTP, type that same IP address again, no username, no password, nothing special here. Boom, we're in.

So now we can FTP to it. Okay, well, maybe we can just look at what's here. We can do a directory listing and say, okay, there's all the files, and I don't know if this is really going to give us much value, but let's see what we can find here. We'll look for the running file. There it is, there's can.ls. That's the actual operating file. But we can just look at it; I'm sure there's no way they're going to allow us to do a remote get and download a file. Oh my God, we can. So we can actually download this file now. So now we've downloaded can.ls, which is again the running config. So I use this hacker tool called Notepad. So there's can.ls, and I'm going to change the name to can crush and change one set point from a two to a three. That's all I did. I changed one set point on the Z-axis. We'll come back to that a little bit later, but that's all it is. I'm going to save this as, because I need the extension, so nothing crazy, so cancrush.ls. Now again, this is on my laptop; this isn't on the robot. Okay, so now I've got my can crush file. Now I know I can download, but there's no way it's going to let me put a file, because that would be ridiculous, to be able to upload a file. Oh, shoot. So here's both .ls files, and we see the can, which is the original, and we see the can crush, now uploaded to the robot. So now it's uploaded on the robot, but it's not doing anything yet, because the robot says, okay, it's just another file, I don't know I'm supposed to do anything with that.

So now we're going to open up the virtual pendant. So the pendant, that physical remote control, this is the virtual or iPendant. But we're just going to confirm first that can crush is installed, or on the machine, and sure enough, and there's our Z-axis variable with a three instead of a two. Okay, so we know it's there. Let's go to the interactive virtual remote control. We go into the menu system, and by the way, learning how to use this is actually a lot easier than we thought it would be, because none of us had experience with this particular OS. So even if you don't know what the tag is for the default program, if you see "default PROG," that's probably a pretty good guess. So we're going to change it from default program to be can, to be can crush. So now that's the default program. Well, Brian, is it so important to make that a default program? Well, these robots get rebooted every few days to every few weeks to clear out the cache; it's just pretty common practice. They reboot really fast, and they've got a lot of blinky lights. It only takes about 5 seconds, and it's actually pretty cool how they reboot. So you want to put it in the default program so no matter how many times it's rebooted, it's still running your malicious program. So now instead of running can, it's running the can crush program, and we'll see what it does. I'm sure you couldn't guess what it does based on the name. And there it is. We had way more fun with this than we should have had. This thing makes Volvos and can crush a can. Now we make it do a little dance, too. This actually took much longer to do than the hack, to make it learn how to dance.

Now, the cool thing about this hack is it's two things, really. We talked about the fact that we were able to download the can file and leverage that. That's a big deal, because that's where all that intellectual property is stored. So this was a pretty simple program, but something that's making an integrated circuit, or something that's making a chemical, so for batch or discrete manufacturing, that's a big deal, because that IP is not sitting on an Oracle database or in a file server somewhere. The other thing is, yeah, I modified the program to do something that was clearly obvious, right? It's like, oh, okay, yeah, you crushed a can, and before, the can wasn't crushed. But what if it was a gear, and it was supposed to be 2.5 mm thick, and I made it 2.51 mm thick? It'll probably pass QA, it'll probably still work, but maybe after a couple months or a thousand miles or something, that car or that refrigerator, that weapon, or whatever, there's going to be too much friction, and it's going to break down, right? So that's a really, really powerful capability, by just being able to modify that.

The other takeaway was, we didn't hack anything. We logged into it, and the stuff that we didn't know, we found public documentation on how to do it, and then we made a modification. And none of that information was like on hacker websites. This was the website that they provided. And nothing against this vendor either; we're calling them out, but it's not really FANUC. This is an industry-wide issue, that these devices operate in this way.

So, quick question for the audience: why were bank robbers so successful in the 1930s? And there's two main reasons. Just yell it out if you think you know. Police? I hear state lines, yep. Fast cars with V8 engines and the

interstate highway system at the time. If I robbed a bank in Texas, I could get on the freeway, and I had a fast car, I could then get to Louisiana, and they couldn't follow me across state lines. Well, why, Brian? Because it wasn't a federal crime. There were actually very few federal crimes at this point; even kidnapping just became a federal crime a couple years before this. So Roosevelt says, you know what, we're going to make robbing a bank a federal crime, and in doing so we're going to go ahead and increase our visibility by using this thing called the Bureau of Investigation. It wasn't the Federal Bureau of Investigation yet; it was Hoover's Bureau of Investigation. I don't know if you've ever seen how they used to do old wiretaps, but they used to actually go to the telcos with those old record players, the ones that would actually scribe into the records, and they would sit there and plug it in to record the call, and they'd record it onto these records, right? Which, what's that? Yeah, actually what predated the vinyl records, it was... you can melt it down... lacquer, it was like those lacquer discs. And I'd like to think that that was the guy that really screwed up, that they made sit in that telco with the vinyl records, like, oh man, I really messed up, I'm gonna have to go sit in here. So they were able to increase visibility and be far more effective, because at that point it was kind of the criminals against local police officers, and it was kind of synchronous, and this made it asynchronous. This really put the value, or the strength, in the hands of the Bureau of Investigation. Now, the Bureau of Investigation, this happened in February 3, before Bonnie and Clyde were killed in May, Dillinger in July, Baby Face, which he didn't like to be called, in November. It worked really, really well. This asynchronous type of fight being brought to these gangsters in the 1930s was highly effective, so effective that Roosevelt had no choice but to make the Bureau of Investigation the FBI, the Federal Bureau of Investigation. It was highly successful. They found out that visibility was absolutely key.

Well, bringing this full circle again, I talked about, you know, this presentation was a lot about xIoT, but again, remember that's just a part of your asset story. So yeah, you're going to have xIoT devices, robots and printers, but you're also going to have laptops and users and vulnerabilities and applications and all these things. Luckily, those devices all feed up into some kind of management console. CrowdStrike manages CrowdStrike, Tenable manages Tenable, SentinelOne, Phosphorus does that, Google does that. So there's all these great sources and all these segments that you can pull information in from. Well, you can make API calls to those management consoles using what's called an asset intelligence platform. These are usually cloud-native. They don't run any agents; they sit in the cloud. Sometimes they can have an on-prem capability too, for older solutions, but they make API calls into all those different segmented sources, not those individual devices, because that would be crazy. And then you can do all that correlation analysis. You have an asynchronous approach now, because you have so much more visibility, a lot like the FBI did with those bank robbers, right? Now you have everything all together, and it also can help improve your SIEM, your SOAR, your CMDB, your ticketing systems as well, because those systems are predicated on knowing good information about your assets.

So, a teeny bit of a sales pitch here, just because it's free and any of you could kick the tires on this. It only takes about 60 minutes to try one of these platforms out and say, hey, I'd like to set it up through the cloud, I'd like to connect it through CrowdStrike or Automox or Cylance, Microsoft Active Directory or Tenable or SentinelOne or whatever. There's hundreds of different sources. Set up an API, do a little bit of POC. There's a QR code, there's a URL, but right outside this room we have a little setup Sevco does, where you can talk to the guys there, learn a little bit more about the solution. But try one of these things out, and in less time than it took to listen to me go on and on about this presentation, you can go ahead and get some great awareness about all your security controls. Oh, I have 3,000 devices that are in Active Directory, but 2,000 of them are running CrowdStrike. Of those 2,000, 1,000 of those don't have patch management, and the ones that do, 50 of them it's on an older version, and 10 of them haven't communicated with the management console in over a year. Get all these little bits of information like that, just all with Venn diagrams. It's really, really simple. It's really easy to use, and it's kind of a tool to make all of your other tools better. I only suggest it because there's no charge for this stuff. Again, it's free. Try it out. If you really like it and you decide to move forward, you add more sources, and you say, okay, not just devices, but now identities and applications and vulnerabilities, and now I want to use it to update and improve my CMDBs and my SIEMs and my SOARs. So it's a really capable solution to make everything you're doing already even better. It's called the Sevco asset security platform. So very simple, very simple to do, 60 minutes.

And with that, I'll just open it up to a couple questions. But I've got some giveaways here, so real quick, for the wireless access point, what you have to raise your hand for this: what was the operating system that we were running on the robot? Not on the robot, no, that was the camera. Did anybody else? Yes, sir. No, the actual... I'll give you a hint, it starts with V. VxWorks, okay, come on up when you're done, or you can come up after the talk. Next question: what was the name of the operating system running on the security camera? BusyBox. This is yours. This is a... okay, yours is going to go on this side so you guys don't get them confused. All right, we have just a couple minutes. Are there any questions I can address for you guys? Awesome. If you want to talk to me after the fact, I'll be right across the hall at the Sevco booth. Thank you, everybody. [Applause]
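The robot demo in the talk turns on two quiet changes: one set point edited in the running program (a 2 became a 3, or a 2.5 mm gear becomes 2.51 mm) and the default program swapped so the change survives reboots. The defensive counterpart is integrity monitoring of the controller's program files against a signed-off baseline. The following is an added example written for this page, not FANUC's tooling and not code from the talk; the position-file syntax it parses is a constructed, simplified stand-in for a real .LS file (only X/Y/Z values in mm inside `P[n]{...}` blocks), and the function names, sample programs and the `CAN` / `CANCRUSH` default-program names are hypothetical. A defender would feed it the program text pulled from the controller on a schedule, plus the currently configured default program name.

```python
"""Drift detection for robot program files (added example, not FANUC's tooling).

The program text below uses a simplified, constructed position-file syntax that
only stands in for a real .LS file: the point is the check, not the format.
Fetch the running program, hash it, diff every set point against the baseline,
and confirm the default program is still the one that was signed off.
"""
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample programs (hypothetical), both in the simplified syntax.
BASELINE_LS = """\
/PROG CAN
/POS
P[1]{ X = 120.000 mm, Y = 45.000 mm, Z = 2.000 mm }
P[2]{ X = 2.500 mm, Y = 45.000 mm, Z = 8.000 mm }
/END
"""
CURRENT_LS = """\
/PROG CAN
/POS
P[1]{ X = 120.000 mm, Y = 45.000 mm, Z = 3.000 mm }
P[2]{ X = 2.510 mm, Y = 45.000 mm, Z = 8.000 mm }
/END
"""

_POINT = re.compile(r"P\[(\d+)\]\s*\{([^}]*)\}")
_AXIS = re.compile(r"([XYZ])\s*=\s*(-?\d+(?:\.\d+)?)\s*mm")


def fingerprint(text: str) -> str:
    """SHA-256 of the program text: the cheap 'did anything change at all' check."""
    return hashlib.sha256(text.encode()).hexdigest()


def parse_positions(text: str) -> Dict[int, Dict[str, float]]:
    """Map point number -> {axis: value in mm} for every P[n]{...} block."""
    points: Dict[int, Dict[str, float]] = {}
    for num, body in _POINT.findall(text):
        points[int(num)] = {axis: float(val) for axis, val in _AXIS.findall(body)}
    return points


def diff_positions(baseline: str, current: str, tolerance_mm: float = 0.0
                   ) -> List[Tuple[int, str, Optional[float], Optional[float]]]:
    """Every (point, axis, old, new) whose set point moved by more than tolerance_mm.

    The default tolerance of 0.0 flags even a 2.500 -> 2.510 mm change, which is
    exactly the kind of edit that still passes QA.
    """
    base, cur = parse_positions(baseline), parse_positions(current)
    changes = []
    for num in sorted(set(base) & set(cur)):
        for axis in sorted(set(base[num]) | set(cur[num])):
            old, new = base[num].get(axis), cur[num].get(axis)
            if old is None or new is None or abs(new - old) > tolerance_mm:
                changes.append((num, axis, old, new))
    return changes


def audit(baseline: str, current: str,
          expected_default_prog: str, running_default_prog: str) -> Dict[str, object]:
    """Combine the three checks into one report a SIEM or ticketing system can consume."""
    base, cur = parse_positions(baseline), parse_positions(current)
    return {
        "hash_changed": fingerprint(baseline) != fingerprint(current),
        "setpoint_changes": diff_positions(baseline, current),
        "points_added": sorted(set(cur) - set(base)),
        "points_removed": sorted(set(base) - set(cur)),
        # The talk's persistence step: the default program survives every reboot.
        "default_program_changed": expected_default_prog.upper() != running_default_prog.upper(),
    }


if __name__ == "__main__":
    for key, value in audit(BASELINE_LS, CURRENT_LS, "CAN", "CANCRUSH").items():
        print(f"{key}: {value}")
```

Run against the constructed sample the report flags the Z move on P[1], the 0.01 mm move on P[2], and the default-program swap; a non-zero tolerance is useful when operators legitimately touch up points, but the default-program check should never be tolerant.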
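The closing section describes what an asset intelligence platform computes once it has pulled inventories from several management consoles: the Venn-diagram gaps such as "3,000 devices in Active Directory, 2,000 running EDR, some with no patch agent, some on an old agent version, some silent for over a year". The following is an added example, not Sevco's code and not any vendor's API: the three inventories are constructed sample records (hypothetical hostnames) standing in for what the API calls to a directory, an EDR console and a patch-management console would return, and `NOW` is pinned so the result is deterministic. The technique it shows is the join itself: normalise hostnames, key every source on the same identity, then set-difference across sources.

```python
"""Cross-source asset correlation, the "Venn diagram" view the talk describes.

Added example, not Sevco's code and not any vendor API. The inventories below
are constructed sample records standing in for what an asset intelligence
platform would pull from each management console (directory, EDR, patch
management) over their APIs.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


@dataclass
class Record:
    hostname: str                   # as reported by the source; normalised before joining
    last_seen: datetime             # last check-in with that source's console
    version: Optional[str] = None   # agent version, where the source has one


NOW = datetime(2023, 10, 1)   # fixed "today" so the example is deterministic


def days_ago(n: int) -> datetime:
    return NOW - timedelta(days=n)


# Constructed sample inventories (hypothetical hosts, not real data).
DIRECTORY = [  # e.g. Active Directory computer objects
    Record("WS-01.corp.example", days_ago(1)),
    Record("ws-02.corp.example", days_ago(2)),
    Record("WS-03", days_ago(3)),
    Record("srv-01.corp.example", days_ago(1)),
    Record("srv-02", days_ago(5)),
]
EDR = [  # e.g. an endpoint-detection console
    Record("ws-01", days_ago(1), "7.1"),
    Record("ws-02", days_ago(1), "7.1"),
    Record("ws-03", days_ago(2), "7.0"),
    Record("srv-01", days_ago(1), "7.1"),
    Record("contractor-lt", days_ago(1), "7.1"),   # never joined the domain
]
PATCH = [  # e.g. a patch-management console
    Record("ws-01", days_ago(1), "2.0"),
    Record("ws-02", days_ago(2), "1.9"),     # agent behind the current release
    Record("srv-01", days_ago(400), "2.0"),  # agent installed but silent for over a year
]


def normalise(hostname: str) -> str:
    """Join key: lower-case short hostname without the domain suffix.

    Every console spells the same machine differently; correlation is only
    as good as this key, so it is kept explicit and testable.
    """
    return hostname.strip().lower().split(".")[0]


def index(records: List[Record]) -> Dict[str, Record]:
    return {normalise(r.hostname): r for r in records}


def correlate(directory: List[Record], edr: List[Record], patch: List[Record],
              current_patch_version: str, stale_after_days: int = 365) -> Dict[str, object]:
    """Overlaps and gaps between the three sources, in the talk's order of questions."""
    d, e, p = index(directory), index(edr), index(patch)
    in_dir = set(d)
    dir_with_edr = in_dir & set(e)
    stale_cutoff = NOW - timedelta(days=stale_after_days)
    return {
        "directory_total": len(in_dir),
        "directory_with_edr": len(dir_with_edr),
        "directory_without_edr": sorted(in_dir - set(e)),
        "edr_not_in_directory": sorted(set(e) - in_dir),          # shadow assets
        "edr_without_patch_agent": sorted(dir_with_edr - set(p)),
        "patch_agent_outdated": sorted(k for k in p if p[k].version != current_patch_version),
        "patch_agent_stale": sorted(k for k in p if p[k].last_seen < stale_cutoff),
    }


if __name__ == "__main__":
    for key, value in correlate(DIRECTORY, EDR, PATCH, "2.0").items():
        print(f"{key}: {value}")
```

Each list in the report is a work queue: hosts in the directory with no EDR, EDR hosts the directory has never heard of, and patch agents that are outdated or have gone quiet. Adding a fourth source (a vulnerability scanner, an xIoT console) is one more `index()` and one more set expression.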