
IoT Devices and why they desperately need help

BSidesROC · 2018 · 27:50 · 78 views · Published 2018-04 · Watch on YouTube
Category: Technical
Style: Talk
About this talk
Talk Description: The security of IoT devices has been a trending topic ever since the term itself was first coined. The correlation between IoT and cyber insecurity intensified after a number of major incidents that specifically targeted these devices. This talk covers a penetration test that we performed on a number of surveillance cameras which we randomly purchased on Amazon. We will cover the entire process, from the moment the product was received to developing exploitation scripts.

Bio: Christian Halbert - Computing Security BS student from Hunt, NY. Applied Research Assistant for the RIT SAFE Lab and IoT enthusiast. Issa Hafiri - Computing Security MS student from Bethlehem, Palestine. Applied Research Assistant for the RIT SAFE Lab and Penetration Tester.
Transcript [en]

Yes, it makes you feel better about yourself for eating them. Cholesterol, they don't mix very well, but the one enables the other to make you feel better about eating the other one, exactly, or drinking. You've got two minutes.

Yes, how do you do that? I don't want to get tased.

Okay, do we need to switch it? I'd really like to switch the mic. This is a good test. Okay, awesome. Jim, hello everybody. I don't know if we can take 20 minutes of your time; thank you so much. Welcome to our talk. Our talk is about IoT devices and why they desperately need help. My name is Issa Hafiri, I'm a second-year master's student here at RIT, currently pursuing a degree in computer security. I am interested in penetration testing and hardware hacking; I like to know how stuff works, how to break it and how to make it better. No, I was not named after the Information Systems Security Association, the people down there; it's just a coincidence.

My name is Christian Halbert, I'm a bachelor's student here at RIT. I work in the SAFE Lab as an applied research assistant. I'm a very big security enthusiast and I like to read a lot of the different articles and figure out a bunch of the new malware, any type of exploits that come out. I'm a future security pen tester; I have an offer, or maybe I'll even look into other offers, for once I graduate. Okay, so Christian and I are part of the RIT SAFE Lab. The RIT SAFE Lab is a project that attempts to bridge the gap between the security industry and the students. Basically what happens is the companies

approach us and they ask us to do the penetration testing or their security assessment, and we get students to work on this project. We do all kinds of stuff: infrastructure testing, pen testing, code audits, social engineering. If you're a security vendor or a company or a student who wants to get involved, please contact Professor Robinson, he's the guy in the back; he will be more than happy to give you info. So every now and then we get some free time. We don't always get to work on projects, but we try to keep working on our pet projects, and the last one that we got, we just wanted to see... we always hear about how IoT is insecure, to the

point that when you say that name, IoT, the first thing that people think about is insecurity and a number of vulnerabilities out there. But we just wanted to test that theory. One of the things that we went through and looked at: obviously everyone has heard of the Mirai botnet. What was it? Everyone knows that it's a collection of IoT devices that were taken control of by some malicious user and used to distribute a denial of service. How did it spread? Obviously a bunch of really badly designed, badly configured IoT devices. As for the actual devices themselves: highly insecure credentials. A lot of them are running off of base credentials or default credentials, something that you

could easily break into in about five minutes, maybe. Services: a lot of IoT devices run a selective group of services that might be required, might not be; a few of them will have services that are just running that you kind of look at and be like, why, why are you even running this? Connections: they also make random connections to different countries, I don't understand why, but a big one is China. And as a result of these three main things it's kind of understandable; Mirai, I'd say, was not really a coincidence. Okay, so what we did is we just went on Amazon and we said let's buy a couple of random products and put that theory to the test: can we hack

them, what can we find there? We went on the assumption that we might not hack into those systems, but let's give it a shot. So the first target that we bought is a wall-mounted surveillance camera. The thing is like $45 on Amazon. Basically you mount it on a wall and you power it through an AC adapter or Power over Ethernet, and what's interesting about it is how easy it is to set this thing up, from the moment you plug it in to the moment you have feed on your mobile app. We started with the box, and the box says it has worldwide control. Well, that's good. And what we noticed

immediately is that all of them came with default creds; they all use the same credentials, which are admin/admin. So to set this thing up, it's simply two basic steps: you download this mobile app, you connect your mobile phone to your local network, you search over your LAN for the camera, this UID field gets auto-populated with the camera that it detects, and the manual literally says leave the password as the default, it is already populated, and hit connect. Anybody have an idea why this may be the case with these products? Exactly. But why exactly? What we think is that when you

must produce a cheap product like this and you want to push it to the market, one of the things you want to cut down is your customer support. If you can set it up in a very easy way there is a good chance that customers will not call you and say, well, I changed the password, I locked myself out, I cannot log back in to the camera. This product didn't even have a website for support; you just buy it and you're on your own. So what's really interesting is how does this work in the background? I mean, you have your mobile app, but whenever you travel you can use your mobile app to

access the camera while it's at your home. So what we did is we plugged in the camera, we put a Kali box in the middle between the camera and the internet connection, we connected the mobile using Android Debug and put that behind the Kali box, and we just wanted to see how it works. So apparently what happens is, as soon as you plug in your camera, the camera sends beacons to three servers in China, connecting that camera ID: it says, hey listen, I'm behind this public IP address and this is my camera ID. Your mobile app does a similar thing: it sends a request to those public IP addresses in China asking for the IP

address of that camera. The server responds, it says this camera is behind that IP address, and the connection takes place. The problem is all of this happens in clear text. Now I'm not gonna give you the scenario that, well, imagine you're in Starbucks and somebody is sniffing your packets and they get your user ID and that camera ID; chances are people will not follow you to Starbucks. I mean, I don't know why, like, I feel sad for them, they get there like the number one example for bad Wi-Fi security. But what we see here is a UDP packet that contains the camera ID and then the username and password, then another UDP packet where there is base64

encoded... Here is the big issue that we found with this product. When we were testing the mobile app, the mobile app had a mechanism to check whether you have a valid camera ID or not. It was completely offline, which made us think: what could be there to check if this is a valid ID or not? So what we did is we downloaded the APK, reverse-engineered it and we found those. So your camera ID has three digits, or three parts; the first and third part has to be one of those predefined strings, which leaves us with an integer of six digits in the middle. Now there is a good

chance that those cameras, once they're sold, have default credentials. We know the IP addresses of the Chinese servers, and we can definitely brute-force a six-digit number. So it's kind of scary that this thing is being sold to the public and it's being used, but nobody knows how it's working in the background. Anybody who is sniffing those camera IDs on the way, if you believe that, you know, foreign governments, whenever it hits that foreign server, get your camera ID, they have a good chance to log into this camera. But the interesting thing is that when you read the

manual, it doesn't say anywhere, or it doesn't advise you, to change the password. It just says leave it as it is.

So this is from when we decompiled the application; this is the source code of the mobile app. Another thing we found is that when you use its web UI, the camera's web UI, to access the video feed, what this camera does is it sends a bunch of JPEG pictures, and you don't need rocket science to export those objects from the HTTP traffic and end up getting the feed. So that was for product one; now Christian's gonna talk about the second product we tested. So the second product we found readily available for $35. A lot of people would get it; it's a nanny cam, baby cam, something that can either be wall-mounted or you can mount it right

on top of, like, a dresser or something, just to keep an eye on children or activity in your house. It uses AC power and you can connect it via Wi-Fi, which is the two metal rods in the back, or you can connect it with an Ethernet cord and just have it go to a central location. Ports: why so many? I'm just doing a simple Nmap scan of it; it brought up a ton of ports. I don't know what half of these are even doing. We know that the camera obviously has to use port 855 for RTSP, but the other ones are kind of questionable about why it needs them. Also, as you can see, there's

another port at the top which is very questionable about why you would need telnet, but okay. So this we found using the web UI, through just a little bit of investigation: all the authentication you can entirely bypass. You can put in any type of username or password and, if you know the next part, it'll say, oh hey, you know, you authenticated badly, but if you just strip out the end of the stream and just put "main", it takes you right to the page anyway. It doesn't care; as you can see, it just ignores the authentication failure message and you type in the correct URL,

everything's fine. Replayed? What's that?

Yeah, you can; we've tried both, you can do both. There are some times where the one you're talking about won't work, so all you need to do is issue... We discovered that you could do replay attacks fairly simply. PUT requests: a lot of it is using PUT. It does not implement any authentication or replay prevention at all; you can literally just continue to spam the same thing over and over and it's completely fine with it. This one we used several different things to do: we could black out the feed, turning the brightness down to zero, and you can't see anything. We created several new users without any authentication; we weren't even logged in to the actual UI at all, it just

accepted it, and we could turn it, tilt it, whatever we wanted with it. Mm-hmm, and only in 27 minutes; it's not that hard, and a big portion of it was just making the payload, so in reality maybe seven. Here's a little bit of the exploitation. The one on the top left is just adding or changing users, so if you had a current user that was already on there, you could just type the name of the user; the type of the user is at the end for our script that we wrote, and what you wanted the password to be is in the middle. We had to specify the host as well, and as you can see it's okay with you

doing that. You can add users, you can change users, do whatever you want, and it says okay, we're fine, you don't have to be authenticated. And you can actually log in with those credentials in the web UI immediately after you run the script. The one on the bottom right shows us moving the camera; we do not have video of the camera actually moving, but it does turn, tilt, do whatever you want with it. And a nice little telnet backdoor: after realizing that we had seen telnet on there, we decided to look around and try some regular passwords. It only took maybe two tries for the password and it was like, oh, okay,

and we found it. We decided to try this built-in shell and it was perfectly fine with you doing that, and as you can see the /etc/shadow file is perfectly able to be cracked; it's using MD5. Some final thoughts: throughout this process of just testing these two cameras we found out that it wasn't just these two; there are a lot of cameras that are cheap on Amazon, on eBay, any type of platform for buying these IoT devices, that are probably gonna have some similar services or some similar issues. So one of the main things you should really do is do some research before buying. A lot of the things can be easily

prevented by just doing a little bit of research on it, seeing if there are any exploits that have already been found or if some of the services are actually documented. If you buy from a reputable vendor there is a good chance that you're gonna end up with good customer support. Apparently both the products that we bought lack customer support; if you had an issue, you didn't know who to call. And we know that this is difficult to keep up with, but try to look for updates and try to keep your firmware updated. And this is basically it. Any thoughts, questions? We had three cameras but we didn't get enough time to get to the third camera. We had these two

cameras that we had bought and we decided to test. We tried, but... so we have this kind of already strict policy not to go beyond testing the actual product. And now most of those were, like, custom-built services; I'm sure there is a way to put up a fingerprint, but we didn't go that... [Music]

But I would say that the main driving reason behind buying those cameras is they're cheap and they're very easy to use. I don't think that... oh yes, customer education is number one; we have to educate customers. The QR code: so both of them have two different QR codes. For the second product, this QR code is a URL for the mobile app, to get you there and download it. But the more interesting one, we're not showing it, the one for the first product: there was a QR code on the box itself with the camera ID and the password. The interesting stuff is that it's also available on the web UI, but when you change the username and

password, this QR code remains the same and it's still valid for the camera. Yes, I would say I would recommend, when you have a web server running on one of those devices, have a standard web server instead of custom-building your own web server, and use packages that are more professionally developed. Something we noticed as well is that the software that is being used on one of the cameras was run on other products and had the same vulnerabilities. But in my opinion, you know,

you... one point I want: that it would be cheaper to buy a new one. Yes, right, because you have to set up a VPN and, like, care about reviewing all... like, you're not hiding anything, so someone looks at my house, who cares? I'm not saying I agree with what you're saying, I totally agree with what you're saying, but I just remembered one thing: when we went to the Amazon page, some guy was freaking out because the camera was moving... at your hand was first

We have two minutes. When they use the term standard package: we look at a lot of these, especially with the MJ Xtreme; it is the exact same software across, what, hundreds of millions of products. So that is more standard... that the secured software is available here in the United States, or summer 2012 where these are coming out of... this is the snail... this is the most sense for developers to move forward and deal with a product with a camera and a motor, big classic and still a product type, so in children is that there's like someone pushing upstream to these things to change it even where the urban development. I agree. [Applause]
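The first camera's registration traffic, as the speakers describe it, leaks two things in clear text: a camera ID whose only secret component is a six-digit integer between two fixed strings, and a base64-encoded username:password pair. The following is an added example written for this page, not the speakers' tooling or the vendor's code. It shows the check a network defender would want: a passive scan over UDP payloads that flags beacons carrying a structurally valid camera ID or a decodable credential blob, plus the size of the keyspace an attacker would have to brute-force. The prefix and suffix lists, the hyphenated layout `PREFIX-nnnnnn-SUFFIX`, the `user:pass` shape of the base64 blob, and the sample packets are all assumptions, since the talk gives the structure but not the real strings or byte layout.

```python
import base64
import re

# Hypothetical stand-ins: the talk says each camera ID has three parts, the first and third
# drawn from predefined strings recovered from the APK, with a six-digit integer in the
# middle. The real strings and the separator are not on the page.
KNOWN_PREFIXES = {"ABCD", "EFGH"}
KNOWN_SUFFIXES = {"WXYZ", "KLMN"}
CAMERA_ID_RE = re.compile(r"\b([A-Z]{4})-(\d{6})-([A-Z]{4})\b")

# A base64 run long enough to hold a short user:pass pair and not glued to other base64 text.
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])([A-Za-z0-9+/]{8,}={0,2})(?![A-Za-z0-9+/=])")


def parse_camera_id(text):
    """Return (prefix, serial, suffix) for the first ID in text whose ends are known, else None."""
    for m in CAMERA_ID_RE.finditer(text):
        prefix, serial, suffix = m.groups()
        if prefix in KNOWN_PREFIXES and suffix in KNOWN_SUFFIXES:
            return prefix, int(serial), suffix
    return None


def brute_force_space():
    """IDs an attacker must try: every six-digit serial for each prefix/suffix pair."""
    return len(KNOWN_PREFIXES) * len(KNOWN_SUFFIXES) * 10 ** 6


def decode_credential_blobs(payload):
    """Return (user, password) pairs for base64 runs that decode to printable 'user:pass' text."""
    found = []
    for m in B64_RE.finditer(payload):
        blob = m.group(1)
        if len(blob) % 4:
            continue  # not a whole number of base64 quanta, skip
        try:
            text = base64.b64decode(blob, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binascii.Error is a ValueError subclass
        if text.isprintable() and ":" in text:
            user, _, password = text.partition(":")
            found.append((user, password))
    return found


def scan_udp_payloads(packets):
    """packets: iterable of (src_ip, dst_ip, payload_text).

    Returns one finding per packet that exposes a camera ID or a decodable credential pair.
    """
    findings = []
    for src, dst, payload in packets:
        camera_id = parse_camera_id(payload)
        creds = decode_credential_blobs(payload)
        if camera_id or creds:
            findings.append({"src": src, "dst": dst, "camera_id": camera_id, "credentials": creds})
    return findings


# Constructed sample traffic using RFC 5737 documentation addresses; not a real capture.
SAMPLE_PACKETS = [
    ("192.0.2.10", "203.0.113.5", "REG ABCD-123456-WXYZ YWRtaW46YWRtaW4="),  # ID + base64 admin:admin
    ("192.0.2.10", "203.0.113.6", "REG ABCD-123456-WXYZ"),                   # ID only
    ("192.0.2.20", "198.51.100.9", "GET /index.html HTTP/1.1"),               # unrelated
]

if __name__ == "__main__":
    for finding in scan_udp_payloads(SAMPLE_PACKETS):
        print(finding)
    print("IDs to brute-force per rendezvous server:", brute_force_space())
```

Run against a real capture by feeding it decoded UDP payloads (for example from a pcap via scapy or tshark) instead of `SAMPLE_PACKETS`; any hit on outbound traffic to an unknown server is exactly the clear-text rendezvous the talk warns about, and the keyspace figure shows why a validly-formed but unauthenticated ID is not a secret.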