
Cameras, CACs & Clocks: A Story of Millions of Interrogated and Hacked xIoT Devices

BSidesSF · 2023 · 22:47 · 133 views · Published 2023-05
Category: Technical
About this talk
Speaker: John Vecchi

We’ve unleashed our dark allies from the nightmare dimension on an unholy crusade to demonstrate cyberattacks for your enlightenment. If you love seeing devices compromised as much as we do, join us for a real hacking demonstration, detailed security research findings, and threat mitigation techniques that will disappoint bad actors.

https://bsidessf2023.sched.com/event/1Lfw0/cameras-cacs-clocks-a-story-of-millions-of-interrogated-and-hacked-xiot-devices
Transcript [en]

Hello, hello, good afternoon. Let's welcome John Vecchi to the stage. He's going to talk to us about all of the millions and millions of devices that he has hacked over time. He's come over from the IoT Village, so give it up, and thank you very much. [Applause]

I'm kind of allergic to podiums, so I'm just going to talk like this. So welcome, everybody. I'm John Vecchi. I'm the chief marketing officer at Phosphorus Cybersecurity. I've been in this business 25-plus years. I've been on the front of a lot of different categories in this industry, but this is one that I've always known is very big. And so what I'm going to present today: this isn't a product pitch. I'm going to talk about the state of this industry, the types of devices that are out there; we're going to walk through some of the issues with these devices; I'm going to talk about some of the prominent attacks and attack vectors that are hitting these devices today; and right around the 10-minute mark I'm going to hurry up over to an actual camera hack, because I want to show you guys an actual hack on a camera. I don't have much time, but I'm going to kind of squeeze that in.

So in any event, let's get started. I call it xIoT; it stands for extended Internet of Things. And what does that mean? There are multiple pillars of xIoT devices, because there are so many, and they range from what we call Enterprise IoT devices. Think of these in what I call the carpeted areas of enterprises, right: cameras, printers, VoIP phones, layer 2 switches, load balancers, HVAC controllers, smart card and CACs, and all those kinds of things you'd see in an enterprise environment. Then you have OT, operational technology; these are things like ICS devices, PLCs, critical infrastructure, SCADA devices, all those kinds of things, right. Then you have IoMT devices, internet of medical devices; these are things like infusion pumps, wearable medical devices, all the things you'd find there. These are oftentimes life-critical devices. And then you have what's called IIoT, Industrial Internet of Things; these would be in discrete and batch manufacturing, all those kinds of things. So there are tons of these devices; you can see some of them here.

But there are similar things across any of these devices that are very common, right. They're all purpose-built, right. They're all basically just Linux servers running a flavor of Linux. It might be Android, BSD, BusyBox, VxWorks, a host of different operating systems, but they're all basically Linux-based. You can't put endpoint agents on these, right, so you can't put Tanium or CrowdStrike on these things. They're not traditional IT assets; they're very different, right. And they're all network-connected. They speak TCP/IP; they love to connect, right. And so that's kind of the state of these things, right, and there are many, many of these.

So there are different ways to look at how big this is, but since I've been in this industry, I'm just showing you: let's compare cloud security with endpoint security with this security, right. So endpoint security, right, there are about as many endpoint devices on the planet as there are people, right; it's probably five to six billion on any given day, right. And just so you know, the number of those devices every year is decreasing. It's not increasing; it's decreasing, okay. Cloud security: there are about 10 million physical servers that make up the cloud security market. That's not that many servers, not counting virtual ones, but physical ones, right. So you can see that when you get to xIoT, upwards of 60, 70 billion of these things already, and by the way, that's increasing about 18 to 20 percent every year. So these devices are exploding in size, right. They're everywhere; they're smart devices, right.

So let's talk about the state of these, because that's really what I want to talk about today. We know how many of these devices there are, but in simple terms, they're a mess, okay. These things are absolutely insecure, and by any other kind of view of cybersecurity, the state of these devices from a security perspective is an epic fail, okay. And every day I'm in this business, it's kind of like I'm back in 1992. And if you literally think of where we were in about 1992 with IT security, that's where we are today with this, right. The most basic table-stakes security is not even present in a lot of these devices, but they're being targeted in a big way.

So let's talk about why they're being targeted. But first, you guys know Shodan? You use Shodan, yeah? So Shodan's awesome; you can just go up and do a search. So I did a basic search on Shodan. I went and looked for cameras and VoIP phones and printers and UPS, right, uninterruptible power supplies, and I just said, how many of these devices, at this time and this day when I did this search, are available to me, that were network-connected on the open internet? So cameras: close to five million of them, right. VoIP phones: 250-plus thousand of those, right. Printers, at that time, about 83,000 network-connected devices, all of those ridiculously insecure, and I'll talk about why. Then you have something like UPSs, right, and you just kind of look at that and say, why on Earth there would be 14,000 UPSs connected to the open internet is beyond me. But the reality is, 100 percent of those devices (we've been interrogating these things for six years, interrogated millions of them), 100 percent of them are deployed with default credentials. And if I mention default credentials today, it's not anything secret; you can go to Google and do the search on it. Every single one of them has the default credentials. Anyone want to guess? APC, APC. Isn't that amazing? 100 percent of them, right. Again, across all of these, pretty much all deployed mostly with default credentials.

And so let's talk about the targeting of these devices. So if you're familiar with Fronton, maybe you've heard of it, right. So Fronton is a serious piece of enterprise software, okay. I mean, at Phosphorus we built a platform to secure these devices, and it's a serious piece of enterprise software. This is a serious piece of enterprise software designed by the Russian FSB to pretty much hack any xIoT device on the planet, right. In addition to that, it has incredibly sophisticated social networking capabilities on it, so it can launch hundreds of social media accounts, right, and spawn them and upload disinformation, right. So this thing is a serious piece of enterprise software. But what happened is Digital Revolution, which is a hacking group, hacked the Russian FSB and just released this on BitTorrent, right. So now it's on all your favorite torrents. It's a military nation-state piece of hacking software, and it's basically out there, available to anybody today, right. And so this thing is sophisticated, but it brings up a point: why would Russia, the Russian FSB, spend all this time to build a piece of software like this for hacking? Because they know no one's looking at this stuff, right. They're a mess. They're deployed with default credentials. They ship with critical CVEs of eight, nine and ten, right. The firmware is six, seven years old; ports and protocols open all over the place; no one's looking at it. Why? What could go wrong, right? So why would they not focus on this stuff, right? So that's that. You're going to see this more and more.

Then you have things like banned IoT devices. So back in about, you know, 2018, HR 5515, basically from the US federal government, said you cannot deploy certain technology made by China on US federal networks, right. Well, last year, at the end of last year, the FCC actually banned this stuff everywhere, so you can't import or deploy it, because of a national security threat. Why would they do that? Well, because this stuff comes into the country pretty much ready to hack. And I talk about this: the Wyze camera. From about 2018 to about 2021 or so, if you went to Amazon and said show me the best security camera on Amazon, Amazon's favorite, it was the Wyze camera, right. And that thing was pretty special, because it just bypassed all kind of middlemen; it just shipped. The minute you plugged it in, it deployed nmap on your network, did a complete scan, started just capturing terabytes of video and audio. Remember, these things don't just capture video. These cameras that are all over the place, they capture audio. You might not know that, but they capture audio, and it just ships it back. So if you went into this device, for example, and shut off audio or video, the red light would come up, shut off, doesn't matter; it's still capturing audio and video, right. So that's kind of the state of some of these devices, and they're all over the place, right.

So some of the other attacks: bots are prevalent. I, you know, don't get terribly excited about bots. I mean, it's not like a Slammer or a Melissa virus or something, but it really shows the intent and what's happening with these devices. So Mirai is kind of, like, I call it the grandfather of xIoT attacks. It's a massive botnet. It basically uses a cable modem, a couple routers, some access cameras, and there you go; you can go exploit these things on Telnet, port 23. They're all wide open, default credentials, and you can see the damage that was done on that thing, right. Then you have things like QUIETEXIT. So we all understand you can exploit a 10-year-old CVE on an xIoT, right, with a critical vulnerability, but this was designed for exfil. So this targeted, you know, printers, cameras, even network gear, right, for exfil, and I'm going to show that to you and show you how they did that. But this thing, you know, an example of this thing: 18-month dwell time. That's actually pretty short. This thing is all over the place. So it's sitting on your critical devices; they take command and control. They get in just with the default credential, they get into command and control, and now they can go exfil anything on-prem up into the cloud. That's what they did here, and that thing's pretty serious as well.

PLCs, I'm going to talk a little bit. So these things are also very vulnerable, right. You don't know where they are, you can't touch them, very old software; these things are very old. All kinds of problems with PLCs as well. PIPEDREAM: this is ripped from the headlines, the Vulkan files. This is a piece of Russian software that's specifically targeting PLCs: oil and gas, critical infrastructure, railways, airports. It's pretty, pretty nasty, right. Hospitals and infusion pumps; I mean, the list goes on and on, right. Three to five of these devices, you know, fifty percent of them deployed with default credentials; the other half are basically changed once when provisioned and never thought about again, and the password on those things when they were provisioned, terribly weak, right.

So I'm going to kind of speed up, because I want to actually use the time to talk about the worst, biggest offender of any device: the camera. It's a mess. Think about these things: they love to be connected, they have open ports and protocols, every password's default, they're all shipped out of the box with critical vulnerabilities. These things are an absolute mess. So what I'm going to do now, if I have some time, is actually just going to show how we can hack one of these cameras. So bear with me, because I'm going to do this on my keyboard and I might screw this up; if I click, it's going to go back, but I'm going to try to do this right.

So we're going to try to go through this hack and kind of show you a hack, okay. So this is Kali Linux, right, and this is the laptop we're going to use to hack an actual live security camera. This is a live security camera that we're going to log into. This isn't the hack yet; we're just logging into it. But just remember, right, that the hack kind of starts here, because I can just go to Google and ask: this is a Hikvision camera, what's the default credentials? admin, one-two-three-four, or admin, one-two-three-four-five. Wow. So, you know, I can just Google the default credential, I can log into this, and we're just going to log in. We're going to take a look at what's happening in this camera. Once you get into the camera, you can see a couple things, right. First of all, you can see what the camera is watching. This is a live camera on the network, so we're going to show and watch. So there it is: it's watching a very secure layer 2 switch on a table. Very secure. So that's what the camera's watching; we're going to be able to see that. And then we're going to be able to go in and just take a look at the settings, the configurations, the gateways, the IP address, the passwords and all those kinds of things; you see that all in here, right. At the end of the day, this is a Linux server that just happens to be performing camera functions, right. So when you see a camera, I see a Linux server. So do the hackers, right.

So there it is. So what we're going to do on here, if I can just go back. So I showed you Shodan, right, so let's do the first thing a hacker might do, which is say, all right, I want to go up to Shodan. I'm going to just search Shodan and see how many of these network-accessible Hikvision cameras are there on the open internet that I can see. If we do the global search, you're going to see there are about three and a half million of them in the world, right. And you say, okay, well, what about the US, right? So let's just do the US. So we do that: there are about a half a million of these things available, right. So again, remember, most of these attacks aren't happening from the open internet; they're going to attack and then pivot over to your xIoT. But still, half a million of these things available, right. So that's pretty good. I see that. Then I say, okay, what about, let's go get an exploit, right. So I'm going to go up to Exploit Database, Exploit-DB, right. So again, there are a lot of paid places you can get exploits; you can go on the dark web and pay thousands of dollars for these things. There are public sources of exploits. I'm really cheap, so I'm going here; this is free, right. So I'm going to go up and I'm going to see. So here we go, here's the exploit; you can see it for this Hikvision camera. I'm going to pick that exploit, okay. So there's the exploit. Then I go in here, there you go, there's the exploit, right, and here's the code right there, right. So I can modify this, copy it, whatever I want, right.

So now what I'm going to do, though, is I'm going to download this exploit, right, which is just a script, and I'm going to download it and put it on my laptop, right, okay. So then when I do that, I'm going to create a directory. You're going to see me; I'm going to create this directory here, which is called operation Hikvision, or ophikvision. I'm going to create that directory; I'm going to put that exploit right on it, right. So there it is; I'm right there. There it is, I got it, right. So I put that on there, right. So now I'm going to make this thing executable. I'm going to make that. So there it is, there it is. So now what I'm going to do is, I've got that on the camera. So now what I want to do is I'm going to do a check, and I'm going to check this remote device, which happens to be this camera, on port 80, and I'm going to ask, is it vulnerable to this exploit, right. So I'm going to do a check, and you're going to see there it's going to come, right. And so it's verified. I'm going to go back just a little bit and show you this. See that right there: it's verified exploitable, right. So I just did a check, and it said verified exploitable. Perfect. Now I know this particular exploit on this device is exploitable.

Now what I'm going to do, I'm going to change from check to shell, which is actually going to execute the code on this device, and here's where the exploit begins to happen. I change it to shell. Bingo, there it is, right. So I've got it. You can see here BusyBox version 12.126.2; 2019 is the last time that thing was updated. Pretty typical, right. So there it is. I just exploited this camera. It means I have root privilege on this device, way beyond the administrative control. For all intents and purposes, we own this camera right now, okay. Totally own this camera, right. So now what I'm going to do: I just verified that it's exploitable, okay. So now I'm going to list the directories in here. I'm in this camera; I now have full control. If you know Linux, this is very Linux-like. Just going to list the directories. Then what I'm going to do is I'm going to create another directory on here called bad, and you're going to see me create this directory, and I'm going to highlight it here just to make sure it's there. Just want to make sure that directory is there. It's called bad. You're going to see me highlight it, okay. So there it is, there it is: bad, the directory, okay. So I just exploited this camera with the exploit I got. I'm now listing and creating directories. That in itself isn't earth-shattering, but we'll get there, right.

So here I am. Now let's do some interesting things here, right. So I'm going to clear this out just to make space so you can see a little bit better. I'm going to re-execute the shell, okay. So there it is, okay. So now here I am. Now let's do something; let's bring up some hacker tools and get them onto this directory, right. So I want to get some tools. So what I'm going to do is I'm going to use TFTP, just to show some other protocols. I mean, from TFTP I'm going to do a remote get from this camera. I'm going to go to my laptop and grab a file called do.bad, and I'm going to grab that file from my laptop and I'm going to put it here on the camera, okay. So I'm going to do that; I'm going to put it on the camera. There it is. Now what I'm going to do is I'm going to make this executable. I'm going to use read-write 777, so that I make that root executable. There it is; there's 777. It's now executable. And there I go; I've got now this file on here. Now I could have uploaded anything I wanted. I could have put hacker tools, password crackers, you name it, anything I wanted, right. I could have done anything I wanted, right. But in this case I just brought this video in, and here's the do.bad. So I'm going to let this come in. I made it executable, and in this case I just uploaded a Shrek video. I just wanted to show you I could do anything I want, okay.

So now let's do something interesting, okay. So presumably I have some hacker tools on here, anything I wanted; I could have just piled them on there, okay. So now let's exfil, right. Remember, that's the point of these things. I take command and control, and so now I can go to your IT assets; I can go to your Exchange server; I can go to your cloud, and I can start exfilling data, right. But what I want to do here, for the sake of time, is let's just look for some interesting stuff that's sensitive on this camera. And so what I'm going to do is I'm going to look in the directory, and I'm going to see a pair, right; I'm going to see a pair of .pem files, public keys, private and public keys, okay. So I'm going to find them on this camera. You'll see them here; I'm going to highlight them, right. So there they are: servcert.pem, servkey.pem, a pair of public and private keys. Oftentimes these can be in a single file, but in this case they're bifurcated into two, okay. So real quickly, what I'm going to do is I'm going to use SCP, okay, secure copy protocol, which uses SSH, port 22. I'm going to exfiltrate these .pem files, of which there are two. I'm going to exfiltrate them and I'm going to put them in the same directory on my laptop that I had the video that I uploaded, okay. So here you go. So you see SCP, there you go. I'm going to see the files; I'm going to tell them, please exfil, go over to my directory on my laptop, and we're going to place those files in the laptop. I'm actually going to see them. There they are; there's the two files, servcert, servkey. Here it comes, and now, bingo, these files are going to be placed right over in the same directory, right there where I got the video. Here's the do.bad video; there's the two files. I could have exfiltrated anything I wanted. It could have been passwords, proprietary information, emails, your Exchange server, your cloud, I don't care. I could have done anything I wanted. I just showed you that, right.

So that's kind of where we are on this, right. I don't have time to go through the fixes of this; come on over to our booth. But we can actually fix this by talking to these devices, finally doing a profile on them, discovering them, and then let's take care of default passwords and credentials, right. It's a big problem. If you're worried about a critical CVE and your passwords are default, you're misplaced; go back and fix the password. So we can rotate passwords; we can shut off Telnet, SSH, Bluetooth, Wi-Fi, all these extraneous ports and protocols; we can upgrade and downgrade firmware; and we can maintain state on these devices, so that we know if they went from a secure state back down to an insecure state. Someone can just go put a paper clip into these devices; I want to be able to know that there was environmental drift. We can do all that today, for the very first time ever, right. We can actually start fixing this stuff, because, believe me, all the nation-states are focused on it, as well as the botnet armies and all the cybercriminals. Just think about what I just showed you: I could have done a host of things, and I could have had ransomware easily deployed on that device, right.

So I don't have time for much else. I'm way over, but I'll stop there and see if anyone has any questions. And sorry for going over a couple minutes, but I wanted to show you the hack. Any questions or anything there? Cool, awesome. Well, we're over in the IoT Village; it's Phosphorus Cybersecurity. Thanks for joining me today, and have a great rest.

Thank you, John. [Applause]
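As an added example of the mitigation side the talk closes on (profile each device, flag default credentials and extraneous services, keep state so that a slide back to an insecure state is noticed), here is a small Python drift checker. It is not code from the talk or from Phosphorus; the record format, the list of services treated as risky, and the device snapshots are all constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# Services the talk calls extraneous on a device like a camera (Telnet, TFTP, Bluetooth, Wi-Fi).
# This policy list is an assumption of the example, not something the talk enumerates exactly.
RISKY_SERVICES = frozenset({"telnet", "tftp", "ftp", "bluetooth", "wifi"})


@dataclass(frozen=True)
class DeviceProfile:
    """One inventory snapshot of an xIoT device (constructed record format, not a vendor schema)."""
    device_id: str
    model: str
    firmware: str                    # dotted version string, e.g. "5.5.0"
    services: FrozenSet[str]         # names of services the device is listening on
    default_credentials: bool        # True if the admin account still uses the vendor default


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '5.4.3' into (5, 4, 3) so firmware versions compare numerically, not as strings."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def assess(profile: DeviceProfile) -> List[str]:
    """Point-in-time findings for one device: the table-stakes items the talk says are usually missing."""
    findings = []
    if profile.default_credentials:
        findings.append("default-credentials")
    for svc in sorted(profile.services & RISKY_SERVICES):
        findings.append(f"extraneous-service:{svc}")
    return findings


def detect_drift(baseline: DeviceProfile, current: DeviceProfile) -> List[str]:
    """Compare a known-good baseline with a fresh snapshot and report movement toward an insecure state."""
    if baseline.device_id != current.device_id:
        raise ValueError("profiles belong to different devices")
    events = []
    if current.default_credentials and not baseline.default_credentials:
        events.append("credentials-reverted-to-default")   # typical after a factory reset
    if parse_version(current.firmware) < parse_version(baseline.firmware):
        events.append(f"firmware-downgraded:{baseline.firmware}->{current.firmware}")
    for svc in sorted(current.services - baseline.services):
        tag = "risky" if svc in RISKY_SERVICES else "new"
        events.append(f"service-opened:{svc}:{tag}")
    return events


def drift_report(baselines: Dict[str, DeviceProfile],
                 snapshots: Dict[str, DeviceProfile]) -> Dict[str, List[str]]:
    """Run drift detection across a fleet. Devices with no baseline are flagged so they get profiled."""
    report: Dict[str, List[str]] = {}
    for dev_id, current in snapshots.items():
        baseline = baselines.get(dev_id)
        if baseline is None:
            report[dev_id] = ["unknown-device"]
            continue
        events = detect_drift(baseline, current)
        if events:
            report[dev_id] = events
    return report


# Constructed sample data: the baseline recorded after hardening, and a later snapshot.
BASELINE = {
    "cam-01": DeviceProfile("cam-01", "ip-camera", "5.5.0", frozenset({"https", "rtsp"}), False),
    "ups-01": DeviceProfile("ups-01", "ups", "2.1", frozenset({"https", "snmp"}), False),
}
SNAPSHOT = {
    # cam-01 was reset: default password is back, firmware is older, Telnet and TFTP are listening.
    "cam-01": DeviceProfile("cam-01", "ip-camera", "5.4.5",
                            frozenset({"https", "rtsp", "telnet", "tftp"}), True),
    "ups-01": DeviceProfile("ups-01", "ups", "2.1", frozenset({"https", "snmp"}), False),
    # printer-07 was never profiled, so there is nothing to compare it against.
    "printer-07": DeviceProfile("printer-07", "printer", "1.0", frozenset({"ipp", "telnet"}), True),
}

if __name__ == "__main__":
    for dev_id, events in drift_report(BASELINE, SNAPSHOT).items():
        print(dev_id, events)
```

The interesting case is cam-01: a reset puts the vendor default password back, drops the firmware to an older build and reopens Telnet and TFTP, which is the kind of "paper clip" drift the talk describes. The report also flags a device with no baseline at all, because an un-profiled device is exactly the one nobody is looking at.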