
Gateway To IoT - Rob McLellan

BSides Lancashire, 22:15, published 2025-07
Transcript [en]

Thanks everyone for coming. I'm going to do a quick talk on some IoT devices that I've come across a few times on pentests. I thought they were quite interesting, so I did some research on them outside of work, and this is just a quick run-through of that research. The quick who-am-I: I started out making machines and now I break machines; senior at trust smart lab, the most important point of course. Right then.

So the devices we're going to look at today are made by a company called Lantronix. I've come across these a couple of times on site. They make these devices where it's basically two connections on one side and a network connection on the other: hardware, industrial kit, medical kit, RS-232 pretty much across the board. You can put these in and you can network that kit.

So, first, the devices they actually make. The ports across the front of that device there look like network ports, but they are actually serial ports, apart from the two at the end, which are network ports. So the idea is this: you put this into the out-of-band management space of your firewalls and routers. You plug these into the console ports on your routers and firewalls, then you plug in a network cable, and you can connect to them across the network to manage the firewalls. In the diagram there you can see, at the bottom, the black box in the rack is that console server: people get to the console ports on your firewalls through it, not through the network. Then there's stuff like the embedded chip; that's like a network stack building block, so it's just a network port. If you're manufacturing your own kit, you buy one of these chips, sit it on the board of your kit, and it has that capability: it has a remote management interface on it, a web-based management interface, and it's supposed to have FTP access for remote management.

So this diagram here, this is how these work. You have lots of these little devices connected to your hardware. Then you have your admin guy running software which connects across the network to these devices, and he can use the serial ports connected to those devices. Again, it's a similar sort of setup you've got with an industrial setup here: all these boxes connected to industrial hardware, software connected to all these devices. The software this guy runs: there are a few packages, but there's one called DeviceInstaller that allows you to connect to these devices and allows you to scan and find those devices and manage them.

So I was quite intrigued by these devices. I'd come across them on a couple of onsite engagements; interesting because they tend to have defaults, so it's quite easy to get the web admin on them, and I noticed that they're connected to quite interesting things, but hadn't done more than that. I'd spoken to the contact and they said, yeah, that's interesting, just a password, connected to like one... one that got away kind of thing. I was also on a big industrial site once

where they had these devices, and they had like one huge production line, lots of devices on the production line, and lots of them had these devices connected to them for management. And they specifically said: do not scan any of those devices, because they are really flaky. If you scan them, they will crash. If they crash, the production line might stop. If the production line stops, that's going to cost us lots of money. Do not scan them. So I still wanted to go away thinking, these things are really flaky; how do I not play with them?

And then I heard HD Moore, of Metasploit fame, on a podcast. His latest thing is he's got this network scanning asset discovery software that is apparently pretty clever at scanning your entire infrastructure, mapping out the network and finding all the devices that are on it, and he made this offhand comment about: oh yeah, we see these devices all over the place, but you can't scan them; if you send any scan to them you'll crash them, so we have a way of discovering them without sending any packets to them. I was like, what is on the network without sending any packets to it? Anybody, any guesses? Broadcast. Broadcast. Exactly. It took me longer than that; I was at the next station when I thought: a broadcast.

So I was intrigued, and I had this hypothesis. I thought, I need to get these to play with; that's how it actually works. So on to eBay for older devices. Some of them are new devices, but you can get the old ones pretty cheap on eBay. Hooked them up, stuff out of your home, did a packet capture, turned it on. Yay! UDP broadcast. Every 3 minutes you can see them popping up like this. So, hypothesis confirmed. With that, I thought, right, okay, well, I've got these devices, I might as well carry on poking at them and see what other things I can do with them. So, actually, do the devices seem vulnerable at all? Well, there's loads of little things about them that are just not good practice. So, there's a web management interface enabled on

port 80. There's FTP enabled by default. These things support encryption, I'm not sure it's all military-grade encryption, but it happens to be turned off by default. So, everything's going. I found one vulnerability in some of the older devices, in some of the versions of the firmware, where it's like an authentication bypass vulnerability, so you can get access to the admin console without authenticating. It's a bit of a weird one, because in the later version of the firmware it is fixed, but when you look in the release notes it doesn't mention this at all. So I don't know if that's because they just accidentally fixed it without realizing it was there, or whether they saw it and thought, I'll just not tell anybody. Not sure about that.

That's kind of a cool bug, but I wanted something better. I wanted to be able to get at multiple devices and get away, and as I stepped back I thought maybe there's a better approach to doing this. We want to get access to all these devices around it. And I noticed that they tend to have the default password the same across all of them. So rather than going after all of these devices, this guy up here is running the Lantronix software; he already has access to all of them. He can find them on the network and he can connect to them. So maybe this guy is the best target to go after.

So he's running this Lantronix software. I wonder, are there any vulnerabilities in that software that allow us to compromise his workstation? Then we can access all of these, and as additional gravy, if this guy's on the network and he's got a joined machine, we can talk through his machine to the internal network as well. So this guy's a better target. He's running DeviceInstaller, so enter DeviceInstaller. I go off, I download it, I install it. This is what it looks like: it scans the network and you'll find the devices that are connected. Here's some devices I had sat on my network. And again, I noticed there's this sort of behaviour in a lot of applications where you can define global credentials. So these are the admin credentials that are expected to exist across every single machine. Same username and password on every single machine. That's interesting; I'll play with this.

It doesn't, like, [inaudible] some network service on the machine you can get to, so I thought, okay, how does it do this network discovery scanning across the network? So I did some packet captures, sorry, it's Wireshark, I did use various tools, but I thought for this presentation, well, look what it does. So we can see it does this UDP broadcast across the network

to 43282647, and the devices, if they're present, will then respond with packets that look like this. So I thought, right, okay, well, what if I send a response? I can insert myself into the conversation, then maybe I can start fuzzing the traffic that's going back from the device to the software. So I tried doing that. I wasn't really able to get anything interesting; I couldn't make it unstable or anything like that. But in doing that, I noticed I was able to work out the structure of some of the packets, or some of the bits that are in the packet. So you can see that 0007 on the side there, that's the version of firmware that's installed on the device; 55 33 is like a device type, which type of device it is. And then in blue at the bottom there, that's the device ID. Each of these devices has a unique device ID, which I based my response packet on.

So I continued sniffing packets but couldn't really figure out what was in it. So when you then click on the device within DeviceInstaller, what it does is the software connects over FTP to the device, gives it those credentials to authenticate, and then it pulls down a configuration file that has the actual configuration of the device in it. So I thought, okay, brilliant, that's a nice easy way we can get a quick win: a device on the network, someone clicks on this mysterious device that appears, and those are the same as all of the others, so that's cool.

But I got a little bit better than that. So I started looking at the actual config file that gets delivered across FTP, and it looks a little bit like this. So it turns out it's an XML file. Now, I've had fun before with XML files. You can do things like XXE into them. I'm not going to go into XXE in depth here, because there's 20 minutes on the clock already; if you want to know about it, ask me, but essentially what you can do is embed references to data outside of your XML file using XXE injection. So what you can do with that is reference files that might be on the hard drive of the machine parsing the XML, and it pages those files in, and you can also refer to network locations. So you can connect to web servers, FTP servers, SMB shares. What that effectively means is you can pull data out of local files, take that data and put it in a GET request to a web server that you control, and send data from the local file system to yourself, to your web server, so you can extract that.

So I put together a payload to do that and embedded it in the config file on the device. So we've got here, at the top there, a couple of lines of Python that acts as my fake device. So we kick that off. And at the bottom I'm tailing the log file from the FTP server that it's going to pull the config file down from. And on the other side I'm tailing the logs from the web server it's going to connect to. And this is just demonstrating that on the file system of the host running DeviceInstaller there is a file that contains the text "hello world". So in our DeviceInstaller we see the scan start, the device on that 172 address has appeared in devices there; that's actually my laptop, that's our device. Then we see at the bottom the client connects, downloads the config file, and we see at the top there "hello world", the content of the file that is pulled from the file system.

The other thing you can do with this is you can reference SMB shares. So if I run Responder on my local host and then we reference an SMB share in the file on the local file system, we run the same process again: someone comes along, clicks on our device, it then connects, and we get the password hash of the user that's running the software. So we can then spray that hash around the network. If that's joined, happy days; we can start spraying that and get access to that machine. So I thought, pretty cool, pretty cool. We've got an actual vulnerability. So I thought I'd better

report this to Lantronix, so I reached out to them. Hey, I've got a vulnerability. Sent them an email, got a response, sent another email, got a response, waited a week, sent another email, no response for the week, on and on and on. We sent them a message on LinkedIn through the corporate account: hey, I'm from the security team, I've got a security vuln. No response. So I then reached out to CERT and got them into the conversation. Then it took a comedy turn, because Lantronix joined the conversation and said, oh, that device is really old, we don't support it anymore, it's end of life. And I thought that's strange, because I downloaded it not long ago and it didn't say in the recent release that it was end of life.

So I went back to the website just to check: is it right, did I just miss it? It's disappeared from the download page; it's no longer there anymore. Well, that's really weird. So before I go back and ask, I just click around a little bit more on the Lantronix website. So, clicking around again, we've got a discontinued products page, and right at the top there, there's the device. But how can it get discontinued? And it was discontinued on the second of April this year. Exactly right. Quite the coincidence. They were always going to end up laughing. Okay. So, well, okay. Well, you've killed this, fair enough.

But there'll still be guys, you know, people who've still got their hardware they want to manage. So what do they do? Is there another product that they can use to manage it? And they said, "Oh, yeah, sure. We've got this new software called Provisioning Manager." They can use that; it looks like this. So you start it up with a wizard to connect. Again, it's the same thing where it just assumes you're going to have the same admin credentials, all right. I think this is going to be the same thing, right? So is it going to be the same if I run the same payload again? This one also has some sort of weird cloud integration thing that I haven't dug into yet. Not sure what that is. We'll run through it. Finish. It does the same thing again: discover devices. Just imagine the software... yeah, they have completely rewritten it. It's completely different. We know that because... ah, that's a shame. But the heart is right; we don't. So I dug into it a little bit more and found another interesting thing that this software does. Tried some slightly different attacks on it. Another go at discovering devices. What we get this time is a little bit different. We've got, so, this one's got like a remote code execution, really. Now, I'm not going to go into detail of what that is, because obviously I went straight to... there's another one that [inaudible], but not yet.

So this was like interesting, fun research. I just thought I'd run through it and go through the process of, you know, how I did it. Quick conclusion; I'm watching, 21 minutes yet. So, lots of fun to be had with IoT. I think within these devices there's still loads more stuff that I've not yet... I can definitely play with. So I'm looking forward to doing that. There are other manufacturers out there that make similar or clone devices, so I'm sure the same sort of report seems to be required. And, yeah, there are loads more angles here that you could definitely look at; like, one of them is, look, one of these devices itself: a malicious device, put a payload on the device, and then you just go and plug what looks like an ordinary device into a network, leave it, and it reports on everybody who tries to scan that network. So yeah, that's me. Hopefully you found that interesting. Any questions, if we've got time? Any questions? Yes.

So, doing this is based on

IPv4/v6? So is that an angle to possibly look at? Yes, almost certainly. To be honest, some of the devices that I bought, because I just went on eBay and was like, let's get the cheapest one I can get hold of, I got the really old ones that were like 20, 30 quid. I don't think they actually support IPv6. The newer ones, I guess they probably will, and you could probably have some fun with that. But yeah, definitely another angle to exploit, to look at.

I expect, if they're used industrially and used commonly, then they won't get swapped out too often. So it's a long persistent threat on the hardware, and if you've got new software talking with the old hardware that doesn't have a firmware upgrade, the opportunities are going to remain for many fruitful years to come.

I suspect so, and, you know, I found vulnerabilities for the old versions of the firmware. I'm almost certain that people running these are not upgrading the firmware regularly, because you'd have to reboot the device to do that, and that means, like, whatever it's connected to, potentially; they're not doing that. They're going to be running the old firmware. They've got to be running the old software to connect to it. When Lantronix said, "Oh, that software is end of life," they said, "This is really old. Nobody uses this." I don't believe that for a second. Like, I definitely see them out there in the wild.

I think there's a big issue about end-of-life software in terms of how you communicate that, because it isn't a standard thing that you get. There are people looking at that now in Cisco, because software is current even if you're using it, like... A lot of people spend their lives [inaudible] about it. Yeah. If it works, they've got to stick with that. It's the one you know; the industrial stuff, because it's expensive to change. Yeah. Again, there's a discontinued page there, but I can't imagine people going to check it out. Just a bit of a comment on that: there is a website, now sponsored by [inaudible], that is a very good resource for a lot of open source, container, Kubernetes things coming out of end of life. Have a look at it. They're trying to do standards, trying to communicate this information: end of life, end of support, ending support. So there's a whole industry getting that okay, because it needs to be communicated on standards for IoT stuff.

There's a sort of funny thing I discovered along the way with this one: [inaudible] management quite a long time ago. So the default password is "pass", straight in there. That's pretty [inaudible] in 2022. I think it was California that set the standard for IoT hardware, where they say that IoT hardware that has a provisioned admin account on it can't be given the same password. So Lantronix went, cool, we'll give a unique password to everything that's manufactured from '22, and the password on the provisioned account they chose to use was the device ID, which is that thing that it gives you [inaudible], and is also the same as their MAC address. So if you want to say, oh that's right, the default password, it's straight there. So there's compliance with the regulation, but in a way where it's probably awesome.
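As an added defender-side example (not from the talk, and not the vendor's DeviceInstaller or Provisioning Manager code): the management software in the talk fetches a device-supplied XML config over FTP and parses it, which is where the XXE lands. This is how such a consumer can parse an untrusted config in Python so that DOCTYPE and entity declarations are refused before any file, URL or UNC reference could be resolved. The config layout, setting names and sample values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UntrustedXMLError(ValueError):
    """Raised when device-supplied XML declares a DTD or any entity."""


def _reject(*_args):
    # Any DOCTYPE, entity declaration or external entity reference aborts the
    # parse before a SYSTEM identifier (file:, http:, UNC path) is ever opened.
    raise UntrustedXMLError("DTD/entity declarations are not allowed in a device config")


def assert_no_dtd(xml_bytes):
    """First pass over the raw bytes with expat: fail closed on any DTD construct."""
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _reject
    parser.EntityDeclHandler = _reject
    parser.UnparsedEntityDeclHandler = _reject
    parser.ExternalEntityRefHandler = _reject
    parser.Parse(xml_bytes, True)


def parse_device_config(xml_bytes):
    """Parse a device config into {setting: value}, refusing XXE attempts."""
    assert_no_dtd(xml_bytes)
    root = ET.fromstring(xml_bytes)
    return {child.tag: (child.text or "").strip() for child in root}


def config_is_safe(xml_bytes):
    """True if the config contains no DTD or entity declarations."""
    try:
        assert_no_dtd(xml_bytes)
    except UntrustedXMLError:
        return False
    return True


# Constructed sample files; this is not the vendor's real config layout.
BENIGN_CONFIG = b"""<?xml version="1.0"?>
<deviceconfig>
  <hostname>serial-gw-07</hostname>
  <ipaddress>192.0.2.10</ipaddress>
  <serialbaud>9600</serialbaud>
</deviceconfig>
"""

# The shape of the config-file XXE described in the talk: an external entity
# whose SYSTEM id a DTD-honouring parser would go and fetch (placeholder path).
HOSTILE_CONFIG = b"""<?xml version="1.0"?>
<!DOCTYPE deviceconfig [<!ENTITY leak SYSTEM "file:///C:/example/hello.txt">]>
<deviceconfig><hostname>&leak;</hostname></deviceconfig>
"""
```

The same pre-check applies to any XML a management tool pulls from a device it discovered on the network, whether over FTP or another channel.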