Sacon - IoT Hackfest (Sri Chakradhar K)

1. C
IOT SECURITY
WORKSHOP
Presented By
Sri Chakradhar Co-Founder & CTO, Sai Charan (OSCP)
Entersoft (www.entersoftsecurity.com)

2. How public cameras can be accessed remotely?
For the purpose of remote access or surveillance many of the users or cosn keep their video
feed public to watch anytime from anywhere.
Scenario 1
• By using simple search command anyone can access various camera LIVE AXIS MODEL
around the world and you will be able to view the current various devices which are
currently online.
• Ex: “inurl:/view/viewer_index.shtml” AXIS cameras with basic security can be viewed with
respect to what the camera is capturing whether it might be a bank lobby or a simple
home.
Scenario 2
This is another search command we can try or use on google search engine
“inurl:guestimage.html” by this input you can view Mobotix cameras which are online.

3. • While looking for most recent vulnerabilities we found the HikVision privilege escalation
vulnerability which allows any un-authenticated remote attackers to view the device
properties, user details, take a snapshot and most importantly allows to change the
password for any user including the Administrator.
• For this demo purpose we have made use of the below dorks to find several HikVision ip
based cameras which were publicly accessible to anyone who uses a simple google
search by using the below following commands.
intext:"Hikvision" inurl:"login.asp"
intitle:"Login" inurl:"/doc/page/login.asp"
• We have selected a target out of all the search results. It is a bot which is left alone in the
internet space for the demo purpose.

4. • How we have replayed the same attack by exploiting this particular Vulnerability?
• After a quick research we have found what might the root cause of the vulnerability.
• By assessing the firmware we have found out a unique authorization string in the source
code which can be used for all the HikVision Cameras to perform a list of attacks ranging
from information gathering to resetting the administrator password.
• We used the previously found authorization string to
1. Gather Device Information including the Model, MAC and S/N
2. Gather User Information including id, username and role
3. Take a Snapshot with out logging into the application
4. Reset the Admin Password using PUT Method
• A live hack demonstrating all the above attack cases will be followed.

5. Latest IoT attacks
• 'IoT_reaper,' first spotted in September 2017 by researchers at firm Qihoo 360, the new
malware no longer depends on cracking weak passwords; instead, it exploits vulnerabilities
in various IoT devices and enslaves them into a botnet network. It’s a dubbed version ‘Mirai’
which caused chaos last year.
• IoT_reaper malware currently includes exploits for nine previously disclosed vulnerabilities in
IoT devices from following manufactures:
• Dlink (routers)
• Netgear (routers)
• Linksys (routers)
• Goahead (cameras)
• JAWS (cameras)
• AVTECH (cameras)
• Vacron (NVR)
Cont..

6. • Researchers/we believe IoT_reaper malware has already infected nearly two million
devices and growing continuously at an extraordinary rate of 10,000 new devices per day.
Source : https://www.symantec.com/security_response/writeup.jsp?docid=2017-
102304-0245-99
• According to CheckPoint, IoTroop malware also exploits vulnerabilities in Wireless IP
Camera devices from GoAhead, D-Link, TP-Link, AVTECH, Linksys, Synology and others.
• Since these cameras are meant to secure something, like a bank lobby, this could lead to
collection of sensitive information or prevent a crime from being observed or recorded.

7. Conclusion
• Internet of Things (IoT) devices has always been the weakest link and, therefore, an
easy entry for hackers to get into secured networks. So it is always advisable to keep
your Internet-connected devices updated and away from the public Internet.