Who Controls the Controllers?
Hacking Crestron IoT Automation Systems
Copyright 2017 Trend Micro Inc.2
Who am I?
• Offensive Security Research on ASR team at Trend Micro
– Focused mainly on IoT research
– Break things in interesting ways and build cool exploit demos
– Report vulns to ZDI and work with vendors to fix issues
– 40+ disclosed vulnerabilities
• Conference speaker
– Defcon, Recon, Ruxcon, Toorcon, etc
What is Crestron?
IoT Device Controllers
• Audio/video distribution
• Lighting/shades
• Home automation
• Building management systems (BACnet)
• Access control/security
• Etc…
Fully Programmable/Customizable
• SIMPL
– Symbol Intensive Master Programming Language
– Write programs for UI and device actions
• Device control methods
– IR
– Serial
– TCP/IP
– Relay
– MIDI
– Cresnet
• Interact with and program controllers via Crestron Terminal Protocol (CTP)
• Crestron devices intercommunicate via Crestron Internet Protocol (CIP)
• Programming can be complex, usually handled by professionals
Deployment
• Universities
• Office environments
• Sports arenas
• Airports
• Hotels
• Rich people's houses
Deployment
https://www.crestron.com/getmedia/06b92c9d-c262-4190-bf52-4180d8f77fca/mg_2017_Brochure_Workplace-Tech-Design-Guide
Deployment
• “Microsoft chose Crestron as its exclusive partner to manage all AV and meeting room resources worldwide.”
– https://support.crestron.com/app/answers/answer_view/a_id/4818/~/what-kind-of-security-and-encryption-crestron-deploys
• “Crestron and Microsoft are technology leaders now working together to develop future digital media innovations.”
– http://www.crestron.com/getmedia/3321a1e7-f0d6-47b8-9021-a473981f8983/cs_Microsoft_World_Headquarters
Deployment
• Massachusetts Bay Transit Authority
– https://www.crestron.com/en-US/News/Case-Studies/Massachusetts-Bay-Transit-Authority
• Chicago Police Department
– https://www.crestron.com/en-US/News/Case-Studies/Chicago-Police-Department
• American Water Corporate Headquarters
– https://www.crestron.com/en-US/News/Case-Studies/American-Water-Corporate-Headquarters
Deployment
https://www.crestron.com/en-US/News/Case-Studies/Senate-of-Virginia
Deployment
http://hughsaudiovideo.com/hospitality_showcase.pdf
Products
• 3-Series controllers
– CP3, MC3, PRO3
– DIN rail
• Touch screens
– TSx
– TPCS, TPMC
– “One in every room” type deployments
Products
And more…
Platforms
• Mainly Windows
– Most products run WinCE 6
– Some other embedded Win versions allegedly
• Some Android/Linux
– Touch screens (TSx)
– Video processors and digital media streamers (DGE-100, DMC-STR, etc)
– More?
• If something is specific to either the Windows or Android platform, I’ll do my best to call it out
Discovery
• Magic packet to UDP 41794 (broadcast or unicast)
– "\x14\x00\x00\x00\x01\x04\x00\x03\x00\x00" + hostname + "\x00" * (256 - hostname.length)
• Response gives:
– Hostname
– Product
– Firmware version
– Build date
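The probe format on this slide is simple enough to write down and, more usefully for a defender, to recognise on the wire. The following is an added example (editor's code, not from the talk or from Crestron): it builds the 266-byte discovery packet exactly as the slide spells it out, and then uses the same constants to flag which hosts on a network segment are sending discovery probes, so an unexpected scanner can be spotted. The datagram list, IP addresses and hostnames are constructed sample data; the response format is not on the slide, so the unicast helper returns the raw reply without parsing it.

```python
import socket

# Constants taken from the slide: probes go to UDP 41794 and consist of a
# fixed 10-byte magic header followed by a 256-byte, zero-padded hostname.
CRESTRON_DISCOVERY_PORT = 41794
DISCOVERY_MAGIC = b"\x14\x00\x00\x00\x01\x04\x00\x03\x00\x00"
HOSTNAME_FIELD_LEN = 256
PROBE_LEN = len(DISCOVERY_MAGIC) + HOSTNAME_FIELD_LEN  # 266 bytes


def build_discovery_packet(hostname: str) -> bytes:
    """Build the discovery probe as the slide describes it."""
    name = hostname.encode("ascii")
    if len(name) > HOSTNAME_FIELD_LEN:
        raise ValueError("hostname longer than the 256-byte field")
    return DISCOVERY_MAGIC + name + b"\x00" * (HOSTNAME_FIELD_LEN - len(name))


def is_discovery_probe(payload: bytes) -> bool:
    """True if a UDP payload has the exact shape of a discovery probe."""
    return len(payload) == PROBE_LEN and payload.startswith(DISCOVERY_MAGIC)


def probe_sender_name(payload: bytes) -> str:
    """Hostname the prober advertised about itself (empty string if none)."""
    field = payload[len(DISCOVERY_MAGIC):]
    return field.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def flag_discovery_probes(datagrams):
    """Given (src_ip, dst_port, payload) tuples, e.g. exported from a network
    sensor, return (src_ip, advertised_hostname) for every discovery probe seen.
    Anything that is not on port 41794 or not exactly 266 bytes is ignored."""
    hits = []
    for src_ip, dst_port, payload in datagrams:
        if dst_port == CRESTRON_DISCOVERY_PORT and is_discovery_probe(payload):
            hits.append((src_ip, probe_sender_name(payload)))
    return hits


# Constructed sample traffic (not captured data): a probe from an AV laptop,
# junk on the same port, a probe with no hostname from an unexpected host,
# and a 266-byte datagram on a different port.
SAMPLE_DATAGRAMS = [
    ("10.0.5.23", 41794, build_discovery_packet("AV-LAPTOP")),
    ("10.0.5.40", 41794, b"\x14\x00garbage"),
    ("10.0.9.200", 41794, build_discovery_packet("")),
    ("10.0.5.23", 53, b"\x00" * PROBE_LEN),
]


def send_discovery_probe(target_ip: str, hostname: str, timeout: float = 2.0) -> bytes:
    """Send one unicast probe to a device you administer and return the raw reply.
    The reply layout is not documented on the slide, so nothing is parsed here.
    Network helper only; not used by the offline sample above."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_discovery_packet(hostname), (target_ip, CRESTRON_DISCOVERY_PORT))
        reply, _ = sock.recvfrom(4096)
        return reply
    finally:
        sock.close()


if __name__ == "__main__":
    for src, name in flag_discovery_probes(SAMPLE_DATAGRAMS):
        print(f"discovery probe from {src} (advertised hostname {name!r})")
```

Because the probe is a fixed 266 bytes with a constant prefix, the detector above is a byte-exact match rather than a heuristic; a sensor rule built on the same two facts (port 41794, prefix `14 00 00 00 01 04 00 03 00 00`) gives an inventory of who is enumerating controllers on a segment.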
Discovery
• Shodan results between 20,000 and 23,000
• Most common product is split between CP3 and MC3
(Results from 2018/06/11)
So What is Crestron?
• A lot of different things
• Running different programs
• On different platforms
• In different environments
But there are a couple of universal truths…
Anonymous Admin on CTP Console
CTP Console
• Main programming interface for devices
• Telnet-like console on TCP 41795
• Sandbox file system/commands
• Auth is available
– Different user levels (Administrator, Operator, Programmer, User, etc)
– Active Directory tie-ins
– Encryption
• Auth is disabled by default
– Reliant on programmer/installer to be security conscious
– Adds more complexity to already complex system
– Enabling is a multi-step process
– Never gets turned on
CTP Console
Standard CTP Functionality
• Change system and service settings
– Auth settings
– Web portal settings
– SSH/Telnet/FTP
– Basic SIP settings (Android?)
• Networking info/config
• Arbitrary file upload
– fgetfile/fputfile - HTTP/FTP file transfer
– xgetfile/xputfile - XMODEM file transfer
Standard CTP Functionality
• Firmware updates
• Run and control user programs
• Control output to other devices
– Display messages on OSD
– Play audio/video files
Hidden CTP Functionality
• Running processes: taskstat
Hidden CTP Functionality
• View/modify stored certificates: certificate
Hidden CTP Functionality
• Dr Watson dumps: drwatson (WinCE)
Hidden CTP Functionality
• Direct chip communication: readi2c/writei2c (WinCE?)
Hidden CTP Functionality
• Browser remote control: browseropen/browserclose (Android)
Hidden CTP Functionality
• UI interaction: fakekey/faketouch (Android)
Hidden CTP Functionality
• Record audio via microphone: recwave (Android)
DEMO
A Few RCE Vulns…
Cmd Inj Vulns on Android Platform
• 22 command injection vulns so far in CTP console
– ping (CVE-2018-5553)
• Simultaneously discovered by Cale Black and Jordan Larose of Rapid7
• https://blog.rapid7.com/2018/06/12/r7-2018-15-cve-2018-5553-crestron-dge-100-console-command-injection-fixed/
– But also adduser, cd, copyfile, delete, dir, fgetfile, fputfile, isdir, makedir, movefile, removedir, routeadd, routedelete, udir, updatepassword, wifipskpassword, wifissid, wifiwephexpassword, wifiweppassword, and more…
Cmd Inj Vulns on Android Platform
• Commands implemented programmatically on WinCE platform
• Just punted to shell on Android
• Most were simple to exploit
– EX: isdir `cmd`
Cmd Inj Vulns on Android Platform
routeadd/routedelete Exploitation
• First problem
– Arguments get up-cased before use
– Linux commands are case-sensitive
• Solution
– Create shell script containing desired commands
– Name it “BLAH”
– Upload it with fgetfile command
routeadd/routedelete Exploitation
• Second problem
– Uploaded script doesn’t have exec perms
– $SHELL/$BASH not set
• Solution
– $0 returns name of calling program
– When used in system() call, it returns name of shell instead
– Final injected string: `$0$IFS./BLAH`
– Could have also used the . (source) shell command in place of $0
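The root cause across these slides is one pattern: on Android the console builds a shell command line from the user's argument, so backticks, `$0`, `$IFS` and friends are interpreted, and up-casing the argument before use does nothing about any of them. The following is an added example (editor's code, not Crestron's console code and not the talk's exploit) written for the "Cmd Inj Vulns on Android Platform" and "routeadd/routedelete Exploitation" slides: it shows the command line the vulnerable shape would hand to `system()` without running it, shows that up-casing leaves every metacharacter intact, and then the hardened form, which allowlists the argument and executes the binary with an argv list so no shell ever parses it. `test -d` stands in for whatever the real `isdir` runs, and the allowlist is an assumed policy for a path-like argument.

```python
import re
import subprocess

# Characters a POSIX shell interprets when handed a concatenated command line.
# Upper-casing an argument (the routeadd/routedelete behaviour on the slide)
# changes none of them, so it is not a mitigation.
SHELL_METACHARACTERS = set("`$;|&<>(){}'\"\\\n\r\t ")

# Assumed allowlist for a path-like argument; the real console's grammar is not
# on the slide, so this is the editor's policy, not Crestron's.
SAFE_PATH = re.compile(r"[A-Za-z0-9_./-]+")


def vulnerable_isdir_command(user_arg: str) -> str:
    """Return the line the 'punted to shell' shape would pass to system().
    Returned as a string only; it is deliberately never executed here."""
    return "test -d " + user_arg


def upcased_command(user_arg: str) -> str:
    """The same shape after the up-casing the slide describes."""
    return "test -d " + user_arg.upper()


def contains_shell_metacharacters(s: str) -> bool:
    """True if any character the shell would interpret is present."""
    return any(ch in SHELL_METACHARACTERS for ch in s)


def validate_argument(user_arg: str) -> bool:
    """Allowlist check: printable path characters only, no '..' components."""
    if not SAFE_PATH.fullmatch(user_arg):
        return False
    return ".." not in user_arg.split("/")


def hardened_isdir(user_arg: str) -> bool:
    """Hardened form: validate, then exec with an argv list (no shell=True),
    so the argument reaches test(1) as a single argv entry whatever it contains.
    Returns True if the path is a directory, raises ValueError on bad input."""
    if not validate_argument(user_arg):
        raise ValueError(f"rejected argument: {user_arg!r}")
    result = subprocess.run(["test", "-d", user_arg], check=False)
    return result.returncode == 0


if __name__ == "__main__":
    # The slide's injected string survives up-casing untouched.
    injected = "$0$IFS./BLAH"
    print("vulnerable shape would run:", vulnerable_isdir_command(injected))
    print("after up-casing:", upcased_command(injected))
    print("still has metacharacters:", contains_shell_metacharacters(upcased_command(injected)))
    print("hardened accepts '/':", hardened_isdir("/"))
    try:
        hardened_isdir(injected)
    except ValueError as exc:
        print("hardened rejects:", exc)
```

The two fixes are independent and both are needed: the argv list removes the shell from the path entirely, and the allowlist keeps arguments such as `..` components or odd characters from reaching the program even though they could no longer break out of a command line.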
DEMO
Round 2?
• Kept finding more vulns while root-causing others
• Had to cut myself off due to time constraints
• Pretty positive there is more to find
I Want More!
• Significant amount of control by default
• Can escape CTP sandbox on Android using vulns
• But what about WinCE?…What about a more “legit” escape on Android?
SUPER SECRET BONUS DEMO
Conclusions
• Potential for good security practice is there but disabled by default
– Installers/programmers not security conscious or just concerned with getting everything working
– Normal users unaware of problem
– If security isn't enabled by default, it is probably not going to be enabled
Conclusions
• Wide deployment, including sensitive environments
– High potential for abuse by insider threats
• Boardroom spying/corporate espionage
• Messing with building/access control systems
• Hotel guests spying on other guests
– Even “isolated networks” are not good enough
Conclusions
• Android platform seems much less secure than WinCE platform
– Surprising at first, but makes sense
• Crestron has long history with WinCE
• Microsoft partnerships
• Newer to the Linux/Android world
• Too much product fragmentation?
Huge Amount of Auditing Left
• More CTP attack surface
– More RCE vulns?
– SIMPL and PUF
• Other services
– CIP, HTTP, FTP, SIP, SNMP, SSH, Telnet, etc…
• Other products
– Fusion, Xpanel, AirMedia, XIO Cloud, etc…
• IOAVA
Questions? Hit Me Up
• Twitter
– https://twitter.com/HeadlessZeke
• Email
– ricky[underscore]lawshae[at]trendmicro[dot]com
• Github
– https://github.com/headlesszeke
Thank You
