Drinking From the Caffeine Firehose 2: Accessing Private and Industrial Systems

This part covers Dan Tentler's proof of concept showing how exposed home automation and industrial systems are to third-party access.

Private residences – really rich people tend to use these things, because it’s kind of a home automation thing, it’s kind of cool to heat your house with a web browser, or turn the lights on in your garage (Image 20). They exist, yes.

There’s trending data in a lot of these things, where you can identify at what times the power goes up and down, at what times lights go on and off, at what times air conditioning turns on, and things like that (Image 21).

Image 20: Home automation

Image 21: Trending data

Image 22: Solar water heater

This one (Image 22) was for a solar water heater, you can see how the hot water comes in and goes through the different water heaters, and goes up to the panels on the roof, and comes out; you can see the temperatures, you can see the pumps – that’s fun.

Image 23: Temperature controls

Familiar displays – you see that little thermostat there, in the bottom right-hand corner? (Image 23) Anybody ever seen one of those things? I was at Traffic Court last year doing traffic school, and we couldn’t figure out why the room was so incredibly cold, and it had one of those inside. And every time we tried to bring the temperature up so that it wasn’t, like, 50 degrees, it went back down again. And after finding this I sat there on my couch saying: “Oh, I see, there’s probably some kid 2 rooms away manipulating it and going ‘ha-ha-ha’.” Glorious! So, you see those things, you know they are connected to a bigger system.

More power systems (Image 24) that will aggregate for apartment buildings; they’ll aggregate the readings from power meters: read-only, you can’t really do much with it, there’s no input, but it’s still interesting stuff, I guess.

Larger industrial systems, like the Siemens systems (Image 25). Who would look at that and say: “I’m going to put a web server on that; this seems like a good idea”? Well, somebody did. And now they’re on the Internet by tens of thousands.

Image 24: Complex power systems

Image 25: Industrial system with web server function

Image 26: Contents under pressure – not safe to mess with

In some of these cases, when you start getting into these larger infrastructures, like you start getting into boilers that control hotels and giant industrial buildings, now you get to contents under pressure, so you start hesitating from the keyboard a bit, thinking: “I wish these water heaters had their own little security measures in them because, really, you could do some damage if you wanted to” (Image 26).

Image 27: Chrome Ultimate Flag

So, I found a whole bunch of stuff, but what can you actually do with this stuff? Well, OSINT is fashionable, let’s do that, right? So, level 1, simple recon; creeper mode, level zero.

You can install a tool that I was using, called Chrome Ultimate Flag which will tell you a little bit about the IP addresses you are visiting, the city, and stuff like that (Image 27). That’s crafty if you find 10,000 webcams and all you can see is just a square with a video, there is no extraneous information or anything like that. So, it’s cool to know at least what city it’s in.

So, if we look at a camera system like this, what details can we see? (Image 28) Well, it’s daylight, it looks outside, it’s somewhere within some time zone, near you maybe. You can maybe zoom in at the license plate so you could see what state they are in, something like that. But in the top right of the frame, the top right photo here, you can see that the camera is pointed at the door, and the door has the company logo on it. So, that was as easy as just taking a screenshot and flipping it.

Image 28: What details can we see?

Image 29: Leaking data in meatspace

Image 30: Figuring out the company address

And off to the right you can see that there is a desk with a computer on it, and that particular camera was pan-tilt-zoom. So, with no creds, you can log into this system and pan-tilt-zoom around the camera in the lobby of this company. So, I did (Image 29). I don’t want to get anybody in trouble, so I blacked out the name of the place, but you can see the text under the little black box there, it says: “Security integrators”. Good job guys!

So, based on the name of the company and what state I could see they are in, I did a little bit of homework, and this is how far Google Street View got me (Image 30). This is still creeper mode, level zero.

Let’s get to creeper mode, level 1: interactions. Now that you find stuff on cameras, find stuff on the Internet, what can you do if you just want to reach out and touch it just a little bit?

Image 31: Security cameras in the pizza place

I didn’t do any of this. This came to me after I published my first blog post with my script and some of the code that I used to generate the stuff, and I thought it was pretty funny. There were people that found a pizza place somewhere, I am not sure how, and found out what the name of this pizza place was, and ended up on the phone with them doing a bit of social engineering. And they found some really bored people at around 2AM in the back to hold up signs for the security cameras in the pizza place that were exposed to the Internet (Image 31). And some randoms on the Internet found them, called the place and started having them hold up signs. That was hilarious. And they (the staff) were very open to this, like there’s the girl on the phone with the caller, watching the camera. It is simple and pretty benign, but you can see how social engineering in this situation can be pretty hardcore.

Image 32: ‘Die Hard 4’ scene

Next level. You guys ever seen “Die Hard 4”? It’s kind of silly; they were driving a truck and hacking stuff. This guy (Image 32) did it with several million dollars and a truck full of equipment, and a black ops team and all this fun stuff – I did it with my laptop and a bunch of coffee.

Image 33: Car vs. helicopter

This was essentially, if you remember the movie, just a gigantic social engineering campaign at the end. But the minute you find a device that has telnet open that will let you shoot down a helicopter with a car (Image 33), I will pen-test that system for free.
