Drinking From the Caffeine Firehose 3: Vulnerable Infrastructure Systems

Dan Tentler, aka Viss, provides a walkthrough of more systems that are exposed to outside intrusion, including massive cooling, power and i.LON controls.

So, next – massive cooling equipment. This is a warehouse I found somewhere in Central America that had 14 gigantic evaporative coolers connected to it (Image 34). This is a food storage facility somewhere; it could have been a medical storage facility, but each one of these evaporative coolers presumably could cool a room like this.

Its panel has details (Image 35), and you can connect to them and get specific data on what their names are and what buildings they are talking to, and things like that. So, if you are doing pen tests and you wanna do recon on a target, and maybe it is a retail organization, this is interesting stuff to get into.

Image 34: Massive cooling system stats

Image 35: The cooler’s details – pretty informative

Image 36: Some SCADA systems keep logs

Some of these things actually keep logs (Image 36). This is really funny because once you get in and it is completely open, there are the names of the laptops of the people that run that thing. So, entirely without trying or by happenstance, there is intelligence leakage happening through this SCADA equipment.

Image 37: Massive UPS gear

This one was a pretty hilarious find. Anybody familiar with the company Liebert that makes giant UPS things at data centers? (Image 37) You can put them in test mode from the Internet. Test mode turns off the battery. What happens when you do that to a data center? People get angry! I didn’t do it but…

Image 38: VNC system controls

Some of these, like I mentioned earlier, have VNC Touchpanels. This one has some sort of liquid control flow valve operation, and you can pause and change the flow of the chart (Image 38). I didn’t really go much farther than this thing, but presumably you can change the flow rate of the valves that operate this thing. The numbers here read out something between 2000 and 2500 on the top end; I don’t know if that’s feet, or meters, or what, but a water pump that has these kinds of figures might be doing something interesting.


Image 39: i.LON

Ok, it’s interesting but it’s not like a ‘firesale,’ like a movie, right? Well, meet i.LON (Image 39). i.LON is kind of neat; it is a piece of hardware that was made to control LonWorks networks. Now, LonWorks was something where you have industrial equipment that needs to talk but people didn’t feel right putting it on the Internet, so they made their own network. They made their own network topography for these sorts of things, and they called it LonWorks. And then, as with anything else, somebody took a web server and Ethernet and put that on top of the thing that wasn’t supposed to be on the network.

And these, hilariously, are stackable, just like Devo hats. You can have one of these controllers talking to 500 more, or, in this case, 3 dozen more (Image 40). This is a controller that I stumbled upon randomly, and they show several IP addresses which I blanked out as I don’t want to get anybody in trouble, but when you open this little plus symbol there and the submenu items come in, they look kind of interesting.

Image 40: i.LON is stackable


Image 41: Gigantium

Image 42: Gigantium’s floor plan

One of them I saw was Gigantium. Well, that looks cool, let’s google that, what’s Gigantium? Oh, it’s a stadium thing (Image 41), and under that wood there is an ice rink that you can defrost if you want. They host big events, and all of their alarms, all their lights, and the garage doors, and all of these things that you hear about in the movies are connected to this system – no creds, no passwords, nothing. Conveniently, they have a floor plan for you should you decide to target a particular area (Image 42).

Image 43: i.LON controlling strand camping infrastructure

So, I went back to the list and kept looking at what else could be there. There is this strand camping place (Image 43) that has water slides and a lot of solar equipment, and I can’t imagine that their i.LON systems are controlling the water slides, maybe the valves there, maybe some of the solar power stuff, but that’s interesting.

Image 44: Another camping place

Another one, that’s another sort of camping place that has cabins that you can rent, and the website of this place looks kind of cool (Image 44). It’s a facility that is somewhere out in Europe, and they market this to Americans too. You can go take a vacation there.

That’s fun: I can control an ice skating rink, the lights, the HVAC, the power, garage doors, water pressure, boilers of something like 36 businesses in some downtown part of some city in Europe. So, we are getting a little closer to the movie. But in the movie (“Die Hard 4”), they were able to control stoplights and signs, and things like that.

Read previous: Drinking From the Caffeine Firehose 2: Accessing Private and Industrial Systems
Read next: Drinking From the Caffeine Firehose 4: Pen Tests As a Source of Trending Data
