Drinking From the Caffeine Firehose 4: Pen Tests As a Source of Trending Data

Dan Tentler further exemplifies the stunning exposure of digital systems to virtually unimpeded access, and provides a summary of his Defcon talk.


Image 46: Autoplate

Image 45: Econolite system

Ok, how about listening on telnet? These are intersections, like, stoplights, you can telnet into them and put them in test mode, and the warning says: “Don’t do this, you can kill people!” (Image 45)

Autoplate is another fun one (Image 46), these are red light cameras that photograph your car, OCR license plates and send them to cops. These are glorious because you can telnet into them and tell them to send the pictures elsewhere, no creds. And what’s really funny is if you look at the screenshot it says: “Basic VES with no security”. Awesome!


Image 47: DakTronics

Image 48: Controlling freeway traffic regulations by accessing DakTronics systems

So, DakTronics (Image 47) – I got to give these guys a thumbs-up because everything was protected, but these guys make signs that do this sort of stuff over freeways, and they are also listening on port 88 and you can also telnet into these. So now I got red light cameras, road signs, stoplights – check it (Image 48).

Image 49: Ruggedcom passwords

What else? Let’s do some current events. Anybody remember Ruggedcom? Ruggedcom was a fun one, right? So, if you hit a Ruggedcom box with a web browser you see something like this (Image 49: see left-hand part). Anybody want to take guesses on what those passwords might be? Because they send them to you and then they obfuscate them. So, if you view the source, or if you have any browser plug-ins that can de-obfuscate passwords, there you go (Image 49: right-hand part).
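A defender-side check for the flaw described above, as an added example that is not from the talk or from Ruggedcom: it flags password fields that a page ships with a pre-filled value, because masking in the browser hides nothing from anyone who views the source. The sample HTML and its field names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample of a device admin page; not taken from any real product.
SAMPLE = """<form action="/save" method="post">
  <input type="text" name="user_admin" value="admin">
  <input type="PASSWORD" name="pass_admin" value="example-not-real">
  <input type="password" name="pass_guest" value="">
  <input type='password' name='pass_new' placeholder='new password'>
  <input type="password" id="pass_oper" value=placeholder123>
</form>"""


class PrefilledPasswordFinder(HTMLParser):
    """Collects <input type=password> elements whose value attribute is non-empty."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        # HTMLParser lowercases attribute names; values keep their case.
        a = {k: (v or "") for k, v in attrs}
        if a.get("type", "").strip().lower() != "password":
            return
        value = a.get("value", "")
        if value.strip():
            line, _ = self.getpos()
            # Record where the secret is, never the secret itself.
            self.findings.append({
                "line": line,
                "field": a.get("name") or a.get("id") or "?",
                "length": len(value),
            })


def audit_page(html):
    """Return one finding per password field the server pre-filled."""
    finder = PrefilledPasswordFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


if __name__ == "__main__":
    for f in audit_page(SAMPLE):
        print(f"line {f['line']}: field {f['field']} carries a {f['length']}-char value")
```

Run it over the rendered HTML of your own admin templates; any finding means the stored credential leaves the server on every page load and the form should send an empty field instead.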

And the next one actually was an interesting one, the next one was sort of like: anybody familiar with those movies where some hacker dude does something, and then his phone blows up, and the government says: “Hey, hacker guy”. It actually happens.

Image 50: Malware or not?

I hit this (Image 50), and I thought it was not malware or anything. Maybe some kid defaced something. Look at all of these Java applets that I am not gonna let run. I took a screenshot and put it on Twitter. I had a discussion with a gentleman that pinged me afterwards and said that was actually safe, and I could run that.

Image 51: Now it looks ‘better’

So, I get my VM, take a snapshot, pop this thing open – and it looks like this (Image 51). Oh, megawatts? Yes, those are megawatts. This is a hydroelectric plant in Fumel, France, with their SCADA equipment open to the Internet. They have 2 turbines and each turbine is generating something about 3 megawatts. Oh, that’s kind of a big deal.

I didn’t put this screenshot on Twitter but the gentleman I was talking to said: “You’re gonna get a call from some interesting people”. I thought, yeah, some dude saying that to me on Twitter randomly, whatever. At 8:45 the next morning, I get a phone call: “Hi, my name is Anthony, I am calling from DHS”. So, that was interesting, that was one of those occasions when you hear about feds calling the hacker guys.

Satellite systems also listen on these things and, hilariously, they are a lot more boring than you think (Image 52); like, I remember as a kid I was like – yeah, I’m gonna get one of those satellites. Well, this is lame. They are open and they are listening, and you can see how many frames go back and forth. This, I think, is a television setup somewhere in Europe that is completely open.

Image 52: Satellite systems

Image 53: NAS storage arrays

Image 54: Car wash system

This one is new – NAS storage arrays (Image 53), this came out recently, like several weeks ago. You get one of those storage arrays, and it’s a network device, and you can plug it in and do NAS and SMB to it. Awesome, go ahead and put that on the Internet too.

This one was glorious, I was in tears laughing: you can telnet into a car wash (Image 54). What the hell? That was interesting. The first time I saw this I thought it was Mission Impossible stuff, like you have your foreign diplomat go to the car wash, and you put the barriers up and spray the soap.

This one was double hilarious, these are massive humidifier systems that are in hospitals and industrial settings (Image 55). These things are the size of about 3-4 refrigerators side by side: 6 feet tall, 10 feet wide, 3 feet deep, and they make vapor. You think, ok, that’s not so interesting. They have a marketing video where you can connect directly to the board (Image 56). They have no idea what they are doing. Their marketing material boasts that their equipment is in the White House. Ok, good to know!

Image 55: Massive humidifiers

Image 56: Some thoughtless tips

Image 57: Emergency Telco gear

Emergency Telco gear (Image 57) is like VoIP stuff that first responders use; and it’s open and listening on the Internet. Ok, you wanna put some fake 911 calls in? You can do that.

Image 58: Netscape 6 support!

Occasionally, some really old forerunner kind of stuff comes around and you see stuff like this, which I can give you a second to read (Image 58); and if anybody can spot the hilarity in here please point and yell. Yeah, support for Netscape 6, guys! This code was taken from geocities.

Did you know speakers have web servers? (Image 59) This one – you can send it an .mp3 and it will play it!

Image 59: Speakers with web servers?

Image 60: Massive wine cooler controls

Image 61: Wine cooler functioning stats

A wine cooler, a gigantic ridiculous wine cooler that has a champagne alarm in a giant hotel somewhere (Image 60). This is great stuff, often it is just funny during pen tests, and I can’t wait till I can put this kind of stuff in my report (Image 61).

So, thinking longer term, I mentioned the trending stuff earlier; there are tools in the battery equipment that will let you trend over months and weeks. You can start building profiles based on these things, like when people come in and when people leave, when the alarms go off, when the alarms are turned on, when the gates open and shut – all that stuff, doing profiles in long-term investigations.

Image 62: Lots of public cameras

Scanning the whole Internet is getting a lot easier, we can do this stuff, we can measure it now. If anybody saw any of my previous talks I presented a few months ago, I saw a whole bunch of ridiculous TrendNet cameras (Image 62) and I have some numbers.

Image 63: Media impact

The first time I did this I found 560 cameras. There was a BBC article scaring everybody, talking about how creepy it is that people can see cameras on the Internet. And then I did a re-test and found 25% fewer cameras or so. Then U.S. media picked that up and the number went up. And then I did the test again just a little while ago and the numbers went up almost to what they were before, so scaring the crap out of people is a great tactic but it’s temporary (Image 63).

It does scale well and I’m working on it, so when I have some more interesting information with these numbers, I intend to come back and present some more. And if you want to stalk me this is how you can find me: atenlabs.com/blog | @viss.

Read previous: Drinking From the Caffeine Firehose 3: Vulnerable Infrastructure Systems
