Freelance pentest guy Dan Tentler, aka Viss, delivers a talk at Defcon 20 about different digital control and supervision systems that can be accessed online.

Welcome to “Drinking from the Caffeine Firehose We Know as Shodan”! Anybody recognize that scene? (Image 1) Did everybody watch the old “Weird Al” movie?
So, a little bit about me. My name is Dan, people call me Viss. I’m a freelance pentest guy. This is not just another Shodan talk; today we’re going to be turning Shodan into a gateway drug.
Normally, what people put on the Internet is what Shodan will find, and that’s kind of boring. We know you can find switches and routers, and servers, and cameras, and stuff like that. What else is there?
I don’t know if anybody is actually doing this yet, and I don’t think there is any kind of accountability, so I figured that I’d poke that bear.
So, a little bit on editorial policy. Anybody work for an organization that prevents you from scanning yourself? Like, under penalty of death, no Nmapping, or they will drag you out to the parking lot and fire you. So, the bad guys can scan us, but I can’t scan us? Great! If you don’t know your own attack surface, then you’re crippling yourself against the bad guys, right?
So, before we get started, this is entirely read-only. Yes, I was connecting to random stuff on the Internet, but it was for screenshots only, there were no changes made, nothing like that. No systems were altered, entirely read-only.

So, first and foremost, let’s get straight to the fun stuff. A lot of cameras – like, thousands, tens of thousands of cameras. These are March Networks cameras (Image 2), which is really funny. And when I connected to this camera, I saw something that seemed pretty interesting. There’s a dude looking at monitors that appear to have exactly what I’m looking at on them. So, who watches the watchers? Me! I watch the watchers (Image 3).
SCADA gear, that’s popular, right? Let’s beat up on that. So, SCADA gear on webcams… well, you have SCADA equipment, it’s bad for you to put SCADA equipment on the Internet, we know it; so put a camera on it and put that on the Internet, great move! (Image 4)
Other random stuff on webcams. This is some German thing counting cubic meters of gas, ok (Image 5). But generally speaking, cameras are horrifically, horrifically boring. At the moment, I have about 3900 cameras, and when I look at them in the browser, it looks just like this: people’s garages, old dude in the living room – boring (Image 6).
And then I came across something like this (Image 7). What on earth is this thing? What is a T-2000? Who’s ReliOn? I’ve never heard of these guys. What’s the deal? So, Google to the rescue. It’s a hydrogen fuel cell that is used for industrial stuff (Image 8) that you can telnet into, no creds. That’s fun – now you can telnet into these things.
It looks pretty industrial, you can find a bunch of documentation about the thing online (Image 9). A lot of military installations tend to use this thing (Image 10), and they’re apparently happy with, you know, random PDFs on the Internet containing what military installations use this thing – great! Here is how you use it (Image 11); it’s a simple electrical connection diagram, right?
So, where would you normally find these things? Ok, now I know this thing and I know you can telnet into it, and I know you can find it randomly on the Internet by looking for 5 minutes. That’s where you find them (Image 12).

All the things that you connect to randomly on the Internet that are not servers and switches and routers – their security is horrifically, horrifically bad. Here is an example of a file that I pulled off of an energy meter of some kind (Image 13). The link to this file existed in the source code of the main index.html, and if you just hit this thing with wget and literally open it in vi – I won’t tell you what the password is, but it’s there, and it’s in clear text. Thanks, dudes!
Wind farms, giant fans that generate power from wind – this one is generating 37 Amps, not bad (Image 14).
Lighting, HVAC, alarm systems: this is some cathedral or something I found – no creds, you just hit it with a browser and it shows you: “Here is our stuff, and here is what the temperature of everything is.” (Image 15) Even down to the room, you can find out what the temperatures in different rooms are, and you can mess with them if you really want to (Image 16).
Power meters – some of these things are really cool. The graphs – I’ll come back to this later – but you can do trending based on the stuff you find here (Image 17). If you really want to be ultra creeper mode, you can watch these graphs and see when people turn the lights on and when people turn the lights off – it’s creepy.
Heat pumps – this starts getting into the interesting side of things (Image 18). This is what you’d see in a building or in a large hotel, or something like that, where you have this giant thing and it’s feeding multiple rooms. No creds, point a browser at it, good to go. And they get bigger. This one (Image 19) has 3 water heaters, it’s got some sprinklers, it’s got a pump, it’s got some other stuff. Ok, this is getting interesting, right?