As you have probably already recognized, some of us here at ERNW are doing research in the area of smart home technologies e.g. KNX. Recently, we took a deeper look into a device which is used to control a smart home system produced by the vendor BAB TECHNOLOGIE GmbH called “eibPort”. This device can be used to control smart home systems based on different technologies e.g. EnoCean or KNX depending on the version of the device. Continue reading “Analyzing yet another Smart Home device”
This is the second entry in our research diary on IP cameras. If you haven’t done so yet, you should read the first entry in advance. This time we focused more on analysis and exploitation.
Another entry vector
After running a vulnerability scan on both devices, it was revealed that the M1033 has multiple buffer overflow vulnerabilities (CVE-2012-5958 to CVE-2012-5965), which are readily exploitable via Metasploit. This gave us another shell (in addition to the root shell mentioned in the last post), though this time it was not a root shell. By using the find command, we searched for executables having the setuid or setgid bit set. We hoped to use one of those to escalate privileges. To do so yourself add the parameter -perm -4000 to find and it will search for files having the setuid bit set. If you try that on your own unix-like device, for example it should yield /bin/passwd which is perfectly reasonable as you’re able to change your password without being root.
As you probably know we perform research on a regular basis at ERNW. This post is the first entry on our – Benjamin’s and Pascal’s – research diary. You might already have seen Oliver’s post on setting up an research environment or Brian’s posts on IoT botnets (here and here). With that in mind we want to take a look at one of the market leaders for network camera equipment: AXIS.
just recently i bought a wireless plug on Amazon with the main use of controlling my coffee machine with an app. The installation of the wireless plug was quite easy and only requires me to set my Wifi SSID and my passphrase – that’s it. But what happened behind the scenes? I visited the control interface of my router and saw that along with the other devices there was a new one with the network name HF-LPB100 and a local IP address in my case 192.168.0.235. First of all i wondered about the name itself, but ignored that and kept on looking for open ports.
How to provide updates to IoT devices – yes, I’m aware this might be a overly broad generalization for many different devices – has been the topic of many discussions in the last years (for those interested the papers from the “Internet of Things Software Update Workshop (IoTSU)” might be a good starting point).
Given Matthias and I will moderate the respective session at tomorrow’s IoT Insight Summit I started writing down some points that we consider relevant in this context.
Today Kevin and I had the pleasure to to present at the German 15. Cyber-Sicherheits-Tag in Berlin which is organized by the Alliance for Cyber Security. This iteration covered security aspects of the Internet of Things and we enjoyed some great conversations. The presentations were limited to ten slides and can be found here:
The newest addition to ERNW, ERNW Insight which now hosts TROOPERS, is launching a new concept this year. Based on the successful TROOPERS Roundtable sessions, ERNW Insight will host a series events every year covering current and relevant topics in the field of IT Security. While the style of the events may vary the in-depth knowledge sharing that you have come to know from TROOPERS will not! Continue reading “IoT Insight Summit November 15, 2016”
Embedded devices often serve as an entry point for an attack on a private or corporate network. The infamous attack on HackingTeam, for example, followed exactly this path as was revealed here. Although the attack may have been for the greater good (refer also to this great keynote), such incidents demonstrate that it is important to properly secure your embedded devices. In a recent blog post, Niklaus presented how he analyzed the security posture of a MAX! Cube LAN Gateway. Moreover, Brian reported a few weeks ago on the security posture of IoT devices (and in particular on one of his cameras). With this post I would like to share my experiences with analyzing another embedded device: the IC-3116W IP camera by Edimax. Continue reading “Setting up a Research Environment for IP Cameras”
I suppose there are many people out there who want to achieve a greater good, fight evil corp and “show those guys”. So why not set a statement and become part of a botnet? #Irony!!! Of course I suppose (hope) that none of you actually want to be part of something like an IoT botnet, but joining could in theory be dead easy. So quite a while back I bought a dead cheap WiFi camera for use at home. It was kind of just as insecure as I had expected, so it got it’s own VLAN and stuff and here is why….