Security and the Internet of Things (IoT)
TRANSCRIPT
About Me
● Solutions integrator at Jumping Bean
– Developer & Trainer: Certified Ethical Hacker, Java, JBoss, Alfresco
– Technologies: Java, HTML5/JavaScript, Linux
Why IoT and Security?
Several factors came together:
1) Needed a plan for the next big thing,
2) Needed a CCTV solution for the office,
3) Needed it to be fun and interesting to talk about
My 3 Step “StartUp” Plan
Step 1: Find something to do with:
– Cloud,
– Internet of Things,
– Security &
– Big Data
Step 3: Profit!
The CCTV Project Plan
1) Research CCTV cameras,
2) Buy some cameras,
3) Install cameras,
4) Use ZoneMinder,
5) Profit!
● Lots of cheap CCTV camera solutions out there,
● 4 – 8 channels with DVR,
● Everything comes in one kit
● Pros
– “Hassle free”
– No compatibility issues
– Cheap
● Cons
– No ZoneMinder!
– Lock in, no source
– Not easily hackable
Analogue vs IP Cameras
Analogue Cameras
● Pros
– Cheap,
● Cons
– Low resolution,
– Wall wart power supply,
– Need video capture card
IP Cameras
● Pros
– Use PoE,
– High resolution 1080p,
– No capture card
● Cons
– Expensive,
– Requires PoE switch
Test Cameras
● Securi Pro – Analogue
● Planet Dome – IP
● ImpactVCB – Video Capture Card
Installation
● Didn't die figuring out the live and neutral wire!
● Internet said the black wire is always live. What does the internet know!
● Chose the red wire
● I was right!
Use ZoneMinder
● Trouble free install on Ubuntu,
● Analogue camera just worked,
● IP camera – needed to figure out the undocumented stream URL
Profit!
Open Source Wins (again)
– ZoneMinder expandable,
– Configurable,
– Hackable,
– Source available
– ZoneMinder is awesome
Analogue Cameras:
– Good for external cameras. Who wants an ethernet cable dangling outside the office?
IP Cameras:
– Bit of a nightmare
– Undocumented,
– Insecure
● Planet Hardware
● Atrocious, i.e. no documentation and really bad firmware (wasn't surprised.)
● Browser app required ActiveX!
● Yay for Windows XP VM – used for tax and other unsavoury purposes.
● No documentation for stream URL!
● Nada in web UI :(
● Nada on the interwebs :`(
What to do?
● DuckDuckGo!
● Run nmap and see what's open!
● DuckDuckGo
● There is a standards body that develops a remote camera control API (ONVIF). Yay!
● It's a SOAP based service :(
● Planet claimed compliance. Yay!
● Nmap – scary results
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
8080/tcp open Http-alt
16000/tcp open fmsas
68/udp open|filtered DHCP
3702/udp open|filtered WS-Discovery
5060/udp open|filtered SIP
● 23 – Telnet – Can't access, shows login prompt,
● 8080 – HTTP-Alt – Query to port 8080 with SOAP browser plugin responds with WSDL!
● 5060 – SIP – ?
● Banner grabbing – running ancient Boa HTTP server. As of January 2006, Boa has the following limitations:
– No access control features (HTTP Basic access authentication, etc.)
– No chroot option (planned)
– No Server Side Includes (deemed incompatible with server performance goals)
– No SSL support although there are some patches against 0.94.13 that introduce SSL support
● ONVIF has different profiles for functionality
● Got security designed in up-front
● Planet implementation:
– No SSL,
– No password to query web service,
– Handy web method GetUsers → returns users and plain text passwords,
– Got RTSP URL with GetStreamURI. YAY!
– RTSP stream not encrypted!
– No account lockout
How to Fix?
● Put DVR on own non-routable network or VLAN,
● Don't use externally
WOW – Scary Stuff!
Is it just Planet?
● Vivotek Dome IP Camera
– Has Wifi,
– Supports ONVIF,
– Supports PoE
● HikVision Dome IP Camera
– Supports ONVIF,
– Supports PoE,
– Supports Wifi
22/tcp open ssh
80/tcp open http
554/tcp open rtsp
8000/tcp open unknown (uPnP)?
8200/tcp open Unknown (uPnP)?
3702/udp open|filtered ws-discovery
5353/udp open Multicast DNS
● Hikvision – The Good
– Web interface supports SSL,
– ONVIF web service protected by basic auth,
– Can upload SSL certificate,
– Can disable uPnP
● The Bad
– Supports a cloud service,
– Supports PPPoE,
– Supports Wifi,
– Supports FTP – built-in SD card slot for recording,
– uPnP on by default,
– No SSL by default,
– Stream not encrypted!
– No account lockout
● The Ugly
– Huge attack surface for a device directly exposed to the internet
– Mobile app
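As an added defender-side example (not from the talk or from either vendor), here is a small Python script that parses nmap port listings like the two above, using the talk's own scan results as constructed input, and maps each open port to the mitigation the talk discusses; the port-to-risk mapping is the example's own assumption.

```python
import re
# Constructed sample input: the two port listings reported in the talk (Planet dome, Hikvision dome).
PLANET_SCAN = """\
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
8080/tcp open http-alt
16000/tcp open fmsas
68/udp open|filtered dhcp
3702/udp open|filtered ws-discovery
5060/udp open|filtered sip"""
HIKVISION_SCAN = """\
22/tcp open ssh
80/tcp open http
554/tcp open rtsp
8000/tcp open unknown
8200/tcp open unknown
3702/udp open|filtered ws-discovery
5353/udp open mdns"""
# Findings the talk singles out on a camera, keyed by port; this mapping is the example's own.
RISKY = {
    ("tcp", 23):   "telnet: cleartext login, disable it or firewall it off",
    ("tcp", 80):   "http: web UI and ONVIF in the clear, enable SSL and keep on a management VLAN",
    ("tcp", 554):  "rtsp: video stream is unencrypted, keep on a non-routable network",
    ("tcp", 8080): "http-alt: ONVIF SOAP endpoint, verify it requires authentication",
    ("udp", 3702): "ws-discovery: device discovery, block at the VLAN boundary",
    ("udp", 5060): "sip: unexpected on a camera, disable if unused",
}
LINE_RE = re.compile(r"^\s*(\d+)/(tcp|udp)\s+(open(?:\|filtered)?|filtered|closed)\s+(\S+)")

def parse_nmap(text):
    """Return (port, proto, state, service) tuples for every parseable nmap line."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(int(m[1]), m[2], m[3], m[4]) for m in matches if m]

def assess(text):
    """Map each open or open|filtered port to a finding; ports not in RISKY get 'review'."""
    findings = {}
    for port, proto, state, service in parse_nmap(text):
        if state.startswith("open"):
            findings[(proto, port)] = RISKY.get((proto, port), f"{service}: review, not covered in the talk")
    return findings

if __name__ == "__main__":
    for name, scan in (("Planet", PLANET_SCAN), ("Hikvision", HIKVISION_SCAN)):
        print(f"== {name} ==")
        for (proto, port), note in sorted(assess(scan).items()):
            print(f"{port}/{proto}: {note}")
```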
OWASP Top 10 IoT Project
● WWW: www.JumpingBean.co.za
● Twitter: @JumpingBeanSA
● Trainings:
– Certified Ethical Hacker Training
– JBoss Training