Security Penetration Through IoT Vulnerabilities

By Troy Mattessich, Raymond Fradella, and Arsh Tavi

Contribution Distribution

Arsh Tavi: Conducted research and compiled the report while ensuring integrity of results
Troy Mattessich: Obtained research equipment and conducted video and audio editing for the demonstration
Raymond Fradella: Conducted the exploitation for the demonstration and collected data for the report
Table of Contents

I. Abstract
II. Preliminaries
III. Problem Description
IV. Acquiring Access
V. Reconnaissance
VI. Exploitation
VII. Conclusion
VIII. References
Abstract

Exploitation of nodes in a network will be done through a weak point in the network: a device that has privileges in the network but low security. Through that device, other hosts will be compromised using initial reconnaissance followed by social engineering, which will establish a tunnel for remote access.

Preliminaries

Internet of Things (IoT) devices are small networked devices that are integrated into modern products that can use network connectivity. File Transfer Protocol (FTP) servers are used to directly transfer files to any connected users. Telnet is used for remote access to a terminal for command execution. A wireless evil twin is a surface copy of a wireless access point that captures traffic and relays it to the real router.

Problem Description

Many unpatched IoT devices allow otherwise secure networks to become compromised, as these devices lack security. Common IoT devices with vulnerabilities are IP cameras and baby monitors. These vulnerabilities are due to improper coding and weak encryption algorithms. This paper focuses on expanding access to connected hosts in a secure network.
Acquiring Access

The public IP address is opened in a browser, and an authentication prompt indicates the camera's web interface login. Default credentials are tested, and the AXIS camera is found to be using them: username root and password pass. The initial page shows the camera's live video feed, and the options on the left panel allow the user to change settings.

The exploit affects the following pages: app_params.shtml, app_license_custom.shtml, app_license.shtml, and app_index.shtml. The app value in the HTTP GET request allows remote code execution on the camera's Linux operating system. By inserting a ; as the value of app in its percent-encoded (URL-encoded) form, %3B, with app=%3b as the basic example, any command that follows is executed as root. As root, the attacker has unrestricted access to the file system and can run commands that change how the device operates. Proper percent-encoding must be used when entering commands in the browser, as certain characters, such as spaces, have to be given in their encoded form, in this case %20.

Reconnaissance

Discovery of attached network nodes is the priority, so the following commands were tried first: nmap, netstat, apt-get, telnet, ifconfig, and ping. After experimentation, only ping and netstat were available, indicating a very stripped-down Linux system. Ping worked on commonly assumed IP addresses, as positive responses were received from 192.168.1.1-192.168.1.5. Netstat did not return connection information consistently: IP addresses were shown during some attempts but not during the majority of them.

Exploitation

As commands such as apt-get, wget, and scp were not available, installing toolkits for wireless or local exploitation was not possible. After an FTP connection was established using the camera's default credentials, it was discovered that the file system was read-only.
This prevented modification of the HTML files for any backdoors or social engineering tactics. It also prevented malicious files, such as bash scripts, from being transferred to the camera. Commands involving formatting or deleting files were not tested, as permanent sabotage was not the objective. A fork bomb (a command that loops forever to drain CPU resources) was attempted; however, the command would not execute. After the iptables command was found to be available, the alternative route of temporary sabotage was taken. The IP addresses discovered during reconnaissance were added to the iptables rules to drop all packets. This allowed the attackers to maintain access to the camera's video feed while the owner was unable to reach the camera. A hard reset returned the iptables rules to their defaults and restored access, which would not raise suspicion, as users may blame the connectivity problem on the network or the hardware rather than on an outsider's attack.

Conclusion

We have shown that AXIS cameras can be exploited and used maliciously. Many IoT devices share the same vulnerabilities and faults as the AXIS camera. Our success shows that you cannot rely on manufacturers to protect you from threats. It is important to use additional security measures, such as changing the default admin account, using a firewall, and keeping an updated antivirus running. There are many ways in which an attacker can infiltrate a system, so it is important to have multiple supplemental security measures and checks. It is also important to make sure that employees are trained on the different types of attacks and prevention techniques.
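As an added defensive check that is not part of the original report: the following Python scans web-server access-log lines for requests to the four pages listed under Acquiring Access whose app parameter decodes to a shell metacharacter such as the ; described there, so that attempts to use this injection leave a detectable trace. The log format (Common Log Format), the addresses, the paths and the sample lines are constructed assumptions, not real AXIS camera logs.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Pages the report names as reachable through the injectable "app" parameter.
VULNERABLE_PAGES = {"app_params.shtml", "app_license_custom.shtml",
                    "app_license.shtml", "app_index.shtml"}

# Shell metacharacters that would let text after the app value run as a command.
SHELL_META = re.compile(r"[;|&`\n]|\$\(")

# Common Log Format line: host ident authuser [time] "request" status bytes.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Constructed sample log lines (addresses, timestamps and paths are made up;
# only the page file name and the app value matter for the check).
SAMPLE_LOG = """\
198.51.100.7 - root [14/Apr/2016:09:12:01 +0000] "GET /view/index.shtml HTTP/1.1" 200 4120
198.51.100.7 - root [14/Apr/2016:09:12:44 +0000] "GET /app_params.shtml?app=%3Bnetstat HTTP/1.1" 200 311
203.0.113.5 - - [14/Apr/2016:09:13:02 +0000] "GET /app_index.shtml?app=viewer HTTP/1.1" 200 980
203.0.113.5 - - [14/Apr/2016:09:13:30 +0000] "GET /app_license.shtml?app=x%253Bping%20192.168.1.1 HTTP/1.1" 200 602
"""

def inspect_request(target):
    """Return the decoded app value when the request matches the injection pattern, else None."""
    parts = urlsplit(target)
    if parts.path.rsplit("/", 1)[-1] not in VULNERABLE_PAGES:
        return None
    # parse_qs already decodes %3B and %20 once; unquote again so a
    # double-encoded payload (%253B -> %3B -> ;) is not missed.
    for value in parse_qs(parts.query, keep_blank_values=True).get("app", []):
        decoded = unquote(value)
        if SHELL_META.search(decoded):
            return decoded
    return None

def scan_log(text):
    """Return (ip, authuser, page, decoded app value) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        decoded = inspect_request(m.group("target")) if m else None
        if decoded is not None:
            page = urlsplit(m.group("target")).path.rsplit("/", 1)[-1]
            hits.append((m.group("ip"), m.group("user"), page, decoded))
    return hits
```

Running scan_log over a real camera access log would flag the second and fourth sample lines; the "root" authuser on a flagged line is the default account the report found in use and is worth alerting on by itself.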
References

Vulnerability Details: CVE-2015-8257. "CVE-2015-8257: The Devtools.sh Script in AXIS Network Cameras Allows Remote Authenticated Users to Execute Arbitrary Commands via Shell," www.cvedetails.com/cve/cve-2015-8257/