September 29, 2010
This article was contributed by Koen Vervloesem
On September 24 and 25, the community-oriented security conference BruCON made its second appearance in Brussels. Just like last year, the organizers succeeded in gathering a diverse mix of presentation topics and speakers: from overview talks about GSM security, mobile malware and social engineering, to highly technical talks about how to find backdoors in code, mapping the "malicious web", and analyzing malicious PDF files.
Paul Asadoorian, who is currently Product Evangelist for Tenable Network
Security (the creators of the vulnerability scanning program Nessus), gave a talk with the
provocative title "Embedded System Hacking and My Plot To Take Over
The World" (slides
[PDF]). His premise is simple: we depend on more and more
embedded systems in our daily lives, and because security is largely an afterthought for embedded systems manufacturers, these systems can be used to take over the world.
Indeed, each time we use our home network, print a document, watch a
DVD, and so on, there's an embedded system involved. Because these are
mass-produced products that have to be manufactured as cheaply as possible,
many manufacturers only think about security after the device has been
designed—if they think about it at all. This makes embedded systems
an attractive vehicle for mounting a large-scale attack on world-wide
society. In his talk, Paul looked at some common vulnerabilities in
embedded systems, how you can find these vulnerable systems, and what you
could gain by exploiting them. His message to device manufacturers was
clear: fix this, because the problem is huge!
Before you read further, an obvious warning: much of what Paul suggests may
be illegal in some jurisdictions. These are just examples to point out what
criminals could do. Don't try this at home unless you are sure you know
what you're doing.
How to take over the world
What do you need to take over the world? According to Paul, three
things: money, power, and stealth. First, money is needed to get resources,
for buying weapons, paying armies, and so on. So how can embedded systems
help you to make money? By exploiting devices that have the user's credit
card linked to them, such as an entertainment system or a video game
console. Another possibility is to break into the user's router and snoop on the network traffic: by harvesting passwords for online banking, PayPal, or eBay accounts, an attacker gets at the user's money. Sensitive documents that the user prints or faxes pass through an embedded system too.
Second, embedded systems can also be used to influence and control
people, or in other words: gain power. For starters, just think about the
adage "information = power": by sniffing people's networks and manipulating
what the users see, you have a lot of control over their online life. Just
by manipulating a single router, you may be able to influence multiple
computers. But it goes even further: embedded systems are integral to many
important services, like the power grid, water utilities, and so on. It
doesn't take much inspiration to come up with some nasty attack
scenarios. Paul referred to research from Josh Wright and Travis Goodspeed along with the paper Advanced Metering Infrastructure Attack Methodology [PDF] from Inguardians.
The third essential element for world domination is stealth: even if you have all the money and power, people will stop you as soon as they know your plans, so your plan is doomed if you don't work in stealth mode. According to Paul, embedded systems are perfect for this purpose:
No one pays attention to embedded systems until they are broken, because no one is interacting with them directly, e.g. with a keyboard and mouse. I have even encountered people who didn't know where their router was when I asked them about it: they didn't even know what a router is.
Combine this practical invisibility with the fact that device vendors
focus on profit and leave out security to save resources, and you have an
explosive cocktail: a lot of unnoticed vulnerabilities, ready to be
exploited, but hidden from view.
Millions of vulnerable devices
The challenge is then to find all these vulnerable devices. Paul says: "Most of the vulnerabilities in embedded systems go unnoticed for a long time because everyone looking for them has just a couple of devices." The internet itself is the place to look. Paul showed the web site WiGLE (Wireless Geographic Logging Engine), which collects statistics about wireless networks; anyone who practices wardriving can contribute their data to it.
The interesting thing is that you can use the statistics on WiGLE to select possible targets. You can see which are the most popular vendors, and use this information to find vulnerabilities in routers of these vendors to maximize the damage. For example, the statistics show that Linksys is the most popular wireless router vendor, with 10.5% of the routers, or more than 2.7 million routers in the WiGLE database. All these routers are also drawn on a map. Just look up your home town to see how many routers there are in your neighborhood, and take into account that many of them are vulnerable to some attack.
And vulnerable they are. Paul pointed to a 2009 study in which researchers
from the Columbia University Intrusion Detection Systems Lab scanned the
internet and found nearly 21,000 routers, webcams, and VoIP products whose
administrative web interface was reachable from anywhere on the internet and
still protected only by the default password. Linksys routers had the highest percentage of vulnerable devices in the United States: 45 percent of the 2,729 accessible Linksys routers still had the manufacturer's default administrative password. An attacker who finds such a router can do anything with it, including changing its DNS settings (and thereby redirecting every client behind it) or reflashing the firmware.
The researchers have provided ISPs with their findings, in the hope that
they would do something to protect their vulnerable customers, e.g. stop
providing these devices with a default password and an administrative interface that is publicly accessible. But in general, ISPs are not responsive to these kinds of vulnerabilities.
How to find vulnerable devices
So there are a lot of vulnerable routers out there, but how do you find
them? Paul gave some tips. First, just use Google: find the popular ISPs
that hand out cable modem routers to their customers, and work out which
models they ship. Then use the ARIN (American Registry for Internet
Numbers) whois database to discover the IP address ranges assigned to those
ISPs. After that, run the port scanner Nmap over those ranges to find every host with TCP port 80 open, and grab the HTTP banner (the Server: header, for instance) to identify the device behind it.
Of course scanning big IP address ranges is slow, even when limited to a single port, but with the right tuning of Nmap's parameters (skipping host discovery and reverse DNS, for example) it is doable: Paul showed a scan of half a million IP addresses that took 2.7 hours and one of 2.2 million IP addresses that took 37.5 hours. You can then poke through the results by hand, or write a script to find vulnerable devices, exploit them, or upload custom configurations and firmware.
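The "write a script" step, as an added example that is not code from Paul's talk or from Nmap: it reads an Nmap XML report, keeps the hosts whose port 80 is actually open, and matches the Server: header (collected with Nmap's http-server-header script) against a short, illustrative list of HTTP servers commonly compiled into consumer firmware. The report embedded below is constructed for this example, and the fingerprint list is an assumption for illustration, not a vendor-verified table.

```python
"""Triage an Nmap XML report for hosts whose web interface is exposed.

Added example, not code from Paul's talk or from Nmap. It assumes a scan
run roughly as

    nmap -n -Pn -p80 --open --max-retries 1 --script http-server-header \
         -oX scan.xml <ranges from the ARIN lookup>

and reads the resulting XML.
"""
import xml.etree.ElementTree as ET

# Constructed sample report: four hosts, three with port 80 open.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -n -Pn -p80 --open --script http-server-header">
  <host><status state="up"/>
    <address addr="198.51.100.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack"/>
      <service name="http"/>
      <script id="http-server-header" output="Apache/2.2.9"/>
    </port></ports></host>
  <host><status state="up"/>
    <address addr="198.51.100.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80">
      <state state="closed" reason="reset"/>
    </port></ports></host>
  <host><status state="up"/>
    <address addr="198.51.100.12" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack"/>
      <service name="http" product="Boa HTTPd" version="0.94.14rc21"/>
      <script id="http-server-header" output="Boa/0.94.14rc21"/>
    </port></ports></host>
  <host><status state="up"/>
    <address addr="198.51.100.13" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="80">
      <state state="open" reason="syn-ack"/>
      <service name="http"/>
      <script id="http-server-header" output="RomPager/4.07 UPnP/1.0"/>
    </port></ports></host>
</nmaprun>
"""

# Illustrative list (an assumption, not a verified table) of small HTTP
# servers that turn up in the Server: header of embedded devices.
EMBEDDED_SERVER_HINTS = ("boa", "rompager", "goahead", "micro_httpd",
                         "mini_httpd", "thttpd")


def open_web_hosts(xml_text, port="80"):
    """Return [(ip, server_banner)] for hosts where tcp/`port` is open."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for p in host.iter("port"):
            if p.get("portid") != port or p.get("protocol") != "tcp":
                continue
            state = p.find("state")
            if state is None or state.get("state") != "open":
                continue
            script = p.find("script[@id='http-server-header']")
            banner = script.get("output", "") if script is not None else ""
            found.append((addr.get("addr"), banner))
    return found


def classify(banner):
    """Name the embedded server family a banner matches, or 'unknown'."""
    lowered = banner.lower()
    for hint in EMBEDDED_SERVER_HINTS:
        if hint in lowered:
            return hint
    return "unknown"


def triage(xml_text):
    """[(ip, banner, family)] for every open web interface in the report."""
    return [(ip, banner, classify(banner)) for ip, banner in open_web_hosts(xml_text)]


if __name__ == "__main__":
    for ip, banner, family in triage(SAMPLE_XML):
        print("%-16s %-10s %s" % (ip, family, banner))
```

The closed port on 198.51.100.11 is dropped even though Nmap listed the host; only the "open" state counts, and the two embedded servers (Boa and RomPager) come out tagged while the Apache host stays "unknown" for manual review.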
It's not always necessary to scan a whole IP address range to find
devices. NTP can be used to identify them, as Metasploit creator HD Moore
has shown. The monlist command is an NTP mode 7 ("private") query that
returns the addresses of the clients the server has seen most recently (up
to 600 of them), so it only works against servers that still answer mode 7
requests. Executing:
ntpdc -c monlist <ntpserver>
gives the list of recent clients of that server. Querying Apple's NTP server, for example, returns a list of Apple devices.
Paul also gave the example of Netgear routers that were shipped in 2003
with a hardcoded NTP server address. The firmware was eventually fixed, but
running HD Moore's trick against that particular NTP server still turns up Netgear routers that query it and thus never received the fix. That's an easy way to find outdated routers, which probably carry a lot of other vulnerabilities. The open source penetration testing framework Metasploit includes a scanner module that automates this monlist query.
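What the monlist trick does on the wire, as an added example that is not code from Paul's talk, from ntpdc or from Metasploit: it builds the NTP mode 7 MON_GETLIST_1 request (the eight bytes ntpdc sends) and parses the reply datagrams into the client list that the Apple and Netgear examples above rely on. The reply used for the sample run is constructed for this example; a real server spreads up to 600 entries over several datagrams and sets the "more" bit on every datagram but the last.

```python
"""What `ntpdc -c monlist` sends, and how to read what comes back.

Added example, not code from Paul's talk, from ntpdc or from Metasploit.
The SAMPLE_REPLY below is constructed; query_monlist() talks to a real
server and is only there to show how the pieces fit together.
"""
import socket
import struct

MODE7_REQUEST = 0x17        # response=0, more=0, version=2, mode=7
IMPL_XNTPD = 3              # implementation number ntpdc uses
REQ_MON_GETLIST_1 = 42      # request code for the monlist variant ntpdc tries first
ITEM_SIZE = 72              # sizeof(struct info_monitor_1) in ntpd's ntp_request.h


def build_monlist_request():
    """The 8-byte header is the entire request; no data follows it."""
    return bytes([MODE7_REQUEST, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0, 0, 0])


def parse_monlist_reply(datagram):
    """Parse one reply datagram into (more, [(client_ip, count, mode, version)]).

    `more` is True when the server flagged further datagrams for this reply;
    `count` is how many packets the server has seen from that client.
    """
    if len(datagram) < 8:
        raise ValueError("short datagram")
    b0, _seq, _impl, req, err_count, mbz_size = struct.unpack("!BBBBHH", datagram[:8])
    if not (b0 & 0x80) or (b0 & 0x07) != 7:
        raise ValueError("not a mode 7 response")
    if req != REQ_MON_GETLIST_1:
        raise ValueError("unexpected request code %d" % req)
    err, count = err_count >> 12, err_count & 0x0FFF
    if err:
        # Non-zero: the server refused (unsupported, restricted, or no data).
        raise ValueError("server returned error code %d" % err)
    size = mbz_size & 0x0FFF
    if size != ITEM_SIZE:
        raise ValueError("unexpected item size %d" % size)
    if len(datagram) < 8 + count * size:
        raise ValueError("truncated datagram")
    clients = []
    for i in range(count):
        item = datagram[8 + i * size: 8 + (i + 1) * size]
        # lasttime, firsttime, restr, count, addr, daddr, flags, port, mode, version, v6_flag
        fields = struct.unpack("!IIIIIIIHBBI", item[:36])
        pkt_count, mode, version, v6_flag = fields[3], fields[8], fields[9], fields[10]
        if v6_flag:
            ip = socket.inet_ntop(socket.AF_INET6, item[40:56])  # addr6 after a pad word
        else:
            ip = socket.inet_ntoa(item[16:20])                   # addr, network byte order
        clients.append((ip, pkt_count, mode, version))
    return bool(b0 & 0x40), clients


def query_monlist(server, timeout=3.0):
    """Send the request to a live server (UDP/123) and collect every reply datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    clients = []
    try:
        sock.sendto(build_monlist_request(), (server, 123))
        more = True
        while more:
            data, _ = sock.recvfrom(4096)
            more, part = parse_monlist_reply(data)
            clients.extend(part)
    finally:
        sock.close()
    return clients


def _sample_item(ipv4, pkt_count, mode=3, version=4):
    """Constructed 72-byte info_monitor_1 entry; only the fields read above matter."""
    return (struct.pack("!IIII", 100, 50, 0, pkt_count) + socket.inet_aton(ipv4)
            + struct.pack("!IIHBBII", 0, 0, 123, mode, version, 0, 0) + bytes(32))


# Constructed reply: response bit set, no "more" bit, two 72-byte entries.
SAMPLE_REPLY = (struct.pack("!BBBBHH", 0x97, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 2, ITEM_SIZE)
                + _sample_item("203.0.113.5", 17) + _sample_item("203.0.113.9", 1))

if __name__ == "__main__":
    print(parse_monlist_reply(SAMPLE_REPLY))
```

The Netgear hunt is then a matter of running query_monlist() against the server the old firmware had hardcoded and keeping the returned addresses; the per-client mode and packet count help separate real NTP clients (mode 3) from other people's monlist probes.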
Or you can brute-force DNS subdomains. Paul referred to a method to hunt
for Linksys IP cameras on the net. Some IP cameras register under dynamic
DNS names, and with the tool dnsmap an attacker can brute-force the
subdomains of such a service to discover them. Of course this can be
combined with an automatic check for default credentials or for a video
stream that can be viewed anonymously.
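The brute-force step, as an added example that is not dnsmap's code and not from Paul's talk: it walks a wordlist under a domain, resolves each candidate, and first probes a random label so that a wildcard record (every name resolving to the same address) is not mistaken for thousands of cameras. The resolver is injected so the run below works offline against a constructed table; the domain, wordlist and addresses are placeholders, not a real camera-hunting list.

```python
"""Brute-force hostnames under a dynamic-DNS domain, dnsmap-style.

Added example, not dnsmap's code and not from Paul's talk. Pass
resolve_live to brute_force() to use the system resolver; the sample
zone and wordlist below are constructed for this example.
"""
import socket
import uuid


def resolve_live(name):
    """System resolver: the IPv4 string, or None on NXDOMAIN or failure."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def detect_wildcard(domain, resolve):
    """Resolve a random label: if it answers, the zone has a wildcard record."""
    probe = "%s.%s" % (uuid.uuid4().hex[:12], domain)
    return resolve(probe)


def brute_force(domain, words, resolve=resolve_live):
    """Return {hostname: ip} for labels that resolve, minus wildcard noise."""
    wildcard_ip = detect_wildcard(domain, resolve)
    hits = {}
    for word in words:
        name = "%s.%s" % (word, domain)
        ip = resolve(name)
        if ip is None or ip == wildcard_ip:
            continue
        hits[name] = ip
    return hits


# Constructed sample zone standing in for the DNS (placeholder names).
SAMPLE_ZONE = {
    "cam1.example.net": "192.0.2.10",
    "frontdoor.example.net": "192.0.2.11",
}


def resolve_sample(name):
    """Resolver over SAMPLE_ZONE with no wildcard."""
    return SAMPLE_ZONE.get(name)


def resolve_wildcard(name):
    """Same zone, but every other name under example.net answers 192.0.2.1."""
    if name in SAMPLE_ZONE:
        return SAMPLE_ZONE[name]
    return "192.0.2.1" if name.endswith(".example.net") else None


WORDS = ["cam", "cam1", "cam2", "frontdoor", "garage", "www"]

if __name__ == "__main__":
    print(brute_force("example.net", WORDS, resolve_sample))
    print(brute_force("example.net", WORDS, resolve_wildcard))
```

Both runs return the same two hosts: without the wildcard probe, the second resolver would have reported all six words as live cameras.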
Another interesting resource is SHODAN, a search engine for computers rather than web pages: you can search for hosts running specific software, and filter by geographic location. If you want to attack the internet infrastructure of a specific country, this is the place to begin your search. Google is also useful for this purpose: query for strings (page titles, form labels, error messages) that are unique to a target device's web interface.
Example vulnerabilities
For the rest of the talk, Paul ran through a lot of example vulnerabilities he has encountered and how easy it is to exploit them. For example, too many wireless routers have just default, weak, or even missing passwords. Paul even found a Zyxel router that had the password already filled in on the publicly accessible web interface. He only had to click "Login" to gain administrative access.
Paul also found some publicly accessible multifunction printers that didn't use authentication. He showed how he got access to the printed documents on a Lanier printer: he could download all documents that were printed recently, without any authentication. The type of espionage enabled by this vulnerability is perfect for social engineering purposes: he found the person's name, company, department, what applications he runs, and so on. The same printer allowed anyone to copy data from an SD card that is accidentally left in the SD card slot.
HP scanners were especially nasty: their webscan feature is turned on by default with no security whatsoever, so anyone can trigger a scan of a confidential document left on the glass and retrieve the image through a web browser, because the URLs of scanned documents are completely predictable. This is a perfect tool for corporate espionage.
More recently, HD Moore discovered several flaws in the VxWorks embedded
operating system, among them a debug agent left listening on production
devices, scanned 3.1 billion IP addresses and found 250,000 vulnerable
systems reachable on the internet. And then there's the DNS rebinding
attack that Craig Heffner demonstrated against several routers, which lets
a malicious web page reach the administrative interface from inside the
victim's own browser, bypassing the "not reachable from the internet"
assumption entirely.
Luckily, some vendors are learning from their vulnerabilities. The setup
program of the Linksys WET610N wireless bridge forces the user to change
the default password "admin" to something different at the first login.
However, Paul's happiness ended quickly when the next screen recommended saving the new password in a text file.
How to fix this
Paul didn't talk about all these security exploits to spoon-feed the bad
guys. He wants to convince embedded systems vendors to create safer
devices. They could start by implementing some elementary, but too often
ignored, security measures: don't ship a default password ("Why does the
concept of a default password even exist?") but force the user to choose
one at first login, let the user disable protocols they don't need, and
enable only secure management protocols like HTTPS and SSH by default.
Moreover, Paul wants ISPs to block inbound port 80 to customer devices, even though that makes it hard for anyone wanting to run a web server at home, and to take responsibility for keeping their users' devices secure.
To raise awareness about obvious security failures and to try to change
the industry to implement better security on devices, Paul has started the
website www.securityfail.com,
which is a public wiki where people can point out the ways in which their devices are not secure. It's a promising initiative, but your author fears that this is not sufficient to change the industry: as Bruce Schneier has been saying for years, vendors will not improve their software's security until it is in their financial interest. A wiki will not change that, so it looks like we'll remain in the situation where anyone with enough dedication can take over the world.