Retail POS System compromised through Video Security System

teal credit card digits close-up

I have been harping on the dangers of insecure embedded systems and physical security systems posing a huge security risk for your internal network. Recently I was talking with a Retail Point of Sale (POS) software expert and was told how a POS system was hacked by an attacker that had gained access to the network through a video security system!

It is so simple now, in the name of convenience, to put various devices online by using extremely cheap embedded systems that act as web servers and remote access devices. With the rush to put everything online, called the “Internet of Things”, security is massively taking a back seat.

I particularly find it hard to believe that physical security devices meant to protect your building or premises from a physical attacker are being made with old, outdated or even wide open online services that will allow an electronic attacker full access.

Even heating and air conditioning system could be targeted by hackers. The Target hack from recent memory was made possible by hackers stealing login information from an HVAC system.

HP recently released a study on the Internet of things and found:

HP Internet of Things

Analyzed device included:
  • Televisions
  • Webcams
  • Home thermostats
  • Remote power outlets
  • Sprinkler controllers
  • Hubs for controlling multiple devices
  • Door locks
  • Home alarms
  • Scales and garage door openers

Sadly many of these insecure devices can be found worldwide using Google and Shodan searches.

I personally have seen a video security system that used a short lower case letter password for admin access to it’s Telnet interface! With further research I found that the company had been notified of the issue years ago and never rectified the situation. New devices are still being made by this manufacturer with the weak password that is publicly posted on the internet!

It is time that the Internet of Things is held to the same security standards as the rest of the computer world. But until manufacturers begin to care about YOUR security or regulations are put into place, I don’t see this problem going away anytime soon, in fact it is going to get much, much worse.

In the mean time, business owners need to add physical security and “Internet of Things” type devices to their list of systems that need to be scanned for security issues.

Advertisements

Wide Open “Online Enabled” Physical Security Devices

Embedded Device Security

Online enabled devices or the “Internet of Things” as it is now being called is all the rage. Take that fancy hardware gizmo, add an embedded web server and blamo you can view and control it from anywhere in the world – What a great idea! But sadly with the mad rush to make things more user friendly and convenient, security is being left aside, even in devices that are being used to protect facilities!

Physical security devices are used to help secure important buildings, rooms, data or material. These hardware devices along with security personnel help defend a company from thieves & trespassers, and also protects employees, equipment and data.

These items include:

  • Motion detectors
  • Windows & door alarms
  • Smoke & fire detectors
  • Security cameras
  • Electronic locks

With the convenience of the internet and mobile devices, it just makes sense to give these devices an online interface so that they can be more easily monitored by reduced security staff, small business owners that are out of the office, or home owners that are away on vacation.

But what if these devices themselves were not secure? Worse, what if these devices themselves were a security threat to your network?

I recently ran into a very feature rich physical security device and to boot it was internet enabled so it could be monitored from anywhere or from any smart device. Just having this thing at your facility gave you the warm fuzzies. But with a little research I found that the device wasn’t that secure at all.

The device was being run on a Local Area Network (LAN), but the manufacturer recommended that the device be allowed outside your firewall so it could be monitored from anywhere via smart devices. And why not, it had all the surface hallmarks of security. Layers of passwords were needed to access the device, and you could even set up account access allowing some users guest viewing privileges and various levels of configuration access to manager or admin level employees.

This item seemed very secure, and why wouldn’t it be? It was a physical security device, it must also have very strong online protection. But a quick pentest of the device (took about 15 minutes) painted a totally different picture.

To test it, I first ran a standard nmap probe against the device and found that it had several open ports. A couple common ports and several high level ports were open. That partially made sense, it would need some open to be able to be monitored and configured over the web. But the sheer number of open ports just didn’t seem right.

I then ran a more indepth nmap scan to determine what software and version numbers were running on the open ports:

nmap -v -A 192.168.1.130

From the returns, I could see that the device was running some pretty standard services.

I picked the Telnet server software name and version that nmap displayed and did a quick Google search for exploits.

Low and behold the Telnet server on this manufacturer’s device seemed to have used the same default password on all devices at one time. The post even listed the default password. But this article was from 2012, there is no way that brand new devices would still use this password, or would it?

To be sure, I tried to connect to the Telnet service on the device using Netcat and the default password that I found. From a Kali Linux terminal prompt I started Netcat with the IP address and port of the device:

nc 192.168.1.130 23

It then prompted me for the username and password.

host login: root
Password: ******

I then received this:

BusyBox built-in shell
Enter ‘help’ for a list of built-in commands.

~ #

Typing “help” returned this screen:

netcat embedded server

A quick “whoami” command tells us all we really need to know:

netcat embedded root

We have “root” or god level access rights to the device.

Nice…

The password the manufacturer used to protect the root level account was not only publicly available, it was also a short simply password, under 6 characters, and all lowercase letters! Just imagine if this “Physical Security Device” was allowed outside our firewall?

A quick view of the device password file (cat /etc/password) showed that the developer created over 40 usernames(!), what is the chance that they used simple passwords for all of the other users too? Worse yet, they were notified about the root password being publicly displayed over two years ago and still haven’t rectified the issue.

All embedded or online enabled devices must be tested for basic security compliance along with your workstations, software and servers. With the rush to make everything “online enabled”, basic security practices are being brushed aside in the name of convenience… or maybe even incompetence.

To learn more about basic security check out the book, “Basic Security Testing with Kali Linux“.