Wide Open “Online Enabled” Physical Security Devices

Embedded Device Security

Online enabled devices, or the “Internet of Things” as it is now being called, are all the rage. Take that fancy hardware gizmo, add an embedded web server and blamo you can view and control it from anywhere in the world – What a great idea! But sadly with the mad rush to make things more user friendly and convenient, security is being left aside, even in devices that are being used to protect facilities!

Physical security devices are used to help secure important buildings, rooms, data or material. These hardware devices, along with security personnel, help defend a company from thieves & trespassers, and also protect employees, equipment and data.

These items include:

  • Motion detectors
  • Windows & door alarms
  • Smoke & fire detectors
  • Security cameras
  • Electronic locks

With the convenience of the internet and mobile devices, it just makes sense to give these devices an online interface so that they can be more easily monitored by reduced security staff, small business owners that are out of the office, or home owners that are away on vacation.

But what if these devices themselves were not secure? Worse, what if these devices themselves were a security threat to your network?

I recently ran into a very feature rich physical security device and to boot it was internet enabled so it could be monitored from anywhere or from any smart device. Just having this thing at your facility gave you the warm fuzzies. But with a little research I found that the device wasn’t that secure at all.

The device was being run on a Local Area Network (LAN), but the manufacturer recommended that the device be allowed outside your firewall so it could be monitored from anywhere via smart devices. And why not, it had all the surface hallmarks of security. Layers of passwords were needed to access the device, and you could even set up account access allowing some users guest viewing privileges and various levels of configuration access to manager or admin level employees.

This item seemed very secure, and why wouldn’t it be? It was a physical security device, it must also have very strong online protection. But a quick pentest of the device (took about 15 minutes) painted a totally different picture.

To test it, I first ran a standard nmap probe against the device and found that it had several open ports. A couple common ports and several high level ports were open. That partially made sense, it would need some open to be able to be monitored and configured over the web. But the sheer number of open ports just didn’t seem right.

I then ran a more in-depth nmap scan to determine what software and version numbers were running on the open ports:

nmap -v -A 192.168.1.130

From the returns, I could see that the device was running some pretty standard services.
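The same scan can be turned into a repeatable check. The following is an added example, not code from the original post: it parses nmap's grepable output (`-oG`) and flags open ports that are not on a per-device allowlist, plus any cleartext admin service such as Telnet. The sample scan output, the `ALLOWED` baseline and the function names are constructed for illustration.

```python
import re

# Constructed sample in nmap -oG format; services and versions are made up.
SAMPLE_OG = """\
# Nmap scan (constructed sample)
Host: 192.168.1.130 ()\tStatus: Up
Host: 192.168.1.130 ()\tPorts: 23/open/tcp//telnet//BusyBox telnetd/, 80/open/tcp//http//embedded httpd/, 443/closed/tcp//https///, 8000/open/tcp//http-alt///, 49152/open/tcp//unknown///\tIgnored State: filtered (995)
"""

# Assumption: the ports the device owner actually intends to expose.
ALLOWED = {"192.168.1.130": {80}}
# Cleartext remote-admin services that should not be reachable at all.
CLEARTEXT_ADMIN = {"telnet", "ftp", "tftp", "rsh", "rlogin"}

def parse_grepable(text):
    """Return {host: [(port, service, version), ...]} for open ports only."""
    hosts = {}
    for line in text.splitlines():
        m = re.match(r"Host: (\S+) .*?\tPorts: (.*?)(?:\t|$)", line)
        if not m:
            continue  # comment lines and "Status:" lines carry no port list
        host, ports = m.groups()
        for entry in ports.split(", "):
            # -oG fields: port/state/proto/owner/service/rpcinfo/version/
            f = entry.strip().split("/")
            if len(f) >= 7 and f[1] == "open":
                hosts.setdefault(host, []).append((int(f[0]), f[4], f[6]))
    return hosts

def audit(text, allowed=ALLOWED):
    """Return (host, port, issue, service) for every port that needs review."""
    findings = []
    for host, ports in parse_grepable(text).items():
        for port, service, _version in ports:
            if service in CLEARTEXT_ADMIN:
                findings.append((host, port, "cleartext-admin", service))
            elif port not in allowed.get(host, set()):
                findings.append((host, port, "unexpected-open", service))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_OG):
        print(*finding)
```

Run it against the output of `nmap -A -oG scan.txt <device>` after each firmware update and treat any new finding as a change that needs an explanation from the vendor.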

I picked the Telnet server software name and version that nmap displayed and did a quick Google search for exploits.

Lo and behold, the Telnet server on this manufacturer’s device seemed to have used the same default password on all devices at one time. The post even listed the default password. But this article was from 2012; there is no way that brand new devices would still use this password, or would they?

To be sure, I tried to connect to the Telnet service on the device using Netcat and the default password that I found. From a Kali Linux terminal prompt I started Netcat with the IP address and port of the device:

nc 192.168.1.130 23

It then prompted me for the username and password.

host login: root
Password: ******

I then received this:

BusyBox built-in shell
Enter ‘help’ for a list of built-in commands.

~ #

Typing “help” returned this screen:

[Screenshot: netcat embedded server]

A quick “whoami” command tells us all we really need to know:

[Screenshot: netcat embedded root]

We have “root” or god level access rights to the device.

Nice…

The password the manufacturer used to protect the root level account was not only publicly available, it was also a short, simple password, under 6 characters, and all lowercase letters! Just imagine if this “Physical Security Device” was allowed outside our firewall?

A quick view of the device password file (cat /etc/password) showed that the developer created over 40 usernames(!). What is the chance that they used simple passwords for all of the other users too? Worse yet, they were notified about the root password being publicly displayed over two years ago and still haven’t rectified the issue.
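An account list like that can be reviewed systematically when evaluating a device or its firmware image. The following is an added example, not code from the original post: it audits a passwd-format file for accounts with login shells, extra UID 0 accounts, empty passwords, and hashes stored in the world-readable file. The sample file contents (including the hash strings) are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample in passwd(5) format; not taken from the device.
SAMPLE_PASSWD = """\
root:ab3kQ9xYzT1Lw:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/root:/bin/sh
service:$1$Xy12abcd$Q9mC0nstructedHashValue00:500:500::/home/service:/bin/sh
guest::501:501::/home/guest:/bin/sh
nobody:*:99:99::/:/bin/false
"""

NOLOGIN = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}
# Traditional DES crypt: 13 characters, only the first 8 password bytes count.
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

def parse(text):
    """Yield (user, pw_field, uid, shell) for each well-formed entry."""
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and not line.startswith("#"):
            yield parts[0], parts[1], parts[2], parts[6]

def login_accounts(text):
    """Accounts that can obtain a shell over Telnet/SSH/serial."""
    return [u for u, _pw, _uid, shell in parse(text) if shell not in NOLOGIN]

def audit_passwd(text):
    """Return (user, issue) pairs that need fixing before deployment."""
    findings = []
    for user, pw, uid, shell in parse(text):
        if pw == "":
            if shell not in NOLOGIN:
                findings.append((user, "empty-password"))
        elif pw != "x" and not pw.startswith(("*", "!")):
            # A real hash here is readable by every local user and process.
            findings.append((user, "hash-world-readable"))
            if DES_RE.match(pw):
                findings.append((user, "des-crypt"))
            elif pw.startswith("$1$"):
                findings.append((user, "md5-crypt"))
        if uid == "0" and user != "root":
            findings.append((user, "extra-uid0"))
    return findings

if __name__ == "__main__":
    print(len(login_accounts(SAMPLE_PASSWD)), "accounts with a login shell")
    for user, issue in audit_passwd(SAMPLE_PASSWD):
        print(user, issue)
```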

All embedded or online enabled devices must be tested for basic security compliance along with your workstations, software and servers. With the rush to make everything “online enabled”, basic security practices are being brushed aside in the name of convenience… or maybe even incompetence.

To learn more about basic security check out the book, “Basic Security Testing with Kali Linux”.

Chinese Clothes Irons, Coffee Pots and Online Thermostats… That can Hack You…

The BBC covered some interesting news coming out of Russia this week. Apparently Russian hackers put chips inside Chinese made irons and kettles that would hack local networks. This shouldn’t be too shocking as for years security researchers have been warning of the dangers of embedded devices.

Welcome to the new world of computer security!

When is the last time you updated the system patches on your Coffee Pot? Downloaded the latest Anti-Virus for your Thermostat? These may be questions that become common in the next decade. Especially as the push to put everything online climbs and the “Internet of Things” continues to grow.

According to the BBC report, Russian hackers put chips inside Chinese made clothes irons and electric kettles that look for local Wi-Fi networks and then hack them. The devices then spread malware to the systems they find:

“Its correspondent said the hidden devices were mostly being used to spread viruses, by connecting to any computer within a 200m (656ft) radius which were using unprotected Wi-Fi networks.”

Security experts have been talking about the subject for years now. And this exact scenario sounds eerily familiar to a couple recent security conference talks by Daniel Buentello about weaponizing innocuous every day items like Coffee Pots and Thermostats.

In the talks, Buentello mentions the possibility of compromising an online thermostat and using it to hack systems on local networks and infect them with malware. He also explained that the device could be programmed to monitor the compromised computers and re-infect a system in the case someone removed the virus.

And of course the compromised thermostat would be programmed to continue to also act like a normal thermostat to belie its true intention.

Attacks like this are made possible by the use of embedded servers that are being used in these online devices. These chips are basically fully functional (mostly) Linux based servers that are vulnerable to attack just like any other server on the web.

Except that companies normally don’t make Anti-Virus for thermostats…

Sadly now we will need to keep an eye out for firmware updates and security issues for any electronic devices in our homes or companies that connect out to the internet.

It was just a matter of time before hackers started taking advantage of these embedded chips and it seems that Russian hackers may be leading the charge.

And as a twist to what one Reddit commenter mentioned, In Soviet Russia you don’t hack the Coffee Pot, The Coffee Pot hacks you!

Microsoft wants to add Billions of Clients to your Network

That’s the news from Microsoft last week during the Embedded Systems Conference in San José, California. Windows 7 Embedded Standard 7 is now in the RTM stage. This means a whole lot more devices will be available for network connectivity. According to an article on The Register, IT professionals will be ‘blessed’ with the ‘opportunity’ to connect and manage these devices.

“For an IT professional, it’s now becoming critical that you think through how to be able to manage, provision, monitor, and provide security to [embedded] devices just like you do today with a laptop or a PC,” says Kevin Dallas, GM of Microsoft’s embedded unit. “That’s the radical change that is starting to happen, and that’s the future that we’re building to.”

Dallas’ suggestion that you add embedded devices to your worry list is due to the fact that Windows Embedded Standard 7 is in essence a “componentized” version of Windows 7 that can provide all the internet connectivity of that operating system. And when your share of billions of internet-capable embedded devices start to communicate with your company’s servers, you’ll be the one who’ll be told to manage them.

Estimates are that there will be around 15 billion embedded devices by 2015 and 40 billion by the year 2020. Windows 7 Embedded is actually Windows 7 broken down into a couple hundred components that vendors can pick and choose from to create custom solutions. This includes network and SQL connectivity.

“All the benefits of Windows 7 in the PC, laptop, netbook, and server arena can now be extended into the specialized devices space, into the embedded space.”

The good news, from Dallas’ point of view, is that since Windows Embedded Standard 7 is at heart Windows 7, all of the Microsoft back-end services that IT pros now use will be available to manage embedded devices.

“These devices need to connect seamlessly to back-end services. These services can range from management, to System Center, be able to participate in an Active Directory so you can set policies, you can push out software updates,” Dallas said.

I hope Microsoft really focuses on security with Windows Embedded 7. Some nefarious groups may be salivating at the chance of multiple new targets on your network running a componentized version of an operating system. Especially with the fact that Internet Explorer was recently hacked in two minutes at a security conference. I am curious too how the units will get Windows updates and security patches….

But if they do it right, Windows 7 Embedded clients will have a much smaller attack surface and be more secure than a standard PC. Time will tell. For more information see The Register.