Monday, January 5, 2015

Internet of (#FAILING) things

I've recently been called to deal with the mysterious behavior of a home controller device, or as they call it a "smart home" system: apparently the system would stop working every few minutes, making it impossible to control the devices connected to it, which means no lights.

So after a few head scratches I checked the controller model and its IP; as you probably guessed, it is a static IP so that the system can be controlled remotely.

I found out they have a Control4 HC-800 controller, and I got the controller's IP.

For those of you who are not familiar with "smart home" systems: it is basically a system that controls electrical components from a main controller, either wired or wireless.
Control can be done via several devices such as remote controls, iOS devices, Android devices, a PC and even your PBX phone.

As usual I started by scanning the IP for open ports:


Oh wow, this should be interesting: port 22 is open ... and what are port 5800 (VNC-HTTP) and port 5900 (VNC)? Very interesting, now it got my attention ...

A quick search for the term "control4 root ssh password" will get you to this result:

login: root / password: t0talc0ntr0l4!


Voila! I got ROOT ;) It also has BusyBox installed ... Much fun!

I checked what type of commands it has:


OK, I got some basic Linux commands, but I need the controller commands, so I checked another port: 5800, which indicates VNC-HTTP, and port 5900, which indicates VNC.

Using Hercules (Hercules is a tool for working with serial and Ethernet devices and interfaces):

Tried port 5800:


Tried port 5900:


Great success! I logged in and didn't have to authenticate with a username and password ... now let's check what commands we have here.
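The port scan above (22, 5800, 5900 open) and the VNC login that asked for no password are exactly what an owner or integrator should check for on their own controller before it is left reachable from the internet. The following Python helper is an added example, not code from the original post or from Control4: it parses the server side of the RFB (VNC) handshake, which begins with the 12-byte `RFB xxx.yyy\n` version line and is followed by the list of security types the server offers, and flags a server that offers security type 1 ("None", no authentication). The handshake samples are constructed, not captured from real devices; in practice the bytes would be whatever your own device's port 5900 sends right after a connection is opened. The port notes table is an assumption based on the ports named in the post.

```python
"""Audit helper: classify an RFB (VNC) server handshake by the authentication
it offers, and explain the management ports the post found open.
Added example, not from the original post; samples below are constructed."""
import struct

# Security types from the RFB specification (RFC 6143) plus common registrations
SECURITY_TYPES = {
    0: "Invalid",
    1: "None",
    2: "VNC Authentication",
    5: "RA2",
    6: "RA2ne",
    16: "Tight",
    18: "TLS",
    19: "VeNCrypt",
}

# Ports the post found open on the controllers; wording is the author of this
# example's assumption about what each exposure means for the owner
PORT_NOTES = {
    22: "SSH (root shell if default credentials are unchanged)",
    23: "Telnet (cleartext; root shell if default credentials are unchanged)",
    5800: "VNC over HTTP (Java viewer)",
    5900: "VNC / RFB",
}


def _read_reason(buf: bytes) -> str:
    """Failure reason: U32 big-endian length followed by that many text bytes."""
    if len(buf) < 4:
        raise ValueError("truncated failure reason")
    (length,) = struct.unpack(">I", buf[:4])
    return buf[4:4 + length].decode("latin-1", errors="replace")


def parse_rfb_server_messages(data: bytes) -> dict:
    """Parse the server's ProtocolVersion line and its security-type
    announcement.  Returns the version tuple, the offered security types,
    and a failure reason if the server refused the connection."""
    if len(data) < 12 or not data.startswith(b"RFB ") or data[11:12] != b"\n":
        raise ValueError("not an RFB ProtocolVersion message")
    major, minor = int(data[4:7]), int(data[8:11])
    body = data[12:]
    result = {"version": (major, minor), "security_types": [], "reason": None}

    if (major, minor) >= (3, 7):
        # 3.7/3.8: U8 count, then that many U8 security types; count 0 = failure
        if not body:
            raise ValueError("truncated: no security-type count")
        count = body[0]
        if count == 0:
            result["reason"] = _read_reason(body[1:])
            return result
        types = list(body[1:1 + count])
        if len(types) != count:
            raise ValueError("truncated security-type list")
        result["security_types"] = types
    else:
        # 3.3: the server picks a single U32 security type; 0 = failure
        if len(body) < 4:
            raise ValueError("truncated: no security type")
        (sec_type,) = struct.unpack(">I", body[:4])
        if sec_type == 0:
            result["reason"] = _read_reason(body[4:])
            return result
        result["security_types"] = [sec_type]
    return result


def assess_vnc(data: bytes) -> str:
    """Turn a parsed handshake into an audit verdict string."""
    info = parse_rfb_server_messages(data)
    if info["reason"] is not None:
        return "REFUSED: " + info["reason"]
    types = info["security_types"]
    names = ", ".join(SECURITY_TYPES.get(t, f"type {t}") for t in types)
    if 1 in types:
        return "CRITICAL: no authentication (security type None offered): " + names
    if types == [2]:
        return "WEAK: VNC Authentication only (DES challenge, cleartext session): " + names
    return "OK: authenticated/encrypted types offered: " + names


def assess_ports(open_ports) -> list:
    """Explain each open port that appears in PORT_NOTES, in ascending order."""
    return [f"{p}: {PORT_NOTES[p]}" for p in sorted(open_ports) if p in PORT_NOTES]


# Constructed samples: server messages only, client replies omitted
SAMPLE_38_NOAUTH = b"RFB 003.008\n" + bytes([1, 1])        # one type offered: None
SAMPLE_38_VNCAUTH = b"RFB 003.008\n" + bytes([1, 2])       # VNC Authentication only
SAMPLE_38_STRONG = b"RFB 003.008\n" + bytes([1, 19])       # VeNCrypt only
SAMPLE_33_NOAUTH = b"RFB 003.003\n" + struct.pack(">I", 1)
SAMPLE_38_REFUSED = b"RFB 003.008\n" + bytes([0]) + struct.pack(">I", 8) + b"Too many"

if __name__ == "__main__":
    for label, sample in [("3.8 no auth", SAMPLE_38_NOAUTH), ("3.8 VNC auth", SAMPLE_38_VNCAUTH),
                          ("3.8 VeNCrypt", SAMPLE_38_STRONG), ("3.3 no auth", SAMPLE_33_NOAUTH),
                          ("3.8 refused", SAMPLE_38_REFUSED)]:
        print(f"{label:14} -> {assess_vnc(sample)}")
    for line in assess_ports([80, 22, 5800, 5900]):
        print(line)
```

The verdict for a controller like the one in the post is "CRITICAL": the server offers "None", so anyone who can reach port 5900 gets the console with no password at all. Even a "WEAK" result deserves attention, since classic VNC Authentication only protects the login challenge and leaves the session itself in cleartext.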


This is obviously insecure and leaves many controllers vulnerable to cyber attack. The gears in my head started to turn and I thought: if this is the case, I can probably access and get full control of any Control4 device that is online, and when I say control I mean as ROOT.

For example, I can send commands, like the KILL command, which will stop the daemon and cause the system to halt and not respond until reboot.

Running a quick search in Shodan for the term "control4" will get more than 5000 devices online, YAY! ALL the devices have port 80 open and either port 22, port 23, port 5800 or port 5900 open, and the root username and password are the same :(

So if I was not able to log in via SSH or telnet, I was able to log in via a TCP client (Hercules) to port 5800/5900; one of them will work for sure!

I have notified Control4 about this issue, which is a very serious one, as I can control all their controllers as long as they are online, without even using a username and password. There is no need to use any exploit, as this is just a case of bad practices.

Update - 7/1/2015:

After getting a lot of feedback from different sources I decided to test some more controllers, this time from a company called Crestron. The findings were close to the Control4 issue, but here port 23 is actually almost ALWAYS open, as you will see in the Shodan search results.
On some of the controllers the telnet connection is password protected, and although it asked for a password it was not hard to find it.

This time I started by searching Shodan for Crestron controllers; I found over 400 controllers online (350 of them with port 23 open).

Here I can actually see the difference between the controllers as far as authorising login goes.

Login without any authorisation; you can see "connected to Host-wm-130-crestron":

Login with authorisation: here it will ask for the telnet password, which again was not hard to find; a quick search will get this password ... password :(

I also notified Crestron about this issue, as it also seems that universities and education facilities favor Crestron controllers for their automation systems.

Resources:

1. http://en.wikipedia.org/wiki/Home_automation
2. http://www.control4.com/products/system-overview/C4-HC800-BL-1
3. http://www.control4.com/products/system-overview/control4-operating-system
4. https://nitdroid.wordpress.com/2013/07/30/how-to-access-control4-through-putty/
5. http://www.hw-group.com/products/hercules/index_en.html
6. http://www.shodanhq.com/search?q=control4
7. http://www.shodanhq.com/search?q=crestron
8. http://www.crestron.com/downloads/pdf/product_manuals/mp2_mp2e.pdf