RootedCon 2017 - Workshop: IoT Insecurity of Things?
TRANSCRIPT
Your Security is Our Success
March 2017 - Luis Enrique Benitez
IoT
Insecurity of Things?
3 © Internet Security Auditors
Luis Enrique Benitez, Quality Manager - Ethical Hacking & Vulnerability Assessment
https://www.linkedin.com/in/luisbenitezj
LG 43uf6407
LG 43" LED TV, 4K resolution, IPS panel, 900 Hz PMI, Smart TV (webOS 2.0)
SAMSUNG UE32F5500AW
Samsung 32" Full HD Smart TV with Wi-Fi
OKI SB Media Player 1G sound bar: Full HD 1080p, high-definition DTT tuner, Dolby sound system, iPod/iPhone dock. Internet connection via cable or Wi-Fi
Panasonic TX-40CX680E
40" LED TV - Panasonic TX-40CX680E, 4K Ultra HD, Firefox OS, Quad Core
Samsung UE32F5500AW

Port    Service     Version
80      http        Samsung Swift httpd 1.0
443     http        Samsung Swift httpd 1.0
4443    Pharos
6000    X11
7676    upnp        AllShare UPnP
52345   http        Samsung AllShare http
55000   unknown
55001   tcpwrapped
LG 43uf6407
10107 (4) - HTTP Server Type and Version
Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9
friendlyName: [LG] webOS TV UF6407
manufacturer: LG Electronics.
manufacturerURL: http://www.lge.com
modelDescription: LG WebOSTV DMRplus
modelName: LG TV
modelNumber: 1.0
LG 43uf6407

Port    Service     Version
1113    upnp
1672    upnp
2026    upnp
2043    upnp
3000    http        LG Smart TV http service
3001    http        LG Smart TV http service
7778    Interwise
9955    Unknown
9998    http        LG television page list http
18181   Opsec-cvp
36866   Unknown
43035
43036
43037
43038
LG 43uf6407 http://192.168.88.246:3000/

Response:
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 06 Jul 2016 10:18:13 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Cache-Control: no-cache, no-store, must-revalidate
Age: 282559
Panasonic TX-40CX680E
58662 - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows
90508 - Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities
76314 - Samba Unsupported Version Detection
OKI Sound 1G
57825 (1) - PHP 5.3.9 'php_register_variable_ex()' Code Execution (banner check)
58987 (1) - PHP Unsupported Version Detection
60085 (1) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
18037 (1) - XAMPP Default FTP Account
58183 (1) - Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution
58988 (1) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
42263 (1) - Unencrypted Telnet Server
73289 (1) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
34324 (1) - FTP Supports Cleartext Authentication
OKI Sound 1G
Port    Service           Version
21      FTP               Pure-FTPd
22      SSH               Dropbear ssh 0.52 (protocol 2.0)
23      Telnet
80      http              Lighttpd
81      http              BusyBox http
7171
8082    Blackice-Alerts
9010    SDR
9020    Tambora
OKI Sound 1G
inout TV mediacenter 4g
Channels that send information when accessed:

Channel                  IP
Atreseries               52.28.85.115
BeMad                    54.231.134.36
Discovery Max            46.31.56.161
La sexta HD              8.254.98.126
La sexta                 8.254.98.126
Energy                   54.231.134.100
Boing                    54.231.134.100
La 1                     72.247.210.17
La 2                     72.247.210.17
24h                      72.247.210.17
Clan                     72.247.210.17
TV3 HD                   8.254.36.126
Telecinco                54.231.136.13
Cuatro                   54.231.136.13
Cuatro HD                54.231.140.77
TV20 Terrassa            85.25.218.231
tdp                      72.247.210.10
tdp HD                   72.247.210.10
TV3                      8.254.50.126
Super 3/33               137.117.170.224
3/24                     8.254.50.126
Esport3                  8.254.50.126
Canal Terrassa Valles    92.54.15.210
Disney Channel           46.31.56.161
Paramount Channel        46.31.56.161
FDF                      54.231.136.13
Divinity                 54.231.140.77
Telecinco HD             54.231.140.77
Channels that do not send information when accessed:

Channel
Antena3
Antena3 HD
Neox
Nova
Mega
13TV
8TV
Barça TV
RAC105
EL PUNT AVUI
MOLA TV
TV SANT CUGAT
DKISS
TEN
IB3 GLOBAL
Real Madrid TV
Group of channels that send information constantly (every 4 seconds):

Channel        C
Telecinco      1
Cuatro         2
FDF            3
Divinity       4
Telecinco HD   5
Cuatro HD      6

Request:
http://beacon.hbbtv.mediaset.es/topics/test?c=1|B49E0ABB9570335EB4A64895EFA14CCB|k|{%22keyset%22:{%22ALPHA%22:512,%22BLUE%22:8,%22GREEN%22:2,%22INFO%22:128,%22NAVIGATION%22:16,%22NUMERIC%22:256,%22SCROLL%22:64,%22VCR%22:32,%22RED%22:1,%22value%22:0,%22YELLOW%22:4},%22currentChannel%22:{%22channelType%22:0,%22ccid%22:%22ccid:23%22,%22dsd%22:%22Z\u000b\u0004)\u0010@\u001f%C2%81;%C3%BF%C3%BF%C3%BF%C3%BF%22,%22name%22:%22Telecinco%22,%22onid%22:8916,%22sid%22:186,%22tsid%22:16},%22channelList%22:%22Channel%20list%20items:%201:%20atreseries%20HD,%202:%20BeMad%20tv%20HD,%203:%20Realmadrid%20TV%20HD,%204:%20antena3%20HD,%205:%20antena3,%206:%20laSexta%20HD,%207:%20laSexta,%208:%20neox,%209:%20nova,%2010:%20Energy,%2011:%20Boing,%2012:%20mega,%2013:%2013%20Tv%20Definitivo,%2014:%20La%201,%2015:%20La%202,%2016:%2024h,%2017:%20Clan,%2018:%20La%201%20HD.,%2019:%208TV,%2020:%20Bar%C3%A7a%20TV,%20%22}
Host: beacon.hbbtv.mediaset.es
Origin: http://hbbtv.mediaset.es
Accept-Language: en-us, en, fr, it
User-Agent: Mozilla/5.0 (Unknown; Linux armv7l) AppleWebKit/537.1+ HbbTV/1.2.1 (+DRM; LGE; WEBOS2.0; 03.11.00; HE_DTV_W15B;)
Referer: http://hbbtv.mediaset.es/hbbtv.xhtml?c=1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Among the data sent are the TV's channel list and the order in which the user has arranged the channels on the device.
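To audit what such a beacon actually carries, the following added example (not code from the talk) decodes a constructed request with the same layout as the captured one: it splits the `c` parameter on `|`, URL-decodes the JSON and pulls out the device id, the tuned channel and the user's channel order. The device id in the sample is a placeholder.

```python
import json
from urllib.parse import unquote, urlsplit

# Constructed sample beacon with the same layout as the captured request:
# c=<channel code>|<device id>|k|<URL-encoded JSON>. The device id is a
# placeholder, not a value taken from any real device.
SAMPLE_URL = (
    "http://beacon.hbbtv.mediaset.es/topics/test?c=1|DEVICE-ID-PLACEHOLDER|k|"
    "{%22keyset%22:{%22RED%22:1,%22GREEN%22:2,%22YELLOW%22:4,%22BLUE%22:8},"
    "%22currentChannel%22:{%22channelType%22:0,%22ccid%22:%22ccid:23%22,"
    "%22name%22:%22Telecinco%22,%22onid%22:8916,%22sid%22:186,%22tsid%22:16},"
    "%22channelList%22:%22Channel%20list%20items:%201:%20atreseries%20HD,"
    "%202:%20BeMad%20tv%20HD,%203:%20Bar%C3%A7a%20TV,%20%22}"
)

def decode_beacon(url):
    """Split the 'c' parameter on '|' and decode the URL-encoded JSON payload."""
    key, _, value = urlsplit(url).query.partition("=")
    if key != "c":
        raise ValueError("unexpected beacon parameter: %r" % key)
    channel_code, device_id, marker, encoded = value.split("|", 3)
    return {
        "channel_code": channel_code,
        "device_id": device_id,
        "marker": marker,
        "payload": json.loads(unquote(encoded)),
    }

def channel_list(payload):
    """Turn 'Channel list items: 1: X, 2: Y, ' into [(1, 'X'), (2, 'Y')] in the user's order."""
    _, _, items = payload["channelList"].partition("items:")
    ordered = []
    for item in items.split(","):
        item = item.strip()
        if item:  # the string ends with a trailing ", " that yields an empty item
            position, _, name = item.partition(":")
            ordered.append((int(position), name.strip()))
    return ordered

def leaked_fields(url):
    """Summarise what the beacon reveals: device id, tuned channel and channel order."""
    decoded = decode_beacon(url)
    current = decoded["payload"]["currentChannel"]
    return {
        "device_id": decoded["device_id"],
        "current_channel": (current["name"], current["onid"], current["sid"], current["tsid"]),
        "channel_order": [name for _, name in channel_list(decoded["payload"])],
    }
```

The same parser applies to the captured request above, since its `c` value has the same `|`-separated layout and the same JSON keys.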
What we never read but we all accept...
Security / Privacy