I’ve been giving and maintaining this talk all year and most recently gave it at SANS NS2008, which was an absolute blast! I taught the one-day “Up and Running With The Metasploit Framework” course, participated in the SEC560 penetration testing course, and got to lead a team of attackers in a three night hacking challenge. More on all that later, as I also presented on how embedded devices continue to be a threat. The goal of this talk was to raise awareness about the inherent insecurities in embedded systems, understand some example vulnerabilities and associated “exploits”, and identify defenses. I covered just how easy it is to “karmetasploit” the iPhone and some of the implications, an SSID script injection vulnerability in DD-WRT, and some interesting things I found on an Axis web camera.
As a side note, I was leaving Las Vegas early in the morning while people were coming out of the clubs, which was an interesting site to say the least. I happened to be standing next to Trent from www.i-hacked.com who stated how nice it would be run Karmetasploit as people were “under the influence” enough to click on anything (I suppose one could argue that people will click on anything even while not drinking). It got me thinking how interesting it would be to take over an iPhone and download all of the pictures stored on the phone, especially after a wild night in Vegas… In any case, you can download the latest (and final) slides here:
Things That Go Bump In The Network: Embedded Device (In)Security
Note: A previous version of this talk, including the audio version of the presentation, can be found here
The EeePC I was using seemed to pique the interest of many during the demo section of the talk. Below is some information about my EeePC setup:
* Eee PC 4G Surf Rev 701
* Madwifi drivers (I’m using this one) with the Karma patches from DigiNinja (I highly recommend these drivers over the ones in Backtrack, they seem to work far better)
* Metasploit 3.1-latest
* A copy of “evilap.sh” from the Backtrack CD with some modifications, primarily to make it work with dhcpd on Ubuntu (Example can be found in Episode 114’s show notes)
I believe this talk served its purpose, many have commented that they were going to bring this knowledge back to their respective organizations and begin to think about embedded system security differently. Mission accomplished? I’m not quite sure, while I believe that many have taken embedded systems security more seriously as end-users of the products, the vendors still have some work to do. I’d like to see more of:
* Vendors allowing the user to create the initial password(s) and security certificate
* Doing their own security evaluations before the product is released to the market
* Using secure protocols for management (SSL, SSH, SNMPv3, etc…)
With respects to defense and active scanning/penetration testing of your internal network, well, more on that later…