Who's Watching Who - Hacking IP Cameras

Presented at CactusCon 11 (2023), Jan. 27, 2023, 7:55 p.m. (245 minutes).

The Internet of Things (IoT) can be described as “a system of interrelated, internet-connected objects that are able to collect and transfer data over a wireless network without human intervention” (Aeris, 2021). IoT devices can be broadly grouped into five categories: Consumer, Commercial, Industrial, Infrastructure, and Military (Maayan, 2020). Billions of devices are installed across these categories globally. It is estimated that there will be more than 75 billion connected devices by 2025 (Maayan, 2020). This represents a 10x increase since 2018. IoT devices generate an estimated 500 zettabytes of data annually, a volume that is expected to grow exponentially (Liton, 2018). These devices have been plagued with security issues since inception due to weak, guessable or hardcoded passwords, insecure network services, insecure ecosystem interfaces, insecure and outdated components, and a variety of other security problems (Stahie, 2020).

These factors present a unique opportunity for a workshop to present these concepts and teach participants how to identify vulnerabilities and how they would be used in an attack against insecure devices. This workshop is tailored to beginner to intermediate participants. Below is our proposed outline for the workshop, factoring in 10-minute breaks each hour. Content and exercises will be packaged for distribution to all CactusCon participants.

Workshop Outline: 4 hours (50 minutes each, with 10-minute breaks)

Hour 1 – The first hour of the workshop will focus on concepts, terminology, and setting the foundation for the advanced concepts and hands-on work in later sections.
- Pentesting Concepts and Overview – Students will review the basics of pentesting and how a pentest is conducted at a high level.
- Security Architecture Discussion – Students will then learn about security architectures and how to implement them within small business and enterprise networks. This is to demonstrate the defensive aspects of cybersecurity and their interaction with offensive operations. It will also present the specific architecture of the “lab environment” that students will interact with.
- IoT Devices Overview – Students will learn about IoT devices across the various categories of devices, the common protocols these devices use for networking, and the specific protocols and nuances of these devices.

Hour 2 – This session will focus on how to identify information and vulnerabilities associated with IoT devices. Students will be introduced to Shodan, Google searching, and other reconnaissance techniques. From these results students will evaluate vulnerabilities and how they may be used to carry out attacks on the environment or a specific device.
- Reconnaissance – Students will be introduced to reconnaissance tools and techniques associated with pentesting in general and then use tools and resources more specific to IoT devices.
- Vulnerability Identification and Analysis – Students will learn how to analyze IoT vulnerabilities and determine which are viable options to begin the attack phase.
- Attack Methodology – Students will learn what an attack methodology is, its different components, and how to develop the methodology to improve the chances of success during an engagement.

Hour 3 – This section will focus on developing the tools necessary to carry out the attack on the device. It will include three different options (Logging In / Default Passwords, Phishing, Malware / Script) and will stay at a high level given the time constraints.
- Scripting – Students will receive a basic introduction to scripting and use it to develop an attack that will allow the attacker to control the cameras.
- Conducting the Attack – Students will use the tools, techniques, and script learned during the workshop to impact the target environment.

Hour 4 – The final hour will focus on exfiltration, effects, and actions on objectives. During this time we will discuss what the access has allowed us to do and what the potential impacts are. This will lead to a review and key takeaways.
- Exfiltration / Effects / Actions on Objectives – Students will learn what valuable information could be obtained from this type of attack. Additionally, students will understand the specific information that can be obtained from these devices and how the devices can possibly be a pivot point into other systems within the environment.
- Review / Key Takeaways / Q&A – The workshop will wrap up with a review of the material covered and key takeaways, and will answer any student questions.

References:

Aeris (2021). What is IoT? Defining the Internet of Things (IoT). Aeris. https://www.aeris.com/what-is-iot/.

Liton, M. (2018, February 7). How Much Data Comes From The IoT? Sumo Logic. https://www.sumologic.com/blog/iot-data-volume/#:~:text=IoT%20data%20is%20measured%20in,to%20grow%20exponentially%2C%20not%20linearly.

Maayan, G. (2020, January 13). The IoT Rundown For 2020: Stats, Risks, and Solutions. Security Today. https://securitytoday.com/articles/2020/01/13/the-iot-rundown-for-2020.aspx.

Stahie, S. (2020, October 19). Lack of Security in IoT Devices Explained. What Can We Do About It. Security Boulevard. https://securityboulevard.com/2020/10/lack-of-security-in-iot-devices-explained-what-can-we-do-about-it/#:~:text=Weak%2C%20guessable%20or%20hardcoded%20passwords,services%20are%20another%20big%20issue.

Presenters:

  • Paul Wagner - University of Arizona, Cyber Security Faculty
    Paul is an Associate Professor of Practice for the University of Arizona’s Cyber Operations Program. Additionally, he provides virtual Chief Information Security Officer consulting services to multiple companies. Prior to working with the University of Arizona, Paul spent 20 years in the Army, including time in Infantry and Recruiting during his 12 years of enlisted service and as a Signal Officer for his remaining 8 years. Paul’s educational background includes a BS in Social Psychology and Business Management and Marketing, an MBA, and an MS in Cyber Security, and he is pursuing his PhD in Cyber Defense. He holds ~20 certifications from SANS, ISC2, EC-Council, and CompTIA.
  • Michael Galde - University of Arizona, Assistant Professor
    Michael Galde is a career-track assistant professor of practice for the cyber operations program at the College of Applied Science and Technology (CAST) at the University of Arizona. Before being appointed as full-time faculty in 2020, Michael worked in industrial control systems research at the Nebraska Applied Research Institute (NARI) in Omaha, Nebraska as a cybersecurity engineer II. As a contractor, Michael previously worked as an intelligence analyst with the Defense Intelligence Agency (DIA), where he developed digital tools and procedures for the agency’s prisoner of war / missing in action (POW/MIA) mission. Michael earned a Master of Science in Cybersecurity at the University of Nebraska in 2019 and a Bachelor of Science in Political Science in 2013. Michael’s research areas of interest include developing automated recovery of industrial control systems, increasing industrial network visibility to aid intrusion detection systems, and cyber security implementations.
  • Dalal Alharthi - University of Arizona, Assistant Professor of Cybersecurity
    Dalal Alharthi is an Assistant Professor of Cybersecurity at the University of Arizona. She received her Ph.D. in Computer Science from the University of California, Irvine. She has work experience in both academia and industry. She has strong engineering/architecture skills and is skilled in Cloud Computing (AWS, Azure, and GCP); Cloud Security; Container Security; Automation; Network Security; Violent Python; Palo Alto Networks; Active Directory; Web Development/Security; Pentesting/Ethical Hacking; Digital Forensics and Incident Response (DFIR); Cybersecurity Strategy, Standards, Policies, and Controls; Awareness Training Programs, and more. Prior to joining the University of Arizona, Dr. Alharthi worked as a Cloud Security Engineer at Farmers Insurance, a Resident Engineer at Palo Alto Networks, and a Prisma Cloud Consultant at Dell. She was awarded the Division of Teaching Excellence and Innovation (DTEI) Fellowship by the University of California, Irvine, and obtained both CompTIA Security+ and AWS Solutions Architect certifications.
