Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Unknown (00:17):
All right. All right, here we go. It is time for the Globalbob show. Globalbob show, we are the crossroads of technology and politics. This is episode number 11. The time of the release is Memorial Day. And so as we start this Monday, and think
(00:44):
about the ultimate sacrifice that our military folks have given to ensure the freedom of this country, I want to talk a little bit about, here in the intro, some other people that gave the ultimate sacrifice to secure our nation. And two in
(01:06):
particular are our brothers and sisters at the Central Intelligence Agency, and our brothers and sisters at the National Security Agency. You see, when you go through the turnstiles at those agencies, you're greeted with a very
(01:28):
somber reminder of just how deadly this hacking and exploitation can be. Now, I know that on the CIA side, not all the stars on the CIA Memorial Wall represent those that were in a capacity for hacking. But the CIA does have what they call
(01:52):
tops officers, or technical operations officers. And I'm pretty confident that some of those stars on that wall could be from some of the CIA hackers or the tops officers. But nonetheless, some of these folks are civilian. And to me, I think
(02:12):
we need to include them at Memorial Day as well. Now, the NSA, which is part of the Department of Defense, they also have a wall. And they call theirs the Wall of Honor. And the NSA Wall of Honor has approximately 178 stars on there. Now we know NSA is chartered with making and
(02:36):
breaking codes. And so I would rest assured that most of those stars on that wall are actually folks that gave the ultimate sacrifice while trying to exploit the enemy's communication systems. And so I want to stop for a brief moment and have just a moment to reflect on those guys and girls
(03:02):
that gave their life to secure this nation. Okay, moving right along. So this week's topic, I wanted to talk about how hackers hack. Last week, we talked about why people get into hacking. And
(03:23):
as I mentioned, the CIA and NSA are always hiring hackers. So if you have the skills, and you feel like you want to apply that, you can go to their websites and upload your resume. And if you have something that they're interested in, then they will recruit you. And you could become a government hacker, if
(03:46):
that's what you're into. But I want to talk about how hackers hack, and I'm going to talk about also an exploit that I found, and so we can kind of talk about the anatomy of that. So if you have listened to previous episodes, you've heard me talk a little bit about the internet. And also we've had some light
(04:08):
conversation about firewalls and NAT, right. And I need to introduce you to this just a little bit, so you understand that at your house, most of you guys, I would probably say all of my listeners, have at least a NAT, and a NAT and a firewall, and
(04:29):
this term can kind of be synonymous. With the NAT or firewall, let's just call it a firewall from here on out. The firewall is assigned an IP address that's public on the internet, in most cases, so anywhere on the internet, there is an address for your house and it's always
(04:54):
changing. And that's where your router sits. So router, NAT, firewall, some use them all interchangeably. And basically what that does is allow your devices at your house, your smart TV, your phone, your tablet, your computer, all of that to be connected through that single IP address. And then
(05:19):
a derivative of that is that the devices at your home are not directly accessible on the internet. So that's why it's kind of called a firewall in some instances. So what's important about that is that if someone knows your internet address for your router, your public IP address, then they can
(05:43):
send packets and communications back and forth. But if your devices are behind this firewall, then they cannot, for all intents and purposes, get to that device that's behind the firewall. So how do packets get in and out of that firewall?
(06:04):
Well, in the simplest terms, your phone at your house or tablet, when you go to, say, Facebook, then it goes through your firewall. And your firewall keeps track of that communication going to Facebook. And so when Facebook returns that web page, or picture, it goes through the firewall, and the firewall then sends it down
(06:25):
to your device. So just think of it that almost everything can get out, but not everything can get in. Now, with a firewall at your house, if you guys have security cameras, you probably have done this before, you've had to forward a port. Now, when you forward a port on your firewall, that takes your public
(06:51):
IP address, and it puts a map into the device behind the firewall, which in this case would be your camera. So what you do is, if you're away from your house, you can type in your IP address into the camera app on your phone. And then you can
(07:12):
view your cameras remotely. So I know that's kind of really technical, but I'm setting us up for what we're going to talk about here in a second. So just to bring it all together, your firewall basically controls what packets get in and out of your home network. And in most cases, it
(07:33):
is very restrictive. So your devices cannot be accessed directly from the internet unless you forward a port. Now for all my technical listeners out there, I know this is like 101 stuff. And as always, if anybody wants to dive in deeper, we totally can. Now, when I developed this exploit that I'm
(07:59):
going to tell you about, it was a device that is used to control electrical switches and electrical relays. And I'm going to walk you through how I developed the exploit. Now this
(08:19):
takes many, many days. But I want you to kind of understand how these things are developed out. And in this, it was a device that when it arrived, its packaging said that this is optimized for military installations, casinos,
(08:40):
hospitals, and other high secure areas. It's like, alright, well, hope I can find something into this. Now why did I go out and get this device? I've been involved for many, many years developing out cyber ranges or cyber simulations. And what a
(09:04):
cyber range is, is where we would find all kinds of devices. I mean, I think probably the number's north of 200 devices total that we found throughout the years. And we would set up a scenario. And we would have folks from various governments around the world and also folks from industry. And we would set
(09:28):
up the cyber range so they could practice their hacking skills. And so it was always an arms race between my team and the best hackers in the world. One, we need to define zero day exploits. And now there's a term we should talk about. A zero day exploit means that no one knows about it besides the
(09:54):
person that found it or the team that found it. And it's called a zero day because the manufacturer hasn't been notified. And this can be weaponized to exploit things. And so every year as we're developing out these cyber ranges, there was a lot of pressure on us to find zero day
(10:15):
exploits. So in this particular one, this was a zero day exploit that I found. Now, I should also mention that anytime I bought any of these components, and we'll talk about this on the next podcasts that are coming up and things like that, but just know that every time I bought any of these components, I
(10:36):
always bought them in true name with my personal credit card. And the reason why I did that was because I didn't want any special treatment, treatment being good or treatment being bad. If you contact a manufacturer and tell them that you're a security researcher, such as myself, and that you
(10:57):
would like to have one of their devices so you can exploit it, well, either they hang up the phone on you, or they'll send it to you and give you maybe some code that's not in development, and other things like that. And I didn't want, I wanted to, for me, I wanted to go out and buy one of these as if I was a regular person that was just
(11:20):
buying them. So I would buy them on a credit card and get them shipped here to my house. And so I bought this particular device, and started to look into it. And I went through my normal procedures, you know, anybody
(11:40):
that's in this industry, they kind of, you know, have their strong suits. With myself, I am a hardware hacker, I would say that I'm more proficient at that, which means getting into devices and compromising them. And some folks are software hackers and researchers whose forte is to actually exploit software that's installed on boxes. But me, I'm more of a hardware guy, as
(12:04):
you'll hear in the future podcast. So this device, you hook it up to an Ethernet cable, and it has a web interface on it. And this web interface was kind of rudimentary, I could log into it. And I could turn the relays on and off, and this had a bank of maybe 10 relays. And you really couldn't do more than
(12:29):
that. You could do some monitoring of it. But it was pretty much just a web connected device that would turn relays on and off. So I started looking through the source code on the webpage. And if you all wanted to do the same thing, you can go to any web page and hit View Source. And what I started
(12:50):
looking for whenever I'm doing that is to see if the software that's serving up the web page, maybe there's a vulnerability in it. So I looked at all of the web pages I could get to, I set a username and password. And it was, you
(13:11):
know, kind of, kind of boring. Now the case that this came in, it was very much industrial. So this wasn't like a little cheap piece of plastic when they said on the box that this is, you know, for high secure areas, which I thought was comical. I mean, it kind of passed the weight test. I mean, it felt nice and industrious. So then my next procedure was, well, I don't see anything that I can
(13:34):
exploit that pops out, you know, really quick. So let me take the case apart. So any of my brothers and sisters that are hardware hackers, that's usually the first thing we do. And then a couple hours, we want to see the guts inside of this. So I open up the case, and I see some chips in there and I write down the numbers of the chips, the make and model. And some of them
(13:58):
I just have from memory, I know that that's a chip that stores memory. And this is a chip that kind of serves as the little logic engine. But with this one, it was kind of a pain in the butt. Because a lot of times when these systems are put together, they'll have little pads on them. And these little pads allow you to take your soldering iron out, and you can
(14:21):
put down a couple wires on it and then hook it to your computer and see if you can get some output, and a lot of times that output will give you a view into what the operating system is. But this one here, everything was soldered down. Nothing was socketed, and socketed means that the chips,
(14:44):
if you've ever seen inside of a circuit board where you can put a clamp on it and pull it off. None of them were socketed. So it was going to take a while to start doing some probing of the internal chips. But the idea was that if I could probe the chips, I could then maybe read
(15:07):
the operating system off of there and start looking at the source code, or the compiled code, I'm sorry, not source code, compiled code. And from the compiled code, I could run it through various software like either Ghidra or IDA Pro. And that will let you start seeing if there's any variables that
(15:27):
are in there that I could then create an exploit into. But in this case, I didn't want to take that time quite yet, because I wanted to see if there was maybe another way I could get into it. And when I hooked it back up, I started running some scripts.
(15:48):
Now scripts, with hackers, security researchers, you kind of start off by using other people's scripts. And then you start writing your own scripts just to help aid you in research. And so I had looked in a lot of these various devices. And so I started to run a script that would go to the web portal,
(16:13):
right, the web portal of the device. And if you're not familiar with a web portal, or login screen, this is like your camera systems again, right? You type in the IP address of the camera. And then you're presented with username and password. So that particular part, I started running a script against it, that would look for directories. And so it would
(16:38):
try, let's say, the IP address forward slash admin, forward slash test, forward slash name, your forward slash, right, and I have a collection of about 100,000 or more forward slashes. And then what would happen is that if it was successful, then my script would stop and say, I received data
(17:03):
with this directory, and then you can look at it. And so the script that some people use, it's called directory buster. So this was kind of a modified directory buster. And this is kind of like a point and click, or deploy and pray. And you just let it run for hours. I mean, it could take
(17:25):
a long time, depending on the speed and stuff. But that did not yield me any results. So the next thing I went to was called fuzzing. Now, fuzzing is a term that security researchers use. And this is where you try to send lots of
(17:46):
random information, some of it not random. But for all intents and purposes, random information. So say, the login screen where you type in admin, instead of typing in admin, maybe it would put like a 400 character username in there, and maybe for the password, you would put in, you know, a couple hundred
(18:07):
characters in there, and all this stuff starts running automated and fast. And so with my custom scripts, I had things that had worked on IoT devices in the past. Now IoT is Internet of Things. I call it Internet of Toys. This really wasn't an IoT device. But anyways, I was running the fuzzer against it.
(18:30):
And all of this happened over the course of about, you know, a week, because I do have other things to do. Well, at one point, I was running the fuzzer. And I was looking at the output of the fuzzer. And it's happening so fast, you really can't see, but sometimes you can see patterns, right? And just observe as the fuzzing is happening. Well, I heard a beep.
(18:55):
It was just an audible, and I thought, wow, okay, what the heck was that beep? So I stopped the fuzzer. And I tried to access the device, and the device was really, really sluggish. So I unplugged the device and plugged it back in. And I hear a beep. And I noticed this, like, okay, yeah, I guess I
(19:16):
just, this is the first time I really heard it. But every time you plug in the device, it boots up, it does an audible beep. And that was really cool to me. I was like, okay, well, if anything, this fuzzing, something has caused this device to reboot. So then I start looking through the code and looking
(19:37):
through and trying to figure out, hey, what did this thing send? Because you got to remember, when the fuzzer is running, it's sending thousands of requests per second to the little device. And so I found that, and I don't want to go into the details of it. But I basically found that I could send enough information in such a time that it would cause
(20:04):
it to reboot the little device. Now what was happening is that the device had a software system in there that would recover itself if it locked up. Because you can think that, you know, if this device locks up and say it's hooked to a conveyor belt or something, it needs to hurry up and reboot.
(20:25):
Because what if someone needs to shut down that conveyor belt? And so that's why it had what was a watchdog timer. And that's pretty common with these devices. It basically says, hey, if I'm locked up, reboot. So I was scratching my head, I was like, well, if anything, I can isolate this, and cause some
(20:46):
havoc inside of my simulation by saying that you can send some packets to it to cause the device to reboot. Now, mind you, when the device rebooted, it did not change the state of the relays. So if the relays were normally open during device operation, they would stay open. If the relays were normally closed, they would stay closed.
(21:07):
So this is really just kind of lame. I mean, this is like an annoyance, right? Well, we're going to tie all this back together and actually make an exploit out of it. Now, mind you, I say it again, this device, according to its packaging, was for high secure areas. And a lot of my brothers and sisters that are involved in
(21:31):
security research and exploitation, and even some folks on record with the government and industry, basically, if you have physical access to a device, it's really kind of game over, right? I mean, in this case, if someone wanted to cause havoc and they had physical access to it, then why wouldn't they just go, you know,
(21:53):
take the device and smash it and make it inoperable. But you got to think, when we're hacking into something, you know, the remote capability, the fact that you could do this remotely, makes it a lot more dangerous. And what I remembered was reading through the instruction booklet, and noticed that if you forgot
(22:17):
the admin password to the device, you could type in a special username and password. And what would happen is that the device would freeze all the relays where they were, and you would have to power cycle it within 10 seconds, it was like 10 to 30 seconds, whichever
(22:40):
one it was. And so when they made a mistake in their logic, when they manufactured this device, and that was, well, if someone has physical access, then they could cause harm if they wanted to. So this would be a way to ensure that if you reset the username and password, you had physical access to it.
(23:02):
And but that's where their problem in the logic lied, is that, yes, I could send it, and within 10 seconds is a very short amount of time, you just unplugged the power to the little computer that controlled all this and plugged it back in, and boom, it would set itself to the default password, only it
(23:25):
would not reset the IP address. And it would not change the state of any of the relays. It was just a way so someone could put it in, unplug it, plug it back in real quick, you had 10 seconds to do it. And the manufacturer, I'm gonna say it one more time, in their mind,
(23:46):
they said, well, if you got physical access to it, you must be trusted. So what's the harm in this? Alright, so here we go. Now, these devices, I would not recommend putting anything on the open Internet unless there's actually a reason for it. And what I discovered was that a lot of these devices, because I
(24:11):
have a system that scans the internet and reports back and we can look at the banners. So I said, man, I wonder how many of these things are actually connected to the internet. And at the time of my research, I would say it was north of thousands of them connected to the internet. I was able to scan the public internet and get what we call open source intel, which
(24:34):
there's tons of services that do this for you. And I said, wow, this is a lot of these things on the internet. Now at this time, all I could do is send some packets that would cause it to reboot, but it wouldn't affect the relays or anything. It's like, okay, good, they're beeping. So if I wanted to deploy this on the internet, I'd have a bunch of boxes beeping. Now let's tie it
(24:57):
all together. So I have a bunch of these that are out on the internet, I have a way to reboot them. And I have a procedure, which I would call a logic flaw in the manufacturer's assumptions, that if I type in the password that's published inside the owner's manual, and then within 10 seconds of that
(25:20):
device rebooting, it would revert to a generic password that was also in the manual. Now, in my fuzzer, when it would run, it would take about a minute or so and I would hear the beep, not fast enough. So once I isolated the packets that were causing this, I was able to create a new script and point it at the
(25:43):
device's IP address that would send enough of these fuzzed packets, these very special fuzz packets, and I can get this thing to reboot in about five seconds. Now, once I did that, then my script would detect the reboot, then it would go and change it to the password. Do you see what we've done here,
(26:06):
we exploited a flaw in the logic of the manufacturer. Now I can take these that were out on the internet, these thousands of them. And I had a method that I could exploit them and get access to them remotely. Now I know that some of the terms may sound
(26:27):
complicated. But here is the other mistake that was made, not just from the manufacturer, but from the people that installed these. And so what we find is that a lot of times people just want things to work, they don't care. They don't want to
(26:48):
set up a VPN to get into these devices. And so what they would do in these manufacturing facilities or anywhere these were deployed, that a lot of them, the ones I was able to find on the internet, they simply went to their firewall, or their router, and put in a rule that said forward the
(27:09):
traffic to the device. And this is the same thing that happens when you have your camera system and you want to view them remotely, you put a rule in. And that's not the best thing to do. Because inadvertently, anybody that develops an exploit into the product that you have that's publicly addressable on the
(27:30):
internet could cause some havoc. Now, if you listen to episode number 10 of the podcast, I talked about weaponization. And this is a perfect example of stopping your research and not weaponizing it. Now the whole scanning of the internet or using databases that scan the Internet, I could have very simply weaponized this and had
(27:54):
it download all of the publicly addressable IP addresses that have these devices connected to it. And I could have fuzzed it, and then changed the admin password, and voila, I would have access to all of these devices. But you got to be a good citizen. In this case, I was being funded by a very large
(28:18):
company that knew what I was doing. And I did write up everything and submit it to them. So I could do the smart thing and the responsible thing. And that is responsible disclosure. And, you know, once I sent it to our legal department, it was up to them to
(28:40):
work with the manufacturer and tell them what we found. Now, what we did for this simulation, because this is something that was pretty easy, we actually had to harden the device. Yeah, that's right, we actually fixed the device before we put it in the simulation to make it harder to compromise. The last thing
(29:01):
I'll talk about here is that this device, this exploit into this is what I would call a superset exploit. Now this device that I had, it was marketed under a certain name, which I don't want to reveal. But whenever I started looking at other devices, they all had
(29:21):
the same flaw in them. And what I gathered was, and this happens a lot, especially with the IoT, Internet of Things, that's why I call it the Internet of Toys. You'll have one manufacturer and their only job is to create the components, the computer system, everything for these embedded
(29:44):
devices, but then they don't actually sell them themselves. They sell to manufacturers that put these devices into various components. And so while this name brand I had an exploit into, I actually had the exploit into everything, or all the
(30:06):
devices that the super manufacturer would put out there. And doing some open source research of the manufacturer, I found that a lot of their customers were embedding these inside of power strips that are used inside of data centers to basically turn power on and off. The other big
(30:32):
group it was used in was the manufacturing and exploration of natural gas, oil, and other manufacturers of those products. And so you can see that very quickly, if this was to become weaponized, then we don't know what harm would be caused by us
(30:56):
turning relay valves on and off, or cycling power on various devices. Now in our simulation, what we did to actually show all of this is that we had it hooked up to an oil well, and so we had a company create us a mock up of an oil well, and it
(31:18):
had oil tanks, and it had an oil offload into a tanker ship. And what we did to train the hackers, where they had to log in and exploit this device, mind you, we had to harden it up so they didn't exploit it too easily. And their job was to simulate an environmental disaster. So what
(31:40):
they did was, on one relay, they turned off the power. So the backup generator turned on, and so everything was good to go. Then the next relay, they opened the valve that was the overflow valve, even though nothing was overflowing. So they
(32:00):
opened up that valve. And then the third thing they did was keep filling the tank with the valve open. And it would put this simulated oil inside the simulated ocean. Now, all of this was just to show that the ATTREX around that these devices, we don't know where all they're deployed at. But this is a
(32:24):
scenario that could happen if our exploit would have gotten out in the wild. But, you know, the end result was we learned a lot. And while it sounds pretty simple, you know, when you put it all together, the exploit was pretty straightforward. But this is the kind of stuff that security researchers and hackers
(32:45):
go through, and it's that one little nugget of knowledge that can lead to the whole castle, that can lead to the whole house of cards collapsing. Well, there you have it. So we're at the bottom of the half hour and I really appreciate everybody for riding along. And I hope everybody had a great Memorial Day with their
(33:08):
family and friends and paused and reflected on those that gave the ultimate sacrifice to ensure we have our barbecues and even these podcasts. I would like to thank everybody that subscribes to the Globalbob show Facebook page. Hello everybody.