Sunday, May 22, 2011

Snidley Whiplash Visits the Home Security Store... by "Bob"

I know some pretty interesting people. Very talented. Very sharp. Very imaginative. I received the following from one of them this week. We'll call him "Bob". Bob's thought process is part Carnegie Mellon University's Computer Emergency Response Team (CERT) and part Snidely Whiplash. Enjoy... (emphasis below is mine)

"For about a year now I’ve been building this new office/shop/garage at my place. Being the engineer I am at heart I prewired it for video surveillance and alarm.

I found an online reseller with good prices and I purchased all the alarm components from them. I installed each switch or sensor as a separate zone so later I can use this system as a whole house monitoring platform.

I decided it is time to add the video. They had good prices and I bought close to $2000 worth of quality cameras and a 16 Channel DVR.

Last weekend I started to bench test it and get familiar before I commit the installation. I noticed the box was repackaged.

Then I noticed it is still full of video. It was installed at a restaurant and then returned. Not sure if the restaurant did it themselves or they had a security professional help. In any case they gave me their weeks’ worth of video. Moreover didn’t verify the contents and in turn sold it to me.

I was hoping to find some incriminating footage or something to brag about. Fortunately for them it was pretty benign stuff.

Then I started to think of the possibilities of what could have happened and decided to write to them regarding their security practices.

See attached. I was surprised they just sent me a misspelled apology and are sending me a new unit. Totally dismissing my attempt to point out to them the underlying problem here.

I’m going to do a threat assessment of the linux kernel in this unit when I get a chance. These cheap DVR boxes with Dynamic DNS and internet reachability are a whole new potential platform for a hacker. A modern day Trojan horse even.

Take the following scenario for a moment:
1. I buy one of these units (or 100 each from a different internet vendor)

2. Change the linux kernel to add a few tools and backdoor username/passwords and maybe even a phone home daemon. Phone home would need to be a secure tunnel and internet proxy aware. So spoof the proxy on port 80 with ssl traffic embedded. Also use tools like Wireshark/tshark, or one of my all-time favorites

3. Return it to the vendor for a full refund.

4. In turn they sell the units to John Q Public or better yet a customer with other units already on premise just waiting to be exploited.

5. It gets installed and finds a routed path to the internet and updates its DNS record location dynamically.

6. Meanwhile back at the black hats cave: We see the DNS entries for these devices show up and / or our phone home packets arrived at home. The latter is riskier because it gives a deterministic home location, for that we run our APP in the cloud to obfuscate our location.

7. Login and start monitoring, gather content and exploit the target. Granted step 7 here is dependent on something good happening. I would beg to guess every video surveillance installation at one point in time or another captures illicit/illegal activity or some sort of blackmail material content.

8. The black hat could now also secure shell into the DVR over the phone home tunnel and use it as a spring board to then perform vulnerability scans internal to the video network thus finding other DVRs, IP cameras, and other trusted behind the firewall type devices. Once accessed install similar tool sets, rinse and repeat for all reachable devices.

9. Lastly a coordinated attack. You locate physical assets to steal. At a coordinated time perform a denial of service internal to their network and take out the security infrastructure. Use tools like NetCat or simple packet capture replays with tshark to confuse the lan devices and potentially crash them if not just deafen their abilities to report. ARP storms are great for this. Actually once an inventory of devise is determined fingerprint scan each and look for known vulnerabilities for those devie’s kernels. Move in and out all the while the systems are incapacitated. Ideally you want to have the devices perform self remediation on their own, avoid forcing a hang condition and do not require reboots for remediation to hide the existence that anything happened adding to the confusion of what happened and how.

Not far fetched to believe. And all from a simple buy and return to the store type activity.

"Bob, you got me thinking. All these items are made in China, right? Isn't it possible likely that secret code has already been planted in them for future use?"

On another subject:
Do you recall a police movie (maybe Beverly hill cop) where the cop submits into evidence a large permanent magnet and it takes out the surv. video evidence. Well take that same concept to data tape backups.

I recently toured an Iron Mountain Magnet tape vault and observed them picking and putting tapes in and out for customers. Much to my dismay not all customers co-locate their tapes next to their own. Many of the tapes are slotted into the next available slot intermingling them with other customer’s tapes.

They don’t even screen the boxes coming in and out for high levels of magnetic flux. So a passive magnet weighing similar to the tape that gets checked in and out over a long period of time could potentially be creating small magnet grenades to the data nearby. To be a bit more sexy make that an active magnetic device with a motion trigger. Wait for no movement with a 3d accelerometer also sense that it is not lying flat in the original box but upright as if it is in the library. I mocked up this accelerometer algorithm in a two chip device using a basic stamp.

Allow it to ‘Wake up’ and generate as large of an oscillating magnetic flux as possible and expend the batteries. If movement is sensed have it go dormant again. Cycle these rogue tapes in and out rapidly over time. To target an attack request your own tape vault location and try to steer it near your competitors location or just carpet bomb the library with multiple devices over time. Not as affective but very destructive in nature. Evil isn’t it.

Not that I would never ever do such a thing or advocate or assist anyone in this behavior. But, I can think of it and other ways to thwart simple best practices.

Just like when I was in college and I came up with the idea to use an IR laser to take out a security camera by shifting its AGC and blacking out the picture. Later in life I saw this applied in a movie. I was like HEY I thought of that a long time ago. The cameras I bought for my place have the Sony chip in them that knows how to black out bright objects selectively within the ccd field of view. Thus obsoleting this vulnerability a bit.

Well thank for your time. My mind wandered with possibilities when I realized I have that other customers video content handed to me.

Have a great day."

As you can see, "Bob" is smarter and more clever than I am. That's why I love hanging out with the "Bob's" of the world. Now I know what "Bob" knows... and now, so do you. ~Kevin

Are you thinking, "Gee, I wish I knew who this "Bob" guy was. I have a security consulting project for him. Does he do freelance work?" 

I don't know. You'll have to ask him. His name is Bob Blair and he is an engineer in Massachusetts.