5 You Don’t Know What You Don’t Know – Smarthome Security
In the preceding chapters we looked in detail at some of the communication protocols used in private local area networks, and we outlined the risks that arise when traffic crosses the border between the private network and the public Internet. In particular, I recommended avoiding dynamic DNS services in combination with port forwarding and/or the use of UPnP, which configures port forwarding and dynamic DNS automatically, without user intervention. To make sure you truly understand the threat such configurations pose, this chapter gives a brief description of how the corresponding attacks work.
5.1 Attacking the HAN
In the first step a potential intruder identifies domain names that could point to IoT or smart home devices and that are visible from outside the private network. This is done with a bulk DNS guessing tool such as subbrute (https://github.com/TheRook/subbrute), a so-called subdomain brute-forcer. It works as follows: when you set up a dynamic DNS service, you are typically given a domain name by your dynamic DNS provider, which you can extend with a subdomain of your choice. For example, when signing up for a dynamic DNS account with DNSdynamic, you are provided with the domain
which you can, for example, extend to
Feeding subbrute with the dynamic DNS provider's domain and a dedicated word list containing vendor names and descriptions of IoT devices (a starting point for such lists is https://github.com/danielmiessler/SecLists), you can quickly identify a large number of candidate domains that point to IoT devices. In the next step this list is fed to a port scanner, which checks the hosts behind these domains for open ports. To speed up the search, the scan is typically restricted to ports known to be used by vendors of IP cameras or smart home devices, such as 49153 for Belkin WeMo devices or 85 for Swann security cameras. When the scanner finds an open port, the device behind it will often respond with information about the vendor, the software version, or a login screen. This response is called the fingerprint or banner of the application. The final step of the attack is then to guess the password (which, more often than not, is still the default password) or to exploit a known vulnerability in the discovered software version, in order to take control of the device and, subsequently, potentially of the whole network.
5.2 IoT Search Engines – Shodan and friends
Tools that automatically identify open ports of Internet-connected routers have been around for many years. A relatively new approach is Shodan, which combines automatic port scanning with a search engine database. The service was introduced in 2009 by John Matherly and has been optimized to identify devices that are connected to, or accessible from, the public Internet. Shodan scans ports typically associated with routers or IoT devices such as web cams, thermostats, etc.: HTTP/HTTPS 80, 8080, 443, 8443, FTP 21, SSH 22, Telnet 23, SNMP 161, SIP 5060, and RTSP (Real Time Streaming Protocol) 554. If an application or device answers a request with its fingerprint, Shodan stores this information and adds it to its database. Other tools for automated application fingerprinting have been around for years, either for web application penetration testing or for use by attackers. Well-known tools are httprint, Xprobe2 and p0f (version 3). There are also online fingerprinting services, such as the one from Netcraft (http://toolbar.netcraft.com/site_report?url=undefined#last_reboot), which can be used to analyze vulnerabilities online. Shodan itself can also be used to test the visibility of your private network and its components by pointing it at the external IP address of your network router. This gives a first assessment of how visible your home area network and its components are from the outside. Figure 5.1 shows the feed of a private webcam that Shodan identified as accessible from the Internet.
Figure 5.1 Private webcam feed accessible from the Internet as identified by IoT search engine Shodan
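As an added example (not part of the book's text), the self-assessment recommended in 5.2 done with a small Python script instead of Shodan: it attempts a TCP connection to the router/IoT ports named in 5.1 and 5.2 on an address you own and records the banner each open port returns, which is exactly what the scanner-and-banner step in 5.1 collects. The local listener and the banners used in the demo are constructed so that the script runs offline; the port list is an assumption drawn from the chapter, not Shodan's actual scan list.

```python
import socket
import threading

# TCP ports the chapter names as typical router/IoT services; SNMP 161 is UDP and
# is not covered by a TCP connect check.
IOT_PORTS = {21: "FTP", 22: "SSH", 23: "Telnet", 80: "HTTP", 85: "HTTP (Swann)", 443: "HTTPS",
             554: "RTSP", 5060: "SIP", 8080: "HTTP-alt", 8443: "HTTPS-alt", 49153: "UPnP (WeMo)"}

def grab_banner(host, port, service="", timeout=2.0):
    """Banner the service sends ("" if silent), or None if the port is closed/filtered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            if service.startswith("HTTP"):  # web servers only answer after a request
                s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            try:
                return s.recv(512).decode("latin-1", "replace")
            except socket.timeout:
                return ""
    except OSError:
        return None

def check_exposure(host, ports=IOT_PORTS, timeout=2.0):
    """Map every port on host that accepts a TCP connection to the banner it returned."""
    found = {}
    for port, service in sorted(ports.items()):
        banner = grab_banner(host, port, service, timeout)
        if banner is not None:
            found[port] = banner
    return found

# Offline-demo helpers: a throwaway local listener that serves a constructed banner, and a closed local port.
def serve_constructed_banner(banner, read_request=False):
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def run():
        conn, _ = srv.accept()
        if read_request:
            conn.recv(1024)
        conn.sendall(banner)
        conn.close()
        srv.close()
    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

def closed_local_port():
    with socket.socket() as probe:
        probe.bind(("127.0.0.1", 0))
        return probe.getsockname()[1]
```

Run check_exposure against your router's external IP address (or the hostname you registered with a dynamic DNS provider) from outside the home network; every port it lists is what a subdomain brute-forcer or Shodan sees and belongs in your review of port-forwarding and UPnP settings.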