CONFidence
Krakow 2K8
Adrian "pagvac" Pastor
Senior White-hat Hacker at GNUCITIZEN
Cutting-edge Think Tank
About GNUCITIZEN
Think tank
Involved in research
Public/independent
Private/commercial
Ethical hacker outfit
Responsible disclosure
We have nothing to hide
The only active tiger team in the UK
Proud to have some of the best pros in our team
About GNUCITIZEN
We like to contribute!
www.gnucitizen.net
www.gnucitizen.org
www.securls.com
www.hakiri.org
www.houseofhackers.org
www.spinhunters.org
We also need to pay the bills (duh!)
www.gnucitizen.com
Cracking into embedded
devices and beyond!
Practical overview of offensive techniques against embedded devices
The drive behind this research
Many embedded devices are much easier to compromise than modern desktop/server systems
Yet there is not much public research on them compared to other security research fields
Focused on HTTP, UPnP, SNMP and Wi-Fi
Attacking the web console is one of the easiest ways to own the target device
Check out the router hacking challenge if you don't believe us! [link]
Scope of type of environments
Home/SOHO
Corporate
In other words, this research affects:
Devices used by users or small offices
Devices used in corporate environments
Focus on remotely exploitable bugs
Yes, local network attacks are cool, but this wasn't the focus of my research
Two types of remote attacks:
Classic server-side attack: no interaction required from the victim user. Probe the daemon on the device directly over its Internet-facing interface
New generation victim-user-to-server attack: target daemon available on the LAN interface only (NOT WAN). The exploit relies on an internal user (typically their browser) as a proxy to attack the device from inside the network
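The victim-user-to-server pattern above is what makes a "LAN-only" web console remotely exploitable: the internal user's browser carries the admin cookie and will happily fire a request at the device on behalf of any page it has loaded. The following is an added example, not code from the talk or from GNUCITIZEN, and it models no real product: a constructed embedded console that trusts any cookie-bearing request (the vulnerable form) next to the same endpoint with the checks a browser-proxied attacker cannot satisfy. The addresses, token values and endpoint name are assumptions made up for illustration.

```python
"""Added example (not from the talk or GNUCITIZEN code): why a LAN-only web console
is still remotely exploitable via the victim-user-to-server pattern.

The device address, endpoint, token values and header checks below are constructed
assumptions for illustration; they do not describe any particular product.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Request:
    method: str
    path: str
    headers: dict
    params: dict
    cookies: dict = field(default_factory=dict)


# Hypothetical embedded device state and secrets (constructed).
DEVICE_ORIGIN = "http://192.168.1.1"
SESSION_TOKEN = "s3ss10n"          # cookie the admin's browser holds after login
CSRF_TOKEN = "c5rf-t0k3n"          # per-session anti-CSRF token issued with the form


def vulnerable_console(req, state):
    """Typical embedded console of the era: any request carrying the admin's cookie
    is trusted, state changes are accepted over GET, and there is no origin check.
    A browser on the LAN attaches the cookie automatically, so a page served from
    an attacker's site becomes the proxy the slide describes."""
    if req.cookies.get("session") != SESSION_TOKEN:
        return 401, "login required"
    if req.path == "/admin/setpassword":
        state["admin_password"] = req.params.get("password")
        return 200, "password changed"
    return 404, "not found"


def hardened_console(req, state):
    """Same endpoint with the checks a browser-proxied attacker cannot satisfy:
    state change only over POST, Origin/Referer must be the device itself, and a
    per-session CSRF token must accompany the request."""
    if req.cookies.get("session") != SESSION_TOKEN:
        return 401, "login required"
    if req.path == "/admin/setpassword":
        if req.method != "POST":
            return 405, "method not allowed"
        origin = req.headers.get("Origin") or req.headers.get("Referer", "")
        parsed = urlparse(origin)
        if f"{parsed.scheme}://{parsed.netloc}" != DEVICE_ORIGIN:
            return 403, "cross-site request rejected"
        if req.params.get("csrf") != CSRF_TOKEN:
            return 403, "missing or bad csrf token"
        state["admin_password"] = req.params.get("password")
        return 200, "password changed"
    return 404, "not found"


def simulate(console):
    """Replay two constructed requests against a console implementation and return
    (status of the proxied attack, status of the legitimate change,
     password after the attack, password at the end)."""
    state = {"admin_password": "original"}

    # Request 1: the internal user's browser, lured to http://evil.example, loads
    # <img src="http://192.168.1.1/admin/setpassword?password=pwned">.
    # The browser attaches the device cookie; Referer points at the attacker's site.
    proxied = Request(
        method="GET",
        path="/admin/setpassword",
        headers={"Referer": "http://evil.example/lure.html"},
        params={"password": "pwned"},
        cookies={"session": SESSION_TOKEN},
    )
    attack_status, _ = console(proxied, state)
    after_attack = state["admin_password"]

    # Request 2: the admin genuinely changing the password from the console form.
    legit = Request(
        method="POST",
        path="/admin/setpassword",
        headers={"Origin": DEVICE_ORIGIN},
        params={"password": "new-strong-pass", "csrf": CSRF_TOKEN},
        cookies={"session": SESSION_TOKEN},
    )
    legit_status, _ = console(legit, state)
    return attack_status, legit_status, after_attack, state["admin_password"]


if __name__ == "__main__":
    print("vulnerable:", simulate(vulnerable_console))
    print("hardened:  ", simulate(hardened_console))
```

Against the vulnerable console the proxied GET succeeds and the admin password becomes "pwned" without the device ever being reachable from the WAN; the hardened console rejects it while still accepting the admin's own POST. Of the three checks, the per-session token is the one that actually carries the defence: Origin is not sent on every request and Referer can be stripped by proxies or privacy settings, so the origin comparison is a useful extra signal rather than something to rely on alone.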
Demo time: owning cameras
Hollywood style!
axis-defacer.sh
demo tool
Why “and beyond”?
OK, so you compromise an appliance. So what? i.e. who cares about my printer being owned?
We need to think in more than one dimension:
How far can you go after you own a device?
Why "and beyond"?: stepping stone attacks
If Internet-visible device not properly
segmented w