Man-in-the-Conference-Room - Part V (Hunting OEMs)
Mar 28, 2019
A few weeks passed after my report submission and I don’t know why but I had this realization: the custom protocol fingerpint is so unique that I should be able to identify these devices in Shodan. Immediately followed by no way people are exposing those devices publicly, this makes no sense.
I then fingerprinted all these hosts by interacting with the association protocol I reversed earlier. I did so by writing a modified version of “awind-device-info” Nmap script that returns the hostname, manufacturer, model, and firmware version of the target. I had to modify it because all hosts were not acting in the same way (e.g. presence of null bytes in weird locations, manufacturer and model value were inversed).
The next step involved spending my free time Googling for manufacturers and model names to figure things out.
I found out that all those devices were actually manufactured by Awindinc (which was acquired by Barco in 2013) as white-branded devices. Those white-branded devices were then customized to the needs of other manufacturers such as Crestron, InFocus, Teqavit and the likes. The diagram below (click if you want a larger version) is a genealogy tree of these devices.
To really understand how white-branding works, I offer you this gif of all these web interfaces running the same code behind:
2. Firmware Analysis at Scale (a.k.a. grep)
Even if I knew all these manufacturers and models were running the same kind of software, I still had to confirm that they were vulnerable too.
Without access to these devices (I don’t have $10k lying around), I resorted to downloading a truckload of firmware files for offline analysis. I didn’t want to spend too much time so I wrote a bash script that would extract the archived rootfs from the firmware file with dd, extract the archive and grep for sequences that indicates vulnerable code similarities. The process is not entirely bullet-proof but it helped me provide a more accurate list of affected devices to Awindinc when I started the coordinated disclosure process.
You can find my script below:
And see it at work against the latest firmware versions of Trucast 1, 2, and 3:
3. Exposure Assessment
As always, I wanted to assess the overall exposure to vulnerabilities I discovered. Specifically, I wanted to visualize the following:
how many devices have SNMP enabled and how many of them use default communities ?
how many devices exposes Airplay service ?
how many devices expose their web GUI ? how many of them uses default credentials ?
generic visualization of manufacturer distribution, model distribution per manufacturer, and version distribution per model
I usually relied on matplotlib and a bit of Python to make such visualization (see the ones I made for RabbitMQ and Node-RED exposure) but this time was a bit more complex so I looked for easier ways to do it. I end up finding Offensive ELK which is an ELK stack running on Docker container that can ingest Nmap results.
A few script modification later I was able to ingest my script results and create wonderful dashboards such as the one below presenting vulnerable devices count and manufacturer distribution:
Or this one presenting the model distribution from Crestron manufacturer, with a version distribution graph per model:
Thanks to my reverse engineering effort and Shodan, I understood that a lot more devices were affected.
This led me to notify the right company and to provide them a detailed list of devices known to be affected by discovered vulnerabilities.
The next article will be a general conclusion with clear advisories and coordinated disclosure timeline. You can find it here