Who Controls the Controllers? Hacking Crestron IoT Automation Systems

Video thumbnail (Frame 0) Video thumbnail (Frame 1732) Video thumbnail (Frame 12106) Video thumbnail (Frame 18869) Video thumbnail (Frame 22103) Video thumbnail (Frame 25127) Video thumbnail (Frame 26086) Video thumbnail (Frame 28291) Video thumbnail (Frame 34991) Video thumbnail (Frame 36494) Video thumbnail (Frame 43478) Video thumbnail (Frame 46262) Video thumbnail (Frame 49304) Video thumbnail (Frame 51237) Video thumbnail (Frame 52761) Video thumbnail (Frame 53895) Video thumbnail (Frame 55815) Video thumbnail (Frame 59085) Video thumbnail (Frame 60261) Video thumbnail (Frame 61553) Video thumbnail (Frame 64095) Video thumbnail (Frame 65241) Video thumbnail (Frame 67291)
Video in TIB AV-Portal: Who Controls the Controllers? Hacking Crestron IoT Automation Systems

Formal Metadata

Title
Who Controls the Controllers? Hacking Crestron IoT Automation Systems
Title of Series
Author
License
CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
2018
Language
English

Content Metadata

Subject Area
Abstract
While you may not always be aware of them or even have heard of them, Crestron devices are everywhere. They can be found in universities, modern office buildings, sports arenas, and even high-end Las Vegas hotel rooms. If an environment has a lot of audio/video infrastructure, needs to interconnect or automate different IoT and building systems, or just wants the shades to close when the TV is turned on, chances are high that a Crestron device is controlling things from behind the scenes. And as these types of environments become the norm and grow ever more complex, the number of systems that Crestron devices are connected to grows as well. But it is in large part because of this complexity that installing and programming these devices is difficult enough without considering adding security. Instead of being a necessity, it's an extra headache that almost always gets entirely passed over. In this talk, I will take a look at different Crestron devices from a security perspective and discuss the many vulnerabilities and opportunities for fun to be found within. I will demonstrate both documented and undocumented features that can be used to achieve full system compromise and show the need to make securing these systems a priority, instead of an afterthought, in every deployment. In short, hijinx will ensue.
Game controller Demo (music) Multiplication sign GUI widget Demo (music) Projective plane Design by contract Twitter Explosion Different (Kate Ryan album) System programming Game theory Information security Information security Vulnerability (computing)
Topological vector space Game controller Service (economics) Serial port Distribution (mathematics) Set (mathematics) Open set Computer programming Zugriffskontrolle Programmer (hardware) Bit rate Personal digital assistant System programming Integrated development environment Office suite Communications protocol Information security Game controller Programming language Distribution (mathematics) Observational study Touchscreen PCI Express Line (geometry) Control flow Product (business) Exclusive or Type theory Category of being Touch typing Universe (mathematics) Office suite Software testing Musical ensemble Quicksort Information security Videoconferencing
Intel Building Model theory Multiplication sign Arm Computer programming Medical imaging Befehlsprozessor Interpreter (computing) Office suite UDP <Protokoll> Touchscreen Arm Computer file Unicastingverfahren Product (business) Tablet computer Latent heat God Process (computing) Linker (computing) Touch typing System programming Resultant Booting Firmware Point (geometry) Dependent and independent variables Computer-generated imagery Wave packet Number Revision control Broadcasting (networking) Internetworking Term (mathematics) Octave Video game console Integrated development environment Firmware Installable File System Noise (electronics) Dependent and independent variables Projective plane Model theory Android (robot) Computer program Word Integrated development environment Personal digital assistant String (computer science) Universe (mathematics) Revision control Computing platform Videoconferencing
Group action Computer file Programmable read-only memory Directory service Programmer (hardware) Mechanism design Goodness of fit Chaos theory Telnet File system Video game console Process (computing) Information security Multiplication Default (computer science) Operations research Default (computer science) Computer to plate Complex (psychology) System administrator Computer program Operator (mathematics) Computer programming Process (computing) Programmer (hardware) Interface (computing) System programming Different (Kate Ryan album) Energy level Video game console Game theory Information security
Standard deviation Service (economics) Computer file System administrator Computer programming Different (Kate Ryan album) Electronic visual display Video game console Configuration space Information Message passing Address space Modem Computer to plate Demo (music) Computer file Binary code Android (robot) Computer program Electronic mailing list Heat transfer Control flow File Transfer Protocol File Transfer Protocol Mathematics Data mining Message passing Word Software Personal digital assistant Function (mathematics) System programming Video game console Electronic visual display Videoconferencing Modem Session Initiation Protocol Firmware
Crash (computing) Computer to plate Public key certificate View (database) Function (mathematics) Process (computing) Lattice (order) Musical ensemble Statistics Public key certificate Task (computing)
Computer to plate Key (cryptography) Demo (music) Android (robot) Maxima and minima Set (mathematics) Menu (computing) Web browser Control flow Web browser Graphical user interface Word Telecommunication Function (mathematics) Directed set Row (database) Metropolitan area network Computing platform
Broadcasting (networking) Dependent and independent variables Greatest element Roundness (object) Touchscreen Binary code Set (mathematics) Firmware Metropolitan area network
Computer to plate Greedy algorithm Demo (music) Binary code Control flow Default (computer science)
Email Code Multiplication sign Set (mathematics) Food energy Fluid statics Computer configuration Encryption Cuboid Amenable group Position operator Vulnerability (computing) Algorithm Electric generator Touchscreen Product (business) Laser System programming Right angle Video game console Information security Resultant Electric current Reverse engineering Firmware Functional (mathematics) Link (knot theory) Algorithm Numerical digit Data recovery Compass (drafting) Password Product (business) String (computer science) Telnet Rootkit Video game console Router (computing) Firmware Address space Computer to plate Inheritance (object-oriented programming) Key (cryptography) Android (robot) Extreme programming Subject indexing Password Universe (mathematics) Gastropod shell Key (cryptography) HTTP cookie Musical ensemble Backdoor (computing) Address space
Authentication Goodness of fit Message passing Password Demo (music) Cuboid Dressing (medical) Reading (process) Address space Metropolitan area network Element (mathematics)
Musical ensemble
Functional (mathematics) Arithmetic mean Injektivität Computer to plate Demo (music) Android (robot) IRIS-T Computing platform Video game console Bit Musical ensemble
Injektivität Touchscreen Information Code Android (robot) Revision control Programmer (hardware) Gastropod shell Computing platform System programming Right angle Gastropod shell Computing platform Position operator Disassembler
Scripting language Boss Corporation Sensitivity analysis Scripting language Computer file Execution unit Android (robot) Roundness (object) Personal digital assistant Gastropod shell Computing platform Gastropod shell Booting Computing platform Spacetime
Scripting language Scripting language String (computer science) System programming Gastropod shell Gastropod shell 8 (number)
Asynchronous Transfer Mode Multiplication sign Demo (music) Home page Set (mathematics) Directory service Data storage device Writing Mathematics Sign (mathematics) Blog Hash function Logic Rootkit File system Factory (trading post) Video game console Configuration space MiniDisc Category of being Computer to plate Streaming media Hypermedia Well-formed formula System programming Configuration space Musical ensemble Videoconferencing Electronic visual display Table (information) Routing Firmware
Asynchronous Transfer Mode Execution unit Touchscreen Computer file Directory service Streaming media Thread (computing) Recurrence relation Mathematics Error message Hypermedia Commodore VIC-20 Network socket Revision control Interface (computing) Information Musical ensemble Videoconferencing Default (computer science)
Installation art Programmer (hardware) Default (computer science) Goodness of fit Mathematics Information security Normal (geometry) Information security Vector potential Default (computer science)
Authentication Slide rule Group action Building Authentication Android (robot) Computer network Vector potential Flow separation Product (business) Zugriffskontrolle Mechanism design Software System programming Computing platform Integrated development environment Address space God Address space
Surface Email Service (economics) Computer to plate Service (economics) Tesselation File Transfer Protocol Twitter Product (business) Hypermedia Internetworking Telnet Software suite Session Initiation Protocol Point cloud
okay so so yeah thanks for coming out can everybody hear me okay all right so yeah let's get right into it okay so
yeah FOC I work on the advanced security research team at Trend Micro it's a pretty awesome game because I get to do offensive research all day basically find ways to break things and then builds cool exploit demos around it and of course you know do the responsible thing and disclose all the vulnerabilities I find to the zero day initiative and we work with the vendors to to get all the issues fixed since I've been working there I've found over 40 vulnerabilities and different things mostly I also do like to speak at conferences this is actually my fourth time speaking at Def Con for some reason they keep letting me come back I'm not sure why but yeah spoken I have three contracts time to work on stuff like that okay so when I started this project
I didn't need to know what Crestron was a co-worker of mine actually had a couple of old Crestron devices and wanted me to take a look at and you know I do love to take requests so I said sure so I thought like since I had no idea they were there are probably some other people out there that don't know what they what they are what they can do either so I figured it would be good to
do like a little intro type of thing so basically restaurant advices are device controllers they're fully programmable and customizable their bread and butter it's kind of audio/video that is what they're known for it's like an audio-video distribution and control type setup but they're also doing like you know the fancy things were you like go into a room and there's like a ton of panel on the wall and like click a button and it'll open up the shades and stuff like that and they're also managed to get yours I've also seen a security settings you know a panel on the door you know intercom you and just somebody and I'm like cool they've got basically the device so you can do every serial PCIe or you can even do it like straight relay control maybe kind of girl it's kind of their own little hang so basically the way you do is write a program and what's called simple to their their little programming language basically designs rice accidents to perform on your guys's you guys sort of like that the main thing though is that I mean could get very complex and have a most people aware I mean I don't install in their offices the programmer and solder that's gonna be able to know later on so yeah the - or first off the way that you interact and as a programmer with it with the dice is through with all the and that's basically this talked about the CIE [Music] [Music] services basically everywhere I see them on the universities about system ironmans actually has this major were [Music] all AmeriCorps VISTA got got a funny little thing that later lots of the lots of pals or they're in the gas phase and the TVs something like that and then of course irretrievable spouses rating on so really like you know but they move the VA's both food and networking systems and they are [Music] like the that basically lists all properties on the strip when I use credit on including city palace re of our agenda brands there a partnership with engineer and so yeah there you go is that okay I thought it was wise I've got a mini freely right there and then touch screens with the Carl's very popular and they haven't got other TSW 7:16 ready their screens are being deployed in like one in every room type type of deployments see these in
like and every conference room and an office kind of thing but they don't just do that you like I know you're looking at your surroundings so my training guys which is moving with a see that I've seen missions with us and I haven't come across them they're out there and then the touch screens you are actually tablets and they also got their processes Linux so today is decide that's one way down and it's a small samples okay and it is so the increase everywhere whether they believe it with the ROM images should be able to have another in here I used the wrong tool to dump the finish because we had it this is five of the bearings although in the firmware they actually still have like the winning tool lets you connect slightly visual studio to you by Justice nndof interesting to see us to the winner and then for the case of you voices manages survive everything you need to manage the image was so I just got access to that way there's the pipes arm and I didn't most of my actual in the death remember seeing this awkward because I'm more familiar with add there and with with us be my this a simple cleaning air cleaner so I just most my time there and he's we're just going to go ahead a like you know their eyes and things and it finds something very like simple things like it in the commands okay so we know a car now that we needed to find them one of the things I always look for when I'm starting a new project is a discovery packet and I didn't have at this point they have this magic I think that might be the curveball I haven't gone into like what what the police isn't gonna I or anything because I definitely need to listen my purposes we look at in the future yeah you sit in this packet to the 94 broadcast you're gonna also really do NASA which is fine but the response to get back from our own devices to contain stereo the same model the firmer version of the building so the noises that are connected directly to the Internet usually there's around twenty to twenty four thousand of these directly connected the results models it was two most deployed buses that were connected directly to the Internet we're an even and directly to the Internet I'm gonna give a report okay so all I
said what is it for a strong well running the different programs the different five words in two different environments but I did find a couple of universal truths where we get into the good stuff so Universal term the number
one Ally involved
okay so earlier basically a console connected listening on port 41 that I'm 95 and it gives you a lot of the little pink commands that you can run all the different aspects of the game over it's got a file system so just limited access and you didn't like uploaded files within a half chaos off has some really good automation mechanisms in a group I in the depression but it's all off by default and nobody you know it's an all kind of like the visa so great they can rely on a security promise to this programmer to know that they need to enable automation and the end up like concentrating more on gaining all the moving pieces working together than they do like we're working together and also able to happen but it's not exactly and one stead of process either the innovation enabled so does everything is turned on so when you
do and if you run into a mine an administrator okay so much get in
basically the the standard things I mean they go a lot of a command in this demo but a lot of the commands of all the different services Ron Harris is a shaman FTP server to do that another common thing I have the word was interesting you can also access all of in the network and both like getting arrested in their address which is also anything you can also are within a sandbox using the okay if I put a file for me to be your FTP members and then they also have a modem and then program case if you guys if you make the program that takes in commands you can never lose the CT console I mean you can just send that's witty people like singing doctor for anything to on-screen display messages and you can play audio if they gonna go house and Google so that's fine but I knew they'd take me hello all and seeing a list of minions that probably wasn't all of the demands there are other thing are the binaries for those services and anything that I'm going to
go much inconvenience a document they also have access to you
know certificates which Khomeini of you for the district meetings
[Music] crashes this is really cool you
can actually directly talk to the on the word and absolutely I think I've tried that on my platform we give him like oh no no that the Chrome browser and their agents whatever weather might want you give them also settings key presses and I just to be wise this is essentially like you know oral remember everything in this man is you give it the name of Ohio and I'm having one one every ward and them alone audio from the microphone that you got out the device you can also control it like my pretty awesome
okay let's give our person to level so
learning to wake it up okay so this is my probe to the broadcast and then parses all of the all of the returned I using it and then every each I know Peter I said that that's penny no response I'll open up their economy possible and run everyone eyes and anyway okay you can see I got three three there's a firmware that is running the little base and you can see open straighter and then a nice to you know I wants to pay by one about to kiss w firmware and the City Council's open oh and if you look at the the binary that handles this you can see is doing like one wanna check for one value and if that Jack returns false then he also known just doesn't work on a nice barn I'm honestly not sure all that so let's try acting to the bottom of the screen should I try that again everybody so so basically all you can see they give a huge round of commands you can run like up a lot of AK of an ass and when I'm going to missions to this one so so yeah I eat a big you can address we're going even if you're not on the same set of man as an advice which is pretty cool so let's connect to the SW so the our super user and then this
binary su PWD generator following which
needed at Universal through the members to see you managed to get back to our house so they had to house
cor super user I found out like like this week these were all simultaneously by accident with a lot of vulnerability positions already ever happens to me and these were all like all those amenities within weeks of each other it was really super coincidental and so this these bank accounts are present in all their products and commands I believe limited but I think the way they work is they got a unique passwords for every dice which is like the 16 character alphanumeric randomly generated password but you can get so ok this is probably the only time you'll ever hear me saying they should have a bar code to the passwords and in the firmware hard-coded password and just burned it into the firmware it was you inker guys fine or if they couldn't get remotely also fine but instead they based on something I have access to the CTP console and included the generator algorithm in the firmware so the reverse engineer the generation algorithm so the city boy living here is complicated I just be populated with an address and a static string Radek screen first user first er emps degreaser you're trying to easily not used to the right static string comma divest and you use that as the key for an RC Porter cipher with an i-beam and use that our CD course I prepared a second set of extreme and a resulting encrypted string you go through each character of that and Melissa with a city to which is just a link with a bear their character set and they use the results and index to pick a character out of their character set and then you end up with a 16 character alphanumeric password for the user but with half the device and restore function okay so what can you do with energy recovery house so the CRA mg super user enables have been more hidden commands so the whiskey [Music] commands and then it'll all look at the can anyone Sabrina didn't have also on the window-seat when they do that assistive device and they get a little launch command which actually likes to do any excuse me below on the bottom outside of assisting a box and then on the Riverside they they have this timeline I forged cookie and then or off and then I let's turn that on or off but we need to do that as the CRC superuser they make it with other option which is telling that debug so when you do some that we're we're debug and actually open up Rochelle you can connected to outside of this analyst and I haven't found that yet okay so
that's good over or someone weird of us
okay so what I do with in a sec cream you can see the general reading based on my address so to the CT before beauty I've ever run east at which is a man assumed a man actor dress for the engineering user and then I actually uses a command to disable authentication for the element and then then I launch a thorough and I gave me a box devices and then if we look at generating password money be set to get my actor pass and I already do look Michelle for me alright so knows
I might have to do a Malay when I am on the bar okay let's try getting universe okay [Music] dear almost all right let's try that everyone before they don't have those [Applause] [Music] [Music]
[Music]
[Music] so typical this function was actually called quite a bit by other by various means
the disassembly and then these compiled
version of that disassembly on the right you can see it's pretty straightforward just like you know build up a screen based on the info you're doing and then send it straight to the system so super yeah super easy I notice that these commands seem to be you know programmatically handles I wanna see so so you know they weren't they weren't honorable to this and command injection is on the Android platform I don't know if that's because they were programmers are more familiar with when i see ee because they have a longer history whatever what don't yes but yeah everything was just kind of positive shell on android instead of handling in the code most we're super simple to exploit like is their back taste whatever commands you want to run that
kick up a little more difficult and if i'm piercing boots to get
exploits out of those slowly round and round delete they take whatever our unit they're giving and they up case it before using it and since this is a space platform commands are case sensitive and are running useful all over face commands that I know so my first solution was to create a shell script filled with the commands that I wanted to run and then call it all capital blah and then uploaded with an arbitrary file uploaded from earlier so I just get into the same boss but the
uploader script didn't have XT permissions and dollar shell and oh - we're not set so I found and then - wah and then it would actually were in my script is actually a UNIX command I mean you gotta have before I mean it works an end of my course whatever works okay okay so we've
ever done everything I'll give this another time over here but I want to do something different so so when I finally did I use the directional to modify one of the config files that controls all of the screening settings and then I use the we started to pick out those changes and then our JSP screaming start are you working so I'm gonna just let me finish - okay so you got here file system you do like I'm gonna love this example because it's so like a society works SDXC deep and in there so if you do like [Music] this route example I guess I'm the ghooost first okay sign them over tables and then we're gonna pop up
[Music] so a very important note is that there's no change on the touch screen to indicate that is now roughly screaming from another like ham did I mention that he's currently sitting like recurrence [Music]
things up so the potential for good security practice is there and then these devices but the problem is that it is to turn off by default the APRA my honor and installers programmers before you or if you know that this problem exists then you can do it yourself which is one of the reasons why the problem is actually there but is it serious and enable I got involved it's not getting able so it really is dependent on Christ or on making these changes which they have awesome so yeah like all the Microsoft's
forward groups and then let's say a little boy somewhere in the world whether they're gods that so they can actually use things like recording microphone as you know knowledge forward permeating common thing like network or several other sayings thing the other or what okay so slide has a release updates to
address all the issues discussed today actually I were earlier this this week that my advisories are all of this stuff I know you're going to be released yesterday anyone Asian noodles but you should definitely do that because if actually sending authentication mechanisms were enabled but none of the way that's tax and lots of work that I
still need to do gtp flatworm there's way more loans that I you know have been to the serviceable or anguish when I could avoid it the pot files suit of armour tiles and other services like the IP HTTP as an MP you know you name it and then other guys I got to handle a lot anyways I signed up just like like was this morning but it stands for is internet Alliance so it's a partnership between credits Robin Intel doesn't make any edible device that I can go and turn all the other things within the keep an eye out for more in the future and yeah
ways that you can handle emotions just yeah
[Applause]
Feedback