Okay, so yeah, thanks for coming out. Can everybody hear me? Okay. All right, let's get right into it.

So, I'm HeadlessZeke. I work on the Advanced Security Research team at Trend Micro. It's a pretty awesome gig because I get to do offensive research all day, basically: find ways to break things and then build cool exploit demos around them. And of course, do the responsible thing and disclose all the vulnerabilities I find to the Zero Day Initiative, and we work with the vendors to get all the issues fixed. Since I've been working there, I've found over 40 vulnerabilities in different things, mostly IoT stuff. I also like to speak at conferences. This is actually my fourth time speaking at DEF CON; for some reason they keep letting me come back, I'm not sure why. I've also spoken at REcon, Ruxcon, stuff like that.

Okay, so when I started this project, I didn't even know what Crestron was. A co-worker of mine actually had a couple of old Crestron devices and wanted me to take a look at them, and I do love to take requests, so I said sure. I figured that since I had no idea who they were, there were probably some other people out there who don't know what they are or what they can do either, so it would be good to do a little intro type thing. So basically, Crestron devices are device controllers.
They're fully programmable and customizable. Their bread and butter is audio/video; that's what they're known for, audio/video distribution and control type stuff. But they're also doing the fancy things where you go into a room and there's a touch panel on the wall, and you click a button and it'll open up the shades and stuff like that. They're also getting into building management systems; they've got the capability to tie BACnet into your Crestron controllers. I've also seen them used in access control and security settings, like a touch panel on the door where you click the button and it'll intercom you to somebody who can let you in.

Anyway, they're very customizable. They've got basically any way you could possibly want to interact with the device: RS-232 serial, TCP/IP of course, you can even do straight relay control, and Cresnet is kind of their own little thing. So basically what you do is write a program in what's called SIMPL, which is their little programming language, and you use that to write actions to perform on your devices, but you can also write UIs, stuff like that. The main thing, though, is that the programming can be very complex, and most people, when they're having Crestron installed in their offices, will farm that out to a third-party programmer or installer. That's going to be important to know later on.

So there are two ways to interact with the devices. First off, the programmer interacts with the devices through what's called the CTP console, the Crestron Terminal Protocol, and that's basically the bulk of what this talk is about. And then there's also the CIP service, which is how Crestron devices talk to each other; it's a binary protocol.

As far as where you can find Crestron devices: basically everywhere. I see them a lot in universities, but also fancy office environments, secure airports (I'll have a little thing to say about that later). Lots and lots of hotels are putting these in the guest rooms to do fancy things like I was saying, with the shades and controlling the TV and stuff like that. And then of course rich people's houses.

So this is a screenshot where they list some of their major enterprise customers. You can see it's all over the place: T-Mobile, Amazon, Twitter, Coca-Cola, and so on. So really, you know, they've got both food and networking systems on there. And they have a partnership with Microsoft, which they actually like to point out quite often. Basically, Crestron is Microsoft's exclusive partner to manage all the meeting rooms and resources worldwide. I read that as: they are in every Microsoft campus across the world. They're also partnering more and more, and just last week or the week before they won the 2018 Microsoft Global IoT Partner of the Year award, so they like to talk about that.

But they also have some other case studies and stuff on their website, so I grabbed a couple of my favorites. Here's the Massachusetts Bay Transit Authority; they use Crestron devices for controlling and communicating with the train lines and stuff. Chicago Police Department: I don't know if you can see in the picture, but there's a little touch screen on every desk, and that's a Crestron device. And then this is probably my favorite, the Virginia State Senate. All of those are Crestron touch screens, and they say like yea or nay, that's how you vote. I like this one especially because in the case study they were trying to do the secure voting angle, like, you want to make sure your voting is secure, use Crestron. And since we're in Vegas, this is a screenshot from a hospitality showcase brochure that Crestron has, which basically lists all of the properties on the Strip where they use Crestron, including Caesars Palace, Aria, Vdara, all the MGM brands; they actually have a partnership with the MGM brand. So yeah, there you go.

Okay, so that was that. As far as products go, their two main flagship lines are the 3-Series controllers, and I've got an MC3 right there, and then they've got touch screens, which are also very popular; again, I've got a TSW-760 right there. Those touch screens are being deployed in one-in-every-room type deployments, so you can see these in every conference room in an office. But they don't just do that, they do a lot of different things. I could spend an entire career looking at just Crestron things.

Platform-wise, two main platforms. They've got their Windows platform, which is mostly Windows CE, but I've seen mentions of other versions of Windows; I haven't come across them, but apparently they're out there. And then the touch screens are actually Android tablets. They've also got their video processors and digital media streamers that use Linux. So basically, if something I talk about today is specific to the Windows side or the Android side, I will try my best to point it out.
I have kind of a small sample set, so some of them are like... Okay, just a little note about the firmware images. The MC3 firmware was basically a ZIP archive with the ROM images. I should be able to emulate it, but I haven't gotten that working yet. I used the dumprom tool to dump the file system out of the image. There are the file types of the binaries in there. Also interesting to note that in the firmware they actually still have the Windows CE debugging tools that let you connect Visual Studio to a Windows CE device to debug it and stuff; it's just kind of interesting to see those still in there. And then for the TSW, again, it was a ZIP archive of Android system images, so we had everything you would need to run a full Android system inside the firmware image. The system image was an ext4 file system, so I just mounted it and got access to the file system that way. There are the file types: 32-bit ARM. And I did most of my actual in-depth reversing on this platform because I'm more familiar with that than I am with Windows CE. So I just spent most of my time there, and I used the Windows platform to verify some things and then find some other simple things like hidden commands and stuff.

Okay, so we know what they are. Now we need to be able to find them. One of the first things I always look for when I'm starting a new IoT project is a discovery packet, and Crestron did not disappoint. They have this magic packet. I think that might be the CIP protocol; I haven't gone into what the bytes mean or anything because I didn't really need to, it wasn't important for my purposes, but it would be something to look at in the future. So you send this packet to 41794, broadcast, and you can also do unicast, which will be important for my next slide. The response you get back from all the Crestron devices contains their hostname, model, firmware version and build date.

So we can add it to Shodan. Now you can look for Crestron devices that are connected directly to the internet. Usually there are around 20 to 23,000 of these directly connected. The results for the models show that the two most deployed devices connected directly to the internet were an even split between the CP3 and the MC3. And for the eagle-eyed observers in the audience, that's actually the Las Vegas airport. They have a Crestron device connected directly to the internet, running at the airport.

Okay, so like I said, what is Crestron? Well, there are a lot of different things running different programs on different platforms in different environments. But I did find a couple of universal truths, and that's where we get into the good stuff.

Universal truth number one: unauthenticated admin access to the CTP console by default. The CTP console I mentioned earlier is basically a telnet console listening on port 41795, and it gives you a lot of built-in commands that you can run to control different aspects of the controller. It's got a sandboxed file system, so just limited access, and you can upload and download files within that sandbox. Now, they actually have some really good authentication mechanisms; they've got different access levels and Active Directory tie-ins and encryption, but it's all off by default. Like I mentioned earlier, the complexity of these systems is so great that you have to rely on a security-conscious programmer to know that they need to enable authentication, and they end up concentrating more on getting all of the moving pieces working together than on also having to enable security and stuff like that. It's just another headache, so it doesn't happen. And on top of that, it's not exactly a one-step process to get authentication enabled, so it just never gets turned on.

So when you connect to the CTP console, you get a little header that tells you what device you're connected to, and if you ask who am I, it's going to see you as an administrator. Okay, so once you get in, basically the standard things: they give you a lot of commands, I'll show you in the demo, but some of the basic things you can do are change and bring up different services. They've got a web server on there, SSH, telnet, FTP; the Android tablets actually have a SIP server running on them to do that intercom thing at the door I was mentioning. You can also get access to all of the network info, like the IP address and the MAC address, which is also going to be important in a minute. And then you can do arbitrary file upload within that sandbox, using the file get and file put commands for HTTP or FTP file transfers, and they also have XMODEM available if you're old school. You can also do firmware updates and program updates. If you made a program that takes in commands, you can send that program commands through the CTP console. You can just mess with people by sending different things to the on-screen display, like messages, and then you can play audio and video files and whatever, have fun with people.

So that was fine, but I knew that typing help all and seeing the list of commands probably wasn't all of the commands that were on the thing. So I started pulling apart the binaries for the services, and I ended up finding a bunch of hidden commands that are completely undocumented that you also have access to. So you can see all of the running processes; this is outside of the sandbox, all of these binaries are running outside of the sandbox. You can also view and modify all of the stored SSL certificates on all of the devices, which could come in handy for certain things. This one was just kind of funny: Dr. Watson is on the Windows CE platform, so it could help you with debugging crashes. This one I thought was really cool: you can actually directly talk to the chips on the board using I2C, so you've got your EEPROM, your video decoder and stuff. I've only seen that on Windows CE; actually, I think I've only tried that on my MC3, so I don't know if that's a widely used command or not.

The real fun stuff that you can do, though, is on the Android platform. You've got browser open and browser close, where you can open up the Chrome browser and direct it to whatever website you want. You can also send key presses and touches to the UI of the Android device, so essentially full remote control of the Android tablet. You can also record audio from the microphone remotely by just running this command: you give it the name of a file and the length of time you want to record, and it'll dump audio from the microphone to a file that you can download via the FTP on the device. You can also control mic volume and stuff like that. So, pretty awesome.

Let's get into our first demo. I think my MC3 is starting to die on me, so I have to wake it up before I can use it. There we go. This is my scanner. It basically sends out the magic probe to the broadcast and parses all of the return values that I get, and then for each IP address that sent me a response, I'll attempt to open up a connection on the CTP console so I can run my who am I. So running that, you can see I've got 192.168.1.3, it is the MC3, there's the firmware that it's running, the build date, and you can see "open CTP console". And then on 192.168.1.2, that's the TSW firmware, and the CTP console is open, but you'll notice it says "oh no". If you look at the binary that handles this, you can see it's doing one check for one value, and if that check returns false it defaults to unknown. So I guess that just doesn't work on the Android or Linux platforms; I'm honestly not really sure about that.

So let's try connecting to the MC3, on the bottom of the screen. Can everybody read that okay? So basically if you type help all, you can see they give you a huge number of commands you can run. I don't know if I even mentioned this one, but you can get the MAC address remotely, even if you're not on the same subnet as the device, which is pretty cool. Who am I? So I'm an administrator. Let's connect to the TSW. Again, a huge number of commands available. You can see there's a lot of SIP stuff on this one; you have access to media stuff. So kind of cool. If I do browser open, you'll see the Chrome browser pop up on there, I think, and I can do browser close to close it. If I do DIR, you can see this is not the whole file system, but this is all you have access to.

But I'm a very greedy person. You have a significant amount of control over these devices that they just give to you out of the box, but I wanted more. So I started looking for ways that I could escape out of the CTP sandbox and get full control over the OS. I was looking around at the different CTP commands, and I found something interesting in the SU command. Apparently I wasn't the only one who found this either, which I'll mention in a minute. But yeah, something interesting in the SU command: you can see there's a CR ENG Superuser, a CR Superuser, and then this binary, SUPWD generator, that they're calling. Which leads me to universal truth number two: secret engineer backdoor accounts.

So they had the two accounts, CR Superuser and CR ENG Superuser. I found out just this week that these were also simultaneously submitted by Justin, or Jackson, with Security Compass. I seriously had a lot of vulnerability advisory collisions on this; that hardly ever happens to me, and all of us submitted these within weeks of each other. It was really super coincidental and crazy, but yeah, shout out.

These backdoor accounts are present in all their current products that implement the SU command, I believe; again, my sample set is a little limited. The way they work is they've got unique passwords for every device, which is a 16 character alphanumeric randomly generated password, but it's actually algorithmically generated based on the MAC address of the device, which I already showed you we can get through the CTP console. So this would have been the only time you'll ever hear me say they should have hard-coded the passwords in the firmware. Because if they had found some way to hard-code the password and just burn it into the firmware, if it was unique to the device, that would have been fine. Or if they generated it based on something I couldn't get remotely, also fine. But instead, they based it on something they give you through the CTP console, and they included the generator algorithm in the firmware, so I was able to reverse engineer the generation algorithm.

So stick with me here, it's complicated. Basically you start out with a SHA-1 digest. You populate it with the MAC address and a static string, one for CR Superuser and one for CR ENG Superuser; depending on which one you're trying to use, you have to use the right static string. Then you take that SHA-1 digest and use it as the key for an RC4 cipher, with no IV, and use that RC4 cipher to encrypt a second static string. Then you take the resulting encrypted string, go through each byte of that, mod it by 62, which is the length of their character set, and use the result as an index to pick a character out of the character set. You end up with a 16 character alphanumeric password for your superuser for that device. And if you're super lazy, I also implemented it as a Ruby script, or a Ruby function. There you go, you can enjoy that whenever my slides get released.

Okay, so what can you do with the engineer backdoor accounts? The CR ENG Superuser enables even more hidden commands. On the Windows CE side, you can actually do console debug commands, and it'll list out all of the commands, even the undocumented ones, so that's pretty handy to have. Also on the Windows CE platform, they give you access to regedit, so you can edit the registry of the device, and they give you a launch command which actually lets you execute any executable on the device, even outside of the sandbox. Then on the Android side, they've got this telnet port command. It gives you options on or off, and it lets you turn telnet on or off. But when you do that as the CR ENG Superuser, they give you another option, which is telnet debug. When you do telnet port debug, it actually opens up a root shell on the device that you can connect to outside of the sandbox. As far as CR Superuser, I actually haven't found a use for that yet.

Okay, so let's go for some more demos. Everyone's still with me? Okay. So what I do with the MC3: you can see here it's generating the password based on the MAC address, all that stuff. I connect to the CTP port on the MC3, I run ESTAT, which is a command that also gives you the MAC address, I parse that out and generate the password for the engineering user, and then I basically use the regedit command to disable authentication for telnet, and then I launch telnet, and that gave me a telnet shell outside of the sandbox on the MC3 devices. And then if we look at the TSW side, it was much more straightforward. Again, generating the password, running ESTAT to get the MAC address, and then all I do is run telnet debug, and it opens up a debug shell for me.

All right, so let's run those. Let's try the MC3 one. Let's try the TSW one. Hopefully both of my demos don't fail; this one's cooler anyway, because it's an actual root shell. And so now, if you can see, you're actually outside of the CTP file system and have full access to all the good stuff. I got out. It's actually running Lollipop, and I think it's 5.1.1. So I don't know if that will change in future versions or not. But yeah, so debug shells and the backdoors, awesome.

Okay, so that was awesome, that was a fun thing to find, but also, since it's DEF CON, we should talk about some RCE vulns. So I found 22 command injection vulns on the Android platform. I actually had to cut myself off, because I kept finding more vulns while I was writing up other vulns, and it's like, I've got to get these advisories out. So yeah, the ping command has a command injection. This is another one of those collisions that I found out about after the fact; Kale and Jordan from Rapid7 also found that one. And then DIR was also found by Jackson. But then there's also CD, CD... basically anything that takes a string from the user. So kind of a typical situation. This subfunction was actually called quite a bit by various commands. You can see the disassembly, and then the decompiled version of that disassembly on the right. It's pretty straightforward: just build up that string based on the input you're given and then send it straight to system(). So super easy. I noticed that these commands seem to be programmatically handled on Windows CE, so they weren't vulnerable to the same command injection as on the Android platform. I don't know if that's because their programmers are more familiar with Windows CE because they've had a longer history with it, or what; I don't really know. But everything was just kind of punted to the shell on Android instead of being handled in code.

Most were super simple to exploit, like, just throw in some backticks with whatever commands you want to run. There were a couple of them that were more difficult; I had to jump through some hoops to get exploits out of those. Like route add and route delete: they take whatever argument you give them and upcase it before using it, and since this is a Linux based platform, commands are case sensitive, and there aren't any useful all-uppercase commands that I know of. So my first solution was to create a shell script filled with the commands that I wanted to run, call it all-capital BLAH, and upload it with that arbitrary file upload from earlier, so I could just get it into the sandbox. But the uploaded script didn't have execute permissions, and $SHELL and $BASH were not set. So I found out, I actually learned this while I was doing this, that normally when you use $0 it gives you a reference to the calling program, but apparently when you're doing this from within a system() call, $0 actually gives you a reference to the shell, which kind of makes sense, because system() spawns a new process that will be an actual shell. So using $0 I was able to get a reference to the shell, and then the final injected string was $0$IFS, for internal field separator, because it all had to be in one argument, and then ./BLAH, and it would actually run my shell script. I found out much, much later that dot is actually a Unix command; I never knew that before. It works kind of like source, so I could have also used dot instead of $0, but whatever, whatever works.

So, final demo of my talk. We already got our shell, and I could have exploited that to give us another type of root shell, but that's not good enough, I wanted to do something different. So what I did: I used that command injection vuln to modify one of the config files that controls all of the streaming settings, and then I used the command injection again to restart the CSIO service to pick up those changes, and then all of a sudden our RTSP streaming started working. I'll show you that in just a second. First let me connect. Okay, so you've got your file system. If you do like... I love this example because it's so immediately obvious that it works: all of a sudden there's a test.txt in there. So if you do that, you're injecting commands as root. I just love that example. Okay, so let's run the good part. So, final mode enabled, and in a second we're going to pop up VLC. A very important thing to note is that there's no change on the touch screen to indicate that we're remotely streaming from the webcam. And did I mention that these things are being used in hotel rooms?

Okay, so there's my final demo. I think we're doing okay on time, so let's wrap things up. The potential for good security practice is there in these devices. The problem is that it's just turned off by default, so you have to rely on installers and programmers to do it for you, or, if you know that this problem exists, then you can do it yourself, which is one of the reasons why I like giving talks like this: it's informing people that the problem is actually there. But basically, bottom line is, if security isn't enabled by default, then it doesn't get enabled. So it really is dependent on Crestron making the changes, which they have; I'll get to that in a second also. So yeah, this was an interesting situation, because of the types of environments where these things are deployed, it makes it so there's a high potential for use by insider threats. Like, you've got these things in all of Microsoft's boardrooms, and let's say Microsoft has a disgruntled employee somewhere in the world. What are the odds of that?
So they can actually use things like this, like recording from the webcam or the microphone, to do corporate espionage, like snoop on the board meetings and stuff. And then of course the hotel room thing. Usually you say, oh, we're going to put these devices on their own isolated network, so all of the Crestron devices are separate from all the other things. But then you have the situation with the hotel room, where some hotel guest goes into a room with one of these devices, pulls it off the wall, plugs in a laptop, and now they can reach all of the other ones in all of the other hotel guest rooms. You know, something to keep in mind. Like I mentioned earlier, the Android platform seems way less secure than the Windows CE platform, which caught me off guard at first, because I'm immediately like, oh, Windows CE, haha, so insecure. But they actually did a much better job on the Windows CE platform than they did on the Android platform. So I don't know if they're just starting to spread themselves too thin with moving to different platforms or what.

But, very, very important slide: Crestron has released updates to address all of the issues that I've discussed today. I actually got word earlier this week that my advisories for all of this stuff were finally going to be released yesterday. But yeah, Crestron has released updates for all of this stuff. And more importantly than that: enable authentication. It's a few steps to get it enabled, but you should definitely do that, because if the actual decent authentication mechanisms are enabled, then none of my attacks work; I couldn't even get into the CTP console to pull off any of my attacks.

As usual with these kinds of projects, I've got lots of work that I still need to do. There's lots of stuff still on the CTP platform; there are way more of those that I haven't scratched the surface of yet. But there's also the SIMPL programming language, which might be good to audit, the .puf files, which are the firmware files, and then there's a crazy amount of other services listening on these things also: CIP, HTTP, SNMP, you name it. And then of course they've got a slew of other products, like XiO Cloud, which would be cool to look at. Anyway, the last bullet point on this, IoAVA, is kind of just whispered rumors at this point, but what that stands for is Internet of Audio Video Alliance. It's a partnership between Crestron, Microsoft, and Intel to make an embeddable device that can go and turn all AV equipment into Internet of Things equipment, basically. So that's something to keep an eye out for in the future.

And there you go. Those are ways that you can reach me if you have any questions or just want to chat about stuff.