I did some reversing/exploring on a widely used IoT product for fun this week, and here’s what I found:

- embedded Linux on an SD card
- SD card not encrypted
- developed by a third party on behalf of the end customer who makes the actual device this thing is connected to
- runs the code in docker containers from a private container repo
- docker credentials for private repo stored locally
- can use docker credentials to access containers for all of the third party's customers, not just the one who makes the device
- GitHub creds in bash history
- can access source code for all customer projects using said creds

So things are going well over there.
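An added example, not code from the poster or from any product in the thread: a pre-release hygiene check a vendor could run over a mounted root filesystem image before cloning it onto devices, catching the leftovers listed above (shell history with logins and tokens, Docker registry credentials stored inline in config.json, git credential stores, SSH private keys). The file paths, history markers and the constructed sample image are all assumptions.

```python
import json
import tempfile
from pathlib import Path

# Home-relative files that carry secrets if they survive into a shipped image (assumed list).
SECRET_FILES = {".git-credentials": "git credential store",
                ".ssh/id_rsa": "SSH private key", ".ssh/id_ed25519": "SSH private key"}
# Substrings (matched case-insensitively) that mark a risky shell-history line.
HISTORY_MARKERS = ("docker login", "ghp_", "password", "token", "@github.com")
def home_dirs(root):
    """Yield /root and every directory under /home in the mounted image."""
    yield root / "root"
    if (root / "home").is_dir():
        yield from (p for p in (root / "home").iterdir() if p.is_dir())
def docker_auths_inline(cfg_path):
    """True when config.json stores base64 user:pass inline; a credsStore helper alone is fine."""
    auths = json.loads(cfg_path.read_text()).get("auths", {})
    return any(isinstance(v, dict) and "auth" in v for v in auths.values())
def scan_image(root):
    """Return (image-relative path, reason) findings for a mounted root filesystem."""
    root, findings = Path(root), []
    for home in home_dirs(root):
        for rel, why in SECRET_FILES.items():
            if (home / rel).is_file():
                findings.append((str((home / rel).relative_to(root)), why))
        cfg = home / ".docker/config.json"
        if cfg.is_file() and docker_auths_inline(cfg):
            findings.append((str(cfg.relative_to(root)), "inline Docker registry credentials"))
        hist = home / ".bash_history"
        if hist.is_file():
            for line in hist.read_text(errors="replace").splitlines():
                if any(m in line.lower() for m in HISTORY_MARKERS):
                    findings.append((str(hist.relative_to(root)), "history: " + line.strip()[:60]))
    return findings
def build_sample_image(root):
    """Constructed sample of a cloned development image; every value here is made up."""
    dev = Path(root) / "home/dev"
    for sub in (".docker", ".ssh"):
        (dev / sub).mkdir(parents=True)
    (dev / ".docker/config.json").write_text(json.dumps(
        {"auths": {"registry.example.com": {"auth": "ZGV2OnBsYWNlaG9sZGVy"}}}))
    (dev / ".ssh/id_ed25519").write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
    (dev / ".bash_history").write_text("ls\ndocker login registry.example.com -u dev\n"
                                       "git clone https://dev:TOKEN@github.com/example/proj.git\n")
    (Path(root) / "root").mkdir()
    (Path(root) / "root/.bash_history").write_text("apt update\n")  # clean history: no finding

def demo():  # scan the constructed sample: four findings, all under home/dev
    with tempfile.TemporaryDirectory() as d:
        build_sample_image(d)
        return scan_image(d)
```

In practice the image is mounted read-only (for example with a loop device) and the scan runs against the mount point; a non-empty result should block the release.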

@SecureOwl Are the initials Echo?
@Jeanniewarner nah, rather excitingly this was commercial/industrial IoT rather than consumer
@SecureOwl Not hugely better. (Remembering certain CCTV hacks...)
@SecureOwl yeah... iot devices are the gate in the middle of the road secure.
@SecureOwl amateurish crap seems to be way too widespread...

@SecureOwl

You got the credentials. The source is now open. You should push a fix in good spirit.

@SecureOwl That sounded oddly familiar, so I looked up that other thread this reminded me of.

https://digipres.club/@foone/112817523308786223

FooneπŸ³οΈβ€βš§οΈ (@foone@digipres.club)

good lord. I pulled a microSD card out of a Raspi inside an IoT product and it appears they had some developer use a raspi to develop/test some software, and then they just yanked the SD card out of that machine and duped it on to all of their deployed products. it's got .bash_history of the development process! there's git checkouts of private repos! WHY WOULD YOU DO THIS?

@scy @SecureOwl it reminded me of this too lol
@SecureOwl I also found something similar, access data and SSH keys in "no longer" usable OT network hardware. Firmware support eol.
@SecureOwl as someone who works professionally in this space, I wish I could say I'm surprised. We often get called in to fix other people's mess, and stars what a mess that tends to be 🙄

@SecureOwl PMSL.

I wonder if it's a certain ex employer.

If so, you've probably scored free WiFi at their office, and root access to (probably all) their servers too. And likely the CEO's laptop / car / Amazon account too.

Enjoy :)

@SecureOwl Not specific enough. That describes pretty much any IoT device.
@SecureOwl And things like this are why most people writing software can’t be called engineers.
@SecureOwl they always say to not store keys and credentials in github! No one said they should also not be stored on SD cards! 🤣
@SecureOwl Open Source, the hard way 🤔
@SecureOwl Ouch!
Seems a very secure IoT product.......
🤔

@SecureOwl

Yes.
This is the now.

The microwave is part of a botnet, the dishwasher exfiltrates wireless traffic, the TV watches you watching it, the lightbulb mines crypto for some unknown 3rd party..

\o/

@SecureOwl This shows that in today's ever faster moving world, humans alone cannot keep up with the complexity anymore and they need AI to (magically) make everything good again. 🤭
@SecureOwl I remember a story exactly like this some years ago, so it isn’t even the only product doing that
@SecureOwl Tell me it's a medical device... 🤦
@SecureOwl the "S" in IoT is for security