A recent project to roll out a CCTV system at our offices highlighted the immense security challenges posed by "Internet of Things" devices. The need to provide convenience to customers should be carefully balanced against the long term needs for security from the outset. At the dawn of a new era we should ensure a solid foundation is laid and that we don;t end up with a fundamentally broken set of protocols and practises.

1. Security
and the
Internet of Things

2. About Me
● Solutions integrator at Jumping Bean
– Developer & Trainer
● Certified Ethical Hacker
● Java
● JBoss
● Alfresco
– Technologies
● Java
● HTML5/Javascript
● Linux

3. Why IoT and Security?

4. Several Factors came together:
1) Needed a plan for the next big thing,
2) Needed a CCTV solution for the office,
3) Needed it to be fun and interesting to talk
about

5. My 3 Step “StartUp” Plan

6. Step 1
Find something to do
with:
– Cloud,
– Internet of Things
– Security &
– Big Data
Step 3
Profit!

7. The CCTV Project Plan

8. 1) Research CCTV cameras,
2) Buy some cameras,
3) Install cameras,
4) Use ZoneMinder,
5) Profit!

9. ● Pros
– “Hassle Free”
– No compatibility issues
– Cheap
● Cons
– No ZoneMinder!
– Lock in, No source
– Not easily hackable
● Lots of cheap CCTV camera solutions out there,
● 4 – 8 Channels with DVR,
● Everything comes in one kit,

10. Analogue vs IP Cameras
Analogue Cameras
● Pros
– Cheap,
● Cons
– Low resolution,
– Wall wart power supply,
– Need video capture card
IP Cameras
● Pros
– Use POE,
– High Resolution 1080p,
– No capture card
● Cons
– Expensive,
– Requires POE switch
–

11. Test Cameras

12. Securi Pro Analogue Planet Dome IP

13. ImpactVCB – Video Capture Card

14. Installation

15. ● Didn't die figuring out the
live and neutral wire!
● Internet said the black wire
is always live. What does
the internet know!
● Chose the red wire
● I was right!

16. Use ZoneMinder

17. ● Trouble free install on Ubuntu,
● Analogue camera just worked,
● IP Camera – needed to figure out the
undocumented stream URL

18. Profit!

19. Open Source Wins
(again)
– ZoneMinder
expandable,
– Configurable,
– Hackable,
– Source available
– ZoneMinder is
awesome
Analogue Cameras:
– Good for external
cameras. Who wants
an ethernet cable
dangling outside the
office?
IP Cameras
– Bit of a nightmare
– Undocumented,
– Insecure

20. ● Planet Hardware
● Atrocious, I.E no, documentation and really
bad firmware (wasn't surprised.)
● Browser app required ActiveX!
● Yay for Windows XP vm – used for tax and
other unsavoury purposes.
● No documentation for stream URL!
● Nada in web ui :(
● Nada on the interwebs :`(

21. What to do?

22. ●Duck-duck-go!
●Run nmap and see what's open!

23. ● Duck-Duck-Go
● There is a standards body that develops a
remote camera control API (ONVIF) Yay!
● Its a SOAP based service :(
● Planet claimed compliance Yay!
● Nmap - scary results
23/tcp open telnet
80/tcp open http
554/tcp open rtsp
8080/tcp open Http-alt
16000/tcp open fmsas
68/udp open|filtered DHCP
3702/udp open|filtered WS-Discovery
5060/udp open|filtered SIP

24. ● 23 – Telnet – Can't access, shows login prompt,
● 8080 – HTTP-Alt – Query to port 8080 with
SOAP browser plugin responds with wsdl!
● 5060 – SIP – ?
● Banner Grabbing – running ancient Boa http
server As of January 2006, Boa has the following limitations:
● No access control features (HTTP Basic access
authentication, etc.)
● No chroot option (planned)
● No Server Side Includes (deemed incompatible with server
performance goals)
● No SSL support although there are some patches against
0.94.13 that introduce SSL support

25. ONVIF

26. ● Different profiles for functionality
● Got security designed in up-front
● Planet implementation
● No SSL,
● No password to query web service
● Handy web method GetUsers→
● Returns users and plain text passwords,
● Got rtsp URL with GetStreamURI YAY!
● RTSP stream not encrypted!
● No account lockout

27. How to Fix?

28. ● Put DVR on own non-routable network or VLAN,
● Don't use externally,

29. WOW – Scary Stuff!

33. Is it just Planet?

34. ● Vivotek Dome IP Camera
● Has Wifi,
● Supports ONVIF,
● Supports POE,
● HikVision Dome IP Camera
● Supports ONVIF,
● Support POE,
● Support Wifi
22/tcp open ssh
80/tcp open http
554/tcp open rtsp
8000/tcp open unknown (uPnP)?
8200/tcp open Unknown (uPnP)?
3702/udp open|filtered ws-discovery
5353/udp open Multicast DNS

35. ● Hikvision
– The Good
● Web interface support
SSL,
● ONVIF web service
protected by basic
auth,
● Can upload SSL
certificate,
● Can disable uPnP,
–
– The Bad
● Support a cloud
service
● Supports PPOE,
● Supports Wifi,
● Support FTP – built in
SD card slot for
recording,
● Upnp on by default,
● No SSL by default
● Stream not encrypted!
● No account lock out

36. The Ugly
● Huge attack
surface for a
device directly
exposed to the
internet
– Mobile app

37. Owasp Top 10 IoT Project

39. ● WWW: www.JumpingBean.co.za
● Twitter: @JumpingBeanSA
● Trainings:
● Certified Ethical Hacker Training
● JBoss Training