Welcome back, Mr. Robot fans!
In the first episode of season 2 of Mr. Robot (eps2.0_unm4sk-pt1.tc), the hackers of f/society took control of the SmartHome of the General Counsel (the in-house, lead attorney) of Evil Corp. This woman's elegant home, in the tony Greenwich Village section of New York City, had everything automated including the TV, the lights, the sound system, the garage, the heating and cooling, the security system, the hot water heater, etc. f/society was able to gain control of this digital system and eventually drove the woman from her home. Soon thereafter, f/society moved in.
This hack highlights the emerging security problems of the Internet of Things (IoT). As everything from home security systems to entertainment systems becomes digitized, the risk of being hacked and losing control of your own home increases.
In recent years, there have been a number of vulnerabilities found in these smarthome systems including access to home security systems, home baby monitoring systems, home HVAC systems and others. For instance, researchers at the University of Michigan were able to hack the popular Samsung SmartThings system and get the PIN to the front door security system.
Let's take a look at how f/society may have hacked her home, but instead of a smart home system, let's hack a smart building system.
Schneider Electric Building Automation Servers
Schneider Electric is a Paris-based company, well known in the industrial control industry. In fact, they are a pioneer in this field, having developed the most widely used protocol in industrial controls, Modbus.
Schneider Electric makes products that use digital controls in industrial applications. These digital controllers are programmable logic controllers, or PLCs. They use these PLCs in many different industrial applications, including building automation products, and sell them throughout the world.
One of their products, Schneider-Electric Automation Server, is used in commercial buildings to control and automate their many systems including heating and cooling, security, etc. Sort of a commercial equivalent of a smart home, but with much higher stakes.
Using Shodan to Find the Automation Servers
We can find these Automation Servers in Shodan with the following search:
"Schneider Electric" automation
If we scroll down a bit through this list, we can see a major hotel in Kansas City using these automation servers, among many others.
A few months back, an independent security researcher, Karn Ganeshen, found a major vulnerability in these automation servers that allows nearly anyone to take control of them. Let's try that. I'll be using Kali Linux, but since this hack is so simple, just about any Linux will do.
The Vulnerability
This vulnerability enables the attacker to connect to the Automation Server with SSH using default credentials and then escalate their privileges to "root". Once the attacker has root privileges, they own not only the box, but the entire building!
Connecting to the Building Automation Server
First, let's find a Schneider Electric Automation Server and connect to it with SSH. The command is simple.
kali > ssh <IP> -l admin
After we have connected, the server will prompt us for a password. Use the default password "admin".
You will then be greeted by the Automation Server's admin account.
We can type "help" to see what commands we can use from this account.
For instance, let's type "release". As you can see below, the system responds with the version information of the server. Also, note that one of the commands is "reboot", which may be useful in a DoS attack against this system.
We can also see the time since the last reboot, by typing "uptime".
admin > uptime
One of the weaknesses of this system is that we can pipe system commands after these SSH commands. So, for instance, we can see the passwd file on the underlying server by typing:
admin > uptime | cat /etc/passwd
As you can see, we have now listed all the accounts on this server. Of course, this file only contains the accounts and not the passwords. Password hashes are stored in the /etc/shadow file, and only root has access to that file.
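The pipe trick works because the restricted admin shell hands the typed line to a system shell, which then interprets the "|" and runs whatever follows it. Below is an added example, written for this page and not taken from the post or from Schneider Electric's code, of how such a restricted shell should validate input instead: an allowlist of single-token commands, each mapped to a fixed argument vector that is executed without any shell. The command names and paths in the allowlist are assumptions chosen to mirror the commands shown above.

```python
import subprocess

# Hypothetical allowlist of maintenance commands a restricted admin shell
# exposes, each mapped to a fixed argv. This is an illustration, not the
# Automation Server's real command table.
ALLOWED_COMMANDS = {
    "uptime": ["uptime"],
    "release": ["cat", "/etc/os-release"],
    "help": None,  # answered internally, no process is spawned
}

# Characters that let a caller chain, substitute or redirect commands when
# input reaches a shell; "uptime | cat /etc/passwd" relies on "|".
SHELL_METACHARACTERS = set("|&;<>$`\\\"'(){}\n")


class RejectedCommand(ValueError):
    """Raised when restricted-shell input fails validation."""


def validate(line: str) -> list:
    """Return the fixed argv for an allowlisted command, or raise.

    The text is never handed to a shell: it must be exactly one token
    that matches an allowlist key, so chaining is impossible regardless
    of which metacharacters the underlying shell understands.
    """
    stripped = line.strip()
    if not stripped:
        raise RejectedCommand("empty command")
    bad = sorted({c for c in stripped if c in SHELL_METACHARACTERS})
    if bad:
        raise RejectedCommand(f"shell metacharacters not permitted: {bad}")
    tokens = stripped.split()
    if len(tokens) != 1:
        raise RejectedCommand("arguments are not accepted by this shell")
    name = tokens[0]
    if name not in ALLOWED_COMMANDS:
        raise RejectedCommand(f"unknown command {name!r}")
    argv = ALLOWED_COMMANDS[name]
    return list(argv) if argv else []


def run_restricted(line: str) -> str:
    """Validate, then execute the mapped argv directly (shell=False)."""
    argv = validate(line)
    if not argv:  # "help"
        return "commands: " + ", ".join(sorted(ALLOWED_COMMANDS))
    # With a list argv and shell=False no interpreter ever parses the
    # caller's text, so there is nothing to inject into.
    result = subprocess.run(argv, capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for attempt in ["help", "uptime", "uptime | cat /etc/passwd", "reboot"]:
        try:
            print(f"{attempt!r} -> {run_restricted(attempt).strip()!r}")
        except RejectedCommand as exc:
            print(f"{attempt!r} rejected: {exc}")
```

The important design choice is that the allowlist maps names to argument vectors rather than to template strings: even if a future command needed a parameter, it would be appended as a separate argv element, never interpolated into a shell command line.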
Getting Root
Of course, to own this server we will want root privileges. We can escalate our privileges by simply typing:
admin > sudo -i
The default configuration of this building automation server has no password for the "root" account, so simply hit Enter when prompted for a password.
As you can see, the prompt turns green and indicates that we are root!
Now, let's type "help" here to see what commands are available to us.
Since we now have root privileges on this box, we should be able to do just about anything! Let's see whether we can pull up the password hashes at /etc/shadow.
AS > cat /etc/shadow
As you can see, we were able to get all the accounts and their password hashes! If needed, we could run these hashes through a brute-force cracker like hashcat to retrieve the plaintext passwords.
It's likely that the configuration file for the Automation Server is in the /etc directory. Let's go there and list all the files and directories.
AS > cd /etc
AS > ls -l
If we scroll down this list a bit, we will see a file called "whitelist.rules". This file determines who can connect to this server. Let's open it.
As you can see, the system admin had never set up the whitelist.rules on this server, and as a result anyone can connect.
Finally, since we have root privileges, we can add new users. Before I leave, I can add myself as a user, give myself root privileges, and add myself to the whitelist.rules, so that even if the admin remediates this vulnerability, I will still have an account and be able to access this server.
I hope it goes without saying that now that I have access to the system with root privileges, I can change and manipulate this system any way I want!
Although f/society probably used a different server than this commercial smart building system, I hope this highlights how vulnerable these systems are and what a rich field for hacking the IoT is!
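From the defender's side, the three conditions this walkthrough depends on (a root account with no password, a whitelist.rules with no entries, and an extra UID 0 account left behind for persistence) are all visible in plain configuration files. Below is an added audit script, written for this page rather than taken from the post or from Schneider Electric, that checks constructed copies of /etc/shadow, /etc/passwd and whitelist.rules for them. The shadow and passwd layouts are the standard colon-separated ones; the whitelist.rules format (one source address or CIDR per line, "#" comments) is an assumption, since the real file format is not documented here.

```python
from dataclasses import dataclass

# Constructed sample files reproducing the weaknesses described above.
# They are not captured from a real Automation Server.
SAMPLE_SHADOW = """\
root::17000:0:99999:7:::
admin:$6$saltsalt$examplehashexamplehash:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
"""

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:1000:1000:Automation admin:/home/admin:/bin/sh
backdoor:x:0:0::/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
"""

# Assumed format: one address or CIDR per line; a comment-only file means
# no source restriction is in force.
SAMPLE_WHITELIST = """\
# whitelist.rules - one source address or CIDR per line
"""


@dataclass(frozen=True)
class Finding:
    severity: str
    check: str
    detail: str


def _records(text: str, min_fields: int):
    """Yield colon-split records, skipping blank and comment lines."""
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= min_fields:
            yield fields


def audit_shadow(text: str) -> list:
    """Flag accounts whose password field is empty (login with no password)."""
    findings = []
    for fields in _records(text, 2):
        user, hashed = fields[0], fields[1]
        # "" means no password required; "*" or "!" means the account is locked.
        if hashed == "":
            findings.append(Finding("critical", "empty-password",
                                    f"account {user!r} has no password set"))
    return findings


def audit_passwd(text: str, expected_root=("root",)) -> list:
    """Flag UID 0 accounts other than the expected ones (added backdoor users)."""
    findings = []
    for fields in _records(text, 3):
        user, uid = fields[0], fields[2]
        if uid == "0" and user not in expected_root:
            findings.append(Finding("critical", "extra-uid0",
                                    f"account {user!r} has UID 0"))
    return findings


def audit_whitelist(text: str) -> list:
    """Flag an allowlist with no effective rules, i.e. any source may connect."""
    rules = [l.strip() for l in text.splitlines()
             if l.strip() and not l.strip().startswith("#")]
    if not rules:
        return [Finding("high", "open-whitelist",
                        "whitelist.rules has no entries; any source may connect")]
    return []


def audit_all(shadow: str, passwd: str, whitelist: str) -> list:
    return audit_shadow(shadow) + audit_passwd(passwd) + audit_whitelist(whitelist)


if __name__ == "__main__":
    for f in audit_all(SAMPLE_SHADOW, SAMPLE_PASSWD, SAMPLE_WHITELIST):
        print(f"[{f.severity}] {f.check}: {f.detail}")
```

Run against the real files on a device (read as root), the three checks map directly onto the remediation steps: set a root password, populate whitelist.rules with the management network, and remove or explain any second UID 0 account.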