Exploiting Cellular IoT Gateways



Hey everybody, John Wagnon here with DevCentral, and we are bringing you another Lightboard Lesson video. Today we're gonna talk about some research that our F5 Labs team did, and it centers around this idea of cellular IoT gateways. The essence of this is this; I'll draw like a little picture of what's going on here. You have various vehicles, or maybe trucks or boats or any number of things, that require constant connectivity to the Internet. So in this specific example, let me draw a little car here. I'll try to draw a good car. I am not an artist, by the way, so bear with me on my car drawing, although that wasn't too bad really.

All right, so let's say you have a car. In this case it's not just a car; this one is a police car, so you're gonna have the lights up here and they're going and all that stuff. But in this police car, for example, you need to have constant connectivity to the Internet, because nowadays you may have a police officer that has maybe a body camera that records directly to some cloud-based storage device or whatever, but it needs some sort of connectivity there. Or they sit down and they type out a police report on the spot and then send it, or any number of things that a police vehicle may need constant connectivity for. Or let's say you have a delivery truck driver that has like a tablet device, so when they bring you a package, then you sign for it, and then they update it and boom, the website's updated, everything's good to go. So they need some kind of connectivity from the delivery truck. Or maybe you have a boat, like a Coast Guard vessel or whatever, or any number of kinds of shipping vessel, maybe not even Coast Guard, that needs connectivity across the ocean. Whatever it is, you've got all these different vehicles or means of transportation that need constant connectivity.

All right. Well, our F5 Labs team has done some research surrounding these types of vehicles and their constant connectivity. We'll go back and just use the example of a police car, but you can understand that this is true not just for a police car but for many types of vehicles. All right, so the police car's doing its thing, the policeman's doing his rounds and patrolling and all that kind of stuff. But along the way, I'm gonna draw a cell tower up here, and that's a cellular tower. Then out here in outer space you've got a GPS satellite that provides connectivity here to this thing, and then there's a connection here with a cell tower. So as the car is driving around, it needs connectivity, maybe for GPS location or whatever, whether satellite, or maybe it needs cell tower connectivity to be able to make calls or do its various things that I talked about before. But there has to be something on this vehicle that is the gateway, as it were, to provide the connections to allow this police officer to do his thing.

All right, so I'm going to draw a little device. This is a very rough device right here, and this thing I'm gonna call a cell gateway on this vehicle. This thing is going to have a connection to a GPS satellite, it's going to have 4G LTE cell connectivity, it's going to have Ethernet plug-in capability in the back of it, so if you've got like a rack-mount or a mounted laptop, let's say, inside of a police car, you can plug the Ethernet cable straight into this thing, that type of thing. So this is the gateway, as it were, to provide connection out to the Internet.

All right. One of the issues that our team found is that the providers, or the manufacturers, of these what we'll call cell gateways don't inherently require strong authentication to log in to these things, and a lot of these things are publicly facing to the Internet. So let's say you have another guy over here sitting in his basement, and he's on his laptop doing his thing right here, and he wants to connect to this thing. Well, if it's publicly facing, then he can connect into this cell gateway right here via the public IP space, and if there's not good authentication into this thing, then he can log in as admin and then 12345 or whatever it is, and then this guy takes over control of this gateway. And that is precisely what has gone on here.

In the research that our F5 Labs team has done, they did a scan of these various cell gateways that are publicly accessible out there on the Internet today, and they found that (I'm gonna write a couple numbers up here) over 100,000 of these things (I'll put a plus) are out there that are publicly facing and that are made by a manufacturer who does not require either any authentication at all to get into these things, or their authentication credentials are horribly weak. Literally, for one of them the admin username is admin and the password was literally 12345. All right, so you can get right into these things, and of course default credentials are published on these manufacturers' websites, so it's not that hard to get into them. Of those hundred-thousand-plus that are out there, 86% were located in the United States.

So as our team did this research, they said, OK, hundred-thousand-plus of these things are out there, 86% in the United States, let's start to overlay some of the most populated cities in America to see where these things are being used and like what kind of vehicles these are being used in, how these are being used, kind of thing. So they did that, and they found that there were actual police cars that are outfitted with these things. The company, by the way, one of the primary manufacturers of these, is called Sierra Wireless, and fleets of cars use the Sierra Wireless devices pretty extensively across the United States and frankly across the world.

Anyway, so they did this research and they were able to not only log into these what we'll call the cell gateways here on the vehicles themselves, but then, because GPS coordinates are displayed there and many other things are displayed there, they were actually able to track the physical location in real time of these different vehicles. So we'll kind of zoom out here and I'll show you an actual screenshot of the GPS location of these vehicles. If you look in the screen here, you can start to see the lines moving around, and these are actual police cars that are traveling around the road. While this shows the history of where they have been, you could imagine you could use kind of whatever you want to track the real-time location, and just imagine if you could track the entire fleet of these vehicles all at once. So that's a pretty powerful thing to be able to do.

So let's say that you have a set of attackers that have logged into every single cell gateway in your entire fleet. Let's say you're a police department: then they could track every single one of your vehicles. Beyond that, these things can be used for botnet attacks, and in fact Sierra Wireless has already said that the Mirai botnet, that's used to launch multiple DDoS attacks, their cell gateway devices have been used by the Mirai botnet. So there are many things that could go wrong here if this is allowed to happen.

The primary thing that we need to do in this specific case is we need to lock down these cell gateways. So the primary thing is change the default username and password. There's other things, like don't use Telnet, you can use SSH instead; you can use ACLs to control who has access into these gateways. We can link to the actual report that our Labs team did, but the bottom line is, if you are a user of one of these cell gateways, then you need to be aware that unless you change the default credentials on these things, you are inherently exposing yourself to some significant problems out there. I mean, you can be used in the case of a DDoS attack; your entire fleet could be tracked by someone else at all times; someone could log in and change all the credentials here and just completely take these all offline all at one time. The possibilities are pretty devastating when you think about them.

Also, part of what we wanted to do today is get the word out there that this whole problem exists and share the information. So if this applies to you at all, hopefully you'll be able to get in there, make some changes to your default username and password, and not expose yourself to some significant problems. So hey, thanks for hanging in there and watching this Lightboard Lesson video with us today. If you liked this, you can click right up here on our DC ball and subscribe to our YouTube channel, and we'll see you guys out there in the community.

3 Comments

  1. Spectrum said:

    Why don't ur videos get more views lmao they're really good

    June 30, 2019
  2. Wilson Mar said:

    https://www.zdnet.com/article/mirai-ddos-botnet-powers-up-infects-sierra-wireless-gateways/

    June 30, 2019
  3. Abhay Pratap said:

    Sir, please make a video on TLS strong and weak cipher suites.

    June 30, 2019