
Su Seguridad es Nuestro Éxito (Your Security is Our Success)

March 2017 - Luis Enrique Benitez

IoT: Insecurity of Things?

3 © Internet Security Auditors

Luis Enrique Benitez, Quality Manager - Ethical Hacking & Vulnerability Assessment

https://www.linkedin.com/in/luisbenitezj

[email protected]


LG 43UF6407

43" LG LED TV, 4K resolution, IPS panel, 900 Hz PMI, Smart TV (webOS 2.0)

SAMSUNG UE32F5500AW

32" Samsung Full HD Smart TV with Wi-Fi

OKI Sound Bar SB Media Player 1G

Full HD 1080p, HD DTT tuner, Dolby sound system, iPod/iPhone dock. Internet connection over cable or Wi-Fi

Panasonic TX-40CX680E

40" LED TV - Panasonic TX-40CX680E, 4K Ultra HD, Firefox OS, quad core


Samsung UE32F5500AW

Port   Service     Version
80     http        Samsung Swift httpd 1.0
443    http        Samsung Swift httpd 1.0
4443   pharos
6000   X11
7676   upnp        AllShare UPnP
52345  http        Samsung AllShare http
55000  unknown
55001  tcpwrapped

LG 43UF6407

10107 (4) - HTTP Server Type and Version

Linux/i686 UPnP/1,0 DLNADOC/1.50 LGE WebOS TV/Version 0.9
friendlyName: [LG] webOS TV UF6407
manufacturer: LG Electronics.
manufacturerURL: http://www.lge.com
modelDescription: LG WebOSTV DMRplus
modelName: LG TV
modelNumber: 1.0

LG 43UF6407

Port   Service   Version
1113   upnp
1672   upnp
2026   upnp
2043   upnp
3000   http      LG Smart TV http service
3001   http      LG Smart TV http service
7778   interwise
9955   unknown
9998   http      LG television page list http
18181  opsec-cvp
36866  unknown
43035
43036
43037
43038

LG 43UF6407 - http://192.168.88.246:3000/

Response:

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Wed, 06 Jul 2016 10:18:13 GMT
Pragma: no-cache
Expires: Mon, 01 Jan 1990 00:00:00 GMT
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
Cache-Control: no-cache, no-store, must-revalidate
Age: 282559

Panasonic TX-40CX680E

Findings (Nessus plugin ID - title):

58662 - Samba 3.x < 3.6.4 / 3.5.14 / 3.4.16 RPC Multiple Buffer Overflows
90508 - Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities
76314 - Samba Unsupported Version Detection

OKI Sound 1G

Findings (Nessus plugin ID (host count) - title):

57825 (1) - PHP 5.3.9 'php_register_variable_ex()' Code Execution (banner check)
58987 (1) - PHP Unsupported Version Detection
60085 (1) - PHP 5.3.x < 5.3.15 Multiple Vulnerabilities
18037 (1) - XAMPP Default FTP Account
58183 (1) - Dropbear SSH Server Channel Concurrency Use-after-free Remote Code Execution
58988 (1) - PHP < 5.3.12 / 5.4.2 CGI Query String Code Execution
42263 (1) - Unencrypted Telnet Server
73289 (1) - PHP PHP_RSHUTDOWN_FUNCTION Security Bypass
34324 (1) - FTP Supports Cleartext Authentication

OKI Sound 1G

Port   Service          Version
21     ftp              Pure-FTPd
22     ssh              Dropbear ssh 0.52 (protocol 2.0)
23     telnet
80     http             Lighttpd
81     http             BusyBox http
7171
8082   blackice-alerts
9010   sdr
9020   tambora

OKI Sound 1G

inout TV mediacenter 4g

Channels that send information when they are accessed

Channel                IP
Atreserie              52.28.85.115
BeMad                  54.231.134.36
Discovery Max          46.31.56.161
La Sexta HD            8.254.98.126
La Sexta               8.254.98.126
Energy                 54.231.134.100
Boing                  54.231.134.100
La 1                   72.247.210.17
La 2                   72.247.210.17
24h                    72.247.210.17
Clan                   72.247.210.17
TV3 HD                 8.254.36.126
Telecinco              54.231.136.13
Cuatro                 54.231.136.13
Cuatro HD              54.231.140.77
TV20 Terrassa          85.25.218.231
tdp                    72.247.210.10
tdp HD                 72.247.210.10
TV3                    8.254.50.126
Super 3/33             137.117.170.224
3/24                   8.254.50.126
Esport3                8.254.50.126
Canal Terrassa Valles  92.54.15.210
Disney Channel         46.31.56.161
Paramount Channel      46.31.56.161
FDF                    54.231.136.13
Divinity               54.231.140.77
Telecinco HD           54.231.140.77

Channels that do NOT send information when they are accessed

Channel
Antena3
Antena3 HD
Neox
Nova
Mega
13TV
8TV
Barça TV
RAC105
EL PUNT AVUI
MOLA TV
TV SANT CUGAT
DKISS
TEN
IB3 GLOBAL
Real Madrid TV

Group of channels that send information constantly (every 4 seconds)

Channel
1  Telecinco
2  Cuatro
3  FDF
4  Divinity
5  Telecinco HD
6  Cuatro HD

Request:

http://beacon.hbbtv.mediaset.es/topics/test?c=1|B49E0ABB9570335EB4A64895EFA14CCB|k|{%22keyset%22:{%22ALPHA%22:512,%22BLUE%22:8,%22GREEN%22:2,%22INFO%22:128,%22NAVIGATION%22:16,%22NUMERIC%22:256,%22SCROLL%22:64,%22VCR%22:32,%22RED%22:1,%22value%22:0,%22YELLOW%22:4},%22currentChannel%22:{%22channelType%22:0,%22ccid%22:%22ccid:23%22,%22dsd%22:%22Z\u000b\u0004)\u0010@\u001f%C2%81;%C3%BF%C3%BF%C3%BF%C3%BF%22,%22name%22:%22Telecinco%22,%22onid%22:8916,%22sid%22:186,%22tsid%22:16},%22channelList%22:%22Channel%20list%20items:%201:%20atreseries%20HD,%202:%20BeMad%20tv%20HD,%203:%20Realmadrid%20TV%20HD,%204:%20antena3%20HD,%205:%20antena3,%206:%20laSexta%20HD,%207:%20laSexta,%208:%20neox,%209:%20nova,%2010:%20Energy,%2011:%20Boing,%2012:%20mega,%2013:%2013%20Tv%20Definitivo,%2014:%20La%201,%2015:%20La%202,%2016:%2024h,%2017:%20Clan,%2018:%20La%201%20HD.,%2019:%208TV,%2020:%20Bar%C3%A7a%20TV,%20%22}

Host: beacon.hbbtv.mediaset.es
Origin: http://hbbtv.mediaset.es
Accept-Language: en-us, en, fr, it
User-Agent: Mozilla/5.0 (Unknown; Linux armv7l) AppleWebKit/537.1+ HbbTV/1.2.1 (+DRM; LGE; WEBOS2.0; 03.11.00; HE_DTV_W15B;)
Referer: http://hbbtv.mediaset.es/hbbtv.xhtml?c=1
Accept: */*
Accept-Encoding: gzip, deflate
Connection: close

Among the data sent is the TV's channel list and the order in which the user has arranged the channels on the device.
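As an added example (not part of the original slides), the following Python script decodes the beacon URL captured above so the leak can be read field by field: a 32-hex-character identifier that stays constant across requests and looks like a per-device ID, the DVB service currently on screen (name plus onid/sid/tsid), the HbbTV KeySet mask, and the user's complete ordered channel list. The `<c>|<id>|k|<URL-encoded JSON>` layout is inferred from this single capture and the meaning of each field is an assumption; the User-Agent string is copied from the request shown on the slide and is parsed to show how much the TV reveals about vendor, platform and firmware on every beacon.

```python
import json
import re
from urllib.parse import unquote

# Beacon URL exactly as captured on the slide, split at the slide's line breaks.
# Raw strings keep the literal "\u000b"-style escapes intact for the JSON parser.
BEACON_URL = (
    r"http://beacon.hbbtv.mediaset.es/topics/test?c=1|B49E0ABB9570335EB4A"
    r"64895EFA14CCB|k|{%22keyset%22:{%22ALPHA%22:512,%22BLUE%22:8,%"
    r"22GREEN%22:2,%22INFO%22:128,%22NAVIGATION%22:16,%22NUMERIC"
    r"%22:256,%22SCROLL%22:64,%22VCR%22:32,%22RED%22:1,%22value%22:"
    r"0,%22YELLOW%22:4},%22currentChannel%22:{%22channelType%22:0,%22"
    r"ccid%22:%22ccid:23%22,%22dsd%22:%22Z\u000b\u0004)\u0010@\u001f"
    r"%C2%81;%C3%BF%C3%BF%C3%BF%C3%BF%22,%22name%22:%22Telecin"
    r"co%22,%22onid%22:8916,%22sid%22:186,%22tsid%22:16},%22channelList"
    r"%22:%22Channel%20list%20items:%201:%20atreseries%20HD,%202:%20B"
    r"eMad%20tv%20HD,%203:%20Realmadrid%20TV%20HD,%204:%20antena3"
    r"%20HD,%205:%20antena3,%206:%20laSexta%20HD,%207:%20laSexta,%20"
    r"8:%20neox,%209:%20nova,%2010:%20Energy,%2011:%20Boing,%2012:%2"
    r"0mega,%2013:%2013%20Tv%20Definitivo,%2014:%20La%201,%2015:%20L"
    r"a%202,%2016:%2024h,%2017:%20Clan,%2018:%20La%201%20HD.,%2019"
    r":%208TV,%2020:%20Bar%C3%A7a%20TV,%20%22}"
)

# User-Agent header from the captured request on the slide.
USER_AGENT = ("Mozilla/5.0 (Unknown; Linux armv7l) AppleWebKit/537.1+ "
              "HbbTV/1.2.1 (+DRM; LGE; WEBOS2.0; 03.11.00; HE_DTV_W15B;)")


def parse_channel_list(listing):
    """'Channel list items: 1: atreseries HD, 2: ...' -> [(1, 'atreseries HD'), ...]."""
    return [(int(pos), name.strip())
            for pos, name in re.findall(r"(\d+):\s*([^,]+)", listing)]


def parse_beacon(url):
    """Decode the beacon's c= parameter into its fields.

    Layout inferred from this single capture (an assumption, not documented
    by Mediaset): <c>|<32 hex chars, apparently a per-device id>|k|<URL-encoded JSON>.
    The '|' separators are literal in the URL, so split before un-escaping;
    any '|' inside the JSON would arrive as %7C and survive the split.
    """
    query = url.split("?", 1)[1]
    if not query.startswith("c="):
        raise ValueError("beacon query does not start with c=")
    c_value, device_id, kind, encoded = query[2:].split("|", 3)
    if not re.fullmatch(r"[0-9A-F]{32}", device_id):
        raise ValueError("unexpected device id format: %r" % device_id)
    data = json.loads(unquote(encoded))
    cur = data["currentChannel"]
    return {
        "c": c_value,
        "device_id": device_id,
        "kind": kind,
        # HbbTV KeySet constants (RED=1 ... ALPHA=512) and the current mask in "value".
        "keyset": data["keyset"],
        # DVB triplet identifying exactly which service is on screen.
        "current_channel": {"name": cur["name"], "onid": cur["onid"],
                            "sid": cur["sid"], "tsid": cur["tsid"]},
        # The user's channel order, as stored on the TV.
        "channel_list": parse_channel_list(data["channelList"]),
    }


def parse_hbbtv_user_agent(ua):
    """Extract the HbbTV version and the vendor/platform/firmware tokens."""
    m = re.search(r"HbbTV/([\d.]+) \(([^)]*)\)", ua)
    if not m:
        return None
    version, caps = m.groups()
    return {"hbbtv_version": version,
            "capabilities": [c.strip() for c in caps.split(";") if c.strip()]}


if __name__ == "__main__":
    report = parse_beacon(BEACON_URL)
    print("device id:", report["device_id"])
    print("watching:", report["current_channel"])
    print("channel order:", [name for _, name in report["channel_list"]])
    print("user agent:", parse_hbbtv_user_agent(USER_AGENT))
```

Run against the captured URL, the script recovers twenty channels in the order the owner stored them, the service being watched at that moment, and an identifier that, combined with a request every 4 seconds, amounts to a viewing log keyed to the set; the User-Agent adds the vendor (LGE), platform (WEBOS2.0), firmware build (03.11.00) and model family (HE_DTV_W15B).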

What we never read but all accept…

Security / Privacy