GroupSense continuously monitors, collects and analyzes data from multiple open source and dark web locations on the internet. This is done to allow our team of analysts and researchers to understand the tactics, techniques and procedures used by threat actors. We review the data for possible signs of attacks, data leakage or other negative outcomes involving our customer base.
Our team recently found a discussion about a tool called Shodan Eye on a Russian carding forum. We located the tool on GitHub; it is written in Python. Given a keyword, Shodan Eye queries Shodan and returns information on every host in Shodan's database whose banner contains that keyword.
In other words, Shodan Eye is a command-line front end to Shodan, the search engine that indexes Internet-connected devices, including Internet of Things (IoT) devices. The information it returns includes web server versions, database types, open ports, location data and much more. Shodan Eye lets users search the Shodan database from a simple command-line interface, provided the tool has been configured with a Shodan API key; it is the API key, not the tool, that grants access to the data.
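The following is an added example, not Shodan Eye's own code, of the same workflow in Python using the third-party `shodan` client library: run a keyword query of the kind discussed on this page and reduce the raw matches to the fields an analyst triages first. The live search needs the package, network access and a key in `SHODAN_API_KEY`; the sample results below are constructed (TEST-NET addresses, made-up organizations) so the summarizer can be exercised offline.

```python
"""Keyword search against Shodan, the way Shodan Eye does it, plus a
summarizer for the raw API results. Added example; not Shodan Eye's code."""
import os
from collections import Counter
from typing import Optional


def shodan_search(query: str, api_key: Optional[str] = None, pages: int = 1) -> dict:
    """Run `query` against Shodan and return {'total', 'matches'}.

    Needs network access, the `shodan` package (pip install shodan) and a
    key in SHODAN_API_KEY or passed explicitly. The import is deferred so
    the offline helpers below work without the package installed.
    """
    import shodan  # third-party client for the Shodan REST API
    api = shodan.Shodan(api_key or os.environ["SHODAN_API_KEY"])
    matches, total = [], 0
    for page in range(1, pages + 1):  # Shodan returns 100 matches per page
        result = api.search(query, page=page)
        total = result["total"]
        matches.extend(result["matches"])
    return {"total": total, "matches": matches}


def summarize(results: dict) -> dict:
    """Reduce Shodan matches to what an analyst triages first."""
    hosts = []
    ports, countries, products = Counter(), Counter(), Counter()
    for m in results["matches"]:
        hosts.append(f'{m["ip_str"]}:{m["port"]}')
        ports[m["port"]] += 1
        countries[m.get("location", {}).get("country_name") or "unknown"] += 1
        # 'product' is only present when Shodan fingerprinted the service
        products[m.get("product") or "unidentified"] += 1
    return {
        "total": results["total"],
        "hosts": hosts,
        "ports": dict(ports),
        "countries": dict(countries),
        "products": dict(products),
    }


# Constructed sample shaped like the Shodan API's JSON (TEST-NET addresses,
# made-up organizations); it is not real scan data.
SAMPLE_RESULTS = {
    "total": 3,
    "matches": [
        {"ip_str": "192.0.2.10", "port": 5555, "transport": "tcp",
         "product": "Android Debug Bridge", "org": "Example ISP",
         "location": {"country_name": "Japan", "city": "Tokyo"},
         "data": "Android Debug Bridge\nDevice\n"},
        {"ip_str": "198.51.100.7", "port": 5555, "transport": "tcp",
         "product": "Android Debug Bridge", "org": "Example Cable",
         "location": {"country_name": "United States", "city": "Denver"},
         "data": "Android Debug Bridge\nDevice\n"},
        {"ip_str": "203.0.113.22", "port": 80, "transport": "tcp",
         "org": "Example Telecom",
         "location": {"country_name": "Japan", "city": "Osaka"},
         "data": "HTTP/1.1 200 OK\r\nServer: av_receiver web\r\n"},
    ],
}

if __name__ == "__main__":
    query = '"Android Debug Bridge" "Device" port:5555'
    results = shodan_search(query) if os.environ.get("SHODAN_API_KEY") else SAMPLE_RESULTS
    print(summarize(results))
```

Without a key the script summarizes the constructed sample; with one it runs the page's ADB query for real. Note that Shodan reports what it saw when it last scanned, so a listed host may already be offline or patched, which is why a live check of the target (see the ADB probe later on this page) belongs in any workflow built on these results.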
The first keyword we tested was “av_receiver,” which returned more than 400 results from Shodan. Many of these hosts were the web interface of a home theater receiver, exposed to the Internet with no authentication, so anyone who found the address could operate the device: turn it off and on, adjust the volume, select an input source, change the radio station, change the IP address, configure MAC address filtering, and more.
Such a scenario could be used to cause havoc in a household where this configuration is in use – just imagine your home stereo suddenly blasting metal music at 2 a.m.
Here is another example of what Shodan Eye can surface. The query “Android Debug Bridge” “Device” port:5555 returned almost 1,000 results. It asks Shodan for every host whose banner contains the strings “Android Debug Bridge” and “Device” and that was seen listening on TCP port 5555, the port the Android Debug Bridge (ADB) daemon uses when it is enabled over the network. ADB is a developer feature that gives a connected computer a shell on the device, along with the ability to install applications and push or pull files; it exists for debugging, remote administration and troubleshooting.
When ADB is reachable over the network in this state, no credentials are needed: stock Android asks the user on-screen to authorize the connecting computer's RSA key, but the devices in these results accept the connection without that step. ADB is disabled by default, and the Developer options menu that enables it is itself hidden, yet on these devices it is enabled and exposed to the Internet. A review of the results shows smart TVs, cellular phones, media players, VMware hosts and other Android devices available for access.
In February 2018, cryptomining malware named ADB.Miner was discovered infecting Android devices that had ADB enabled on TCP port 5555. The malware spreads on its own: each infected device scans for other hosts listening on TCP port 5555, connects over ADB and installs itself, and every host in the resulting botnet runs a Monero cryptocurrency miner.
The Metasploit Framework also ships a module (exploit/android/adb/adb_server_exec) for exactly this configuration. Metasploit is used by attackers and defenders alike to find and exploit network vulnerabilities, and this module lets anyone with the framework obtain shell access on an exposed Android host. There is no software bug involved: ADB itself provides the shell, and the only thing missing is an access control.
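Before reaching for the Metasploit module, a tester usually wants a lightweight check of whether a given host actually accepts an unauthenticated ADB session, because some hosts that show up in Shodan reply with an AUTH challenge instead. The following added example (not the page's, Shodan Eye's or Metasploit's code) speaks just enough of the ADB wire protocol to do that: it sends the CNXN message an adb client sends and classifies the device's first reply. The protocol constants come from adb's protocol.txt; the sample replies are constructed with the same encoder, and `probe()` should only be run against devices you are authorized to test.

```python
"""Minimal ADB wire-protocol probe for TCP/5555: sends the client's CNXN
message and classifies the first reply. Added example, not the page's or
Metasploit's code; constants follow adb's protocol.txt."""
import socket
import struct

A_CNXN = 0x4E584E43   # little-endian u32 of b"CNXN"
A_AUTH = 0x48545541   # little-endian u32 of b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096    # max-data value used by classic adb clients
HEADER_FMT = "<6I"    # command, arg0, arg1, data_length, data_check, magic
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 24 bytes


def checksum(payload: bytes) -> int:
    """ADB's data_check is a plain byte sum, not a CRC."""
    return sum(payload) & 0xFFFFFFFF


def build_message(command: int, arg0: int, arg1: int, payload: bytes = b"") -> bytes:
    header = struct.pack(HEADER_FMT, command, arg0, arg1, len(payload),
                         checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload


def build_connect() -> bytes:
    """The CNXN an adb client sends; 'host::' identifies us as a host."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_header(raw: bytes) -> dict:
    if len(raw) < HEADER_LEN:
        raise ValueError("short ADB header")
    command, arg0, arg1, length, check, magic = struct.unpack(HEADER_FMT, raw[:HEADER_LEN])
    if magic != (command ^ 0xFFFFFFFF):
        raise ValueError("bad magic: not an ADB service")
    return {"command": command, "arg0": arg0, "arg1": arg1,
            "data_length": length, "data_check": check}


def classify(header: dict, payload: bytes) -> dict:
    """Verdict from the device's first reply to our CNXN."""
    if header["command"] == A_AUTH:
        # Device wants RSA-key authorization (ro.adb.secure=1): not open.
        return {"verdict": "auth-required", "props": {}}
    if header["command"] == A_CNXN:
        # Unauthenticated session: banner is "device::key=value;key=value;..."
        banner = payload.decode("utf-8", "replace").rstrip("\x00")
        props = {}
        for item in banner.partition("::")[2].split(";"):
            key, sep, value = item.partition("=")
            if sep:
                props[key] = value
        return {"verdict": "unauthenticated", "props": props}
    return {"verdict": "unknown", "props": {}}


def classify_reply(raw: bytes) -> dict:
    """Parse a complete reply (header + payload) and classify it."""
    header = parse_header(raw)
    payload = raw[HEADER_LEN:HEADER_LEN + header["data_length"]]
    if len(payload) != header["data_length"] or checksum(payload) != header["data_check"]:
        raise ValueError("truncated or corrupted payload")
    return classify(header, payload)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed before full ADB message")
        buf += chunk
    return buf


def probe(host: str, port: int = 5555, timeout: float = 5.0) -> dict:
    """Live check against a device you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        header_raw = _recv_exact(sock, HEADER_LEN)
        length = parse_header(header_raw)["data_length"]
        return classify_reply(header_raw + _recv_exact(sock, length))


# Constructed replies (property values are made up) standing in for a
# device with ro.adb.secure=0 and a stock device that demands key auth.
SAMPLE_OPEN_REPLY = build_message(
    A_CNXN, A_VERSION, MAX_PAYLOAD,
    b"device::ro.product.name=sample_box;ro.product.model=SampleTV;"
    b"ro.product.device=sample;features=shell_v2,cmd\x00")
SAMPLE_AUTH_REPLY = build_message(A_AUTH, 1, 0, b"\x00" * 20)  # arg0=1: TOKEN

if __name__ == "__main__":
    import sys
    print(classify_reply(SAMPLE_OPEN_REPLY)["verdict"],
          classify_reply(SAMPLE_AUTH_REPLY)["verdict"])
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

An "unauthenticated" verdict means the device handed over its identity banner without any authorization step, which is exactly the condition ADB.Miner and the Metasploit module rely on; "auth-required" means the device is still challenging for an RSA key and is not open in that sense, even though it is reachable. For defenders, the same CNXN exchange is a useful signature: an inbound TCP/5555 connection followed by a 24-byte header beginning with "CNXN" is an ADB session attempt worth alerting on.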
IoT Security Best Practices
Makers and developers of IoT devices and tools must take a simple, secure-by-default approach to device design: the device must ship secure, using the simplest mechanism possible for users to keep it that way. For instance, the home theater web interface has a security feature, MAC filtering, but the average home user does not know what a MAC address is (and MAC filtering is a weak control in any case, since a MAC address is trivially spoofed). Instead, the device's own firewall should automatically allow the subnet handed to it by DHCP and nothing more. Customers could then connect other devices on the home network to the receiver with little or no configuration on their end, while other hosts or networks that need access could be added under an advanced configuration tab.
The same approach applies to ADB. The feature already has to be enabled manually by the end user; enabling it should also ask which hosts and networks are allowed to connect and set an access secret, so the configuration starts out secure. If that information is not supplied, remote access over the network should stay disabled. Additionally, a distinctive background, watermark or banner text could be shown while the feature is enabled, much as Windows does when running in safe mode.
As for consumers, the FBI recently recommended keeping IoT devices on a separate network as a precaution, and provided further tips on securing IoT devices.
The number of IoT devices in households is growing. While these devices may make daily activities simpler, they still aren't as secure as they should be, and the lack of built-in security features invites real risk. Until a simple, secure-by-default approach to IoT design is taken, the average end user will remain at risk of being scared awake at night by loud heavy metal music because of a “joker” behind a keyboard on the other side of the world ... or worse.
How GroupSense Can Help
Dark web forums circulate tools such as Shodan Eye that threat actors can use for malicious activity. GroupSense researches these tools to learn how they can be used against clients and, in turn, provides protection, security recommendations and best practices. Reach out to us by filling out a contact form or messaging us on any of our social media platforms to learn how we can help you stay updated on dark web tools that can impact your business.