You’re probably familiar with the term “war dialing” – but just in case – it refers to the practice of scanning a large block of phone numbers, attempting to connect to a modem or other device, usually for the purpose of hacking into systems. This can be done at random, in the sense that a hacker is just looking for anything they can find, or it can be used as a targeted attack by scanning numbers likely to be associated with a particular target. In the days when almost all connections were handled with dial-up modems, war dialing was a popular sport. You might assume that in the modern world there wouldn’t be much left to find… unfortunately, you would be wrong.
In a recent interview broadcast by the online show Hak5, two modern variations were described in detail. The first is the one most are familiar with: scanning the Internet for vulnerable targets. Shodan, one of the search sites referenced (by link to Matt Krebs’ article) in my recent post about industrial controller vulnerabilities, was discussed as a popular way for hackers to jump-start their work, since a user can search and sort results to look for specific types of systems. The ability to use scripting to interface with Shodan’s database was also given as an example of how a hacker can automate the process of connecting to large numbers of systems. In a creative example of how this is used, the hacker detailed how he set up a script to take a screenshot of each system’s login/connection screen. This allowed thousands of sites to be reviewed and sorted before any actual hacking took place. Larger screenshot file sizes, for example, might be found on more interesting targets because they are serving up logos, splash screens and other graphics.
It wasn’t only the enterprise systems that piqued the hacker’s interest, however, since searching through the Shodan data also yielded a number of smaller, unsecured systems – whose operators probably never considered they would be found online. These included red-light cameras, SCADA devices, and in one case, a power plant monitoring system.
The second interview described a method of conducting modem-based war dialing scans, using VoIP connections to contact landlines. Of particular concern was the report that enterprise-class routers are often found connected to telephone lines, without adequate security, to allow remote access when IP networks go down. The speculation was that the administrators simply didn’t think about securing these connections, focusing instead on the far more “obvious” network-based attacks.
Aside from the mention of security cameras being a common search on Shodan, there was little attention given to the large number of security devices connected to both networks and telephone lines. Alarm control panels, in particular, have escaped widespread hacking only because most use non-standard connection methods over PSTN and/or require special sequences to initiate a connection. As these systems move onto the Internet, they are certain to become more popular targets.
Definitely more to come…