The connected devices you think about the least are sometimes the most insecure. That’s the takeaway from new research to be presented at the DefCon hacking conference Friday by Ricky Lawshae, an offensive security researcher at Trend Micro. Lawshae discovered over two dozen vulnerabilities in Crestron devices used by corporations, airports, sports stadiums, and local governments across the country.
While Crestron has released a patch to fix the issues, some of the weaknesses allowed for hackers to theoretically turn the Crestron Android touch panels used in offices and hotel rooms into spy devices. And the research offers an important reminder that your everyday devices aren’t the only potential hacker targets in your life.
Never heard of Crestron before? That’s the point. The electronics company makes equipment for enterprise clients and for venues like conference rooms, hotels, and concert halls. They make the touch panels that your company may use to coordinate a meeting, or that you use in a hotel room to control the blinds and lights. Crestron devices are nondescript, and can be programmed to address any organization’s needs.
The company’s equipment is used by the likes of ExxonMobil, Boeing, Target, Twitter, Booz Allen Hamilton, and Microsoft, according to a document on the company’s website. Virginia’s state senators even use Crestron panels to cast votes on bills, says a case study the company released.
“I had never heard of Crestron before I started looking at these devices,” says Lawshae. “I had no idea who they were until I started looking at them, and now I see them everywhere I go.” He found over 20,000 other Crestron devices around the world connected to the open internet, by using IoT search engine Shodan. That includes at the Las Vegas International Airport, near where DefCon is held.
Lawshae’s presentation focuses specifically on Crestron’s MC3 control system, which runs on Windows, and the company’s TSW-X60 touchscreen panel, which runs on Android.
Lawshae quickly noticed that these devices have security authentication protections disabled by default. For the most part, the Crestron devices Lawshae analyzed are designed to be installed and configured by third-party technicians, meaning an IT engineer needs to voluntarily turn on security protections. The people who actually use Crestron’s devices after they’re installed might not even know such protections exist, let alone how crucial they are.
“There’s authentication available, [Crestron has] pretty decent authentication mechanisms, but they’re all disabled by default,” says Lawshae. “The users are by and large not even aware that this service is out there and should be password-protected.”
Crestron devices do have special engineering backdoor accounts which are password-protected. But the company ships its devices with the algorithm that is used to generate the passwords in the first place. That information can be used by non-privileged users to reverse engineer the password itself, a vulnerability simultaneously identified by both Lawshae and Jackson Thuraisamy, a vulnerability researcher at Security Compass.
Lawshae discovered over two dozen other vulnerabilities in the devices, which could be exploited to do things like transform them into listening apparatuses. Using a hidden functionality he discovered, Lawshae could remotely record audio via the microphone to a downloadable file. Executives going about their meeting in a conference room would receive no indication they were being recorded. He could also remotely stream video from the webcam, as well as perform other tricks, like opening a browser and displaying a webpage to an unsuspecting room full of meeting attendees.
The same weaknesses could also be exploited by an insider or someone who has gained physical access to a building. For example, if a hotel were using Crestron’s touch panels in every hotel room, an adversarial guest could theoretically turn them all into streaming webcams.
Crestron has issued a fix for the vulnerabilities, and firmware updates are now available. The updates are mandatory, according to Nick Milani, Crestron’s executive director of commercial product marketing. “We know of no adverse effects as a result of [the vulnerabilities],” says Milani. “We responded very quickly.”
The National Cybersecurity and Communications Integration Center, which is part of the US Department of Homeland Security, also issued an advisory about the vulnerabilities Thursday.
While you’ve probably never heard of Crestron, their devices are likely installed in places you visit every day. Lawshae’s research is a reminder that cybersecurity extends beyond laptops and cellphones. Sophisticated adversaries can target vulnerabilities in all sorts of things, from touchscreen panels to credit card readers to even pacemakers. As the world becomes more crowded with internet-connected things, these sorts of weaknesses are only going to become more common.
UPDATED: 8/10/2018, 3:15 PM EST: This story has been updated with comment from Crestron.