I suppose you can call it “arriving late to the game” – I’ve only been on the Full Disclosure mailing list for something on the order of 6-8 months. In that timeframe I saw some interesting (but not ‘interesting enough’ to make the real news/blogs/etc.) vulns and posts come through.
During that time I’d also spent a lot of time playing with Shodan. In my downtime I’d spent hours upon hours, up until 4am some days, doing searches on Shodan for unprotected or easily accessible security cameras (Korea has a TON of them all monitoring construction sites, for some reason). Finding traffic cameras in LA, then making a game out of trying to identify the intersection using Google Street View.
That horrible movie ‘Eagle Eye’ starts coming to mind about now, as I’m honing my skills of being able to find all sorts of stuff and tie datapoints together.
One day on the Full Disclosure list I see this. The first thing I did was go STRAIGHT to Shodan and start searching for DD-WRT routers accessible to the internet. I think I did this in something like Dec ’10 or Jan ’11 – I found 8000 or 9000 devices.
I wrote a quick Perl script to step through the output of the search and try to see if it was worth it to do something interesting with the data, and out of the result set I had, I got about 30%. Not bad, something like 2000 DD-WRT routers, publicly available, vulnerable to a very simple information disclosure bug.
I immediately thought of Samy Kamkar. His ‘how I met your girlfriend’ talk at Black Hat ’10 was hilarious and spectacular (and in getting the link to write this post I found this – cool! didn’t know that Android phones were sending that data home. That’s cool and creepy at the same time) - I wondered how that would apply to my findings – so I tried a few of them. I got limited results – something like 700 or 800. That’s not too bad! The workflow kind of looked like this:
Vuln -> full disclosure -> shodan -> vuln assessment script -> google location script -> results.txt
Once I had a bunch of results in a text file, I wasn’t really sure what to do. I knew I could try and make a Google Maps hack, but having never done that before I started asking around for help, so I turned to John. I told him that I’d used Shodan for the data mining portion of this little quest, and he offered to help! I had no idea he’d build a little search utility around it – that was awesome. You should check it out, he did a really awesome job!
And here’s some more background beyond what I’ve already written that details the more technical aspects of these findings: