Vulnerabilities in Crestron home automation controllers allow attackers to take over devices


At the Def Con conference, a researcher from the Japanese security company Trend Micro presented several vulnerabilities in Crestron home automation controllers that allow an attacker to take over the devices and, for example, stream video.

The researcher, Ricky Lawshae, introduced Crestron as a system that is used in many places, such as offices, universities, hotels and airports. Crestron also frequently refers in its communications to a close collaboration with Microsoft. For his research, he focused on two Crestron devices, the MC3 and the TSW760. The first device is a control system based on Windows CE 6, and the second is an Android tablet that acts as a controller and runs Lollipop. Through a Shodan search, he found an average of 20,000 to 23,000 Crestron devices that were directly connected to the internet.

That became a problem when he learned that unauthorized access was possible to the so-called CTP console, where CTP stands for Crestron Terminal Protocol, something mainly used by programmers. Although authentication methods were available, in most cases they were disabled. Lawshae suggested that this may have to do with the complexity of the systems. A second observation was that after logging in to the devices, he immediately had an administrator role, which allowed him to execute a large number of commands. In addition, there were undocumented commands that ran outside the sandbox he landed in after logging in. For example, he could start a browser or record audio on the Android tablet.

Lawshae also discovered two backdoor accounts for engineers. Their passwords were based on the MAC address, which he obtained through the CTP console. In addition, the password generation algorithm was included in the firmware. The researcher showed that with the accounts present on the Windows system, he could, for example, modify the registry and run any executable outside the sandbox. In a demo, he showed how to create a telnet shell that gave him full access to the system.

Lawshae concluded with the discovery of 22 command injection vulnerabilities in the CTP console on the Android system, which allowed remote code execution. With limited time, he did not look for further vulnerabilities. In a final demo, he showed how to remotely turn on the Android controller's camera and access the video stream. He noted that this product is also used, for example, in hotel rooms. Crestron has since fixed the vulnerabilities found, according to the researcher. He noted in his conclusion that the Android system seemed a lot more insecure than the Windows variant; he speculated that this may have to do with Crestron's relationship with Microsoft and the fact that Crestron hasn't been working with Android for long.

Admin access after connecting to the console
