IOT, Shodan and public networks

Off-topic
#1

I’m trying to wrap my head around IOT and especially the visibility and accessibility of it and especially when it comes to public networks.

Here’s a simple thought-experiment:
Let’s say I have a raspberry pi, I spin up a simple python webserver on port 80 and allow access, no passwords. Let’s up the ante: the host name is ‘findmypi’ and it serves a webpage ‘findmypisecrets.html’. A page that shows you a giftcard for a free year of hack the box.

I walk into a random hotel or coffee shop, connect the device to their public WiFi and leave it there for you to find. Where it is, you don’t know, that’s for you to find out.

What is you attack surface?
For who or when would the device become discoverable?
All you know is that the device is sitting somewhere, on a public network with the above fingerprints to go by.
What conditions do you need to fulfill in order to own the box and get the giftcard?
How would you go about and finding the device?

…Anything is fair game.

#2

If I understand it right.
You can simply find devices inside of a network with nmap.

But simply Spinning up a Python Webserver will only start a HTTP Server in your lokal network.

#3

Does the Hotel or Coffee Shop public WiFi provide IPv6 addresses?

In case your Pi is behind a NAT and the NAT does no port forwarding, it won’t be found. If it is reachable from the internet, Shodan is probably going to find it. Would be interesting how many days it takes Shodan to catalog it.

#4

in your thought-experiment, does your Pi serve an index.html or a robots.txt?

#5

Type your comment> @gorg said:

Does the Hotel or Coffee Shop public WiFi provide IPv6 addresses?

Let’s say it does

in your thought-experiment, does your Pi serve an index.html or a robots.txt?
I personally didn’t think it would make much difference, but let’s say it does.

The only thing trying to keep it from being detected is the fact that’s it behind a public network.

I’m actually trying to figure out if information can leak past that in ways I don’t know.

#6

@gnothiseauton said:

I’m actually trying to figure out if information can leak past that in ways I don’t know.

A lot of my answer is “it depends” and when we are all allowed out again it would be worth trying, just to see.

In very general terms, there are two obvious attack surfaces:

  1. People on the wifi network with you
  2. the internet

The “threat” from group 2 largely depends on how the wifi is set up. If it is firewalled then there is a good chance an entirely internet-based attacker will never know your device exists. Simply hosting a webserver isn’t enough, you’d need to modify the firewall to route port 80 to your device.

Threat group 1, however, are different - but it still depends on how the WLAN is configured. It may be possible to do an nmap scan and find every device connected but that WiFi config is becoming rare.

It if is an entirely passive device it is harder to spot but WiFi is noisy. So if someone is simply sniffing wireless packets, they have a very good chance of inferring the device’s existence and then, with its IP address known, scanning becomes easier.

Still, it would be good to test the assumptions here.

#7

The “threat” from group 2 largely depends on how the wifi is set up. If it is firewalled then there is a good chance an entirely internet-based attacker will never know your device exists. Simply hosting a webserver isn’t enough, you’d need to modify the firewall to route port 80 to your device.

Yeah. That’s the basic assumption I took myself: no port forwarding, device not visible… but then I started questioning that. Hence this ‘experiment’ to see if I’m overlooking something.

Threat group 1, however, are different - but it still depends on how the WLAN is configured. It may be possible to do an nmap scan and find every device connected but that WiFi config is becoming rare.

Yeah, I was wondering about that. My networking s*xx donkeyballs to know enough about that.

Based on my own IP, how would I know what range to scan to see other devices connected to that public network?

You say there are mechanisms to prevent scanning devices on the same (public) network. Can you say something about that?

It if is an entirely passive device it is harder to spot but WiFi is noisy. So if someone is simply sniffing wireless packets, they have a very good chance of inferring the device’s existence and then, with its IP address known, scanning becomes easier.

That’s actually a very interesting remark you make… I never took the beakons into account.
What you are saying is that even if some can’t scan the devices on the public network, someone within range could find my ip by monitoring the beakoning traffic, right?

Would my IP then be of use, as in reachable, to anyone on that same public network?

…I guess I really need some networking course sometime soon. So much to learn, though…

#8

@gnothiseauton said:

The “threat” from group 2 largely depends on how the wifi is set up. If it is firewalled then there is a good chance an entirely internet-based attacker will never know your device exists. Simply hosting a webserver isn’t enough, you’d need to modify the firewall to route port 80 to your device.

Yeah. That’s the basic assumption I took myself: no port forwarding, device not visible… but then I started questioning that. Hence this ‘experiment’ to see if I’m overlooking something.

Nope. No forwarding (or public IPv6 assignment, but IPv6 is pretty rare for public WiFis), no exposure to/from the interwebs.

Threat group 1, however, are different - but it still depends on how the WLAN is configured. It may be possible to do an nmap scan and find every device connected but that WiFi config is becoming rare.

Yeah, I was wondering about that. My networking s*xx donkeyballs to know enough about that.

Based on my own IP, how would I know what range to scan to see other devices connected to that public network?

You get an IP and subnet mask assigned from the DHCP. Based on those 2, you can calculate the network range. As an example, getting IP 192.168.1.200 and subnet mask 255.255.0.0 means that possible IP addresses are in the range of 192.168.0.1 to 192.168.255.254 For more uncommon subnet masks (e.g. 255.255.240.0), I’d recommend using a subnet calculator, since things can get “difficult” quite easily

You say there are mechanisms to prevent scanning devices on the same (public) network. Can you say something about that?

This is often called “guest isolation”. Basically, the access point/router creates a small network for each guest with only 2 IP addresses in it’s range: the router and the client. Each client gets the same IP address and the router routes traffic based on MAC addresses. That way, no client can communicate with other clients, because all traffic destined to the “client IP” will always be consumed by your own system. (this is probably not 100% accurate, but should give a rough idea :wink: ).

It if is an entirely passive device it is harder to spot but WiFi is noisy. So if someone is simply sniffing wireless packets, they have a very good chance of inferring the device’s existence and then, with its IP address known, scanning becomes easier.

That’s actually a very interesting remark you make… I never took the beakons into account.
What you are saying is that even if some can’t scan the devices on the public network, someone within range could find my ip by monitoring the beakoning traffic, right?

Would my IP then be of use, as in reachable, to anyone on that same public network?

…I guess I really need some networking course sometime soon. So much to learn, though…

Well, it’s not just beaconing, but a “passive attacker” who just monitors WiFi traffic from the outside can see MAC addresses communicate with each other. When the WiFi is unencrypted, the attacker can also see/learn the associated IP addresses. In order to communicate with your device, the attacker would still need to join the same network, since the WiFi frames also contain necessary meta data that all communicating parties have to deal with.