“How do you find these things?”
To find devices out there such as these you need a couple things:
2. Elbow grease
What is Censys.io? Why use it?
Censys.io serves essentially the same purpose as Shodan.io but I like it a lot more due to the user interface and search functionality serving my purposes much better. It is also much freer (literally) than Shodan, in other words, I'm cheap. Censys seems to gather and parse out a lot more data than most other device search engines and places the output into an easily searchable format that is rather powerful.
Finding Interesting Devices on Censys
It's a term that I am coining as 'Censys Dorking' (super original, I know), you can probably imagine what it entails from the name, but I'll explain a little more. For me, I will typically start with an organization name (for example Hackerpom Airlines, this is not what I used to find this, but this will be the example for privacy reasons) or type of device in mind. There’re a few ways that you can do this...
1. A basic search using a common name that will be used in the title or body of the page or in the ARIN/certificate/DNS lookup information. This would be something as easy as "Hackerpom Airlines" in the search bar. There are tons of permutations that will often lead to vastly different devices in response to your query. “Hackerpom Airlines” in the title or body of the page will return where that is used in the HTML code of the page, whereas “Hackerpom Airlines” for the certificate Org. name will give all the sites utilizing a certificate with that name. However, Hackerpom as a generic query in Censys will net even more results, albeit probably nothing to write home about.
2. Pivoting and filtering on ports can help find some of the weird things out there. Port 80, 8080, 8888 etc. Most of the time if there is a web page responding over a port, there’s potential for it to be interesting. This is where things can really cut down on the number of results. Filtering based on the ISP can give some serious anomalies as well as many other data points.
3. Search a piece of technology that a given company may be using... Think 'Airbus'.
While searching you are going to get a lot of noise and things that are completely fine that no one cares about. This is where your coffee and elbow grease come into play, as well as Censys' powerful querying functionality. Start to take out the known good. AND NOT 443.cname = 'Hackerpom.com'. I don't care about Hackerpom.com, so on and so forth.
By searching for “Hackerpom Airlines” in Censys very generically, I sorted on port 8080 responses to begin to drill down a little. There were still ~3,000 devices that came back in response. Start going through the findings manually with some elbow grease and I came across the initial AirFASE device. Upon discovering something you find interesting you can dig into the device listing section on Censys labeled 'details'. Expanding the details and find an identifying parameter for the AirFASE systems, IE "AirFASEWeb" (see image below).
When you pivot on this logic and search for “AirFASEWeb” you are (were, less now) greeted with ~32-38 instances of the software that were internet facing. These devices turned out to be extremely vulnerable and were never intended to be internet facing. Things like SMBv1, user enumeration, almost guaranteed SQLi all seemed to be present on these devices.
In addition to the discovery portion please see RagSec’s breakdown analyzing the AirFASE devices after discovery: RagSec AirFASE Blog
“Well, that’s nice and all, but what exactly is AirFASE?”
From navblue.aero – “Monitor Safety related events, raising your Safety standards! AirFASE is a Flight Data Analysis software, and a key element of the Safety Management System. It is an advanced monitoring software tool for analyzing flight operations and detecting deviations and trends.”
Fair enough, down the responsible disclosure path we go. It turns out that most of these devices were being housed in a datacenter in the Netherlands by an organization “Teledyne Controls”. Reaching out to this company proved to be an absolute nightmare, as I’m sure some other researchers can attest to when attempting to speak to someone about security issues. We began to attribute some of these devices to the organizations that might care, but even the ones that we could attribute getting communication back was very rough.
Having worked in the Aviation industry in InfoSec before I recalled an organization that we worked with, the A-ISAC. Once we began to work with the A-ISAC we started to see most of these machines come down, in addition to this patches and infrastructure changes were taking place to ensure that these devices were no longer reachable via the internet. We would like to thank the A-ISAC on working towards attributing, communicating, and mitigating these issues with the affected organizations. They seemed very appreciative of our efforts to responsibly disclose these findings.
This is just one example of many of vulnerable internet facing devices that I can find basically any time I decide to look. All in all, this is a good exercise to perform at your organizations. Check your external exposure, because you aren’t the only ones with the capability.