A Polish security researcher has created an open-source intelligence (OSINT) gathering tool that indexes information about sensitive internet-connected devices and plots their approximate location on a map.
The researcher says he created the tool as a way to allow organizations to scan their networks and identify vulnerable equipment, but the tool also has its dark side, as it can be used by attackers to target organizations with less effort than ever before.
Named Kamerka ("camera" in Polish), the tool was released last year. The tool works on user-provided search queries. Kamerka takes these queries and uses search engines like Shodan and BinaryEdge to search for common brands of a particular device, and plot results on a Google Map.
While in its initial version Kamerka scanned only for security cameras -- hence the Kamerka name -- the tool has received several updates in the past year. Current versions can scan and identify:
- Internet-connected security cameras
- Internet-connected printers
- Internet-connected ICS/SCADA industrial equipment
- Systems and sensors that work on top of the MQTT protocol
- Devices that broadcast an RTSP-based live video stream
- Tweets, Instagram posts, and Flicker images that contain geolocation details
Kamerka gathers this information, collects it in an Elasticsearch database, and then plots it on a Google Map. For each device plotted on the map, users can click and see a tooltip with exposed ports and various other metadata.
Until this week, you could only run Kamerka searches via a shoddy Python command-line script that was hard to use.
But the tool's creator, a researcher going by the name of Wojciech, told ZDNet that the tool will receive a fully-functional web-based dashboard. The new web dashboard, scheduled for release later this week, will make installing and searching for devices with Kamerka a lot easier.
Focusing on industrial equipment
This new version will focus specifically on improving the detection of industrial control systems, an area where Wojciech has invested heavily over the past year.
Previous Kamerka versions could detect ICS/SCADA systems like Modbus, Siemens S7, Tridium, General Electric, BACnet, HART IP, Omron, Mitsubishi Electric, DNP3, EtherNet/IP, PCWorx, Red Lion, Codesys, IEC 60870-5-104, and ProConOS.
The new version will also be capable of detecting Pl@ntVisor, Iologik, Moxa devices, SpiderControl, IQ3, VTScada, Z-World, Nordex, and various fuel tanks.
"It will be a new intelligence platform to gather info on exposed devices in a particular territory based on your coordinates or a scan of a whole country," Wojciech told ZDNet.
If that sounds scary, it's because it is scary. Kamerka effectively lets a user see what a hacker sees when searching or studying a target.
It can be used by companies as a reconnaissance tool to self-diagnose their own networks, but it's also one of those dual-use tools that hackers will also love and will most likely abuse to plan future hacks.
Over the past months, Wojciech showcased Kamerka's scary capabilities in two blog posts in which he used to tool to identify internet-connected industrial equipment in Poland, Switzerland, and the US.
Starting from a simple search query (like for Niagara Fox devices located in the US), Wojciech showed how an attacker could use Kamerka to track down the equipment in an area they want to hack.
Some Kamerka locations may not be identical to their real-world locations, but the metadata provided by Kamerka can help attackers pinpoint a target's real location with a few Google searches.
For example, an attacker can click on device icons, get metadata info about a device, and then search for various terms like factory names or street names to locate a target's real-world location, complete with Google Maps driving instructions, and even Street View imagery.
The reason why Kamerka is so effective is because many system administrators often have to manage large fleets of devices. Instead of using numerical values to identify equipment, they often use building names or full addresses to provide descriptions as accurate as possible.
Such information was also previously available on Shodan or BinaryEdge, but you'd only find it when searching for a very specific IP address. With Kamerka, all of this info is available on a map.
In the past few years, factories, power plants, and other critical infrastructure entities have been exposing an ever-increasing attack surface online.
Attackers have compromised nuclear plants, power grids, dams, hospitals, government agencies, and military targets, only to name a few of their targets.
In many cases, attacks took days or weeks to plan. With a tool like Kamerka, planning an attack would only take a few minutes. With a few searches, an attacker could find a target in a specific area, identify unpatched equipment (Shodan lists exposed ports and unpatched vulnerabilities), and launch attacks to take over the vulnerable device.
Such tactics aren't theoretical anymore. Back in August, Microsoft warned that Russian state-sponsored hackers have been seen using smart devices such as printers and video surveillance recorders as entry points into organizations.
But nation-state hacking groups shouldn't be the only thing organizations fear. Wojciech warns that ransomware gangs may also start targeting smart devices exposed on the internet in a similar way -- using them as an entry points inside critical targets.
With Kamerka, their job has surely been made a hell lot easier.
"I realize it's not a simple task to take over whole power plant, but it can start from small misconfiguration like exposing devices to the Internet, using default credentials or running other vulnerable software," Wojciech says.
Kamerka is available on GitHub.