Heatmiser WiFi thermostat vulnerabilities

Scanning for Heatmiser thermostats on port 8068 really just requires a quick check for port 8068 being open – we can be fairly confident that anything with this port open is one of their devices. We can then make a detailed check on port 80.
nmap -p 8068 -Pn -T 5 --open 78.12.1-254.1-254
nmap can easily do this scan. If you want to scan large blocks of addresses though, masscan is much faster.

via » Heatmiser WiFi thermostat vulnerabilities.
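The two-stage sweep the excerpt describes (a fast one-port check for tcp/8068 across the block, then a closer look at tcp/80 on only the hosts that answered), as an added example that is not code from this page or from the Heatmiser write-up. It parses nmap's greppable (-oG) output and masscan's list (-oL) output, both of which are constructed samples here rather than real scan results, and builds the follow-up nmap command for the hits; the function and constant names are this example's own. Run it with an address block as its only argument to do stage 1 live (this needs nmap installed and authorisation to scan the target), or with no argument to use the embedded sample.

```python
"""Two-stage sweep for Heatmiser-style devices: a fast one-port check for
tcp/8068 across the block, then a detailed look at tcp/80 on the hits only.

Added example. SAMPLE_GNMAP and SAMPLE_MASSCAN_LIST are constructed to look
like nmap -oG and masscan -oL output; they are not real scan results.
"""
from __future__ import annotations

import re
import subprocess
import sys
from typing import Iterable

# Constructed nmap greppable output for: nmap -Pn -p 8068 --open -oG - <block>
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated (constructed sample)
Host: 78.12.1.5 ()\tStatus: Up
Host: 78.12.1.5 ()\tPorts: 8068/open/tcp//unknown///
Host: 78.12.1.9 ()\tStatus: Up
Host: 78.12.1.9 ()\tPorts: 8068/filtered/tcp//unknown///
Host: 78.12.2.17 ()\tStatus: Up
Host: 78.12.2.17 ()\tPorts: 8068/open/tcp//unknown///
# Nmap done (constructed sample)
"""

# Constructed masscan list output for: masscan -p8068 -oL - <block>
SAMPLE_MASSCAN_LIST = """\
#masscan
open tcp 8068 78.12.1.5 1700000000
open tcp 8068 78.12.3.200 1700000001
# end
"""

_GNMAP_PORTS = re.compile(r"^Host: (\S+) .*Ports: (.*)$")


def hosts_from_gnmap(text: str, port: int) -> list[str]:
    """Hosts whose tcp/<port> is reported *open* in nmap -oG output.

    Each port entry has the form port/state/proto/owner/service/rpc/version/;
    with -Pn every host is 'Up', so key off the port state, not host status.
    """
    hits: list[str] = []
    for line in text.splitlines():
        m = _GNMAP_PORTS.match(line)
        if not m:
            continue
        host, ports = m.groups()
        for entry in ports.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 3 and fields[:3] == [str(port), "open", "tcp"]:
                hits.append(host)
    return hits


def hosts_from_masscan_list(text: str, port: int) -> list[str]:
    """Hosts whose tcp/<port> is open in masscan -oL output
    (lines look like: 'open tcp 8068 78.12.1.5 1700000000')."""
    hits: list[str] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and fields[:3] == ["open", "tcp", str(port)]:
            hits.append(fields[3])
    return hits


def stage_two_command(hosts: Iterable[str], port: int = 80) -> list[str]:
    """argv for the detailed check: version probe on tcp/<port>, stage-1 hits only."""
    unique = list(dict.fromkeys(hosts))  # de-duplicate, keep first-seen order
    return ["nmap", "-Pn", "-p", str(port), "-sV", "--open", "-oG", "-", *unique]


def stage_one_live(block: str, port: int = 8068) -> str:
    """Run the fast sweep with nmap and return its greppable output (needs nmap)."""
    proc = subprocess.run(
        ["nmap", "-Pn", "-p", str(port), "--open", "-oG", "-", block],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    gnmap = stage_one_live(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_GNMAP
    hits = hosts_from_gnmap(gnmap, 8068)
    print("stage 1, tcp/8068 open on:", hits)
    print("stage 2:", " ".join(stage_two_command(hits)))
```

The stage-2 command uses -sV so that nmap grabs whatever banner port 80 returns, which is the "detailed check" that distinguishes a thermostat from some other device that happens to listen on 8068; the -T 5 timing template from the quoted command is left out and can be added back if you want the fast sweep even faster. Only hosts whose 8068 entry is in state open are carried forward: filtered or closed entries, and the "Status: Up" lines that -Pn produces for every address, are ignored.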

For this thermostat to be reachable from the Internet, someone has to set up port forwarding at the local router: when traffic arrives from the Internet on (in the example above) port 8068, the router forwards it to whichever internal IP address has been associated with that port. This lets the owner reach things inside the local network from anywhere on the Internet. It also lets anyone else on the Internet reach that internal device.

Here is my opinion on this matter. As the world moves towards self-driving cars and self-driving planes, extremely complicated devices that you would think need human intervention, the world is also moving to take very simple devices, like household appliances, and make them so that they need human intervention. A thermostat should be set and forget. It should have simple intelligence to figure out what temperature to set a room. If a human must get involved in messing with a thermostat then perhaps something went wrong, but it’s not an emergency like this:

Should Airplanes Be Flying Themselves? | Vanity Fair.

A thermostat can certainly wait until you get home to physically figure out the problem and put it back on auto. The Internet of Things can certainly be useful for read-only purposes, like buzzing your phone when the dishes or laundry finishes. You can’t load laundry or dishes into these devices via the Internet, so how do the benefits of controlling them remotely, especially from remote Internet locations, outweigh the risks of allowing bad guys to get into your local network?

Finally, here’s a link to a site that does the Internet-wide port scanning for you. It seems like a useful resource to know about.

Plugging this into Shodan, we get over 7000 results. That’s quite a lot. (Note: you might need to register to use filters like this.)

ZMap · The Internet Scanner

ZMap is an open-source network scanner that enables researchers to easily perform Internet-wide network studies. With a single machine and a well-provisioned network uplink, ZMap is capable of performing a complete scan of the IPv4 address space in under 45 minutes, approaching the theoretical limit of gigabit Ethernet.

ZMap can be used to study protocol adoption over time, monitor service availability, and help us better understand large systems distributed across the Internet.

via ZMap · The Internet Scanner.

Passive OS Fingerprinting

Active measures, like those employed by Nmap, are unfortunately not available when doing passive analysis of live traffic or when analyzing previously captured network traffic. Passive analysis requires much more subtle variations in the network traffic to be observed, in order to identify a computer’s OS. A simple but effective passive method is to inspect the initial Time To Live (TTL) in the IP header and the TCP window size (the size of the receive window) of the first packet in a TCP session, i.e. the SYN or SYN+ACK packet.

via Passive OS Fingerprinting – NETRESEC Blog.
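The TTL-plus-window check the excerpt describes, as an added example that is not code from the NETRESEC post or from this page: it parses a raw IPv4/TCP packet, takes the TTL and the window from the SYN (or SYN+ACK), rounds the observed TTL up to the nearest common starting value (32, 64, 128 or 255; the usual heuristic, which also yields a hop-count estimate) and matches the pair against a small signature table. The packets are constructed with the helper at the bottom, and SIGNATURES is a short illustrative subset of commonly cited defaults, not a complete or authoritative signature database; the function and table names are this example's own.

```python
"""Passive OS guess from the first packet of a TCP session: initial TTL
plus TCP window size, as in the NETRESEC excerpt above.

Added example. build_tcp() constructs synthetic packets for demonstration;
SIGNATURES is a small illustrative table of commonly cited defaults, not a
complete signature database.
"""
import struct

SYN = 0x02
ACK = 0x10

# (estimated initial TTL, TCP window in the SYN) -> label. Illustrative only.
SIGNATURES = {
    (64, 5840): "Linux 2.4/2.6",
    (64, 29200): "Linux 3.x",
    (64, 64240): "Linux 4.x/5.x",
    (64, 65535): "macOS / FreeBSD",
    (128, 8192): "Windows 7 / Server 2008",
    (128, 64240): "Windows 10/11",
    (128, 65535): "Windows XP",
    (255, 4128): "Cisco IOS",
}


def parse_ip_tcp(packet: bytes) -> dict:
    """TTL, ports, flags and window from a raw IPv4/TCP packet (no link-layer header)."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4                        # IP header length in bytes
    ttl, proto = struct.unpack_from("!BB", packet, 8)   # TTL at offset 8, protocol at 9
    if proto != 6:
        raise ValueError("not TCP")
    sport, dport, _seq, _ack, off_flags, window = struct.unpack_from("!HHIIHH", packet, ihl)
    return {"sport": sport, "dport": dport, "ttl": ttl,
            "flags": off_flags & 0x01FF, "window": window}


def initial_ttl(observed: int) -> int:
    """Round the observed TTL up to the nearest common starting value.

    Hosts start at 32, 64, 128 or 255 and each router decrements by one, so
    the next value at or above what we saw is (almost always) what the sender used.
    """
    for start in (32, 64, 128, 255):
        if observed <= start:
            return start
    raise ValueError("TTL out of range")


def fingerprint(packet: bytes) -> dict:
    """Guess the sender OS from a SYN or SYN+ACK. Later packets are rejected:
    their window is already scaled/updated and no longer the initial value."""
    info = parse_ip_tcp(packet)
    if not info["flags"] & SYN:
        raise ValueError("not the first packet of the session (no SYN flag)")
    start = initial_ttl(info["ttl"])
    info["initial_ttl"] = start
    info["hops"] = start - info["ttl"]
    info["os_guess"] = SIGNATURES.get((start, info["window"]), "unknown")
    return info


def build_tcp(ttl: int, window: int, flags: int = SYN,
              src: bytes = b"\x0a\x00\x00\x05", dst: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Constructed 40-byte IPv4+TCP packet for testing (checksums left as zero)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, ttl, 6, 0, src, dst)
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 0, (5 << 12) | flags, window, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    for ttl, win in ((52, 29200), (117, 8192), (251, 4128), (60, 12345)):
        r = fingerprint(build_tcp(ttl, win))
        print(f"ttl={r['ttl']:3d} window={r['window']:5d} -> "
              f"initial TTL {r['initial_ttl']}, {r['hops']} hops, {r['os_guess']}")
```

Two caveats when pointing this at real traffic: a capture from a live interface or a pcap carries a link-layer header in front of the IP header (14 bytes for Ethernet) that has to be stripped before calling fingerprint(), and a SYN that passed through a NAT gateway, proxy or load balancer reflects that middlebox's TTL and window rather than the end host's, which is the main source of wrong guesses with this method.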

Internet Census 2012

Abstract: While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

All data gathered during our research is released into the public domain for further study.

via Internet Census 2012.

Top 30 Nmap Command Examples For Sys/Network Admins

The purpose of this post is to introduce a user to the nmap command line tool to scan a host and/or network, so as to find out the possible vulnerable points in the hosts. You will also learn how to use Nmap for offensive and defensive purposes.

via Top 30 Nmap Command Examples For Sys/Network Admins.

Nmap can be very useful, which is why I have a link to it in the Tools section on this page.