<?xml version="1.0" encoding="UTF-8"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:atom="http://www.w3.org/2005/Atom" version="2.0" xmlns:cc="http://cyber.law.harvard.edu/rss/creativeCommonsRssModule.html">
    <channel>
        <title><![CDATA[Stories by van gone on Medium]]></title>
        <description><![CDATA[Stories by van gone on Medium]]></description>
        <link>https://medium.com/@van.gone?source=rss-eeb253b82294------2</link>
        <image>
            <url>https://cdn-images-1.medium.com/fit/c/150/150/1*JAYpuEjUqiOh7SdM1L306w.jpeg</url>
            <title>Stories by van gone on Medium</title>
            <link>https://medium.com/@van.gone?source=rss-eeb253b82294------2</link>
        </image>
        <generator>Medium</generator>
        <lastBuildDate>Mon, 01 Jun 2026 05:18:41 GMT</lastBuildDate>
        <atom:link href="https://medium.com/@van.gone/feed" rel="self" type="application/rss+xml"/>
        <webMaster><![CDATA[yourfriends@medium.com]]></webMaster>
        <atom:link href="http://medium.superfeedr.com" rel="hub"/>
        <item>
            <title><![CDATA[Exploiting Unsecured IoTs: Outsourced Scamming and How a YouTuber hijacked an organized crime in…]]></title>
            <link>https://medium.owasp-cebu.org/exploiting-unsecured-iots-outsourced-scamming-and-how-a-youtuber-hijacked-an-organized-crime-in-abfe5de0aeb5?source=rss-eeb253b82294------2</link>
            <guid isPermaLink="false">https://medium.com/p/abfe5de0aeb5</guid>
            <category><![CDATA[osint]]></category>
            <category><![CDATA[dorks]]></category>
            <category><![CDATA[cybersecurity]]></category>
            <dc:creator><![CDATA[van gone]]></dc:creator>
            <pubDate>Sun, 25 May 2025 13:12:40 GMT</pubDate>
            <atom:updated>2025-05-25T13:12:40.636Z</atom:updated>
            <content:encoded><![CDATA[<h3><strong>Exploiting Unsecured IoTs: Outsourced Scamming and How a YouTuber hijacked an organized crime in Cebu using CCTVs</strong></h3><p><em>Disclaimer: For educational purposes only. Attempting to hack a private network or device without permission is against Republic Act No. 10173, or the Data Privacy Act of 2012. Hack ethically.</em></p><p>The Internet of Things (IoT) has become a huge part of our modern life, from smart watches and voice-controlled light switches to smart homes integrated with a bunch of features that include a voice-integrated security camera, a smart rice cooker (if you have one, I envy you), and a smart electric fan (yes, Xiaomi’s selling one). But what if we can use it to track down certain parts of the world and unveil things we never thought were happening?</p><p><strong>Introduction: What is IoT?</strong></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*fEfLSUchiEXldjM6" /><figcaption>Photo by <a href="https://unsplash.com/@sebastian_s?utm_source=medium&amp;utm_medium=referral">Sebastian Scholz (Nuki)</a> on <a href="https://unsplash.com?utm_source=medium&amp;utm_medium=referral">Unsplash</a></figcaption></figure><p>The Internet of Things, or simply IoT, is <a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT">a network of devices that are connected to a local network or to the biggest network to ever exist, the internet</a>. Aside from your typical personal computers, laptops, and smart phones, certain ordinary devices can now be interrelated and connected to the internet, and we call this network IoT for short. 
From household devices to industrial ones, IoT devices have made our lives more efficient and better, thanks to the transferable data collected from each device’s sensors, antennas, and/or microcontrollers.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*9Bf-SLG5wNUBxRgLl4RvlA.png" /><figcaption>An example of an IoT system based on <a href="https://www.techtarget.com/iotagenda/definition/Internet-of-Things-IoT">What is IoT (Internet of Things)? | Definition from TechTarget</a>.</figcaption></figure><p>Just like anything that’s connected to a network, in this case the internet, IoT devices are assigned IP (Internet Protocol) addresses. Without them, <a href="https://sigmaos.com/tips/startups/internet-of-things-iot-terms-explained-ip-address">IoT devices would not be able to communicate with each other.</a> Even more so, when an IoT device is connected to the internet, your network’s DHCP (Dynamic Host Configuration Protocol) server will assign a unique IP address to that device so it can communicate with other devices within the network and also with the internet. Cool, right?</p><p>On the other hand, one of the most essential IoT devices used today is the security camera. It has made our lives more convenient in tracking down activities and, most especially, criminals. Hence, security cameras have created this Orwellian 1987-ish world of ours today, but for a hefty, good reason.</p><p><strong>The Unfortunate Case of Unsecured “Security” Cameras</strong></p><p>There are several types of security cameras, and they can be used for tons of purposes.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/740/1*Y5_Xf85it9iReJjFXiw-Ig.jpeg" /><figcaption>Different types of surveillance cameras. From <a href="https://consumera.com/security-cameras/popular-types-of-security-cameras/">consumera.com</a>.</figcaption></figure><p>Now, what is their potential vulnerability? 
Well, it turns out you can basically search for the location (using its IP address) of that camera online and access the footage on your own device. Not only that, both public and private CCTVs, particularly private security cameras that are not “secure” enough, are broadcast live. Your own CCTVs are at risk, as well. An example is the screenshot of live footage below.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*v9TNuL5YfHPTyNx7PRos4g.png" /><figcaption>A live broadcast of a network/IP camera posted on <a href="https://www.earthcam.com/search/ft_search.php?term=philippines">earthcam</a>.</figcaption></figure><p><strong>What happened, BMJ?</strong></p><p>Recently, a YouTube vlogger somehow exposed a BPO company in Cebu City for doing some nefarious business and, shockingly, it turned out to be an outsourced scam group. They have been scamming people into giving them money and putting it into their pseudo-investment schemes. Let’s first dig into this issue and see what we can find.</p><p>We can start with the YouTube video posted by the vlogger.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*wu1f-7JckCnCCt-4g0j5Iw.png" /><figcaption>Unfortunately, the YouTube video is unavailable as of now in the Philippines.</figcaption></figure><p>If you can’t find the video now, most likely the outsourcing company has already reported it to YouTube. But we find ways.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*ureYDF8fOe5YQ5_sH_rb_Q.png" /><figcaption>Voila! 
It is still available elsewhere like, let’s say, Germany (via VPN).</figcaption></figure><p>Upon doing some basic OSINT (Open-Source Intelligence) reconnaissance techniques, I have deduced the website that these infamous fellow Cebuanos are using to scam people in other parts of the world.</p><p>It turns out that the scam company found in Cebu City is an outsourcing company of one of the bigger organized scam groups called Solismarkets.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*VdH4HX1jyf9rGbM9GKigGA.png" /><figcaption>This is the website that the threat actors are using to force their victims to deposit money into their platform. Solismarkets’ website is still live as of this writing.</figcaption></figure><p>They also claimed to be an affiliate of another company called Eklavya. Let’s see what they are up to.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*5-cdmBUSowUox8G4gKTTgA.png" /></figure><p>Interestingly, the so-called company’s whereabouts seem to be missing.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*DUD_biGlEQXYJqson9JXhw.png" /></figure><p>Also, this company has served virtualwealthexchange.co, another scam cryptocurrency broker that claimed to be registered in Canada (as of this writing, its website has already been taken down; it changed its name to BTCBotique for a while, which didn’t last long either).</p><p><strong>Methodology</strong></p><p>The first thing that you might ask is, how did that YouTuber manage to access the scammer’s security cameras? Like we said earlier: IP addresses. You can experiment with this in your own home, if you have a CCTV, by using a packet sniffer like Wireshark to get the IP address of your camera/s. 
Simply set the capture filter to “ip.proto” or “ip.proto == rtp” (some cameras use rtsp, as well) to get all of the devices that are connected to your network.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*YHwS6ivmemb3NcixBbBt3g.png" /><figcaption>Wireshark analyzing packets that are sent to my laptop.</figcaption></figure><p>Additionally, you can also use <a href="https://www.geeksforgeeks.org/what-is-google-dorking/">dorks</a> (advanced search filters used for hidden exploitable data on search engines, we’ll talk about this next time) to gather public IP cameras. Here are some examples.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*IelPigg3bioVjiN69RYW7Q.png" /><figcaption>Typing intitle:”webcamXP 5&quot; -download into Google would lead us to some IP cameras available online.</figcaption></figure><p>By also clicking Shodan (another useful OSINT tool), you can access IP cameras and where they are located.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*XSVfnmD2OBELAEzHP8O2-g.png" /><figcaption>Shodan results showing webcamXP downloads.</figcaption></figure><p>Another example.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*24XYIFJrFFSh8Ev_8-1u1Q.png" /><figcaption>Let’s try another one by searching for all the IP cameras via webcam IDs.</figcaption></figure><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*C14TgdlgdjELn8lhJuPFlQ.png" /><figcaption>Notice in the URL that the IP address of that camera is shown.</figcaption></figure><blockquote>Note: Some of the search results while dorking might yield some unsecured “private” IP cameras, cameras that ordinary households are using. If you do find one, follow ethical protocols and inform the owner about it.</blockquote><p><strong>Limitations</strong></p><p>You might ask me, “Can I hack our school/workplace’s CCTVs now using these?” Not quite. 
You can actually do that, but I advise you to not do that. For one, some security cameras are more secure now than what we’ve seen in the examples above. Some might even require a password, while others are simply difficult to find even for a sniffing tool. Again, tread with caution.</p><p><strong>Conclusion</strong></p><p>In today’s era of IoT devices embedded in our ecosystem of gadgets, the best we can do now is ask: how far can these devices go? Devices like security cameras are useful enough in hunting down threat actors like the one we discussed, but what about us? Are we safe from this? Could these devices turn their backs on us and be used for bad intentions, instead? Only time will tell.</p><hr><p><a href="https://medium.owasp-cebu.org/exploiting-unsecured-iots-outsourced-scamming-and-how-a-youtuber-hijacked-an-organized-crime-in-abfe5de0aeb5">Exploiting Unsecured IoTs: Outsourced Scamming and How a YouTuber hijacked an organized crime in…</a> was originally published in <a href="https://medium.owasp-cebu.org">OWASP Cebu</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
        <item>
            <title><![CDATA[Detecting Punycode Attacks: The Basics, the Trends, and the Myths]]></title>
            <link>https://medium.owasp-cebu.org/detecting-punycode-attacks-the-basics-the-trends-and-the-myths-879d4d379cd7?source=rss-eeb253b82294------2</link>
            <guid isPermaLink="false">https://medium.com/p/879d4d379cd7</guid>
            <category><![CDATA[cybersecurity]]></category>
            <category><![CDATA[phishing]]></category>
            <category><![CDATA[threat-intelligence]]></category>
            <category><![CDATA[scam]]></category>
            <category><![CDATA[punycode]]></category>
            <dc:creator><![CDATA[van gone]]></dc:creator>
            <pubDate>Wed, 09 Apr 2025 07:09:31 GMT</pubDate>
            <atom:updated>2025-04-09T07:09:31.493Z</atom:updated>
            <content:encoded><![CDATA[<p><em>What if we start discussing one of the most overrated spoofing techniques and how to detect which one’s which (before we become victims ourselves)?</em></p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/0*CcQDtH8olpCCY3FT" /><figcaption>Photo by <a href="https://unsplash.com/@cbpsc1?utm_source=medium&amp;utm_medium=referral">Clint Patterson</a> on <a href="https://unsplash.com?utm_source=medium&amp;utm_medium=referral">Unsplash</a></figcaption></figure><p>In the fundamentals of understanding cybersecurity, more particularly in Threat Intelligence, one skill to develop is analyzing threats and spotting the differences between things, e.g., comparing one thing to another, and on the World Wide Web, there are a lot of things to compare in order to figure out which ones are real and which ones aren’t. There are various ways to falsify identity on the internet for various reasons, but one of the common ways to do that is what we call “spoofing”. Spoofing has a lot of types, too, albeit more complex and complicated to figure out, but the most typical one is website spoofing, and one technique used for it is called “punycode”. What even is punycode, and how can you tell if a website uses it? Let’s find out.</p><h4><strong>The Basics: How Punycode Is Used by Threat Actors</strong></h4><p>Punycode is an encoding that represents Unicode characters with an equivalent subset of ASCII characters, used for internationalized domain names, or IDNs. In short, it is used to transcode domain names containing Unicode characters, because most of them are written for countries with non-English alphabets. For example, a set of non-English alphabet characters must be transcoded into its equivalent punycode in order to have access to it (it usually starts with xn--). 
However, punycode is typically used by threat actors to spoof websites and get access to anyone’s login credentials.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*PcRUvxnhCX0yzxAghUKWJQ.png" /><figcaption>An example of a punycode used to imitate trezor’s official website (trezor.io). Notice how the letter ‘z’ is changed in the address bar after typing <a href="https://xn--treor-7hb.co/">https://xn--treor-7hb.co/</a>.</figcaption></figure><p>The problem with not being able to read punycode is that anyone can mistake fake domain names for legitimate ones, increasing the risk of getting scammed or phished. Threat actors exploit the vulnerability of certain browsers that do not display the equivalent ASCII characters or ASCII prefixes (those with xn-- in their domain names) of websites that use punycode, putting users in danger of having their login credentials, bank account numbers, or other personal information stolen.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*_LriVxTigeoKCQS7ZkdPOQ.png" /><figcaption>Another example of a potential punycode attack from a parked page that is being exploited using Brave Browser. Some browsers like Chrome and Opera don’t display ASCII prefixes like these.</figcaption></figure><h4><strong>The Trends: Usage of Punycode Attacks Today</strong></h4><p>What makes punycode attacks more dangerous to untrained eyes is that they can be more deceptive and harder to identify on smaller screens like mobile devices, and even the most trusted browsers on your smartphones cannot tell the difference.</p><figure><img alt="" src="https://cdn-images-1.medium.com/max/841/1*LEhX3RmH2rKqvpfTgELS4Q.png" /><figcaption>List of some of the biggest brands and their possible punycode equivalents. 
Image from <a href="https://www.jamf.com/blog/punycode-attacks/">Punycode attacks — the fake domains that are impossible to detect</a>.</figcaption></figure><h4><strong>The Myths: What Was Punycode Initially Used For</strong></h4><figure><img alt="" src="https://cdn-images-1.medium.com/max/1024/1*F6C7ZkP_IYrWwbpZR8kG-Q.png" /><figcaption>Using punycode for IDNs like this helps websites become more accessible and promote a multilingual Internet.</figcaption></figure><p>On the other hand, punycode was not originally meant for phishing purposes. It was initially used to solve a problem: the internet was running out of domain names to choose from. And so, ICANN (Internet Corporation for Assigned Names and Numbers) introduced the Internationalized Domain Names (IDN) program to enable the use of non-English domain names, one part of which is the use of punycode. Sadly, cybercriminals have found a way to turn this innovation into cyberattacks and have exploited its functionality.</p><h4><strong>Conclusion: What’s Next?</strong></h4><p>The elephant in the room now would probably be, how do we become more cautious with this? Certain strategies can keep us from becoming victims of punycode attacks. One rule of thumb (from me, obviously) would be this. If the letters in the address bar look somewhat odd and are not uniformly written, then it may be punycode. If the site is also asking you to click something with a sense of urgency or is giving you too-good-to-be-true deals, then check the official site to see if it’s also there. 
Finally, looking for punycode attacks takes a little bit of practice and caution, and people like you must know how to detect one.</p><hr><p><a href="https://medium.owasp-cebu.org/detecting-punycode-attacks-the-basics-the-trends-and-the-myths-879d4d379cd7">Detecting Punycode Attacks: The Basics, the Trends, and the Myths</a> was originally published in <a href="https://medium.owasp-cebu.org">OWASP Cebu</a> on Medium, where people are continuing the conversation by highlighting and responding to this story.</p>]]></content:encoded>
        </item>
    </channel>
</rss>