Blast Radius: Mapping, Controlling, and Exploiting Dynamic Self-Registration Services

SecurityTrails Blog - A podcast by SecurityTrails


Vendors such as Datto, Geo Vision, Synology and others leverage and depend on self-registered services for their products. These devices frequently leak critical data or suffer from insecure design, whether through unintentional or even intentional design decisions, and from application flaws. Because of insecure network design and installation practices, they can be easily mapped, discovered and attacked by cyber criminals via insecure vendor, software and integrator practices.

For our new blog series Blast Radius, security professionals, researchers and experts deep dive into different attacks and vulnerabilities, explore how they can impact the entire internet ecosystem, and examine what they mean for organizations of all sizes, across all industries. To talk about the emergent properties of self-registration services bundled with devices provided by major manufacturers and the implications of their insecure design, we are joined by Ken Pyle.

Ken Pyle is a partner of CYBIR, specializing in exploit development, penetration testing, reverse engineering, and enterprise risk management. As a highly rated and popular lecturer he's presented groundbreaking research at major industry events such as Defcon, ShmooCon, Secureworld, HTCIA International, and others. He's also discovered and published numerous critical software vulnerabilities in products from a wide range of companies that includes Cisco, Dell, Netgear, Sonicwall, HP, Datto, Kaseya, and ManageEngine, earning him multiple Hall of Fame acknowledgements for his work. Ken has been publishing DNS work and vulnerability research privately for a number of years. He began showing some of his work in the web application, DNS and IPv4 space at different cybersecurity conferences, with a focus on fixing sets of problems that had already been deemed unfixable.
For our latest installment of Blast Radius, Ken will share a continuation of his work, and will disclose how the entire PKI, non-repudiation and encryption design of entire vendor ecosystems is flawed, and how you can use popular IoT devices and services to de-anonymize anonymity networks and map internal networks via poorly managed cloud security features. Additionally, he'll reveal how he gained arbitrary control of firewall rules across millions of devices and multiple vendors.

The emergent properties of dynamic DNS scraping

At Defcon 29, I presented a number of new attacks, reconnaissance types, exploits, and emergent properties of Self-Registration Services that come with devices provided by major manufacturers such as Datto. In the lead-up to Defcon, I have been publishing quietly on the subject and attempting to pre-empt and alert companies to the exposures.

I have been a really big fan of Securitytrails all the way back to DNS Trails. I find the engine and dataset to be simple to carve, highly accurate, and many emergent properties can be easily identified using the site and tools. In this write-up, we're going to discuss the emergent properties of passive, historical dynamic DNS registrations and how these can be easily exploited.

Mass mapping/arbitrary control of firewall rules

One of the many awesome features of Securitytrails is the ability to quickly and easily search data in weird ways no one has thought of. For example, a search for RFC 1918 addresses via ST will turn up some pretty interesting results:

Searching for RFC 1918 addresses, specifically those which MSPs, IT folks, or even your home routers distribute, will allow you to very quickly start identifying internal networks and their firewall rules. You'll notice I've highlighted a few interesting zones, remotewd.com, wd2go.com, duckdns.org, dattolical.net. We'll get back to those.
In order for many of these devices to register or maintain a record on the manufacturer's dynamic DNS regime, they must consistently beacon or "check-in" every few minutes. This allows the manufacturer (and you) to find the device easily, track it over network changes, and allow it to update and license i...
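As an added example (not code from the write-up or from SecurityTrails), here is the defender's side of the check described above: given passive-DNS A records, flag the hostnames that resolve into RFC 1918 space and group them by dynamic-DNS zone, so an organization can find its own leaked internal addressing under these vendor zones. The records, tenant labels and addresses are constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of passive-DNS A records (hostname, address), in the
# shape a dynamic-DNS lookup returns. Tenant labels and addresses are made
# up; the zones are among those named in the write-up.
SAMPLE_RECORDS = [
    ("office-nas.example-tenant.remotewd.com", "192.168.1.20"),
    ("backup01.example-tenant.remotewd.com", "10.20.30.40"),
    ("cam-lobby.example-tenant.duckdns.org", "172.16.4.9"),
    ("web.example-tenant.wd2go.com", "203.0.113.7"),
    ("home.example-tenant.duckdns.org", "198.51.100.23"),
    ("bad-entry.example.net", "not-an-ip"),
]

# Explicit RFC 1918 blocks rather than ipaddress.is_private, which also
# matches loopback, link-local and (in newer versions) shared address space.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside an RFC 1918 block."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed record data: not a leak, just skip it
    return ip.version == 4 and any(ip in net for net in PRIVATE_NETS)


def zone_of(hostname: str, labels: int = 2) -> str:
    """Approximate the dynamic-DNS zone as the last `labels` DNS labels."""
    return ".".join(hostname.rstrip(".").lower().split(".")[-labels:])


def leaked_internal_hosts(records):
    """Map each dynamic-DNS zone to the hostnames leaking RFC 1918 addresses."""
    leaks = defaultdict(list)
    for hostname, addr in records:
        if is_rfc1918(addr):
            leaks[zone_of(hostname)].append((hostname, addr))
    return dict(leaks)


if __name__ == "__main__":
    for zone, hosts in leaked_internal_hosts(SAMPLE_RECORDS).items():
        print(f"{zone}: {len(hosts)} hostname(s) resolving to RFC 1918 space")
        for hostname, addr in hosts:
            print(f"  {hostname} -> {addr}")
```

Run against your own organization's hostnames under these zones, every hit is an internal address that the vendor's registration service has published to the world.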
