During a routine pen-test of an alarm receiving centre, a repository of manufacturer firmware was found. This is often quite hard to get hold of, and I welcomed the opportunity to reverse some of these.
The Visonic Powerlink 2 firmware stood out due to its large size; this was almost certainly an embedded Linux system.
On unpacking the firmware, it was found that the units had an enabled account with root privileges called root2 with the password visonic. I discovered this by cracking the password file. However, once I had done this, someone pointed out that this was widely documented as early as 2011.
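The root2 finding above is exactly the kind of thing a quick audit of an unpacked image's password files should catch before anyone reaches for a cracker. The script below is an added example, not code from the original post or from Visonic: it parses `/etc/passwd` and `/etc/shadow` as extracted from a firmware image and flags any UID 0 account other than `root`, plus any login-capable account whose shadow field is set (and so crackable offline) or empty. The passwd and shadow contents are constructed sample data, and the hash strings are placeholders, not real hashes from the device.

```python
"""Audit an unpacked firmware image's passwd/shadow for root-equivalent and
login-capable accounts. Sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample /etc/passwd (not taken from real firmware).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
root2:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:www:/var/www:/bin/false
"""

# Constructed sample /etc/shadow. Hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
root:*:15000:0:99999:7:::
root2:$1$PLACEHOLDERSALT$PLACEHOLDERHASH:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
www:!:15000:0:99999:7:::
"""

# Shells that cannot be used for an interactive login.
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}


@dataclass
class Finding:
    user: str
    reason: str


def parse_passwd(text: str) -> Dict[str, dict]:
    """Map username -> {uid, shell} from passwd(5) lines; skips blanks, comments, malformed rows."""
    users: Dict[str, dict] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        users[name] = {"uid": int(uid), "shell": shell}
    return users


def parse_shadow(text: str) -> Dict[str, str]:
    """Map username -> password field (second column) from shadow(5) lines."""
    hashes: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        hashes[fields[0]] = fields[1]
    return hashes


def password_state(field: str) -> str:
    """Classify a shadow password field as 'locked', 'empty' or 'set'."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "set"


def audit(passwd_text: str, shadow_text: str) -> List[Finding]:
    """Return findings for extra UID 0 accounts and login-capable accounts with usable passwords."""
    users = parse_passwd(passwd_text)
    hashes = parse_shadow(shadow_text)
    findings: List[Finding] = []
    for name, info in sorted(users.items()):
        if info["uid"] == 0 and name != "root":
            findings.append(Finding(name, "UID 0 account other than root"))
        # A user missing from shadow cannot authenticate, so treat it as locked.
        state = password_state(hashes.get(name, "*"))
        if info["shell"] in NOLOGIN_SHELLS:
            continue
        if state == "set":
            findings.append(Finding(name, "login shell with a set password hash (crackable offline)"))
        elif state == "empty":
            findings.append(Finding(name, "login shell with an empty password"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{f.user}: {f.reason}")
```

On a real image, point `audit()` at the contents of `squashfs-root/etc/passwd` and `squashfs-root/etc/shadow` (or wherever the unpacker left them); on the constructed sample it reports only `root2`, once for the extra UID 0 and once for its set hash.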
The system runs telnet on port 7523, and a web interface on port 80. Shodan has ~85 of these visible at the moment.
Once you have root access, you can arm and disarm the connected alarm, and capture images from any connected cameras.
In addition, the firmware and the single unit I was permitted to access were found to be transmitting status messages (armed/disarmed status, serial number) over a plaintext connection to http://myhome.visonic.com/ (22.214.171.124). We could not find anywhere in the firmware to turn this off.
They would be an ideal pivot or persistence node in a longer-term pen-test.