During a routine pen-test of an alarm receiving centre, a repository of manufacturer firmware was found. This is often quite hard to get hold of, and I welcomed the opportunity to reverse some of these.
The Visonic Powerlink 2 firmware stood out due to its large size – this was almost certainly an embedded Linux system.
On unpacking the firmware, it was found that the units had an enabled account with root privileges called root2, with the password visonic. I discovered this by cracking the password file. However, once I had done this, someone pointed out that this had been widely documented as early as 2011.
The system runs telnet on port 7523, and a web interface on port 80. Shodan has ~85 of these visible at the moment.
Once you have root access, you can arm and disarm the connected alarm, and capture images from any connected cameras.
In addition to this, on the firmware and the single unit I was permitted access to, it was found that the unit was transmitting status messages (armed/disarmed status, serial number) over a plaintext HTTP connection to http://myhome.visonic.com/ (212.179.58.186). We could not find anywhere in the firmware to turn this off.
They would be an ideal pivot or persistence node in a longer-term pen-test.
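The root2 finding above is the kind of thing a firmware audit should catch before a unit ships: a second UID-0 account with an active password and an interactive shell. The following is an added example (not code from the original post or from Visonic) that walks an unpacked image's /etc/passwd and /etc/shadow and reports such accounts; every account name, hash and field value in it is constructed.

```python
# Added example, not from the original post: audit an unpacked firmware image's
# /etc/passwd and /etc/shadow for root-equivalent accounts that can still log in.
# All names, hashes and field values below are constructed.
PASSWD = """\
root:x:0:0:root:/root:/bin/sh
root2:x:0:0:second root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/false
www:x:33:33:www:/var/www:/bin/false
"""
SHADOW = """\
root:*:10933:0:99999:7:::
root2:$1$CONSTRUCT$notarealhash0000000000:10933:0:99999:7:::
daemon:!:10933:0:99999:7:::
www::10933:0:99999:7:::
"""
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

def shadow_state(field: str) -> str:
    """Classify a password field: 'empty' (passwordless), 'locked' or 'active'."""
    if field == "":
        return "empty"
    if field.startswith(("!", "*")):
        return "locked"
    return "active"

def audit(passwd: str, shadow: str) -> list[tuple[str, int, str]]:
    """Return (user, uid, reason) for accounts that are root-equivalent
    or that can log in interactively with an active or empty password."""
    hashes = {}
    for line in shadow.splitlines():
        if line.strip():
            name, field = line.split(":", 2)[:2]
            hashes[name] = field
    findings = []
    for line in passwd.splitlines():
        if not line.strip():
            continue
        name, pw, uid, _gid, _gecos, _home, shell = line.split(":")[:7]
        # 'x' means the hash lives in shadow; anything else is the hash itself.
        state = shadow_state(hashes.get(name, "") if pw == "x" else pw)
        reasons = []
        if int(uid) == 0 and name != "root":
            reasons.append("extra UID 0 account")
        if state != "locked" and shell not in NOLOGIN_SHELLS:
            reasons.append(f"{state} password with interactive shell {shell}")
        if reasons:
            findings.append((name, int(uid), "; ".join(reasons)))
    return findings
```

Run against the constructed files, only root2 is reported, with both reasons; a locked service account (daemon) and a passwordless account with a nologin shell (www) are not.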
Gary
November 8, 2015 at 9:24pm
Just tried this with my powerlink… Both FTP and Telnet connections are refused.
The web interface claims SW VERSION #:6.1.11
Have they disabled this backdoor in the newer software versions or am I missing something?
cybergibbons
November 8, 2015 at 11:08pm
Sorry, I seem to be targeting things you own.
This was found on version #:3.1.11, which was then found to be by far the most common in the wild.
I wrote this post several months back, and on re-inspection, several devices running #:3.1.11 now have closed port 7523.
When did you last upgrade your firmware?