Description
So, I see there are a few ports open on the local device. TCP port 554, for example, is RTSP open to a local connection, and it also appears that there is control using SIP over TLS, which may be vulnerable to attack. Notably, if you have a closed system, and there has been a CA which has signed a public and private key, then by simply extracting one of the keys (the private key, likely on the base station) you should be able to decode the SIP TLS stream. Some light searching, and it also seems that SIP messages can be injected, since only the connection when established is encrypted, not the SIP messages themselves. If this is true, then spoofing the source IP address from a 'local' client and sending commands should get the hardware doing your bidding without needing to drive it all from an internet-connected website.
nmap results:
Host is up (0.011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
554/tcp open rtsp
5061/tcp open sip-tls
8100/tcp open xprint-server
Nmap done: 1 IP address (1 host up) scanned in 0.24 seconds
I believe that everything currently done with this set of scripts relies on authentication to the 'cloud' service over port 443? I suspect that with these vulnerabilities it may be possible to locally drive the devices. Has anyone spent any time skipping the cloud controls and going right at the gateway device?