Talk by: Nick Schroeder and Cody Kretsinger
Location: GrrCon 2022, Grand Rapids Michigan
Abstract:
The dazzling special effects and light shows you see on prestigious buildings, bridges, theaters, and landmarks are controlled by a unique class of devices and communication protocols. But how do these systems turn complex lighting designs into reality? How easy it is to alter the carefully choreographed show to something more nefarious? What if you manipulate it from thousands of miles away, watching carefully from the comfort of your couch?
Industrial Lighting Controllers are commonly installed in large scale illumination projects for complex lighting effects; imagine historic bridges, national monuments, and massive award-winning convention centers. It turns out these devices, if not configured properly, lack the most basic security controls. It gets more fun when they are connected to the internet. And we have proof.
Nick Schroeder and Cody Kretsinger present their findings surrounding their research of Industrial Lighting Controls and their weaknesses (CVE(s) pending). This talk guides you from Nick and Cody’s initial curiosity in these systems to uncovering vulnerabilities in internet-exposed industrial lighting controllers across the world. The discussion includes covering a few popular Industrial Lighting Control products, their design, locations they’ve been installed in, what they control, and ultimately: sensitive information disclosure.
So, gather ’round, crack open a cold one, and join us for 25 minutes of compromise, laughs, and visual effects.
While doing some research on IoT/ICS controllers specifically related to industrial lighting, we found that certain products, the Mosaic MTPC and Mosaic MSC, lack basic authentication and expose sensitive information via an unprotected 'dashboard'.
This information includes, but is not limited to: log files, controller configuration, sensitive locale information, project details, and network information. The exposure of this information could lead to further nefarious actions, denial of service, or sensitive information disclosure.
Mosaic MTPC and Mosaic MSC devices allow remote attackers to obtain potentially sensitive information via a direct request for default/index.lsp, default/log.lsp, and other pages. This action requires no authentication and is accessible through normal web browsing. The exposure of this information could lead to further nefarious actions, denial of service, or sensitive information disclosure. When we reported this to the vendors, CISA and VINCE, it was determined not to be a vulnerability because the documentation included a method to require authentication, even though it never explicitly stated that this should be done.
By default, Mosaic and Pharos controllers display the controller type, software version, firmware version, and other identifying information without requiring a login. Both Mosaic and Pharos controllers appear to share the same firmware and, consequently, the same ability for unauthenticated users to change, destroy, or otherwise alter configuration settings on the devices.
We made several attempts at search queries to find more devices that could be reconfigured without any need to log in. With varied results, we tried the favicon hash via Shodan, looking for the default controller pages, and fingerprinting the SSL certificate, but surprisingly we found the best success in searching for a unique string on the controllers' index page.
At the time of writing, the Google dork returns similar results, though the query appears to have started being flagged for potentially malicious activity. Here is a summary of the search operators, engines, and results:
Shodan searches:
http.favicon.hash:"990106254"
ssl.cert.fingerprint:b517a7fac46335b3fbbd4e10fba6c809f471f6e8
http.html:"Next 3rd Quarter Moon"
Google Dorks:
"index.lsp"
intext:"Next 3rd Quarter Moon"
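An added example, not from the talk or either vendor: an owner-side check that a controller you administer no longer serves the dashboard pages named above without a login. The page paths and the "Next 3rd Quarter Moon" marker come from this write-up; the rule that a correctly configured device answers 401/403, redirects to a login page, or serves a login form is an assumption, not documented vendor behaviour.

```python
# Added example (not the vendors' code): verify that a Mosaic/Pharos controller
# you own requires authentication for its dashboard pages.
import urllib.request
import urllib.error

DASHBOARD_PATHS = ("/default/index.lsp", "/default/log.lsp")  # paths from the write-up
INDEX_MARKER = "Next 3rd Quarter Moon"                       # unique index-page string from the write-up


def assess_response(status, headers, body):
    """Classify one HTTP response to a dashboard page.

    Returns "auth_required", "exposed" or "unknown". The classification rules
    are assumptions about how a properly configured controller answers.
    """
    location = (headers or {}).get("Location", "")
    if status in (401, 403) or (300 <= status < 400 and "login" in location.lower()):
        return "auth_required"
    if status == 200:
        if INDEX_MARKER in body:
            return "exposed"                      # dashboard served without a login
        if "login" in body.lower():
            return "auth_required"                # a login form was served instead
        return "exposed" if body.strip() else "unknown"
    return "unknown"


def fetch(url, timeout=5):
    """Fetch url without following redirects; return (status, headers, body)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None                           # surface 3xx as an HTTPError
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers), err.read().decode("utf-8", "replace")


def check_controller(base_url, fetcher=fetch):
    """Return {path: verdict} for each dashboard path on one controller you administer."""
    base = base_url.rstrip("/")
    return {path: assess_response(*fetcher(base + path)) for path in DASHBOARD_PATHS}
```

Run it against your own controller's base URL after enabling authentication per the vendor documentation; any "exposed" verdict means the dashboard is still reachable anonymously.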
From convention centers to national monuments, we analyzed what we were able to uncover. We had limited intel on the devices, usually relying on GeoIP results, or something in the controller itself, to point us to the correct location and identity of what the controller was being used for. Unsurprisingly, the United States led with nearly 50% of the total devices found, with Belgium, again surprisingly, coming in second.
As mentioned earlier, we attempted to contact both Mosaic and Pharos. After contacting CISA, our finding was deemed "Critical Infrastructure" and kicked over to CMU's CERT Coordination Center, VINCE. VINCE was able to get in contact with the vendors and reached the conclusion that while authentication wasn't enabled out of the box, it was suggested [poorly], thus this isn't a vulnerability. One could argue otherwise, but we suppose this write-up is sufficient instead. We hope the vendors who supply these devices implement out-of-the-box authentication in order to correct the issues. Though, given the level of "Security" we found with professional lighting installers who clearly read the documentation, we'd be surprised if that ends up being the case. Here's hoping.
- Made with love and 🍺.
Until next time, Nick & Cody