Black Box Testing

Black box testing know whats inside your networks.

I recently went to a small event, which was run by my company where a few of the pen testers were giving talks. This blog entry pretty much comes from one of the talks about black box testing.

Black box testing is any device that has the capabilities to run small OS devices like Printers, CCTV, Fridges and coffee machines are a small example of black box devices. They also cause a big problem for business, as most companies do not see these types of devices as a threat.

Businesses all over the world spend hundreds if not thousands on security, from firewall to security assessments each year. The biggest problem they face are devices that are being plugged into their networks by third party companies and no one is taking responsibility for these devices.

The IT department looks after computers and laptops making sure they are up to date with the latest software virus, scans have been run on them etc but they don’t looked after the CCTV or any other third part installing that is done, this means these devices sit in your network without being updated or looked after for month or even for years, this means they are a great target for hackers.

In todays World we have pones that are more powerful than PCs from 4 years ago, so printer and other black boxes devices are smarter and more powerful making them an ideal target to attack, as once you gain access you can then use these devices to install or upload custom tools. Just think if an attacker gained access to your coffee machine and was able to upload nmap they could scan your network from within your network.

A good example of this would be a recent vulnerability, which was found in TRENDnet webcams that allowed anyone to bypass the authentication and gain access. You can read more about this http://cryptogasm.com/2012/02/list-of-vulnerable-trendnet-webcams/ and you can see all the webcams here http://cryptogasm.com/webcams/

It is also worth mentioning that there are search engines that allow hackers as well as anyone to find devices like this on the Internet. http://www.shodanhq.com/

Leave a Reply