Hello, welcome to the Tuesday, August 7th, 2018 edition of the San Bernard Storm Center's Stormcast.

My name is Johannes Ulrich, and the day I'm recording from San Antonio, Texas.

The year took a second look today at Numeric Obfuscation.

He already wrote about this, I believe it was Friday, but now he's looking at some more complex examples.

What this really refers to is that one way to obfuscate strings is to essentially just use the numeric

ASCII codes for each letter of the string. Now this in itself, of course, is pretty easy to undo,

but once you're dealing with numbers,

then, of course, you can use various arithmetic operations

to make it further difficult to actually figure out

which askic codes are being used and into what strings they translate. In the latest diary,

Dedi is looking at how some of his tools can be used to also decode some of these more

complex examples. Now, I'm not sure how familiar people are with the company Crestron.

I see the devices a lot in hotels and also in classrooms.

They do make various systems, usually touch screen-based,

that allow you to do things like control monitors,

control projectors, or control the lighting in the room.

Security company Security Compass now found a number of vulnerability in these systems that do evolve around an administrative interface that is listening on port 41,795.

This interface is typically used to control these screens from software that Crestron provides.

It's not well documented according to Security Compass what you can actually do with it,

but Security Compass found a number of vulnerabilities in this particular interface that do allow unauthenticated remote control of the device.

These devices run as an operating system Android, so you have Linux available once you are able to execute code on the device,

then of course you can use everything that you know about Linux and Android

...