TwistedSifter

He Found A Security Vulnerability In A Client’s Equipment, And Planned A Personal Road Trip That Went Along Their Locations So He Could Bill Them For Miles

Road Trip

Unsplash, Reddit

Cybersecurity testers often have to play around with equipment a lot in order to confirm that there aren’t any obvious vulnerabilities.

What would you do if you wanted to take a road trip, but you also found a security vulnerability with a client’s equipment that was present along the route you wanted to take?

That is what happened to the security tester in this story, so he planned out the road trip and billed the miles to the client.

This is my job! I’m actually paid to do this!

I’m staring up into the wheel wells of a Chevy Silverado pickup truck.

What is he doing now?

I’m trying to explain to the driver that what I’m doing with my laptop and a bunch of antennas is perfectly normal and he should leave me be.

One week earlier:

Cybersecurity is very important.

I’m working at a cybersecurity consulting firm during the COVID-19 pandemic. A colleague has sold an engagement that requires three consultants to actually go on premises at a client site for two or three days.

They really, really want me onsite.

Some people prefer driving, no big deal.

I don’t like flying under normal conditions, so I tell my colleague that it’s perfectly sane to drive twelve hundred miles each way instead of flying.

I love road trips, and it’s perfect early Fall weather for a convertible.

As long as his manager is ok with it, no big deal.

I let my direct manager know that my response times will be a bit longer. I’m working on a few other client projects right now, so I plan to do research and writing in the evenings.

This is going to be fun, I think. I tell everyone else in my practice group to not let it get out that I’m doing this road trip.

Why would the execs care?

My boss might be cool with it, but the execs will hate that I’m not taking PTO for the trip.

Three days before I’m supposed to leave, I get an urgent email from a private equity client.

Another great opportunity.

They’ve hired us to do technical due diligence in the past. They’re usually fun, fast-paced projects and we bill aggressively on them.

The PE client is considering investing in CopperBolt, a company that makes devices and software for schools, public libraries and other similar institutions.

Sounds interesting.

It’s a neat package: all a high school’s IT needs in a two-unit rack-mount device. It offers a web server, content filter, file storage, grading, learning management, support for surveillance cameras and more.

CopperBolt can remotely support users over an Internet connection, so there’s no need for local IT staff.

Makes sense, they need to test the system to make sure it is secure.

The PE firm wants us to see if there are any serious problems with the CopperBolt box and software. We get two of the devices overnighted to us.

One goes right to Oscar, a young penetration tester. The other ends up in the conference room I’ve taken over.

He seems to like the system.

We’re the only two people in the building this week. Just to get some familiarity with it, I set it up. It’s pretty slick.

For Windows users, there’s a setup wizard. For everything else, the CopperBolt box has an admin web page.

No issues so far.

I connect it to a simple wired network consisting of my laptop and a home router. It lets me create an admin user, so I create ‘admin/nimda’ and go from there. It seems to work fine and I’ve got too many other things to do today.

I’ll let Oscar take a more rigorous approach to it. The rest of my day is a bunch of meetings.

This guy really works with some cool clients.

One of my firm’s other clients is in the automotive space. I’m listening in on their call like an Alexa, waiting for my name. They’re building some kind of autonomous driving device that can be retrofitted to buses and trucks.

An interesting slide comes up, listing all the wireless interfaces this thing has.

Two of them are new to me.

Well, I wouldn’t say it is not possible.

The client doesn’t think this is a problem because trucks and buses, you know, move. It’s not possible to hack something that’s moving at speed.

None of their simpler devices have been attacked and there are thousands in the field.

Now I want to learn more.

A simple tool, but useful for certain things.

On a previous engagement, I built a wireless survey device. Essentially, it’s a three-year-old laptop connected to a bunch of wifi and bluetooth cards, held together with lots of Monoprice cables, velcro and zip ties.

This junior high science fair project worked well enough to grab WPA handshakes and convince a client to offer a guest network and go WPA-Enterprise for everything else. It’s been stowed behind a filing cabinet since then.

He knows his stuff.

I dust it off and start connecting cheap software defined radios to see if I can get all the frequencies of those truck/bus devices. Perhaps I can sniff some traffic on my road trip and learn something.

While reconnecting and testing this science project, I notice something. There’s an open wireless network called “CopperBolt-2BB048” that I hadn’t noticed before.

Well, that’s fun.

I can associate with the network and go to the admin page. It’s the same admin page as I saw on ‘my’ CopperBolt box. I’m guessing Oscar hasn’t configured his yet, so I create a new root/toor user as a joke.

I make my way over to Oscar’s cubicle. The months-out-of-date calendars and dead office plants are a nice nod to the zombie theme. All we need is the flickering light to complete the scene.

Yup, just let him work.

Oscar has headphones on and is clearly working on a deliverable. I’m not going to disrupt his flow.

‘His’ CopperBolt box is on his desk, powered down.

LOL – Oops!

Well, I’m not as clever as I think. I hacked my own device.

I spend a minute or two just staring into space, trying to remember how I set up the CopperBolt box. I don’t remember a checkbox that read “leave gaping hole in your security”. I think I’d have unchecked it.

Oscar has taken off his headphones to toss a foam vendor schwag thing at me.

He wants the other guy to take a look.

I ask Oscar to set his one up now. In exchange for this, I’ll finish his deliverable.

I’m finishing up the executive summary and starting to make sure that all the parts line up: every vulnerability has to have a corresponding recommendation.

Doing things properly is very important.

I just don’t want to have a stupid recommendation like fixing an unpatched, end-of-life system with “use single sign-on”.

Oscar yells to me. He’s done setting up his CopperBolt device. It’s connected to our network wirelessly, but doesn’t let me create new users without authorization.

This is exactly the type of thing these people are paid to find.

After an hour of factory resets, we finally figure it out. Oscar’s been using the Windows wizard. I’m using the web admin instead. We’ve found a border condition.

At first boot, the device offers an open network and an IP address. The wizard turns WiFi off if it’s not configured, and disables the setup script.

Well, that’s not good.

The web admin page leaves WiFi on if it’s not configured, and leaves the setup script and page when you connect wirelessly.

Oscar: “I’m looking at the setup script. I can fix this in twenty lines of code.”

He knows the business he is in.

Me: “No. The specifics aren’t relevant to this. The cost to fix this and the brand damage from a breach are a price offset for the buyers. We aren’t paid to fix the problem. We’re paid to identify problems to fix and maybe get paid to fix them.”

Me: “And thanks. I’ll let the client know that there’s an issue.”

They aren’t going to like this problem.

I try to write this up into two lines, since that’s all a VC wants to see during the last few days of an acquisition. I realize that the largest risk is the already deployed devices, since CopperBolt patching requires the admin to manually download and install the patch.

I spend around twenty minutes trying to write two sentences that convey the risk and impact.

Sounds like a good approach.

I then realize it’s not definite enough to be useful, since it’s theoretical. I need to show that in-field devices are vulnerable.

Now I just need to find some.

I also need to pack for my trip and do some last minute maintenance on the car. I don’t want to break down somewhere in-between here and Kansas.

He figured it out.

I’m packing a varied wardrobe so I can at least blend in a bit. And it hits me.

There’s probably some unique term in the admin page. There are probably some locations that just gave this box a public IP. Google indexed it, I’m sure.

He is going to make his company a lot of money.

I try some searches and between some odd ads, I find a handful of locations. I soon have a cross country map with a handful of CopperBolt T 1020s and the institutions they live in.

I’m going on a road trip. I think I can bill the mileage.

Now that is what I call thinking outside the box! His company is going to love him.
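The first-boot “border condition” from the story, modelled as an added example (not the poster’s or the vendor’s code): a fresh device boots with an open setup network and an unauthenticated setup script, the wizard path tears both down, the web-admin path as described forgets to, and an audit runs every onboarding path to report which ones leave unauthenticated admin creation possible. The `Device` fields, function names and the fix (both paths funnelling through one `finalize_setup` step) are assumptions for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Device:
    """Hypothetical first-boot state of the appliance (constructed for this example)."""
    admins: dict = field(default_factory=dict)
    setup_ap_open: bool = True         # first boot: open "CopperBolt-XXXXXX" network is up
    setup_script_enabled: bool = True  # first boot: unauthenticated setup script/page is live

def finalize_setup(dev: Device) -> None:
    """What the wizard path does at the end: tear down the first-boot setup surface."""
    dev.setup_script_enabled = False
    dev.setup_ap_open = False  # open network gone; configured WiFi (if any) replaces it

def setup_via_wizard(dev: Device, user: str, pw: str) -> None:
    """Windows wizard path, as the story describes it."""
    dev.admins[user] = pw
    finalize_setup(dev)

def setup_via_web_vulnerable(dev: Device, user: str, pw: str) -> None:
    """Web-admin path as the story describes it: creates the admin and stops."""
    dev.admins[user] = pw
    # BUG: setup_ap_open and setup_script_enabled keep their first-boot values

def setup_via_web_fixed(dev: Device, user: str, pw: str) -> None:
    """Hardened web path (assumed fix): every onboarding path funnels through finalize_setup."""
    dev.admins[user] = pw
    finalize_setup(dev)

def setup_exposed(dev: Device) -> bool:
    """True if a stranger joining the setup network can still reach the setup script."""
    return dev.setup_ap_open and dev.setup_script_enabled

def audit_setup_paths() -> dict:
    """Run each onboarding path on a fresh device; report which leave the hole open."""
    paths = {"wizard": setup_via_wizard,
             "web_vulnerable": setup_via_web_vulnerable,
             "web_fixed": setup_via_web_fixed}
    results = {}
    for name, path in paths.items():
        dev = Device()
        path(dev, "admin", "nimda")  # credentials from the story, constructed use
        results[name] = setup_exposed(dev)
    return results

if __name__ == "__main__":
    print(audit_setup_paths())  # {'wizard': False, 'web_vulnerable': True, 'web_fixed': False}
```

The audit is the check a reviewer would want in the vendor’s test suite: any new onboarding path that leaves `setup_exposed` true on a configured device fails.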

Take a look at what the people in the comments have to say about it.
