Alden's Blog Home

Shodan Stories Day 6: Air Conditioning and Air Traffic Control in Yokohoma

Posted on Jan 9, 2019

Today I decided to look for more industrial control systems, specifically Mitsubishi Q-Series logic controllers.

Yokohama Air Traffic Control Tower on 133.34.157.13

Reading about them on Shodan it looks like the Q-Series logic controllers tend to run off ports 5006 or 5007. So I did a search for those open ports. Judging from the results it looks like the majority of these Mitsubishi controllers are in Japan, not surprising I suppose since Mitsubishi is a Japanese company. So I picked one of the first results. I’ve been finding that nmap is a pretty good first go-to tool since, host, whois, and nslookup depend on DNS records, and quite a few things aren’t on DNS.

👻🌵✨$ nmap -p- 133.34.157.13
Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-09 20:32 EST
Nmap scan report for 133.34.157.13
Host is up (0.23s latency).
Not shown: 65529 filtered ports
PORT      STATE  SERVICE
21/tcp    open   ftp
23/tcp    closed telnet
80/tcp    open   http
502/tcp   open   mbap
5007/tcp  open   wsm-server-ssl
30301/tcp open   unknown

Nmap done: 1 IP address (1 host up) scanned in 1431.86 seconds

One interestingly bit, port 502 is running mbap which is the Modbus protocol for serial communication.

Very interestingly though port 80 is open even though I couldn’t find anything about this IP on nslookup, meaning it’s running something via http for a browser to interpret but doesn’t have a URL. So taking a look via a browser… I was pretty dumbfounded by what I was looking at. Yokohama Air Control Tower… as in Air Traffic Control? After looking around quite a bit, near as I can tell this is indeed a data logger for the facility management system for an air traffic control tower in Yokohama. I couldn’t really find much about an airport in Yokohama, it seems that there isn’t a major airport but there is a small airfield for private or government flights. It has an airport code, YOK, but you can’t book a flight there, and travel guides all recommend flying into Tokyo’s Haneda airport. There’s also heliports… English language sources are scarce and I’m not sure what to search for in Japanese to find out more. But I can find out about the amount of power demand from this building’s lighting and air conditioning. I’m guessing that the other measurements have to do with water. It seems like I could actually make changes to things here but I resisted the urge to hit too many buttons. But I did find that they had conveniently left the telnet login on this web app. Whoops! Possibly that’s why port 23 is closed.

Looking at the other obvious info on this web app, MSYSTEM is a manufacturer of a variety of data loggers and logic controllers, and the DL8 is their series of web-based data loggers. So this wasn’t what I had originally gone searching for, a Mitsubishi Q-Series. They must be using 5007 for something else. Sure looks familiar so this is definitely what is behind this IP.

But why collect water quality levels in a seemingly nonexistent air traffic control tower? Who’s really running this operation. See you tomorrow.