The Bot in the Machine. How the Internet of Things Starts to Turn Against Us
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
@johullrich

About Me
• Dean of Research, SANS Technology Institute
• Living in Jacksonville FL (aka Southern GA)
• SANS Internet Storm Center https://isc.sans.edu
• Created DShield.org
• Instructor for SANS
• Past: Physicist, Web Developer

ISC Mission
• Global Network Security Information Sharing Community
• We share fast, ask readers for insight
• Expanding diverse sensors for automatic data collection
• Built around DShield platform
• Raw data available for others to analyze

ISC: The big picture

ISC Handlers
• Currently about 30 volunteer handlers
• Located worldwide and working in different industries

How to use our data
• Threat Intelligence
  – Diaries
  – IP Address Feeds
  – Domain Feeds
• Data is free to use for your own network (Creative Commons License)
• Share back!

Outline
• What is “The Internet of Things” and why is it different?
• Risks Associated with the IoT
• Current Attacks
• Strategies to Secure the IoT

The “Internet of Things”

Home / Small Business

Enterprise Networks

Municipal/Gov Networks

New Protocols: IPv6
• Easier to scale than IPv4
• Auto configuration
• Extensible
• Integrated with various Layer 2 options

New Protocols: 6LoWPAN / IEEE 802.15.4
• IPv6 over Low power Wireless Personal Area Network
• Easier network management
• Low Power
• Low Hardware Requirements
• Security

Risks: New Wireless Protocols
• IEEE 802.15.4 / 6LoWPAN
• AES identified as encryption algorithm
• Key Management challenge: Auto configuration / on-boarding at scale
• IPSec (IKEv2) may not work due to power constraints

Example: LIFX Light Bulbs
• Light Bulbs communicate via 6LoWPAN with each other (mesh)
• One light bulb acts as router/controller to connect to Wi-Fi (802.11)
• Pre-shared AES key hardcoded.
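An added illustration of the key-management point on the LIFX slide (example code written for this page, not LIFX firmware and not from the talk): a single AES key baked into every bulb means one recovered key opens every mesh, whereas deriving the 6LoWPAN key from the Wi-Fi credentials, the fix the deck proposes, gives each network its own key. The placeholder hardcoded key, the PBKDF2 parameters, the HKDF label and the 16-byte (AES-128) output length are assumptions; only the hashlib/hmac standard library is used.

```python
import hashlib
import hmac

# The weak design: one key in every unit's firmware. This value is a
# constructed placeholder, not a real key.
HARDCODED_MESH_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256; the extract step is replaced by
    the PBKDF2 stretch in derive_mesh_key() below."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def derive_mesh_key(ssid: str, passphrase: str, *, iterations: int = 4096,
                    key_len: int = 16) -> bytes:
    """Per-network 6LoWPAN AES key derived from the Wi-Fi credentials.

    PBKDF2 salted with the SSID stretches the human-chosen passphrase so that
    two networks with the same passphrase still get different keys. The HKDF
    expand step with a distinct label separates this key from anything else
    derived from the same passphrase, so a bulb only ever holds a mesh key and
    not the Wi-Fi secret itself. The mesh key is still only as strong as the
    Wi-Fi passphrase behind it.
    """
    prk = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                              ssid.encode("utf-8"), iterations)
    return hkdf_expand(prk, b"6lowpan-mesh-key-v1", key_len)


def keys_are_distinct(networks) -> bool:
    """True when every (ssid, passphrase) pair yields a different mesh key,
    i.e. the property the hardcoded design lacks."""
    keys = {derive_mesh_key(ssid, pw) for ssid, pw in networks}
    return len(keys) == len(list(networks))


if __name__ == "__main__":
    # Constructed sample networks.
    sample = [("HomeNet", "correct horse battery staple"),
              ("OfficeNet", "correct horse battery staple"),
              ("HomeNet", "a different passphrase")]
    for ssid, pw in sample:
        print(ssid, derive_mesh_key(ssid, pw).hex())
    print("hardcoded key shared by all units:", HARDCODED_MESH_KEY.hex())
    print("derived keys distinct:", keys_are_distinct(sample))
```

The derived key is what the controller bulb would use to protect the credential exchange over 6LoWPAN; bulbs joining the mesh still need the passphrase delivered to them over an authenticated channel, which is the onboarding problem the next slides return to.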
• Same for all bulbs
• 6LoWPAN is used to exchange WiFi credentials (which are now at risk)
• Solution: Derive 6LoWPAN key from WiFi Password.

Risks: New Attack Platforms
• Many devices use customized versions of commodity operating systems (Linux/Windows)
• Wide range of architectures, not just x86
• Embedded systems can even be found inside conventional systems

Case #1 – Compromised Routers
• E-Mail + phone call from ISP in Wyoming
  – Affects Linksys E1000/1200
  – Scanning for Port 80/8080
  – Latest firmware not affected
  – Reset of router clears malware

Case #1: Verification
• Check DShield Logs: No spike in port 80/8080, but they are always busy

Case #1: Honeypot Data
Seeing “interesting” requests:

GET /HNAP1/ HTTP/1.1
Host: a.b.c.d:8080

But nothing else… Something seems to be going on, publishing first “Diary”

Case #1: Experiment
wget http://routerip/HNAP1/

<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/…">
<soap:Body>
<GetDeviceSettingsResponse ... >
<DeviceName>Cisco40033</DeviceName>
<VendorName>Linksys</VendorName>
…
<ModelName>E4200</ModelName>
…
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>

Case #1: Honeypot
• Setting up a simple Honeypot to simulate router (reply with correct HNAP response)
• Scanning routers now send exploit:

POST /tmUnblock.cgi HTTP/1.1
Host: [ip of honeypot]:8080
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

Case 1: The Moon Worm

Case #1: Challenges
• MIPS Architecture
• No common virtual environments available
• Most reverse analysis tools are x86 centric
• Exploit requires specific firmware versions
• NO PATCH?!!

Case #2: Compromised DVRs
• Security Camera DVRs
• Exposed to Internet for remote monitoring

Case #2: Exploit
• Very simple exploit: default username/password (root/12345) used to telnet
• Various binaries copied to DVR
  – Bitcoin miner
  – Scanner for Synology Vulnerability
  – wget / helper tools

Case #2: Why Vulnerable?
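Returning to the Case #1 honeypot above: as an added example (written for this page, not the ISC honeypot's own code), the request handling it needs is small. Answer the GET /HNAP1/ reconnaissance probe with a plausible GetDeviceSettings reply so the scanner proceeds, record the POST /tmUnblock.cgi that follows without executing anything, and return 404 for everything else. The SOAP and XML Schema namespace URIs are the standard ones (the slide elides them), the attributes elided on the slide are left out, the device and model names are the slide's values, and the sample requests and source addresses are constructed.

```python
from datetime import datetime, timezone

# Reply body modelled on the GetDeviceSettings response shown in the slides;
# namespace URIs are the standard SOAP 1.1 / XML Schema ones (assumption: the
# slide elides them) and the elided element attributes are omitted.
HNAP_TEMPLATE = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<soap:Envelope xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">\n'
    '<soap:Body>\n'
    '<GetDeviceSettingsResponse>\n'
    '<DeviceName>{device}</DeviceName>\n'
    '<VendorName>Linksys</VendorName>\n'
    '<ModelName>{model}</ModelName>\n'
    '</GetDeviceSettingsResponse>\n'
    '</soap:Body>\n'
    '</soap:Envelope>\n'
)

# Constructed sample requests in the shape seen on the slides (RFC 5737 addresses).
SAMPLE_RECON = b"GET /HNAP1/ HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n\r\n"
SAMPLE_EXPLOIT = (b"POST /tmUnblock.cgi HTTP/1.1\r\nHost: 192.0.2.10:8080\r\n"
                  b"Authorization: Basic QUJD\r\n\r\n")   # constructed credential blob


def parse_request(raw: bytes) -> dict:
    """Minimal HTTP/1.x request-head parser: method, target and a lower-cased
    header map. Tolerates bare LF line endings from sloppy scanners."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = [ln.rstrip("\r") for ln in head.split("\n")]
    parts = lines[0].split(" ")
    method = parts[0] if parts else ""
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"method": method.upper(), "target": target, "headers": headers}


def classify(req: dict) -> str:
    """Label a request by the two stages of the scan seen in the honeypot data."""
    path = req["target"].split("?", 1)[0].rstrip("/").lower() or "/"
    if req["method"] == "GET" and path == "/hnap1":
        return "hnap-recon"
    if req["method"] == "POST" and path == "/tmunblock.cgi":
        return "tmunblock-exploit-attempt"
    return "other"


def handle(raw: bytes, src_ip: str, device: str = "Cisco40033", model: str = "E4200"):
    """Return (status_line, body, event). Nothing in the request is executed;
    the honeypot only answers the probe and records what arrives next."""
    req = parse_request(raw)
    kind = classify(req)
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src": src_ip,
        "kind": kind,
        "method": req["method"],
        "target": req["target"],
        "host_header": req["headers"].get("host", ""),
        # A Basic auth header on the POST is itself an indicator; only its
        # presence is recorded, the value is not decoded here.
        "auth_present": "authorization" in req["headers"],
    }
    if kind == "hnap-recon":
        return "200 OK", HNAP_TEMPLATE.format(device=device, model=model), event
    if kind == "tmunblock-exploit-attempt":
        return "200 OK", "", event   # look like a real router so the full exchange is captured
    return "404 Not Found", "", event


if __name__ == "__main__":
    for raw in (SAMPLE_RECON, SAMPLE_EXPLOIT):
        status, body, event = handle(raw, "198.51.100.7")
        print(status, event)
```

The classifier also works as a detection rule over ordinary web-server or proxy logs for the same two paths; a GET /HNAP1/ from the Internet followed shortly by a POST /tmUnblock.cgi from the same source is the sequence the slides describe.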
• Simple Password Dialog
• Not possible to turn off telnet

Case #2: Who Did it?

Case #2: Who did it?

Case #2: Why Vulnerable?

Echo File Transfer
echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x31\x00\x00\x00\x00\x00\x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00\x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'

Case #3: Synology Disk Stations
• Vulnerable web based admin interface
• Exposed on port 5000
• Allows remote code execution
• Exploited before patch became available
• Difficult to patch devices

Case #3: Synology Vulnerability History
• CVE-2014-2264: Hardcoded VPN Password
• CVE-2013-6955: webman vulnerability allows appending to arbitrary files
• CVE-2013-6987: read/write/delete files via directory traversal

Case #3: Iowa State Breach
• Iowa State stored student data including SSNs on Synology devices
• Devices got breached by Bitcoin miner campaign
• 5 devices breached
• 29,780 SSNs exposed

Case #3: Continuation … Synolocker

Case #4: Handheld Inventory Scanners

Case #4: Targeted Attack
• 12 of 40 scanners delivered to a robotics/logistic company came with malware pre-installed
• Malware attacked network “from the inside”
• Targeting accounting systems
• Exfiltrating data
• Firmware downloaded from manufacturer site was infected as well

Case #4: Malware Details
• Scanner runs Windows XP Embedded
• Malware only detected due to network monitoring
• Not possible to install standard AV or Whitelist tools on scanner

Defensive Strategies

We need solutions that scale!

Network Segmentation
• Target: Air Conditioner network not sufficiently segmented, allowed for breach of “business” network.
• How many segments can we manage?
• Do all devices fit into the same segment?
• How do they talk to the rest of the network?
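One concrete way to answer the segmentation questions above, as an added example that is not from the talk: keep the segment assignments as an inventory, the permitted cross-segment conversations as an explicit allow-list, and run observed flows against both. An HVAC controller talking SMB to a business server, the Target pattern, shows up as a policy violation; an address that belongs to no known segment shows up as an inventory gap, which is the onboarding problem the next slides raise. Segment ranges, the policy table and the flow records are all constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed inventory: segment name -> address range. In practice this comes
# from the asset inventory built during onboarding.
SEGMENTS = {
    "hvac": ip_network("10.10.0.0/24"),
    "cameras": ip_network("10.20.0.0/24"),
    "business": ip_network("10.100.0.0/16"),
    "mgmt": ip_network("10.250.0.0/24"),
}

# Constructed allow-list of (source segment, destination segment, destination
# port). Anything crossing segments that is not listed here is a finding.
POLICY = {
    ("hvac", "mgmt", 443),      # controllers report to the building-management server
    ("cameras", "mgmt", 554),   # RTSP from cameras to the recorder
    ("mgmt", "hvac", 22),       # maintenance access to controllers
    ("mgmt", "cameras", 22),
    ("business", "mgmt", 443),  # staff use the management web UI
}

# Constructed flow records: src,dst,dport,proto (RFC 1918 addresses).
SAMPLE_FLOWS = [
    "10.10.0.15,10.250.0.10,443,tcp",   # hvac -> mgmt https: allowed
    "10.10.0.15,10.100.4.20,445,tcp",   # hvac -> business SMB: the Target-style pivot
    "10.20.0.9,10.250.0.20,554,tcp",    # camera -> recorder: allowed
    "10.30.0.7,10.100.4.20,80,tcp",     # source address in no inventoried segment
    "10.100.4.20,10.10.0.15,80,tcp",    # business workstation reaching a controller
]


def segment_of(ip: str):
    """Name of the segment containing ip, or None if it is not inventoried."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def parse_flow(line: str) -> dict:
    src, dst, dport, proto = line.strip().split(",")
    return {"src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flow(flow: dict):
    """Return a finding dict for a flow that violates policy or involves an
    unknown device, or None when the flow is acceptable."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    finding = {**flow, "src_segment": src_seg, "dst_segment": dst_seg}
    if src_seg is None:
        return {**finding, "reason": "unknown_source"}
    if dst_seg is None:
        return {**finding, "reason": "unknown_destination"}
    if src_seg == dst_seg:
        return None   # intra-segment traffic is outside this check
    if (src_seg, dst_seg, flow["dport"]) in POLICY:
        return None
    return {**finding, "reason": "not_allowed"}


def check_flows(lines) -> list:
    """Run every flow record through check_flow() and collect the findings."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        result = check_flow(parse_flow(line))
        if result:
            findings.append(result)
    return findings


if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f['reason']}: {f['src']} ({f['src_segment']}) -> "
              f"{f['dst']} ({f['dst_segment']}) port {f['dport']}")
```

Fed from flow exports at the segment boundaries, the same check answers "how do they talk to the rest of the network?" with data rather than with the diagram the firewall was supposed to enforce.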
Onboarding Devices
• Accounting for devices / inventory
• Configuring security parameters (passwords, keys)
• Establishing baseline configuration
• Develop/Procure tools to provision devices at scale securely

Patching
• How are patches distributed / validated?
• Can automatic patching be used?
• Centralized patch management solutions?
• Inventory/Onboarding first. Needs to integrate with Patching

Logging / Monitoring
• What logs to collect and how?
• Flooded by meaningless logs?
• Setup “satellite collectors” that aggregate and pre-filter before sending to central log management system

Solution 1: Don’t buy crap
• Ask the right questions before purchasing devices:
  – Onboarding tools?
  – Logging standards?
  – Support contracts?

Solution 2: Scalable & Repeatable Processes
• Take what you learned from your desktop/server environment
• Automation!

Conclusion
• The Internet of Things: It is coming, and makes a lot of sense
• And yes, it is already being attacked
• Your defenses need to scale. Automate!

Thanks! Questions?
jullrich@sans.edu
http://isc.sans.edu
Daily Updates * Daily Podcast * Data Feeds
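The “satellite collector” from the Logging / Monitoring slide, as an added example (written for this page, not a tool from the talk): it takes raw device log lines, drops known-noise messages, tags the security-relevant ones (failed logins on a DVR's telnet service, configuration and firmware changes), collapses repeats from the same device and source within a time window into one record with a count, and emits JSON for the central system. The log format, the noise and interest patterns and the sample lines are all constructed; lines the collector cannot parse are forwarded rather than dropped, since an unexpected format is itself worth seeing.

```python
import json
import re
from datetime import datetime

# Constructed line format: "<ISO timestamp> <host> <message>".
LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")

# Messages that carry no security signal and would only flood the central store.
NOISE = [re.compile(p) for p in (r"\bheartbeat\b", r"\blink (up|down)\b", r"NTP sync ok")]

# Security-relevant categories; named groups become fields on the record.
INTEREST = [
    ("auth_failure", re.compile(r"login failed for (?P<user>\S+) from (?P<src>\S+)")),
    ("config_change", re.compile(r"\bconfig (changed|saved)\b")),
    ("firmware", re.compile(r"\bfirmware (update|upgrade)\b")),
]

# Constructed sample from a DVR, a camera and a NAS.
SAMPLE_LINES = [
    "2014-05-01T10:00:00 dvr-01 heartbeat ok",
    "2014-05-01T10:00:01 dvr-01 login failed for root from 203.0.113.5",
    "2014-05-01T10:00:02 dvr-01 login failed for root from 203.0.113.5",
    "2014-05-01T10:00:03 dvr-01 login failed for admin from 203.0.113.5",
    "2014-05-01T10:00:10 dvr-01 heartbeat ok",
    "2014-05-01T10:00:30 cam-07 link down",
    "2014-05-01T10:00:31 cam-07 link up",
    "2014-05-01T10:00:45 nas-02 firmware update started by admin",
    "2014-05-01T10:02:05 dvr-01 login failed for root from 203.0.113.5",
]


def parse(line: str):
    """Parse one line into an event dict with a category, or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ev = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "msg": m["msg"]}
    if any(p.search(ev["msg"]) for p in NOISE):
        return {**ev, "category": "noise"}
    for category, pattern in INTEREST:
        hit = pattern.search(ev["msg"])
        if hit:
            return {**ev, "category": category, **hit.groupdict()}
    return {**ev, "category": "other"}


def prefilter(lines, window_s: int = 60):
    """Drop noise and aggregate repeats per (host, category, source) within
    window_s seconds of the first occurrence. Returns (records, stats)."""
    stats = {"received": 0, "dropped_noise": 0, "forwarded": 0}
    buckets, records = {}, []
    for line in lines:
        stats["received"] += 1
        ev = parse(line) or {"ts": None, "host": "?", "msg": line, "category": "unparsed"}
        if ev["category"] == "noise":
            stats["dropped_noise"] += 1
            continue
        key = (ev["host"], ev["category"], ev.get("src"))
        rec = buckets.get(key)
        if rec and ev["ts"] and (ev["ts"] - rec["first_seen"]).total_seconds() <= window_s:
            rec["count"] += 1
            rec["last_seen"] = ev["ts"]
            continue
        rec = {"host": ev["host"], "category": ev["category"], "src": ev.get("src"),
               "sample": ev["msg"], "count": 1, "first_seen": ev["ts"], "last_seen": ev["ts"]}
        buckets[key] = rec
        records.append(rec)
    stats["forwarded"] = len(records)
    return records, stats


def to_json_lines(records) -> str:
    """Serialize records as newline-delimited JSON for the central log system."""
    return "\n".join(json.dumps(r, default=str) for r in records)


if __name__ == "__main__":
    recs, st = prefilter(SAMPLE_LINES)
    print(to_json_lines(recs))
    print(st)
```

The window keeps a brute-force burst against one DVR as a single record with its count, which is what an analyst wants to see, while a new burst after the window opens a fresh record so the timeline is not flattened.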
© Copyright 2025