
The Bot in the Machine.
How the Internet of Things Starts to Turn Against Us
Johannes B. Ullrich, Ph.D.
jullrich@sans.edu
@johullrich
1 About Me
•  Dean of Research, SANS Technology Institute
•  Living in Jacksonville FL (aka Southern GA)
•  SANS Internet Storm Center https://isc.sans.edu
•  Created DShield.org
•  Instructor for SANS
•  Past: Physicist, Web Developer
2 ISC Mission
•  Global Network Security Information
Sharing Community
•  We share fast, ask readers for insight
•  Expanding diverse sensors for
automatic data collection
•  Built around DShield platform
•  Raw data available for others to
analyze
3 ISC: The big picture
4 ISC Handlers
•  Currently about 30 volunteer
handlers
•  Located worldwide and working in
different industries
5 How to use our data
•  Threat Intelligence
–  Diaries
–  IP Address Feeds
–  Domain Feeds
•  Data is free to use for your own
network (Creative Commons License)
•  Share back!
6 Outline
•  What is “The Internet of Things” and
why is it different?
•  Risks Associated with the IoT
•  Current Attacks
•  Strategies to Secure the IoT
7 The “Internet of Things”
8 Home / Small Business
9 Enterprise Networks
10 Municipal/Gov Networks
11 New Protocols: IPv6
•  Easier to scale than IPv4
•  Auto configuration
•  Extensible
•  Integrated with various Layer 2 options
12 New Protocols: 6LoWPAN / IEEE 802.15.4
•  IPv6 over Low power Wireless
Personal Area Network
•  Easier network management
•  Low Power
•  Low Hardware Requirements
•  Security
13 Risks: New Wireless Protocols
•  IEEE 802.15.4 / 6LoWPAN
•  AES identified as encryption
algorithm
•  Key Management challenge: Auto
configuration / on-boarding at scale
•  IPSec (IKEv2) may not work due to
power constraints
14 Example: LIFX Light Bulbs
•  Light Bulbs communicate via 6LoWPAN
with each other (mesh)
•  One light bulb acts as router/controller
to connect to Wi-Fi (802.11)
•  Pre-shared AES key hardcoded. Same
for all bulbs
•  6LoWPAN is used to exchange WiFi
credentials (which are now at risk)
•  Solution: Derive 6LoWPAN key from WiFi Password.
15 Risks: New Attack Platforms
•  Many devices use customized
versions of commodity operating
systems (Linux/Windows)
•  Wide range of architectures, not just
x86
•  Embedded systems can even be
found inside conventional systems
16 Case #1 – Compromised Routers
•  E-Mail + phone call from ISP in
Wyoming
–  Affects Linksys E1000/1200
–  Scanning for Port 80/8080
–  Latest firmware not affected
–  Reset of router clears malware
17 Case #1: Verification
•  Check DShield Logs: No spike in port
80/8080, but they are always busy
18 Case #1: Honeypot Data
Seeing “interesting” requests:
GET /HNAP1/ HTTP/1.1
Host: a.b.c.d:8080

But nothing else… Something seems to be going on, publishing first “Diary”
19 Case #1: Experiment
wget http://routerip/HNAP1/
<?xml version="1.0" encoding="utf-8"?>
<soap:Envelope xmlns:xsi="http://www.w3.org/…">
<soap:Body>
<GetDeviceSettingsResponse ... >
<DeviceName>Cisco40033</DeviceName>
<VendorName>Linksys</VendorName>
…<ModelName>E4200</ModelName>
…
</GetDeviceSettingsResponse>
</soap:Body>
</soap:Envelope>
20 Case #1: Honeypot
•  Setting up a simple Honeypot to
simulate router (reply with correct
HNAP response)
•  Scanning routers now send exploit:
POST /tmUnblock.cgi HTTP/1.1
Host: [ip of honeypot]:8080
Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH
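The honeypot described on this slide, as an added example (not code from the talk): a minimal Python HTTP listener that answers GET /HNAP1/ with a constructed Linksys-style GetDeviceSettingsResponse and records, without executing anything, the POST /tmUnblock.cgi requests that follow. The listening port, the placeholder device and model names, and the in-memory EVENTS list are assumptions.

```python
import base64
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed reply modelled on the slide's GetDeviceSettingsResponse
# (device and model names are placeholders, not a real router).
HNAP_RESPONSE = (
    b'<?xml version="1.0" encoding="utf-8"?>'
    b'<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
    b"<soap:Body><GetDeviceSettingsResponse><DeviceName>Cisco40033</DeviceName>"
    b"<VendorName>Linksys</VendorName><ModelName>E4200</ModelName>"
    b"</GetDeviceSettingsResponse></soap:Body></soap:Envelope>"
)
EVENTS = []  # in-memory record of what scanners sent (assumed; use real logging in practice)

def classify(method, path, headers):
    """Label one request: HNAP fingerprint, tmUnblock.cgi exploit attempt, or other."""
    event = {"method": method, "path": path, "stage": "other", "user": None}
    if method == "GET" and path.startswith("/HNAP1"):
        event["stage"] = "hnap-fingerprint"
    elif method == "POST" and path.startswith("/tmUnblock.cgi"):
        event["stage"] = "exploit-attempt"
        auth = headers.get("Authorization", "")
        if auth.startswith("Basic "):
            try:  # record only the username, not the whole credential
                creds = base64.b64decode(auth[6:], validate=True).decode("latin-1")
                event["user"] = creds.split(":", 1)[0]
            except ValueError:  # binascii.Error is a ValueError subclass
                event["user"] = "<undecodable>"
    return event

class HnapHoneypot(BaseHTTPRequestHandler):
    def _reply(self, status, body):
        event = classify(self.command, self.path, self.headers)
        EVENTS.append(dict(event, src=self.client_address[0]))
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):  # only the HNAP path gets the router-like answer
        hit = self.path.startswith("/HNAP1")
        self._reply(200 if hit else 404, HNAP_RESPONSE if hit else b"")

    def do_POST(self):  # never execute anything: drain the body and acknowledge
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self._reply(200, b"")

if __name__ == "__main__":
    HTTPServer(("0.0.0.0", 8080), HnapHoneypot).serve_forever()
```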
21 Case #1: The Moon Worm
22 Case #1: Challenges
•  MIPS Architecture
•  No common virtual environments
available
•  Most reverse analysis tools are x86
centric
•  Exploit requires specific firmware
versions
•  NO PATCH?!!
23 Case #2: Compromised DVRs
•  Security Camera DVRs
•  Exposed to Internet for remote
monitoring
24 Case #2: Exploit
•  Very simple exploit: default
username/password (root/12345)
used to telnet
•  Various binaries copied to DVR
–  Bitcoin miner
–  Scanner for Synology Vulnerability
–  wget / helper tools
25 Case #2: Why Vulnerable?
•  Simple Password Dialog
•  Not possible to turn off telnet
26 Case #2: Who Did it?
27 Case #2: Who did it?
28 Case #2: Why Vulnerable?
29 Echo File Transfer
echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00\x00\x00\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00\x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm \
  && echo -e '\x64\x6f\x6e\x65'
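An added example (not from the talk) of what a defender can do with a captured telnet session containing this kind of echo-based drop: parse each "echo -ne '...' >> path" append, decode the \xHH escapes and reassemble the dropped file so it can be sized and hashed for analysis. The session text, the file contents and the helper names are constructed; only the destination path is taken from the slide.

```python
import hashlib
import re
from collections import defaultdict

# One append of the form:  echo -ne '<escaped bytes>' >> <path>
APPEND_RE = re.compile(r"echo\s+-ne\s+'([^']*)'\s*>>\s*(\S+)")

def decode_escapes(s):
    """Decode \\xHH (two hex digits) and \\\\ as echo -e does; other characters are literal."""
    out, i = bytearray(), 0
    while i < len(s):
        if s.startswith("\\x", i) and re.match(r"[0-9a-fA-F]{2}", s[i + 2:i + 4]):
            out.append(int(s[i + 2:i + 4], 16))
            i += 4
        elif s.startswith("\\\\", i):
            out.append(0x5C)
            i += 2
        else:
            out.append(ord(s[i]) & 0xFF)
            i += 1
    return bytes(out)

def reconstruct(session_text):
    """Rebuild every file written by echo >> appends; chunks are joined per path in order."""
    files = defaultdict(bytearray)
    for line in session_text.splitlines():
        m = APPEND_RE.search(line)
        if m:
            files[m.group(2)] += decode_escapes(m.group(1))
    return {path: bytes(data) for path, data in files.items()}

def summarize(files):
    """Per reconstructed file: size, SHA-256 and whether it starts with an ELF header."""
    return {path: {"size": len(data),
                   "sha256": hashlib.sha256(data).hexdigest(),
                   "elf": data.startswith(b"\x7fELF")}
            for path, data in files.items()}

# Constructed sample session (not a real capture): two appends to one file, each
# followed by the marker the slide shows (echo -e '\x64\x6f\x6e\x65' prints "done").
SAMPLE_SESSION = r"""
echo -ne '\x7f\x45\x4c\x46\x01\x01\x01\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'
done
"""

if __name__ == "__main__":
    for path, info in summarize(reconstruct(SAMPLE_SESSION)).items():
        print(path, info)
```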
30 Case #3: Synology Disk Stations
•  Vulnerable web-based admin interface
•  Exposed on port 5000
•  Allows remote code execution
•  Exploited before patch became available
•  Difficult to patch devices
31 Case #3: Synology Vulnerability History
•  CVE-2014-2264: Hardcoded VPN
Password
•  CVE-2013-6955: webman
vulnerability allows appending to
arbitrary files
•  CVE-2013-6987: read/write/delete
files via directory traversal
32 Case #3: Iowa State Breach
•  Iowa State stored student data including
SSNs on Synology devices
•  Devices got breached by Bitcoin miner
campaign
•  5 devices breached
•  29,780 SSNs exposed
33 Case #3: Continuation … Synolocker
34 Case #4: Handheld Inventory Scanners
35 Case #4: Targeted Attack
•  12 of 40 scanners delivered to a
robotics/logistic company came with
malware pre-installed
•  Malware attacked network “from the
inside”
•  Targeting accounting systems
•  Exfiltrating data
•  Firmware downloaded from
manufacturer site was infected as well
36 Case #4: Malware Details
•  Scanner runs Windows XP Embedded
•  Malware only detected due to
network monitoring
•  Not possible to install standard AV or
Whitelist tools on scanner
37 Defensive Strategies
38 We need solutions that scale!
39 Network Segmentation
•  Target: Air Conditioner network not
sufficiently segmented, allowed for
breach of “business” network.
•  How many segments can we
manage?
•  Do all devices fit into the same
segment?
•  How do they talk to the rest of the
network?
40 Onboarding Devices
•  Accounting for devices / inventory
•  Configuring security parameters
(passwords, keys)
•  Establishing baseline configuration
•  Develop/Procure tools to provision
devices at scale securely
41 Patching
•  How are patches distributed /
validated?
•  Can automatic patching be used?
•  Centralized patch management
solutions?
•  Inventory/Onboarding first. Needs to
integrate with Patching
42 Logging / Monitoring
•  What logs to collect and how?
•  Flooded by meaningless logs?
•  Setup “satellite collectors” that
aggregate and pre-filter before
sending to central log management
system
43 Solution 1: Don’t buy crap
•  Ask the right questions before
purchasing devices:
–  Onboarding tools?
–  Logging standards?
–  Support contracts?
44 Solution 2: Scalable & Repeatable Processes
•  Take what you learned from your
desktop/server environment
•  Automation!
45 Conclusion
•  The Internet of Things: It is coming,
and makes a lot of sense
•  And yes, it is already being attacked
•  Your defenses need to scale.
Automate!
46 Thanks!
Questions?
jullrich@sans.edu
http://isc.sans.edu
Daily Updates * Daily Podcast * Data Feeds