Presentation is loading. Please wait.

Presentation is loading. Please wait.

Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1.

Published byJena Gain Modified over 9 years ago

Similar presentations

Presentation on theme: "Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1."— Presentation transcript:

1 Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, Ph.D. jullrich@sans.edu @johullrich 1

2 About Me Dean of Research, SANS Technology Institute SANS Internet Storm Center https://isc.sans.edu Created DShield.org Instructor for SANS Past: Physicist, Web Developer Living in Jacksonville, FL 2

3 3

4 Are We in Control? 4 Quantified Self Data Internet of Things Devices

5 Quantified Self: Dawn to Dusk 5 Photo: Withings.com

6 Quantified Self: Dawn to Dusk 6 Photo: thevesl.com

7 Quantified Self: Dawn to Dusk 7 Photo: Progressive

8 Quantified Self: Dawn to Dusk 8 Photo: Fitbit

9 Hello Barbie 9

10 Quantified Self: Dawn to Dusk 10

11 Home / Small Business 11

12 Enterprise Networks 12

13 Municipal/Gov Networks 13

14 The “Internet of Things” 14

15 New Protocols: IPv6 Easier to Scale then IPv4 Auto configuration Extensible Integrated with various Layer 2 options 15

16 New Protocols: 6LoWPAN / IEEE 802.15.4 IPv6 over Low power Wireless Personal Area Network Easier network management Low Power Low Hardware Requirements Security 16

17 Risks: New Wireless Protocols IEEE 802.15.4 / 6LoWPAN AES identified as encryption algorithm Key Management challenge: Auto configuration / on-boarding at scale IPSec (IKEv2) may not work due to power constraints 17

18 Example: LIFX Light Bulbs Light Bulbs communicate via 6LoWPAN with each other (mesh) One light bulb acts as router/controller to connect to Wi-Fi (802.11) Pre-shared AES key hardcoded. Same for all bulbs 6LoWPAN is used to exchange WiFi credentials (which are now at risk) Solution: Derive 6LoWPAN key from Wi- Fi Password. 18

19 Risks: New Attack Platforms Many devices use customized versions of commodity operating systems (Linux/Windows) Wide range of architectures, not just x86 Embedded systems can even be found inside conventional systems 19

20 SciFi 20 Photo: Warner Brothers Photo: Paramount Pictures Photo: tailgrab.org

21 ISC Mission Global Network Security Information Sharing Community We share fast, ask readers for insight Expanding diverse sensors for automatic data collection Built around DShield platform Raw data available for others to analyze 21

22 ISC: The big picture 22

23 ISC Handlers Currently about 30 volunteer handlers Located worldwide and working in different industries 23

24 How to use our data Threat Intelligence – Diaries – IP Address Feeds – Domain Feeds Data is free to use for your own network (Creative Commons License) Share back! 24

25 Case #1 – Compromised Routers E-Mail + phone call from ISP in Wyoming – Affects Linksys E1000/1200 – Scanning for Port 80/8080 – Latest firmware not affected – Reset of router clears malware 25

26 Case #1: Verification Check DShield Logs: No spike in port 80/8080, but they are always busy 26

27 Case #1: Honeypot Data Seeing “interesting” requests: GET /HNAP1/ HTTP/1.1 Host: a.b.c.d:8080 But nothing else… Something seems to be going on, publishing first “Diary” 27

28 Case #1: Experiment wget http://routerip/HNAP1/ Cisco40033 Linksys … E4200 … 28

29 Case #1: Honeypot Setting up a simple Honeypot to simulate router (reply with correct HNAP response) Scanning routers now send exploit: POST /tmUnblock.cgi HTTP/1.1 Host: [ip of honeypot]:8080 Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH 29

30 Case #1: The Moon Worm 30

31 Case #1: Challenges MIPS Architecture No common virtual environments available Most reverse analysis tools are x86 centric Exploit requires specific firmware versions NO PATCH?!! 31

32 Case #2: Port 5000 Traffic 32

33 Case #2: Compromised DVRs Security Camera DVRs Exposed to Internet for remote monitoring 33

34 Case #2: Exploit Very simple exploit: default username/password (root/12345) used to telnet Various binaries copied to DVR – Bitcoin miner – Scanner for Synology Vulnerability – wget / helper tools 34

35 Case #2: Why Vulnerable? Simple Password Dialog Not possible to turn off telnet 35

36 Case #2: Who Did it? 36

37 Case #2: Who did it? 37

38 Case #2: Why Vulnerable? 38

39 Echo File Transfer echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65 ' 39

40 Case #3: Synology Disk Stations Vulnerable web based admin interface Exposed on port 5000 Allows remote code execution Exploited before patch became available Difficult to patch devices 40

41 Case #3: Synology Vulnerability History CVE-2014-2264: Hardcoded VPN Password CVE-2013-6955: webman vulnerability allows appending to arbitrary files CVE-2013-6987: read/write/delete files via directory traversal 41

42 Case #3: Iowa State Breach Iowa State stored student data including SSNs on Synology devices Devices got breached by Bitcoin miner campaign 5 devices breached 29,780 SSNs exposed 42

43 Case #3: Continuation … Synolocker 43 https://www.facebook.com/events/birthday s?extra_data%5Bstart _date%5D=2015%2F0 4%2F11

44 Case #4: Handheld Inventory Scanners 44

45 Case #4: Targeted Attack 12 of 40 scanners delivered to a robotics/logistic company came with malware pre-installed Malware attacked network “from the inside” Targeting accounting systems Exfiltrating data Firmware downloaded from manufacturer site was infected as well 45

46 Case #4: Malware Details Scanner runs Windows XP Embedded Malware only detected due to network monitoring Not possible to install standard AV or Whitelist tools on scanner 46

47 Defensive Strategies 47

48 We need solutions that scale! 48

49 Network Segmentation Target: Air Conditioner network not sufficiently segmented, allowed for breach of “business” network. How many segments can we manage? Do all devices fit into the same segment? How do they talk to the rest of the network? 49

50 Onboarding Devices Accounting for devices / inventory Configuring security parameters (passwords, keys) Establishing baseline configuration Develop/Procure tools to provision devices at scale securely 50

51 Patching How are patches distributed / validated? Can automatic patching be used? Centralized patch management solutions? Inventory/Onboarding first. Needs to integrate with Patching 51

52 Logging / Monitoring What logs to collect and how? Flooded by meaningless logs? Setup “satellite collectors” that aggregate and pre-filter before sending to central log management system 52

53 Solution 1: Don’t buy crap Ask the right questions before purchasing devices: – Onboarding tools? – Logging standards? – Support contracts? 53

54 Solution 2: Scalable & Repeatable Processes Take what you learned from your desktop/server environment Automation! 54

55 Conclusion Are we still in control? Probably not… but not clear who is in control… the machines? The cloud? The miscreant pw0ning your machines? 55

56 Thanks! Questions? jullrich@sans.edu http://isc.sans.edu Daily Updates * Daily Podcast * Data Feeds Twitter: @johullrich / @sans_isc LinkedIn 56

Download ppt "Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)

Fred P. Baker CCIE, CCIP(security), CCSA, MCSE+I, MCSE(2000)
WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.

WEB AND WIRELESS AUTOMATION connecting people and processes InduSoft Web Solution Welcome.
Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.

Packet Analyzers, a Threat to Network Security. Agenda Introduction The background of packet analyzers LAN technologies & network protocols Communication.
Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.

Online Banking Fraud Prevention Recommendations and Best Practices This document provides you with fraud prevention best practices that every employee.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Wi-Fi Structures.

Wi-Fi Structures.
IOS 8 for MDM/EMM Greg Elliott Shiv Chandra Kumar.

IOS 8 for MDM/EMM Greg Elliott Shiv Chandra Kumar.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 11 Managing and Monitoring a Windows Server 2008 Network.
Introduction to Broadband HamNet

Introduction to Broadband HamNet
Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060

Building a Campus Dshield Randy Marchany IT Security Lab VA Tech Blacksburg, VA 24060
Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.

Network Topology. Cisco 2921 Integrated Services Router Security Embedded hardware-accelerated VPN encryption Secure collaborative communications with.
CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,

CISCO CONFIDENTIAL – DO NOT DUPLICATE OR COPY Protecting the Business Network and Resources with CiscoWorks VMS Security Management Software Girish Patel,
1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.

1 Panda Malware Radar Discovering hidden threats Technical Product Presentation Name Date.
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
April WebEx Intel ® Active Management Technology (AMT) LANDesk Provisioning LANDesk Server Manager.

April WebEx Intel ® Active Management Technology (AMT) LANDesk Provisioning LANDesk Server Manager.
Basic Network Training. Cable/DSL Modem The modem is the first link in the chain It is usually provided by the ISP and often has a coax cable connector.

Basic Network Training. Cable/DSL Modem The modem is the first link in the chain It is usually provided by the ISP and often has a coax cable connector.
Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.

Microsoft Windows 2003 Server. Client/Server Environment Many client computers connect to a server.
Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.

Real Security for Server Virtualization Rajiv Motwani 2 nd October 2010.
Module 4 - Networking MIS5122: Enterprise Architecture for the IT Auditor.

Module 4 - Networking MIS5122: Enterprise Architecture for the IT Auditor.

Similar presentations

Ads by Google