Presentation is loading. Please wait.

Presentation is loading. Please wait.

Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1.

Similar presentations

Presentation on theme: "Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1."— Presentation transcript:

1 Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, Ph.D. @johullrich 1

2 About Me Dean of Research, SANS Technology Institute SANS Internet Storm Center Created Instructor for SANS Past: Physicist, Web Developer Living in Jacksonville, FL 2

3 3

4 Are We in Control? 4 Quantified Self Data Internet of Things Devices

5 Quantified Self: Dawn to Dusk 5 Photo:

6 Quantified Self: Dawn to Dusk 6 Photo:

7 Quantified Self: Dawn to Dusk 7 Photo: Progressive

8 Quantified Self: Dawn to Dusk 8 Photo: Fitbit

9 Hello Barbie 9

10 Quantified Self: Dawn to Dusk 10

11 Home / Small Business 11

12 Enterprise Networks 12

13 Municipal/Gov Networks 13

14 The “Internet of Things” 14

15 New Protocols: IPv6 Easier to Scale then IPv4 Auto configuration Extensible Integrated with various Layer 2 options 15

16 New Protocols: 6LoWPAN / IEEE 802.15.4 IPv6 over Low power Wireless Personal Area Network Easier network management Low Power Low Hardware Requirements Security 16

17 Risks: New Wireless Protocols IEEE 802.15.4 / 6LoWPAN AES identified as encryption algorithm Key Management challenge: Auto configuration / on-boarding at scale IPSec (IKEv2) may not work due to power constraints 17

18 Example: LIFX Light Bulbs Light Bulbs communicate via 6LoWPAN with each other (mesh) One light bulb acts as router/controller to connect to Wi-Fi (802.11) Pre-shared AES key hardcoded. Same for all bulbs 6LoWPAN is used to exchange WiFi credentials (which are now at risk) Solution: Derive 6LoWPAN key from Wi- Fi Password. 18

19 Risks: New Attack Platforms Many devices use customized versions of commodity operating systems (Linux/Windows) Wide range of architectures, not just x86 Embedded systems can even be found inside conventional systems 19

20 SciFi 20 Photo: Warner Brothers Photo: Paramount Pictures Photo:

21 ISC Mission Global Network Security Information Sharing Community We share fast, ask readers for insight Expanding diverse sensors for automatic data collection Built around DShield platform Raw data available for others to analyze 21

22 ISC: The big picture 22

23 ISC Handlers Currently about 30 volunteer handlers Located worldwide and working in different industries 23

24 How to use our data Threat Intelligence – Diaries – IP Address Feeds – Domain Feeds Data is free to use for your own network (Creative Commons License) Share back! 24

25 Case #1 – Compromised Routers E-Mail + phone call from ISP in Wyoming – Affects Linksys E1000/1200 – Scanning for Port 80/8080 – Latest firmware not affected – Reset of router clears malware 25

26 Case #1: Verification Check DShield Logs: No spike in port 80/8080, but they are always busy 26

27 Case #1: Honeypot Data Seeing “interesting” requests: GET /HNAP1/ HTTP/1.1 Host: a.b.c.d:8080 But nothing else… Something seems to be going on, publishing first “Diary” 27

28 Case #1: Experiment wget http://routerip/HNAP1/ Cisco40033 Linksys … E4200 … 28

29 Case #1: Honeypot Setting up a simple Honeypot to simulate router (reply with correct HNAP response) Scanning routers now send exploit: POST /tmUnblock.cgi HTTP/1.1 Host: [ip of honeypot]:8080 Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH 29

30 Case #1: The Moon Worm 30

31 Case #1: Challenges MIPS Architecture No common virtual environments available Most reverse analysis tools are x86 centric Exploit requires specific firmware versions NO PATCH?!! 31

32 Case #2: Port 5000 Traffic 32

33 Case #2: Compromised DVRs Security Camera DVRs Exposed to Internet for remote monitoring 33

34 Case #2: Exploit Very simple exploit: default username/password (root/12345) used to telnet Various binaries copied to DVR – Bitcoin miner – Scanner for Synology Vulnerability – wget / helper tools 34

35 Case #2: Why Vulnerable? Simple Password Dialog Not possible to turn off telnet 35

36 Case #2: Who Did it? 36

37 Case #2: Who did it? 37

38 Case #2: Why Vulnerable? 38

39 Echo File Transfer echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65 ' 39

40 Case #3: Synology Disk Stations Vulnerable web based admin interface Exposed on port 5000 Allows remote code execution Exploited before patch became available Difficult to patch devices 40

41 Case #3: Synology Vulnerability History CVE-2014-2264: Hardcoded VPN Password CVE-2013-6955: webman vulnerability allows appending to arbitrary files CVE-2013-6987: read/write/delete files via directory traversal 41

42 Case #3: Iowa State Breach Iowa State stored student data including SSNs on Synology devices Devices got breached by Bitcoin miner campaign 5 devices breached 29,780 SSNs exposed 42

43 Case #3: Continuation … Synolocker 43 s?extra_data%5Bstart _date%5D=2015%2F0 4%2F11

44 Case #4: Handheld Inventory Scanners 44

45 Case #4: Targeted Attack 12 of 40 scanners delivered to a robotics/logistic company came with malware pre-installed Malware attacked network “from the inside” Targeting accounting systems Exfiltrating data Firmware downloaded from manufacturer site was infected as well 45

46 Case #4: Malware Details Scanner runs Windows XP Embedded Malware only detected due to network monitoring Not possible to install standard AV or Whitelist tools on scanner 46

47 Defensive Strategies 47

48 We need solutions that scale! 48

49 Network Segmentation Target: Air Conditioner network not sufficiently segmented, allowed for breach of “business” network. How many segments can we manage? Do all devices fit into the same segment? How do they talk to the rest of the network? 49

50 Onboarding Devices Accounting for devices / inventory Configuring security parameters (passwords, keys) Establishing baseline configuration Develop/Procure tools to provision devices at scale securely 50

51 Patching How are patches distributed / validated? Can automatic patching be used? Centralized patch management solutions? Inventory/Onboarding first. Needs to integrate with Patching 51

52 Logging / Monitoring What logs to collect and how? Flooded by meaningless logs? Setup “satellite collectors” that aggregate and pre-filter before sending to central log management system 52

53 Solution 1: Don’t buy crap Ask the right questions before purchasing devices: – Onboarding tools? – Logging standards? – Support contracts? 53

54 Solution 2: Scalable & Repeatable Processes Take what you learned from your desktop/server environment Automation! 54

55 Conclusion Are we still in control? Probably not… but not clear who is in control… the machines? The cloud? The miscreant pw0ning your machines? 55

56 Thanks! Questions? Daily Updates * Daily Podcast * Data Feeds Twitter: @johullrich / @sans_isc LinkedIn 56

Download ppt "Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1."

Similar presentations

Ads by Google