Judgment Day: April 12 th 2015 The Internet of Things: Who is in Control? Johannes B. Ullrich, 1
About Me Dean of Research, SANS Technology Institute SANS Internet Storm Center Created DShield.org Instructor for SANS Past: Physicist, Web Developer Living in Jacksonville, FL 2
3
Are We in Control? 4 Quantified Self Data Internet of Things Devices
Quantified Self: Dawn to Dusk 5 Photo: Withings.com
Quantified Self: Dawn to Dusk 6 Photo: thevesl.com
Quantified Self: Dawn to Dusk 7 Photo: Progressive
Quantified Self: Dawn to Dusk 8 Photo: Fitbit
Hello Barbie 9
Quantified Self: Dawn to Dusk 10
Home / Small Business 11
Enterprise Networks 12
Municipal/Gov Networks 13
The “Internet of Things” 14
New Protocols: IPv6 Easier to Scale then IPv4 Auto configuration Extensible Integrated with various Layer 2 options 15
New Protocols: 6LoWPAN / IEEE IPv6 over Low power Wireless Personal Area Network Easier network management Low Power Low Hardware Requirements Security 16
Risks: New Wireless Protocols IEEE / 6LoWPAN AES identified as encryption algorithm Key Management challenge: Auto configuration / on-boarding at scale IPSec (IKEv2) may not work due to power constraints 17
Example: LIFX Light Bulbs Light Bulbs communicate via 6LoWPAN with each other (mesh) One light bulb acts as router/controller to connect to Wi-Fi (802.11) Pre-shared AES key hardcoded. Same for all bulbs 6LoWPAN is used to exchange WiFi credentials (which are now at risk) Solution: Derive 6LoWPAN key from Wi- Fi Password. 18
Risks: New Attack Platforms Many devices use customized versions of commodity operating systems (Linux/Windows) Wide range of architectures, not just x86 Embedded systems can even be found inside conventional systems 19
SciFi 20 Photo: Warner Brothers Photo: Paramount Pictures Photo: tailgrab.org
ISC Mission Global Network Security Information Sharing Community We share fast, ask readers for insight Expanding diverse sensors for automatic data collection Built around DShield platform Raw data available for others to analyze 21
ISC: The big picture 22
ISC Handlers Currently about 30 volunteer handlers Located worldwide and working in different industries 23
How to use our data Threat Intelligence – Diaries – IP Address Feeds – Domain Feeds Data is free to use for your own network (Creative Commons License) Share back! 24
Case #1 – Compromised Routers + phone call from ISP in Wyoming – Affects Linksys E1000/1200 – Scanning for Port 80/8080 – Latest firmware not affected – Reset of router clears malware 25
Case #1: Verification Check DShield Logs: No spike in port 80/8080, but they are always busy 26
Case #1: Honeypot Data Seeing “interesting” requests: GET /HNAP1/ HTTP/1.1 Host: a.b.c.d:8080 But nothing else… Something seems to be going on, publishing first “Diary” 27
Case #1: Experiment wget Cisco40033 Linksys … E4200 … 28
Case #1: Honeypot Setting up a simple Honeypot to simulate router (reply with correct HNAP response) Scanning routers now send exploit: POST /tmUnblock.cgi HTTP/1.1 Host: [ip of honeypot]:8080 Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH 29
Case #1: The Moon Worm 30
Case #1: Challenges MIPS Architecture No common virtual environments available Most reverse analysis tools are x86 centric Exploit requires specific firmware versions NO PATCH?!! 31
Case #2: Port 5000 Traffic 32
Case #2: Compromised DVRs Security Camera DVRs Exposed to Internet for remote monitoring 33
Case #2: Exploit Very simple exploit: default username/password (root/12345) used to telnet Various binaries copied to DVR – Bitcoin miner – Scanner for Synology Vulnerability – wget / helper tools 34
Case #2: Why Vulnerable? Simple Password Dialog Not possible to turn off telnet 35
Case #2: Who Did it? 36
Case #2: Who did it? 37
Case #2: Why Vulnerable? 38
Echo File Transfer echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65 ' 39
Case #3: Synology Disk Stations Vulnerable web based admin interface Exposed on port 5000 Allows remote code execution Exploited before patch became available Difficult to patch devices 40
Case #3: Synology Vulnerability History CVE : Hardcoded VPN Password CVE : webman vulnerability allows appending to arbitrary files CVE : read/write/delete files via directory traversal 41
Case #3: Iowa State Breach Iowa State stored student data including SSNs on Synology devices Devices got breached by Bitcoin miner campaign 5 devices breached 29,780 SSNs exposed 42
Case #3: Continuation … Synolocker 43 s?extra_data%5Bstart _date%5D=2015%2F0 4%2F11
Case #4: Handheld Inventory Scanners 44
Case #4: Targeted Attack 12 of 40 scanners delivered to a robotics/logistic company came with malware pre-installed Malware attacked network “from the inside” Targeting accounting systems Exfiltrating data Firmware downloaded from manufacturer site was infected as well 45
Case #4: Malware Details Scanner runs Windows XP Embedded Malware only detected due to network monitoring Not possible to install standard AV or Whitelist tools on scanner 46
Defensive Strategies 47
We need solutions that scale! 48
Network Segmentation Target: Air Conditioner network not sufficiently segmented, allowed for breach of “business” network. How many segments can we manage? Do all devices fit into the same segment? How do they talk to the rest of the network? 49
Onboarding Devices Accounting for devices / inventory Configuring security parameters (passwords, keys) Establishing baseline configuration Develop/Procure tools to provision devices at scale securely 50
Patching How are patches distributed / validated? Can automatic patching be used? Centralized patch management solutions? Inventory/Onboarding first. Needs to integrate with Patching 51
Logging / Monitoring What logs to collect and how? Flooded by meaningless logs? Setup “satellite collectors” that aggregate and pre-filter before sending to central log management system 52
Solution 1: Don’t buy crap Ask the right questions before purchasing devices: – Onboarding tools? – Logging standards? – Support contracts? 53
Solution 2: Scalable & Repeatable Processes Take what you learned from your desktop/server environment Automation! 54
Conclusion Are we still in control? Probably not… but not clear who is in control… the machines? The cloud? The miscreant pw0ning your machines? 55
Thanks! Questions? Daily Updates * Daily Podcast * Data Feeds LinkedIn 56