judgment day: april 12 th 2015 the internet of things: who is in control? johannes b. ullrich, ph.d....

Judgment Day: April 12th 2015The Internet of Things: Who is in Control?

Johannes B. Ullrich, Ph.D.jullrich@sans.edu

@johullrich

1

About Me

• Dean of Research, SANS Technology Institute

• SANS Internet Storm Centerhttps://isc.sans.edu

• Created DShield.org• Instructor for SANS• Past: Physicist, Web Developer• Living in Jacksonville, FL

2

3

Are We in Control?

4

Quantified Self

Data

Internet of

Things

Devices

Quantified Self: Dawn to Dusk

5

Photo: Withings.com

Quantified Self: Dawn to Dusk

6

Photo: thevesl.com

Quantified Self: Dawn to Dusk

7

Photo: Progressive

Quantified Self: Dawn to Dusk

8

Photo: Fitbit

Hello Barbie

9

Quantified Self: Dawn to Dusk

10

Home / Small Business

11

Enterprise Networks

12

Municipal/Gov Networks

13

The “Internet of Things”

14

New Protocols: IPv6

• Easier to Scale then IPv4• Auto configuration• Extensible• Integrated with various Layer 2

options

15

New Protocols: 6LoWPAN / IEEE 802.15.4

• IPv6 over Low power Wireless Personal Area Network

• Easier network management• Low Power• Low Hardware Requirements• Security

16

Risks: New Wireless Protocols

• IEEE 802.15.4 / 6LoWPAN• AES identified as encryption

algorithm• Key Management challenge: Auto

configuration / on-boarding at scale• IPSec (IKEv2) may not work due to

power constraints

17

Example: LIFX Light Bulbs

• Light Bulbs communicate via 6LoWPAN with each other (mesh)

• One light bulb acts as router/controller to connect to Wi-Fi (802.11)

• Pre-shared AES key hardcoded. Same for all bulbs

• 6LoWPAN is used to exchange WiFi credentials (which are now at risk)

• Solution: Derive 6LoWPAN key from Wi-Fi Password.

18

Risks: New Attack Platforms

• Many devices use customized versions of commodity operating systems (Linux/Windows)

• Wide range of architectures, not just x86

• Embedded systems can even be found inside conventional systems

19

SciFi

20

Photo: Warner BrothersPhoto: Paramount Pictures

Photo: tailgrab.org

ISC Mission

• Global Network Security Information Sharing Community

• We share fast, ask readers for insight• Expanding diverse sensors for

automatic data collection• Built around DShield platform• Raw data available for others to

analyze

21

ISC: The big picture

22

ISC Handlers

• Currently about 30 volunteer handlers

• Located worldwide and working in different industries

23

How to use our data

• Threat Intelligence– Diaries– IP Address Feeds– Domain Feeds

• Data is free to use for your own network (Creative Commons License)

• Share back!

24

Case #1 – Compromised Routers

• E-Mail + phone call from ISP in Wyoming– Affects Linksys E1000/1200– Scanning for Port 80/8080– Latest firmware not affected– Reset of router clears malware

25

Case #1: Verification

• Check DShield Logs: No spike in port 80/8080, but they are always busy

26

Case #1: Honeypot Data

Seeing “interesting” requests:

GET /HNAP1/ HTTP/1.1Host: a.b.c.d:8080

But nothing else…Something seems to be going on, publishing first “Diary”

27

Case #1: Experiment

wget http://routerip/HNAP1/

<?xml version="1.0" encoding="utf-8"?><soap:Envelope xmlns:xsi="http://www.w3.org/…”><soap:Body><GetDeviceSettingsResponse ... >

<DeviceName>Cisco40033</DeviceName><VendorName>Linksys</VendorName>…<ModelName>E4200</ModelName>…</GetDeviceSettingsResponse></soap:Body></soap:Envelope>

28

Case #1: Honeypot

• Setting up a simple Honeypot to simulate router (reply with correct HNAP response)

• Scanning routers now send exploit:POST /tmUnblock.cgi HTTP/1.1Host: [ip of honeypot]:8080Authorization: Basic YWRtaW46JmkxKkBVJDZ4dmNH

29

Case #1: The Moon Worm

30

Case #1: Challenges

• MIPS Architecture• No common virtual environments

available• Most reverse analysis tools are x86

centric• Exploit requires specific firmware

versions• NO PATCH?!!

31

Case #2: Port 5000 Traffic

32

Case #2: Compromised DVRs

• Security Camera DVRs• Exposed to Internet for remote

monitoring

33

Case #2: Exploit

• Very simple exploit: default username/password (root/12345) used to telnet

• Various binaries copied to DVR– Bitcoin miner– Scanner for Synology Vulnerability– wget / helper tools

34

Case #2: Why Vulnerable?

• Simple Password Dialog• Not possible to turn off telnet

35

Case #2: Who Did it?

36

Case #2: Who did it?

37

Case #2: Why Vulnerable?

38

Echo File Transfer

echo -ne '\x00\x00\x00\x2f\x00\x00\x00\x1a\x00\x00 \x00\x00\x00\x00\x00\x05\x00\x00\x00\x00 \x00\x00\x00\x04\x00\x00\x00\x00\x00\x00 \x00\x31\x00\x00\x00\x00\x00 \x00\x00\x2a\x00\x00\x00\x1b\x00\x00\x00 \x14\x00\x00\x00' >> /var/run/rand0-btcminer-arm && echo -e '\x64\x6f\x6e\x65'

39

Case #3: Synology Disk Stations

• Vulnerable web based admin interface• Exposed on port 5000• Allows remote code execution• Exploited before patch

became available• Difficult to patch devices

40

Case #3: Synology Vulnerability History

• CVE-2014-2264: Hardcoded VPN Password

• CVE-2013-6955: webman vulnerability allows appending to arbitrary files

• CVE-2013-6987: read/write/delete files via directory traversal

41

Case #3: Iowa State Breach

• Iowa State stored student data including SSNs on Synology devices

• Devices got breached by Bitcoin miner campaign

• 5 devices breached• 29,780 SSNs exposed

42

Case #3: Continuation … Synolocker

43

https://www.facebook.com/events/birthdays?extra_data%5Bstart_date%5D=2015%2F04%2F11

Case #4: Handheld Inventory Scanners

44

Case #4: Targeted Attack

• 12 of 40 scanners delivered to a robotics/logistic company came with malware pre-installed

• Malware attacked network “from the inside”

• Targeting accounting systems• Exfiltrating data• Firmware downloaded from

manufacturer site was infected as well

45

Case #4: Malware Details

• Scanner runs Windows XP Embedded• Malware only detected due to

network monitoring• Not possible to install standard AV or

Whitelist tools on scanner

46

Defensive Strategies

47

We need solutions that scale!

48

Network Segmentation

• Target: Air Conditioner network not sufficiently segmented, allowed for breach of “business” network.

• How many segments can we manage?• Do all devices fit into the same

segment?• How do they talk to the rest of the

network?

49

Onboarding Devices

• Accounting for devices / inventory• Configuring security parameters

(passwords, keys)• Establishing baseline configuration• Develop/Procure tools to provision

devices at scale securely

50

Patching

• How are patches distributed / validated?

• Can automatic patching be used?• Centralized patch management

solutions?• Inventory/Onboarding first. Needs to

integrate with Patching

51

Logging / Monitoring

• What logs to collect and how?• Flooded by meaningless logs?• Setup “satellite collectors” that

aggregate and pre-filter before sending to central log management system

52

Solution 1: Don’t buy crap

• Ask the right questions before purchasing devices:– Onboarding tools?– Logging standards?– Support contracts?

53

Solution 2: Scalable & Repeatable Processes

• Take what you learned from your desktop/server environment

• Automation!

54

Conclusion

Are we still in control?

Probably not… but not clear who is in control… the machines? The cloud? The miscreant pw0ning your machines?

55

Thanks!

Questions?jullrich@sans.edu

http://isc.sans.edu

Daily Updates * Daily Podcast * Data FeedsTwitter: @johullrich / @sans_isc

LinkedIn

56