Analyzing Vulnerabilities in the Internet of Things

Uploaded by ike-clinton, posted on 14-Feb-2017

Ike Clinton and Lance Cook

Analyzing Vulnerabilities in Embedded Systems

What is the Internet of Things?

The Internet of Things (IoT) is a vast and rapidly growing frontier of new technology that includes a variety of “smart” devices.

It is the network of physical objects or “things” embedded with electronics, software, sensors, and connectivity.

The IoT can refer to a wide range of devices from heart monitors to smart fridges.

Connect the world

Security of the Internet of Things

How can this interconnected system of “smart” devices affect security?

What implications will it have on the global internet community?

Our Research

Overview of the current internet landscape
Survey of current TTPs for embedded device reverse engineering and firmware analysis
Practical analysis and penetration test of 3 smart devices

Our Research

Purchased 3 “smart” devices
Become familiar with intended use cases
Analyze default configurations of different devices
Study past/current exploitation techniques
Obtain device firmware through various methods
Analyze firmware and determine potential vulnerabilities
Test exploitation techniques
Report findings

Research Timeline

24 Feb: Proposal submitted
March 1: Surveyed current IoT landscape
March 9-13: Researched tools and techniques needed for analysis
March 16-20: Identified devices to order. D-Link device arrives, testing begins
March 20: Two additional devices ordered (WeMo)
April 28: Testing concludes
May 5: Presentation of findings

Belkin WeMo Product Line

Home automation products
Light switches, motion sensors, IP cameras, crock pots...
Uses one app to control all devices
Syncs settings to the cloud
Allows for remote access
Embedded devices running on Linux

Insight Switch

“Control your electronics”
Running Linux on a MIPS processor
Uses UPnP to communicate and punch holes in the router
UPnP vulnerable to XML injection
Clever trick to get telnetd running on the switch

WeMo NetCam HD+

Cloud-controlled IP camera
Uses the NetCam app to control the camera
Saves video/recordings to the cloud service
No local access
Service intermittent

Device History

Several vulnerabilities disclosed in the past:
Malicious firmware attack
XML UPnP injection
Netcam had telnet open by default
Netcam default admin:admin creds

Belkin fixed most of them. . .

Binwalk

Firmware analysis tool
Extracts .bin files
Can view Linux file systems of embedded devices
Great for finding default passwords, grabbing binaries from the device for analysis (IDA), etc.
Also has nice entropy analysis tools
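The entropy view is the Binwalk feature that also backs the later claim that the firmware is now encrypted “properly”. As an added example, not Binwalk's own code, the block below computes the same per-block Shannon entropy over a constructed stand-in for a firmware dump and merges the high-entropy blocks into candidate encrypted regions; the block size, the 7.5-bit threshold and the sample layout are assumptions.

```python
import hashlib
import math
from collections import Counter

BLOCK = 1024  # bytes per measurement window (assumed; binwalk plots a similar curve with -E)

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a single repeated value, 8.0 for a uniform spread."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def scan(image: bytes, block: int = BLOCK) -> list:
    """(offset, entropy) for every block of the image."""
    return [(off, shannon_entropy(image[off:off + block]))
            for off in range(0, len(image), block)]

def high_entropy_regions(image: bytes, threshold: float = 7.5,
                         block: int = BLOCK) -> list:
    """Merge runs of blocks at or above the threshold into (start, end) byte
    ranges. These are the candidates for encrypted (or compressed) sections;
    a signature scan is still needed to tell those two apart."""
    regions = []
    for off, ent in scan(image, block):
        if ent < threshold:
            continue
        if regions and regions[-1][1] == off:
            regions[-1] = (regions[-1][0], off + block)
        else:
            regions.append((off, off + block))
    return regions

def make_sample_image() -> bytes:
    """Constructed stand-in for a firmware dump: 4 KiB of repetitive plaintext
    (header strings and a passwd-style line), 8 KiB of deterministic
    pseudo-random bytes standing in for an encrypted payload, 2 KiB of zero padding."""
    plaintext = (b"FIRMWARE HEADER v1.0 root:x:0:0:root:/root:/bin/sh\n" * 100)[:4096]
    encrypted = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                         for i in range(256))  # 256 * 32 = 8192 bytes
    padding = bytes(2048)
    return plaintext + encrypted + padding

if __name__ == "__main__":
    for start, end in high_entropy_regions(make_sample_image()):
        print(f"high-entropy region: 0x{start:06x}-0x{end:06x}")
```

On a real dump, a flat near-8.0 curve over the whole image with no recognisable headers is what “encrypted properly” looks like; plaintext strings such as credentials sit in the low-entropy regions.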

Metasploit (msf)

Exploitation framework by HD Moore and Rapid7
DB of known vulnerabilities
Modular design
Also incorporates auxiliary modules, scanners, post-exploitation, and payload encoders

Nmap

Network scanning
Service discovery
Banner grabbing
Other custom scans

IDA

Interactive Disassembler
Can be compared to OllyDbg, gdb, radare2, etc.
Used to identify buffer overflows
Other RE tasks

GitHub/Metasploit modules

/dev/ttyS0
disconnected.io
Custom msf modules from GitHub
Slightly modified Ruby code
Ufuzz

Other tools

Netcat (swiss army knife)
telnet
GPG (GNU Privacy Guard), successor of PGP
Other Linux utils for RE and analysis (strings, hexdump, find, grep, etc.)
QEMU

The Good

WeMo provides decent home automation solutions with their products, when they work
Belkin/D-Link have addressed most/all of the disclosed vulnerabilities
WeMo devices no longer store the GPG private key on the device
Netcam no longer has telnet open by default
Netcam no longer has a default password on the web interface
Firmware is now encrypted “properly”
SSL encryption used when devices communicate with the cloud service

The Bad

Netcam requires the cloud service to operate, no local access
Service is intermittent at best
There are still more unaddressed/undisclosed exploits
Old exploits still work intermittently on fully patched devices
Belkin never changed the GPG keys . . .
Legacy hardcoded credentials and blank passwords still exist

The Ugly. . .

Summary of Findings

XML UPnP injection still works on other parameters
Devices still ship unpatched
Belkin never changed GPG keys. . .
Can sign and flash our own custom firmware
Devices could be flashed with malicious firmware without the owner knowing
Dangerous considering some users won't bother to update

Further Research

More 0-days?
Fuzz the other attack surfaces/UPnP commands
Flash custom firmware onto the device
Discover devices on the internet using Shodan/masscan
Investigate other embedded devices

Belkin WeMo Remote Shell and Rapid State Change Exploit

https://www.youtube.com/watch?v=BcW2q0aHOFo

Lessons Learned

Pay attention to your professor when he lectures on protocols
Sanitize, sanitize, sanitize
Vendors are not implementing UPnP properly/securely
Sometimes logical security > technical security
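As an added illustration of the “sanitize” lesson and of the UPnP XML injection noted on the Insight Switch and findings slides, not Belkin's or the presenters' code: a SOAP response builder that string-interpolates a client-supplied argument, beside a hardened builder that can only emit it as character data, plus an allow-list check for the request side. The service URN, action name and argument name are placeholders, and the sample value is constructed.

```python
import re
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
SERVICE_NS = "urn:example-vendor:service:hypothetical:1"  # placeholder, not a real WeMo service

def build_response_unsafe(action: str, arg: str, value: str) -> str:
    """Vulnerable pattern: the client-supplied value is pasted straight into
    the SOAP body, so any markup inside it becomes part of the document."""
    return (f'<s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{action}Response xmlns:u="{SERVICE_NS}">'
            f'<{arg}>{value}</{arg}>'
            f'</u:{action}Response></s:Body></s:Envelope>')

def build_response_safe(action: str, arg: str, value: str) -> str:
    """Hardened: the value is assigned as element text, so ElementTree escapes
    <, > and & on serialisation and it can only ever be character data."""
    env = ET.Element(f"{{{SOAP_NS}}}Envelope")
    body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
    resp = ET.SubElement(body, f"{{{SERVICE_NS}}}{action}Response")
    ET.SubElement(resp, arg).text = value
    return ET.tostring(env, encoding="unicode")

def is_plain_argument(value: str) -> bool:
    """Allow-list check for the request side: a state variable such as a
    device's friendly name never legitimately needs markup characters."""
    return re.fullmatch(r"[A-Za-z0-9 ._-]{1,64}", value) is not None

def response_children(xml_doc: str) -> list:
    """Parse a response and list the element names directly under
    <*Response>; a correctly built reply has exactly one, the argument."""
    root = ET.fromstring(xml_doc)
    resp = root.find(f"{{{SOAP_NS}}}Body")[0]
    return [child.tag for child in resp]

def argument_text(xml_doc: str, arg: str) -> str:
    """Round-trip the argument value back out of the parsed response."""
    root = ET.fromstring(xml_doc)
    return root.find(f"{{{SOAP_NS}}}Body")[0].find(arg).text

if __name__ == "__main__":
    # Constructed sample: a value that closes the argument element early.
    sample = "on</FriendlyName><Injected>1</Injected><FriendlyName>"
    for build in (build_response_unsafe, build_response_safe):
        doc = build("GetFriendlyName", "FriendlyName", sample)
        print(build.__name__, response_children(doc))
```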

Resources

http://binwalk.org/
https://github.com/phikshun
http://disconnected.io/
http://www.devttys0.com/
https://github.com/issackelly/wemo
http://www.ioactive.com/pdfs/IOActive_Belkin-advisory-lite.pdf
http://www.shodan.io
https://www.scadahacker.com
http://www.exploit-db.com/
https://nvd.nist.gov/
http://1337day.com/exploit/20633

Various Black Hat and DEF CON presentations
Scholarly journals/whitepapers

Special Thanks

Thanks to The Citadel CSCI department for purchasing the two WeMo devices!

Questions?