Unveiling Vulnerabilities in IoT Firmware · 2017-07-24

#RSAC
SESSION ID: CMI-R01
Florian Lukavsky, Director, SEC Consult Singapore Pte. Ltd.

Post on 06-Apr-2018

Internet of Things. What is it exactly?

The Internet of Things (IoT) is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.

The IoT comprises an ecosystem that includes things, communications, applications and data analysis.

Source: Gartner, The Internet of Things and Related Definitions, 23.10.2014

Example Enterprise vs. Consumer IoT

Source: Gartner, The Internet of Things and Related Definitions, 23.10.2014

Applications & Analytics
    Enterprise: back-end IT systems, predictive maintenance analytics
    Consumer: mobile apps, elderly person monitoring service

Connectivity
    Enterprise: M2M connectivity
    Consumer: home broadband, standard mobile data

Gateway / Controller
    Enterprise: processor for monitoring & control of things
    Consumer: smartphone gateway, wireless router

Things
    Enterprise: jet engine, ATM, robot
    Consumer: baby monitor, health & fitness wearable

Diagram labels: Internet of Things; M2M Communication Services; Operational Technology (can include stand-alone machines outside of the IoT)

Asymmetric Encryption Basics

Server generates key pair (e.g. RSA public and private key)

Server keeps private key private!

Server provides public key to clients

Clients can encrypt information with the public key for the server

Server can decrypt information with the private key

Client and server establish secure channel

[Diagram: public key exchange; "Hello!" → ENCRYPT → "y6uW$I" → DECRYPT → "Hello!"]

SSH and HTTPS

SSH – Secure Shell: cryptographic network protocol for operating network services securely over an unsecured network

HTTPS – Hypertext Transfer Protocol Secure: protocol for secure communication over a computer network

Security for the Internet of Things

The Internet of Things is an increasingly attractive early link in attack chains. IoT vendors remain likely to repeat the security mistakes of the past and not embrace modern security, vulnerability management and disclosure practices. […]

Source: Gartner, Predicts 2016: Security for the Internet of Things, 9.12.2015

how risky is the key handling in firmware of IoT (embedded) devices in general?

We did a large scale security analysis to find out.

internet gateways, routers, modems, IP cameras, VoIP phones, M2M, etc.

4000 devices, 70 vendors

Our Approach

1. establishing a large firmware sample set (Internet of Things, M2M, CPE etc.)

2. extraction of firmware

3. efficient analysis of data using plugins & data mining:
    all kinds of certificates, private keys (e.g. for HTTPS, SSH, etc. that are focus of this talk)
    version information
    hardcoded passwords
    known & unknown vulnerabilities, etc.

4. correlation of results and reporting

Our Approach

SEC Consult conducted a long-term study to determine the progress of fixing the initial findings

2015: House of Keys, initial study

2016: House of Keys, reality check

now: ?

Censys

IoT search engine used to correlate results:

Source: www.technologyreview.com/s/544191/a-search-engine-for-the-internets-dirty-secrets/

Key Findings

Finding #1 – Incorrect Asymmetric Encryption Basics

Developer (instead of the server) generates key pair (e.g. RSA public and private key)

Developer embeds the private key in the firmware image (instead of the server keeping the private key private)

Server provides public key to clients

Clients can encrypt information with the public key for the server

Everybody (instead of only the server) can decrypt information with the private key found in the firmware image

Client and server establish an insecure (instead of a secure) channel

Finding #2 – Wrong Configuration & Exposure to the Internet

9% of all HTTPS hosts on the web use hardcoded certificates

3.2 million HTTPS hosts on the web use ~150 unique key pairs

6% of all SSH hosts on the web use hardcoded certificates

0.9 million SSH hosts on the web use ~80 unique key pairs

What is the impact of those vulnerabilities?

The private keys are known, so the following attacks are possible:
    impersonation of servers
    man-in-the-middle attacks
    passive decryption attacks

Attack vectors:
    from local network easily feasible
    “global adversary” scans internet traffic

Where do static keys originate from?

The curious case of “Daniel”

Software Development Kit of US semi-conductor company contains a hardcoded certificate issued to a "Daniel", email ([email protected]).

This certificate was used for an embedded webserver.

8 other companies licensed the webserver code and failed to replace the static certificate.

As a result, more than 480,000 devices are affected.

A similar case involving another semi-conductor company was found as well.

Read the full story on blog.sec-consult.com.

Why are so many devices exposed to the web?

Insecure default configuration by vendor
    Services exposed on WAN interface
    Automatic port forwarding using UPnP

Insecure configuration by purchaser

ISP configuration of CPE devices

[Chart: Top 10 Countries (% of all affected hosts based on IP addresses, HTTPS / SSH)]

Why are so many devices exposed to the web?

ISPs with a particularly bad track record:

Mexican Telco exposes HTTPS remote administration on more than 1,000,000 of their subscribers' devices

US-based ISP exposes HTTPS remote administration on more than 500,000 devices

Telco in Spain exposes SSH remote administration on more than 170,000 devices

Chinese Telco exposes SSH remote administration on more than 100,000 devices

Read the full story on blog.sec-consult.com.

more than 900 products from 50 vendors are affected.

informing all vendors is a mammoth task…

Affected Products – Coordination

More detailed information on www.sec-consult.com and blog.sec-consult.com

SEC Consult teamed up with CERT/CC (Carnegie Mellon University) to contact all affected vendors

(CERT Vulnerability Note VU#566724)

a few responded

fewer made fixes available

even fewer devices get fixes

Official CERT Vulnerability Note & affected Vendors

https://www.kb.cert.org/vuls/id/566724

Vendor Information for VU#566724: Embedded devices use non-unique X.509 certificates and SSH host keys

All vendors are informed, public advisories are released.

The internet is saved…

…not so much

We revisited our findings in 2016 – key observations:

The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40%

Our beloved Broadcom SDK “Daniel” certificate is used by more than 500,000 devices

Botnets are beginning to attack insecure IoT devices at large scale

and now?

-3,000,000 devices

The number of devices on the web using known private keys for HTTPS server certificates dropped by 66%

1,500,000 devices still use known private keys

but why?

Insecure IoT devices are attacked at large scale

BASHLITE

— 1 million infected IoT devices mid 2016

Brickerbot

— Causes denial of service of IoT devices

Hajime

— 300,000 infected IoT devices (no rogue activity)

Mirai (malware) is a Linux-based worm that attempts to log in to vulnerable IoT devices using a list of default credentials and infect the device, turning it into a remotely controlled bot.

How Mirai works

1. Scan for new potential targets

2. Try to log in with a list of default credentials

3. Once logged in, infect it with Mirai

Mirai’s victims

Krebs on Security: Sept 20th 2016

620 Gbps

24,000 bots

Mirai’s victims

OVH: Sept 21st 2016

1.1 Tbps

145,607 bots

Mirai’s victims

Dyn: Oct 26th 2016

1.2 Tbps

100,000 bots

major internet sites not reachable (Twitter, Amazon, Netflix, Visa, CNN, BBC, etc.)

Mirai’s victims

Deutsche Telekom: Nov 27th 2016

TR-069 vulnerability added to Mirai’s arsenal

900,000 (unintentionally) DoSed

what can be done?

What can be done

Case study high-tech manufacturing: IoT Security Strategy

Challenge: New IoT-oriented product portfolio with unclear cyber-threats and new demands on product design, engineering and software development (!) process

IoT-Security strategy

— Busting of “features > performance > security” imbalance

— Security architecture vs. security firefighting

— Not repeating old security mistakes

— Integration in engineering and software development

Security features and requirements integrated in product management

What can be done

Case study ISP: IoT Security Analysis for all CPEs

Challenge: Wanted to understand security of CPE product firmware but had 100+ firmware versions.

Automated IoT Security Analysis:

— Extraction of firmware

— Efficient analysis of data using plugins & data mining, searching for:

all kinds of certificates, private keys

version information

hardcoded passwords

known & unknown vulnerabilities…

— Correlation of results and reporting

Vulnerability Management integrated in Vendor Management for CPE vendors
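
The key search and correlation steps listed in this case study and on the earlier "Our Approach" slide, as an added example that is not SEC Consult's tooling. It assumes the firmware images are already unpacked into directories; the image names, file paths and key bytes built in demo() are constructed placeholders, not real keys.

```python
import base64, hashlib, re, tempfile
from collections import defaultdict
from pathlib import Path

# PEM private-key blocks: "RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY", ...
PEM_KEY = re.compile(
    rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----(.+?)-----END \1-----", re.DOTALL)

def find_private_keys(root):
    """Yield (relative path, key type, SHA-256 of decoded key bytes) per PEM key."""
    root = Path(root)
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        # Scan raw bytes so keys embedded inside binaries or blobs are found too.
        for m in PEM_KEY.finditer(path.read_bytes()):
            # Drop "Proc-Type:" / "DEK-Info:" header lines of encrypted legacy PEM.
            b64 = b"".join(ln.strip() for ln in m.group(2).splitlines() if b":" not in ln)
            try:
                raw = base64.b64decode(b64, validate=True)
            except ValueError:
                continue  # PEM-looking marker with a non-base64 body
            if raw:
                yield (path.relative_to(root).as_posix(), m.group(1).decode(),
                       hashlib.sha256(raw).hexdigest())

def correlate(images):
    """Return {fingerprint: [(image, path), ...]} for keys present in 2+ images."""
    seen = defaultdict(set)
    for name, root in images.items():
        for rel, _type, fp in find_private_keys(root):
            seen[fp].add((name, rel))
    return {fp: sorted(locs) for fp, locs in seen.items()
            if len({image for image, _ in locs}) > 1}

def pem(label, material):
    """Constructed stand-in for a key file: placeholder bytes, not a real key."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.b64encode(material)
            + b"\n-----END " + label + b"-----\n")

def demo():
    """Unpack three constructed 'firmware' trees to a temp dir and correlate them."""
    shared = pem(b"RSA PRIVATE KEY", b"sdk-default-key")  # same key in two products
    layout = {  # image name -> {path: content}; all names and bytes are constructed
        "vendorA_router": {"etc/ssl/server.pem": shared},
        "vendorB_camera": {"usr/sbin/httpd": b"\x7fELF\x00" + shared + b"\x00"},
        "vendorC_modem": {"etc/ssh/host_key": pem(b"EC PRIVATE KEY", b"unique-key")},
    }
    base = Path(tempfile.mkdtemp())
    for image, files in layout.items():
        for rel, content in files.items():
            target = base / image / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
    return correlate({image: base / image for image in layout})
```

Calling demo() reports the one key that appears in both the router and the camera image and omits the modem's unique key; for real use, pass correlate() a mapping of image names to the directories your extraction step produced.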

and what happens if vendors are waiting too long?

Source: FTC 23.2.2016, www.ftc.gov

2036

The FTC has already taken action against a Taiwanese computer hardware company, requiring a substantial security program for 20 years.

For any further questions contact your SEC Consult Expert.

Florian [email protected]

+65 8261 6403

SEC Consult Singapore Pte. Ltd.
51 Changi Business Park Central 2
#08-05 The Signature
Singapore 486066

www.sec-consult.com