The Internet of Insecure Things: 10 Most Wanted List
Upcoming SlideShare
Loading in...5

Like this? Share it with your network


The Internet of Insecure Things: 10 Most Wanted List



In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (And attackers profited). ...

In this talk I will quickly bring you up to speed on the history of embedded device insecurity. Next, we will look at a real-world example or two of how devices are exploited (And attackers profited). Finally, you will learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.

You may have heard about this threat, one that has plagued our lives and networks for well over a decade. A problem so ubiquitous, it can't be ignored. Yet, this threat has a history of hiding in plain sight. Users are, for the most part, unaware of the dangers. Security researchers and the media have attempted to highlight this problem for years, without making an impact on improving security. However, vendors and users are still very much at risk and the problem is still largely being ignored by the masses. The Internet of Things (IoT) aims to makes our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. The goal of this talk is to enable the audience to help raise awareness and influence the security of embedded systems in a positive way.



Total Views
Views on SlideShare
Embed Views



5 Embeds 761 751 6 2 1 1



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

The Internet of Insecure Things: 10 Most Wanted List Presentation Transcript

  • 1. The Internet Of Insecure Things: 10 Most Wanted List Paul Asadoorian Founder & CEO ! June 2014 Ver 3.0 ! (Formerly “PaulDotCom”)
  • 2. Copyright 2014 Embedded Hacking 2-Day Course Read more and sign up for this course here: ! ! Instructor: Paul Asadoorian Hosted By: The SANS Institute Next class: Oct. 26-27 in Las Vegas
  • 3. Copyright 2014 Why We [Should] Care • Who cares if someone hacks my TV, fridge, lights, scale or treadmill or wireless router? • You will care once attackers put malware on these devices • Ads will be displayed on your devices without your permission • AV will be useless • Privacy concerns: • I can see you watching TV • I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on • I know how long you spend on the toilet
  • 4. Copyright 2014 Why We [Should] Care • Attackers will find ways to monetize • They will use any system to build botnets: • Mine Bitcoins (as silly as that sounds, essentially printing currency) • Send SPAM • Launch DDoS attacks • Ransomeware schemes
  • 5. Copyright 2014 Already Happening • 01162014.php • “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge” • Okay, well one fridge, on purpose? By accident? • internet-enabled.html • “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.”
  • 6. Copyright 2014 More Already Happening • • “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.” • • “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever” • “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.” • “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
  • 7. Exploring Embedded Systems: What Are The Targets? Briefly look at some major categories...
  • 8. Copyright 2014 Consumer
  • 9. Copyright 2014 The Wifi Toilet • “A Japanese company has built a “smart toilet” that uses WiFi, and of course hackers have figured out how to remotely take over the toilet and make it spray you in the butt or flush repeatedly. Who would want a WiFi toilet?”
  • 10. Copyright 2014 Industrial Control Systems Text Turck BL67 Tridium Niagara AX Siemens SCALANCE X-200 Clorius Controls ISC Magnum MNS-6K
  • 11. Copyright 2014 Corporate • Building Entry • Environmental • Lighting • Security Cameras • Hotel Key Cards • Timeclocks • Headsets & Phones • Printers & Multi-Function
  • 12. Copyright 2014 Medical • IV Pumps / Drug infusion pumps • Insulin Pumps (Wearable) • Surgical and anesthesia devices • Ventilators • External defibrillators • Patient monitors • Laboratory and analysis equipment Researchers Billy Rios andTerry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors.According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware. warn/
  • 13. It’s Nice To Have Goals I came up with this list...
  • 14. Copyright 2014 10 Most Wanted List 1. Backdoors inside of firmware 2. Default credentials 3. Insecure Remote management (Defaults & Clear-Text Transmissions) 4. Open-source software and drivers, NOT binary blobs 5. Functions prone to overflow conditions 6. Firmware and configuration encryption 7. Easy-to-use firmware updates (auto-updates) 8. Secure web management interfaces 9. Maintain a CIRT and provide a program for security researchers 10. Implement Protocols Security / Implement Secure Protocols
  • 15. We’re going to explore one of the most horrific, insecure embedded systems on the planet But still… Who Cares?
  • 16. “Inside Joel’s Backdoor” D-LINK DIR-100
  • 17. Copyright 2014 Background • I want to show how an attacker would exploit vulnerabilities on embedded systems for profit • I found some excellent research published by Craig Heffner, author of binwalk and one of the most talented embedded device security researchers on the planet - Hak.5 Interview with Craig Heffner on the issues: http://
  • 18. Copyright 2014 Background • The other rock star is Zach Cutlip, both work for Tactical Network Solutions and deserve A LOT of praise for their research • Joel’s Backdoor is one of the most interesting embedded device vulnerabilities I’ve seen in some time • Combined with several other flaws on the D-Link DIR-100
  • 19. For those just reading the slides… root@embeddedcourse:/home/firmware/TM-G5240# file TM-G5240-4.0.0b28.bix TM-G5240-4.0.0b28.bix: data ! root@embeddedcourse:/home/firmware/TM-G5240# binwalk -e TM-G5240-4.0.0b28.bix ! DECIMAL HEX DESCRIPTION ------------------------------------------------------------------------------- 4 0x4 Realtek firmware header (ROME bootloader) image type: RUN, header version: 1, created: 3/7/2007, image size: 2845036 bytes, body checksum: 0xF, header checksum: 0xE0 13014 0x32D6 mcrypt 2.2 encrypted data, algorithm: blowfish-256, mode: CBC, keymode: 8bit 26664 0x6828 7-zip archive data, version 48.107 WARNING: Extractor.execute failed to run '/opt/firmware-mod-kit/trunk/ 'C0988.squashfs'': [Errno 2] No such file or directory 788872 0xC0988 Squashfs filesystem, big endian, version 2.0, size: 2056186 bytes, 510 inodes, blocksize: 65536 bytes, created: Mon Mar 26 19:33:56 2007 ! ! Mini-Demo: Firmware Basics (1)
  • 20. root@embeddedcourse:/home/firmware/TM-G5240# unsquashfs C0988.squashfs Reading a different endian SQUASHFS filesystem on C0988.squashfs Parallel unsquashfs: Using 2 processors 484 inodes (544 blocks) to write ! [=======================================================================|] 544/544 100% created 348 files created 26 directories created 49 symlinks created 87 devices created 0 fifos ! ! root@embeddedcourse:/home/firmware/TM-G5240# cd squashfs-root/sbin ! root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/sbin# file webs webs: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), stripped ! root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/sbin# strings webs | grep strcpy strcpy ! For those just reading the slides… Mini-Demo: Firmware Basics (2)
  • 21. Copyright 2014 Exemplify Problem Areas 1.Backdoors inside of firmware 2.Default credentials 3.Functions prone to overflow conditions 4.Secure web management interfaces
  • 22. Copyright 2014 Joel’s Backdoor • October 2013 Craig Heffner released details on a backdoor affecting D-Link routers • Reverse engineering the authentication process, Craig finds a special compare • Turns out if you set your User-Agent to “xmlset_roodkcableoj28840ybtide” you can access web management • No password required! • Who is Joel anyway? • link-backdoor/ edit by 04882 joel backdoor
  • 23. Copyright 2014 Why Joel Did This? The ever neighborlyTravis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware.After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something.The only problem was that the web server required a username and password, which the end user could change.Then, in a eureka moment, Joel jumped up and said,“Don’t worry, for I have a cunning plan!”.
  • 24. Copyright 2014 Russians Found It First • Looking to root an ISPs router • They found the string, and tried it as the TELNET login • They could have found it and never posted it • Or they never figured out its the User-Agent string %D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82 January 24, 2010
  • 25. Copyright 2014 Exploit Is Simple DIR-100: ! wget -U ‘xmlset_roodkcableoj28840ybtide’ TM-G5240 (FirmwareVersion:v4.0.0b28) ! wget -U 'xmlset_roodkcableoj28840ybtide'
  • 26. But, No One Exposes Web Management Interfaces To The Internet? Because no presentation is complete without a Shodan screenshot
  • 27. Copyright 2014 Canadians & Chinese thttpd-alphanetworks is a fork of thttpd by a spin-off of Dlink
  • 28. Copyright 2014 Remote Exploitation Via Browser • But wait, what if you could get someone to click on a link? • Could you send authentication + exploit to the router? • You need a few things to happen: • The victim must load a web page with your exploit code • Your exploit code must be able to modify the User-Agent • Your have to know the IP address ( of the device • Your must run a command through the web interface to do something evil • Your must bypass the Same Origin policy
  • 29. Copyright 2014 But, wait... • In AJAX, you can do this: ! ! • And then send this request: xmlhttp.setRequestHeader('User-Agent','xmlset_roodkcableoj28840ybtide'); $sys_remote_enable=1%25;$sys_remote_ip=;$sys _remote_port=80%25;commit But Same Origin Policy will trump you (unless you can get around it in Java/Flash, stay tuned..)
  • 30. Copyright 2014 DIR-100 Buffer Overflow • But wait, there’s more! Craig also released a buffer overflow vulnerability and exploit code: • • Limited to 200 bytes of shellcode • Requires admin • Works on DIR-100 Benefit: Now we can upload and execute code on the device, allowing us to execute commands and/or install software. ! Such as a network sniffer...
  • 31. Copyright 2014 Multi-Stage Dropper MIPS Shellcode • Zach Cutlip is awesome, and his shellcode is damn sexy: • shellcode/mips/trojan-dropper • Or callback in 184 bytes: • connect-back/
  • 32. It’s not dead yet... But wait, there’s even more!
  • 33. Copyright 2014 Dir-100 XSS & So Much More • December 2013 researcher Felix Richter exposes several more vulnerabilities affecting DIR-100 routers • Authentication.html • Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255] • Retrieve sensitive configuration parameters like the pppoe username and password without authentication [CWE-200] • Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287] • Sending formatted request to a victim which then will execute arbitrary commands on the device (CSRF) [CWE-352] • Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]
  • 34. Copyright 2014 Let’s Recap • For your enjoyment, DIR-100 has: • At least 2 different authentication bypass vulnerabilities • Information disclosure, leading to PPPOE passwords • A CSRF vulnerability • A remote buffer overflow • A stored XSS vulnerability
  • 35. Copyright 2014 0wning D-Link Brazil? • DIR_100/Status/st_device.htm
  • 36. Copyright 2014 These Conditions Can’t Exist On Other Devices? • Medical: medical-devices-vulnerable-to-serious-hacks-feds-warn/ • SCADA: • Industrial Automation: ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_a utomation_devices.html • Building Automation: v=c4LMrKEO_t0 (BACNet) • Home Automation: IOActive_advisory_belkinwemo_2014.html
  • 37. What Do We Do About It? 10 Most Wanted List: A Guide For Embedded Device Manufacturer and Software Developers
  • 38. Copyright 2014 1. Firmware Backdoors • A “secret” account (or access) created by the vendor that allows remote management • Excuse is this is done for support reasons (password resets) • The problem is: its not so secret
  • 39. Backdoor password was... Derived from the MAC address....
  • 40. Copyright 2014 2. Default Credentials • A known set of credentials used out-of-the-box • Typically found via Google or in documentation • The problems: Anyone can discover this value and users/ administrators don’t change it • Also: Firmware updates sometimes reset it to the default value
  • 41. Copyright 2014 3. Insecure Remote Management • HTTP & TELNET - Its 2014, why are we still using these protocols to manage systems? • HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device • SSH - Same thing here, but easier to enable by default • Oh, and weak passwords
  • 42. Copyright 2014 4. Open-Source drivers • Interoperability is nice, but also begs the security question • How do I keep my software and hardware up-to-date if you don’t provide me with a new driver! • Open-source drivers allow for more eyes, and typically are patched more quickly
  • 43. Copyright 2014 5. Functions prone to overflow • Wait, we know strcpy() is bad, right? • Why do we still use it? • And yes, programmers still use it • In fact, if you take it out, they will just put it back ! • 2013/11/06/supermicro-ipmi-firmware-vulnerabilities
  • 44. Copyright 2014 Funny Thing About Encryption
  • 45. Copyright 2014 6. Firmware Encryption • Signing firmware updates makes it harder to backdoor existing firmware • Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security) • Also, XOR is NOT encryption ! • hacking-firmware-and-detecting-backdoors/d/d-id/ 1139859?
  • 46. Copyright 2014 7. User Friendly Firmware Updates • Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...) • Step back, most are unaware devices need to be updated for security, amazed that it actually works • Even the term “update firmware” is too geeky, we need to change this • Smartphones are a great example
  • 47. Copyright 2014 8. Secure Web Frameworks • The code behind the web management interface is typically poorly implemented • Java, Ruby, Python, .NET - all too “heavy” to implement on small systems • Developers typically write their own, similar results to “Well, I’ll just implement my own encryption algorithm”
  • 48. Copyright 2014 9. Maintain a CIRT • Look, this FREE help! • D-Link has fixed the problems we covered earlier • Some vulnerabilities never get fixed • Researchers get frustrated and just post the exploits to pastebin • Prezi got hacked, paid the researcher money, and wrote a nice blog post about it and linked to the researcher’s presentation (not in Prezi) • It pays to work and collaborate with security researchers
  • 49. Copyright 2014 10. Secure Protocols • UPnP, IPMI, HNLP, DLNA are common protocols on consumer devices • Modbus is popular on SCADA devices • The problem is they offer great functionality • But security is often left out entirely • IPMI and HNLP have had huge problems, leading to major issues and even the “Linksys Router Worm” • The protocols desperately need security...
  • 50. Copyright 2014 Embedded Hacking 2-Day Course Read more and sign up for this course here: ! ! Instructor: Paul Asadoorian Hosted By: The SANS Institute Next class: Oct. 26-27 in Las Vegas