Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Embedded Security in the
Land of the Rising Sun
Ben Schmidt (presenter) // @_supernothing
Lord Commander of Security Resea...
this talk: Japanese router hacking
●  motivation
●  0knowledge to 0day
●  landscape
●  attack surface
●  vulnerabilities
●...
why hack Japanese routers?
●  comparatively little public research
●  who doesn’t loves junk hacking?*
●  in seriousness, ...
0knowledge to 0day
* there’s still plenty we don’t know
●  when we started, we knew nothing about the
Japanese router land...
0knowledge to 0day
●  mostly cultural, few technical obstacles
mitigation enabled? good for us?
full ASLR (including PIE) ...
landscape
●  a boatload of:
o  routers
o  modems
o  wifi hotspots
o  webcams
o  internet-connected picture frames
o  … muc...
landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
OKI di...
landscape, con’t
many manufacturers; this is a small sample
(likely)
corp
how to ID models protections good for
us?
Buffal...
attack surface
●  HTTP
o  frequently LAN-facing
●  FTP
●  …
●  UPnP
o  frequently WAN-facing
speaking of UPnP...
Security Flaws in UPnP:
Unplug, Don’t Play, Rapid7
Security Flaws in UPnP:
Unplug, Don’t Play, Rapid7
speaking of UPnP...
we looked here
●  Shodan
o  3mil hosts in Japan
o  almost none anywhere else
●  our research
o  ~200,000 hosts in Japan at
any single tim...
our favorite UPnP daemon: XXXXXX
●  case study: CompSci security 101
●  every vulnerability you can imagine,
everywhere fe...
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
attacker controlled
attacker controlled
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
buffer is overflown...
attacker controlled
attacker controlled
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
buffer is overflown...
attacker controlled
...
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...herebut why try
harder?
root command
injection...
...here
oh
yeah
and...
spot-the-vuln(s)
our favorite UPnP daemon: XXXXXX
...here
oh
yeah
and
here
too
but why try
harder?
root command
injection....
our favorite UPnP daemon: XXXXXX
in other words…
●  4 lines
●  4 remotely
exploitable
vulnerabilities
demo: UPnP command injection
HTTP: signedness confusion
1.  specify a negative Content-Length
2.  sanity check does a signed comparison
o  the check pa...
demo: HTTP signedness confusion
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((“192.168.1....
HTTP: path traversal
1. http://192.168.1.1:2869/../SuperSecretStuff
2. ???
3. profit
seriously.
demo: HTTP path traversal
import requests
print requests.get('http://192.168.1.1:2869/../mainConfig.xml').text
why this matters
●  what to do with 200,000 home routers?
o  violate privacy, capture all traffic
o  impersonate victims
o...
more Japanese statistics
●  200,000+: number of routers / modems running the
discussed vulnerable UPnP service on WAN
●  5...
remediation
●  patching vulns is a non-starter
o  there’s too many, no one cares to find them all
●  what we’ve demonstrat...
remediation: manufacturers (1/3)
●  use modern exploit mitigations
o  userspace: NX / DEP, ASLR*, stack / heap
hardening
o...
remediation: manufacturers (2/3)
●  privilege separation
o  there is no reason to run everything as root*
●  sandbox every...
remediation: manufacturers (3/3)
●  deter physical access
o  cut unnecessary debug ports, no JTAG, no serial
o  limited ef...
things that don’t work
●  security through obscurity
o  yes, someone* has figured out how to extract
YetAnotherObscureFile...
remediation: end users
●  firewall everything
o  only sane approach is to assume compromise on
seldom-updated embedded dev...
conclusions
●  there needs to be more (public) research interest in
Japanese infrastructure
●  cultural barriers are surmo...
thanks
●  Google translate
●  Yahoo! auctions
●  Icons licensed under CC BY 3.0:
o  router, modem, wifi, webcam, question ...
questions?
?Want to learn more?
Narf offers custom embedded device security training classes in Japanese &
English. Materi...
CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI
Upcoming SlideShare
Loading in …5
×

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI

1,124 views

Published on

Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other,more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution.

During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used . We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing of proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet.

All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.

Published in: Technology
  • Be the first to comment

CODE BLUE 2014 : Embedded Security in The Land of the Rising Sun by BEN SCHMIDT & PAUL MAKOWSKI

  1. 1. Embedded Security in the Land of the Rising Sun Ben Schmidt (presenter) // @_supernothing Lord Commander of Security Research @NarfIndustries Paul Makowski (assistant to the presenter) // @myhndl Director of World Domination @NarfIndustries
  2. 2. this talk: Japanese router hacking ●  motivation ●  0knowledge to 0day ●  landscape ●  attack surface ●  vulnerabilities ●  exploitation demos ●  remediation
  3. 3. why hack Japanese routers? ●  comparatively little public research ●  who doesn’t loves junk hacking?* ●  in seriousness, these routers matter a lot o  there are many listening on WAN o  they run notoriously insecure software * the answer is Dave Aitel: https://lists.immunityinc.com/pipermail/dailydave/2014-September/000746.html ← top countries with hosts listening on WAN port 1900 (UPnP default). ●  Japan is #4 ●  more on UPnP later
  4. 4. 0knowledge to 0day * there’s still plenty we don’t know ●  when we started, we knew nothing about the Japanese router landscape* ●  barriers: language, infrastructure, hardware acquisition & testing we hope we don’t set ourselves on fire...
  5. 5. 0knowledge to 0day ●  mostly cultural, few technical obstacles mitigation enabled? good for us? full ASLR (including PIE) no NX / DEP? mostly no stack or heap cookies mostly yes Such security, many lulz, wow
  6. 6. landscape ●  a boatload of: o  routers o  modems o  wifi hotspots o  webcams o  internet-connected picture frames o  … much more
  7. 7. landscape, con’t many manufacturers; this is a small sample (likely) corp how to ID models protections good for us? OKI distributed as .bin, is actually .tar.gz, contains ROOTIMG.BIN which is several JFFS2 partitions XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX ... none
  8. 8. landscape, con’t many manufacturers; this is a small sample (likely) corp how to ID models protections good for us? Buffalo binary blob, begins with “bgn” XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX XXXXXXXXXXX ... encrypted, (slightly) modified RC4 w/ static key “Buffalo” Watch https://narfindustries.com/codeblue2014 for more complete list.
  9. 9. attack surface ●  HTTP o  frequently LAN-facing ●  FTP ●  … ●  UPnP o  frequently WAN-facing
  10. 10. speaking of UPnP... Security Flaws in UPnP: Unplug, Don’t Play, Rapid7
  11. 11. Security Flaws in UPnP: Unplug, Don’t Play, Rapid7 speaking of UPnP... we looked here
  12. 12. ●  Shodan o  3mil hosts in Japan o  almost none anywhere else ●  our research o  ~200,000 hosts in Japan at any single time ●  What would you do with a 200,000+ botnet? our favorite UPnP daemon: XXXXXX
  13. 13. our favorite UPnP daemon: XXXXXX ●  case study: CompSci security 101 ●  every vulnerability you can imagine, everywhere feasible o  stack & heap buffer overflows !  memcpy, strcpy, sprintf, oh my! o  path traversal !  download passwords in config files o  command injection
  14. 14. spot-the-vuln(s) our favorite UPnP daemon: XXXXXX attacker controlled attacker controlled
  15. 15. spot-the-vuln(s) our favorite UPnP daemon: XXXXXX ...here buffer is overflown... attacker controlled attacker controlled
  16. 16. spot-the-vuln(s) our favorite UPnP daemon: XXXXXX ...here oh yeah and here too buffer is overflown... attacker controlled attacker controlled
  17. 17. spot-the-vuln(s) our favorite UPnP daemon: XXXXXX ...herebut why try harder? root command injection... ...here oh yeah and here too buffer is overflown... attacker controlled attacker controlled
  18. 18. spot-the-vuln(s) our favorite UPnP daemon: XXXXXX ...here oh yeah and here too but why try harder? root command injection... ...here also here buffer is overflown... attacker controlled attacker controlled
  19. 19. our favorite UPnP daemon: XXXXXX in other words… ●  4 lines ●  4 remotely exploitable vulnerabilities
  20. 20. demo: UPnP command injection
  21. 21. HTTP: signedness confusion 1.  specify a negative Content-Length 2.  sanity check does a signed comparison o  the check passes 3. scanf() promotes int to unsigned, copies length specified 4.  overflow heap buffer 5.  ??? 6.  profit
  22. 22. demo: HTTP signedness confusion import socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((“192.168.1.1”, 2869)) s.send('GET AAAArnContent-Length: -34rnrn') s.close()
  23. 23. HTTP: path traversal 1. http://192.168.1.1:2869/../SuperSecretStuff 2. ??? 3. profit seriously.
  24. 24. demo: HTTP path traversal import requests print requests.get('http://192.168.1.1:2869/../mainConfig.xml').text
  25. 25. why this matters ●  what to do with 200,000 home routers? o  violate privacy, capture all traffic o  impersonate victims o  man-in-the-middle, exploit end hosts o  use as basis for covert infrastructure, misattributing further attacks o  cripple national infrastructure through DDoS attacks
  26. 26. more Japanese statistics ●  200,000+: number of routers / modems running the discussed vulnerable UPnP service on WAN ●  500,000+: number of devices running a UPnP daemon and listening on WAN on the default port o  can be used to map internal ports, expose additional vulns ●  1,700,000+: number of devices running an HTTP daemon and listening on WAN on the default port o  93,000+ of these are not running either Apache or IIS
  27. 27. remediation ●  patching vulns is a non-starter o  there’s too many, no one cares to find them all ●  what we’ve demonstrated is only the beginning o  seriously, we ctrl-f’ed for system()... profit ●  need to start over
  28. 28. remediation: manufacturers (1/3) ●  use modern exploit mitigations o  userspace: NX / DEP, ASLR*, stack / heap hardening o  kernelspace: grsecurity ●  fail closed: default settings matter o  don’t listen to anything on WAN by default o  if remote admin is required by the customer, require key-based authentication (e.g. SSH, CWMP/TR-069 or similar) * This means PIE. Binaries that are not PIE are not full ASLR. Anything less than full ASLR is mostly pointless.
  29. 29. remediation: manufacturers (2/3) ●  privilege separation o  there is no reason to run everything as root* ●  sandbox everything: seccomp_bpf() o  Why is your UPnP daemon able to install kernel modules or read / write outside of its home? ●  don’t implement your own HTTP / FTP / UPnP/ Gopher / whatever service o  obscurity < audited code* Laziness doesn’t count. It’s 2014; attackers have a lot to gain, you have a lot to lose and embedded devices are often the lowest hanging fruit.
  30. 30. remediation: manufacturers (3/3) ●  deter physical access o  cut unnecessary debug ports, no JTAG, no serial o  limited effect on determined attackers ●  make analysis difficult o  firmware encryption & signing ●  scope the set of possible vulnerabilities o  if you must write your own software, why not write it in Python or Ruby?
  31. 31. things that don’t work ●  security through obscurity o  yes, someone* has figured out how to extract YetAnotherObscureFileSystem ●  outmoded threat models / thinking your software isn’t interesting o  attackers target more than end hosts o  there is plenty (sometimes more) value in pwning infrastructure * The contributors and projects behind binwalk (https://github.com/devttys0/binwalk) to be specific.
  32. 32. remediation: end users ●  firewall everything o  only sane approach is to assume compromise on seldom-updated embedded devices such as modems and routers o  the catch: many of these embedded devices are between you and the Internet ●  whenever possible, run custom firmware o  let someone else be the easiest target
  33. 33. conclusions ●  there needs to be more (public) research interest in Japanese infrastructure ●  cultural barriers are surmountable even by curious people in their spare time o  we conducted this research from the US, without direct access to Japanese infrastructure or devices o  determined attackers will hardly be slowed ●  the fixes are not simple o  vulnerabilities are numerous o  problems run deep
  34. 34. thanks ●  Google translate ●  Yahoo! auctions ●  Icons licensed under CC BY 3.0: o  router, modem, wifi, webcam, question mark, flame by flaticon.com user Freepik o  picture frame by flaticon.com user Icomoon o  thumb’s up by flaticon.com user Amit Jakhu o  video camera by flaticon.com user
  35. 35. questions? ?Want to learn more? Narf offers custom embedded device security training classes in Japanese & English. Material is licensed & translated from TacNetSol’s world-renowned EDE course. For more information, visit our website: https://narfindustries.com/index.php?id=training

×