
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014



The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world examples of how devices are exploited (and how attackers profited). You will also learn what we can do to help fix these problems and push the industry toward a much higher level of security for devices affecting our daily lives.



  1. The Internet Of Insecure Things: 10 Most Wanted List. Paul Asadoorian, Founder & CEO
  2. Things About Paul: Work thing • Podcast thing • Hacks things • Enjoys things. Copyright 2014
  3. Things About This Presentation • Yes, I may say “The Internet of Things” • This is not about “watch me hack this device” • While this is fun, we’ve established things are vulnerable • Also, the sky is not falling because someone can hack your toaster (yet)
  4. It’s More About… • Real attack vectors against embedded systems • Some examples of vulnerabilities and attacks (we have to have some fun!) • Understanding the different types of systems and applications • Most important, what do “we” do about it? • The manufacturers of embedded systems • The folks tasked with protecting networks, systems and infrastructure
  5. Embedded Systems: “An embedded system is a special-purpose system in which the computer is completely encapsulated by the device it controls.”
  6. Consumer
  7. I Think This Is Cool but…
  8. People cared when…
  9. Why Do We Care? • Who cares if someone hacks my TV, fridge, lights, scale, treadmill or wireless router? • Attackers install adware/spyware/ransomware on these devices • Ads will be displayed on your devices without your permission
  10. Care more now?
  11. Why Do We Care? Privacy. • I can see you watching TV • I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on • I know how long you spend on the toilet • I collect all this data and use it to send targeted ads • Distribute pictures of you getting a snack in your underwear at 3AM
  12. Things are real
  13. What if this could be prevented?
  14. By This?
  15. Why We [Should] Care • Attackers will find ways to monetize • They will use any system to: • Mine Bitcoins (as silly as that sounds, essentially printing currency) • Build botnets to send SPAM and launch DDoS attacks • key-on-home-routers/105220 Copyright © 2014 by Defensive Intuition, LLC
  16. Industrial Control Systems: Turck BL67 • Tridium Niagara AX • Siemens SCALANCE X-200 • Clorius Controls ISC • Magnum MNS-6K
  17. Why Do We Care? • Potentially life threatening • Historically operated on closed networks • Physical attacks are in play • Economics still apply, cost is a huge factor • Devices have to “live” for a really long time • It costs money to replace them
  18. Corporate • Building Entry • Environmental • Lighting • Security Cameras • Hotel Key Cards • Timeclocks • Headsets & Phones • Printers & Multi-Function
  19. Why Do We Care? • Attackers will use “things” as a jumping-off point (à la Target) • Attackers will prey on weaknesses, such as POS systems • Physical access is not the primary concern, but still possible • The challenge of economics applies: low-cost solutions that solve problems will win over security
  20. Medical • IV Pumps / Drug infusion pumps • Insulin Pumps (Wearable) • Surgical and anesthesia devices • Ventilators • External defibrillators • Patient monitors • Laboratory and analysis equipment. Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
  21. Why Do We Care? • Life threatening for sure • Patient care will trump security every time • Connectivity and ease of use will trump security • “Oh sorry, I can’t give you pain meds, the IV pump is updating patches” • Patient confidentiality also trumps security • More important to be compliant than secure
  22. Already Happening • 01162014.php • “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge” • Okay, well one fridge, on purpose? By accident? Where is the data? • enabled.html • “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.”
  23. More Already Happening • “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.” • “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever” • “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.” • “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
  24. If I Had To Pick One Example… of a really insecure embedded system, it would be…
  25. “Inside Joel’s Backdoor”: D-Link DIR-100
  26. Background • I want to show how an attacker would exploit vulnerabilities on embedded systems for profit • I found some excellent research published by Craig Heffner, author of binwalk and one of the most talented embedded device security researchers on the planet • Hak.5 Interview with Craig Heffner on the issues: http://
  27. Background • The other rock star is Zach Cutlip; both work for Tactical Network Solutions and deserve A LOT of praise for their research • Joel’s Backdoor is one of the most interesting embedded device vulnerabilities I’ve seen in some time • Combined with several other flaws on the D-Link DIR-100
  28. Exemplify Problem Areas: 1. Backdoors inside of firmware 2. Default credentials 3. Functions prone to overflow conditions 4. Secure web management interfaces
  29. BTW, many of these vulns are old… Not as old as Jack…
  30. Joel’s Backdoor • October 2013: Craig Heffner released details on a backdoor affecting D-Link routers • Reverse engineering the authentication process, Craig finds a special compare • Turns out if you set your User-Agent to “xmlset_roodkcableoj28840ybtide” you can access web management • No password required! (read the second half of the string backwards: “edit by 04882 joel backdoor”) • Who is Joel anyway?
  31. Why Did Joel Do This? The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
  32. Russians Found It First • Looking to root an ISP’s router • They found the string, and tried it as the TELNET login • They could have found it and never posted it • Or they never figured out it’s the User-Agent string • January 24, 2010: %D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82
  33. Exploit Is Simple • DIR-100: wget -U 'xmlset_roodkcableoj28840ybtide' http:// • TM-G5240 (Firmware Version: v4.0.0b28): wget -U 'xmlset_roodkcableoj28840ybtide' http://
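Once the magic string is public, the check a defender wants is the mirror image of the exploit: scan the device's (or an upstream proxy's) web access logs for requests carrying that User-Agent and attribute them to source hosts. This is an added example, not code from the talk or from D-Link; the log lines, IP addresses and timestamps are constructed, and the combined log format is assumed.

```python
import re
from collections import Counter

# Known backdoor User-Agent values. The only entry is the D-Link string from
# the talk; the table is keyed so further strings can be added later.
BACKDOOR_USER_AGENTS = {
    "xmlset_roodkcableoj28840ybtide": "D-Link xmlsetc backdoor (Joel's backdoor)",
}

# Combined log format: host ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def find_backdoor_requests(lines):
    """Return (host, time, request, description) for every request whose
    User-Agent contains a known backdoor string. Substring rather than exact
    match, so a value padded with a normal agent string is still caught."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, never treated as clean
        for magic, desc in BACKDOOR_USER_AGENTS.items():
            if magic in rec["ua"]:
                hits.append((rec["host"], rec["time"], rec["request"], desc))
    return hits

def hosts_using_backdoor(lines):
    """Count backdoor requests per source host, for blocking or alerting."""
    return Counter(hit[0] for hit in find_backdoor_requests(lines))

# Constructed sample log (documentation address ranges, no real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [15/Sep/2014:10:01:02 -0400] "GET /index.htm HTTP/1.1" 200 1532 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [15/Sep/2014:10:01:09 -0400] "GET /Status/st_device.htm HTTP/1.0" 200 2810 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.10 - - [15/Sep/2014:10:02:44 -0400] "GET /Status/st_device.htm HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [15/Sep/2014:10:03:01 -0400] "POST /index.htm HTTP/1.0" 200 310 "-" "Wget/1.15 xmlset_roodkcableoj28840ybtide"
this line is deliberately malformed and must not crash the scanner
"""

if __name__ == "__main__":
    for host, when, request, desc in find_backdoor_requests(SAMPLE_LOG.splitlines()):
        print(f"{when} {host} {request!r}: {desc}")
```

Note that the unauthenticated 401 from the browser host is not flagged; only the magic header is evidence, because the backdoor makes the request succeed with a 200 and no credentials.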
  34. But, No One Exposes Web Management Interfaces To The Internet? Because no presentation is complete without a Shodan screenshot
  35. Canadians & Chinese. thttpd-alphanetworks is a fork of thttpd by a spin-off of D-Link
  36. Remote Exploitation Via Browser • But wait, what if you could get someone to click on a link? • Could you send authentication + exploit to the router? • You need a few things to happen: • The victim must load a web page with your exploit code • Your exploit code must be able to modify the User-Agent • You have to know the IP address of the device • You must run a command through the web interface to do something evil • You must bypass the Same Origin policy
  37. DIR-100 Buffer Overflow • But wait, there’s more! Craig also released a buffer overflow vulnerability and exploit code: • Limited to 200 bytes of shellcode • Requires admin • # strings webs | egrep '(sprintf|strcpy)' (output: strcpy sprintf) • Benefit: Now we can upload and execute code on the device, allowing us to execute commands and/or install software.
  38. Multi-Stage Dropper MIPS Shellcode • Zach Cutlip is awesome, and his shellcode is damn sexy: trojan-dropper • Or callback in 184 bytes: connect-back/
  39. It’s not dead yet... But wait, there’s even more!
  40. DIR-100 XSS & So Much More • December 2013: researcher Felix Richter exposes several more vulnerabilities affecting DIR-100 routers • Authentication.html • Retrieve the Administrator password without authentication, leading to authentication bypass [CWE-255] • Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200] • Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287] • Send a formatted request to a victim which will then execute arbitrary commands on the device (CSRF) [CWE-352] • Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]
  41. I See Your Privates. root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/etc# cat stunnel.pem
  42. Let’s Recap • For your enjoyment, DIR-100 has: • At least 2 different authentication bypass vulnerabilities • Information disclosure, leading to PPPoE passwords • A CSRF vulnerability • A remote buffer overflow • A stored XSS vulnerability • Select models use static keys
  43. 0wning D-Link? • DIR_100/Status/st_device.htm
  44. These Conditions Can’t Exist On Other Devices? • Medical: devices-vulnerable-to-serious-hacks-feds-warn/ • SCADA: • Industrial Automation: ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_automation_devices.html • Building Automation: v=c4LMrKEO_t0 (BACnet) • Home Automation: IOActive_advisory_belkinwemo_2014.html
  45. Even More Attacks • HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet • Craig Heffner discovered a DNS rebinding attack on several routers, allowing attackers to gain control of administrative interfaces
  46. Even More Attacks (2) • Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems: ds-and-the-wii-to-spread-malware/ • Barnaby Jack remotely attacked two different ATMs and “made the money come out” (without a card + PIN)
  47. But Why? Why are embedded systems left out in the cold when it comes to security?
  48. Why? • Embedded systems, across all major categories, are designed with two things in mind: • Usability - Does the system work as intended for the user? (e.g. my TV turns on, allows me to change the channel, displays an image) • Reliability - Does the system catch fire, break, fall over, or cease functioning under certain conditions? (e.g. does my TV catch fire if left on or melt due to the temperature being too high?) • What are they not designing for?
  49. Why? • What happens if an external user takes control of the system and makes it do “bad things”? • Think of it like a hammer: • I make sure it can pound stuff (usability) • I make sure the head doesn’t come flying off and kill someone (reliability) • I don’t design it so that no one can use it to smash someone’s face. Credit: index.php/Episode_386#Interview:_Mike_Murray
  50. These are no ordinary hammers • The hammers, embedded systems, we speak of have connectivity! • Ethernet • Wi-Fi • Bluetooth • ZigBee • RFID • NFC
  51. What Do We Do About It? 10 Most Wanted List: A Guide For Embedded Device Manufacturers and Software Developers
  52. 10 Most Wanted List 1. Backdoors inside of firmware 2. Default credentials 3. Insecure remote management (defaults & clear-text transmissions) 4. Open-source software and drivers, NOT binary blobs 5. Functions prone to overflow conditions 6. Firmware and configuration encryption 7. Easy-to-use firmware updates (auto-updates) 8. Secure web management interfaces 9. Maintain a CIRT and provide a program for security researchers 10. Implement secure protocols
  53. 1. Firmware Backdoors • A “secret” account (or access) created by the vendor that allows remote management • The excuse is that this is done for support reasons (password resets) • The problem is: it’s not so secret
  54. Backdoor password was... derived from the MAC address....
  55. 2. Default Credentials • A known set of credentials used out-of-the-box • Typically found via Google or in documentation • The problems: anyone can discover this value, and users/administrators don’t change it • Also: firmware updates sometimes reset it to the default value
  56. 3. Insecure Remote Management • HTTP & TELNET - It’s 2014, why are we still using these protocols to manage systems? • HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device • SSH - Same thing here, but easier to enable by default • Oh, and weak passwords
  57. 4. Open-Source drivers • Interoperability is nice, but also begs the security question • How do I keep my software and hardware up-to-date if you don’t provide me with a new driver? • Open-source drivers allow for more eyes, and typically are patched more quickly
  58. 5. Functions prone to overflow • Wait, we know strcpy() is bad, right? • Why do we still use it? • And yes, programmers still use it • In fact, if you take it out, they will just put it back • supermicro-ipmi-firmware-vulnerabilities
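Because the banned functions get put back, the `strings webs | egrep '(sprintf|strcpy)'` check from the DIR-100 slides is worth turning into a build gate a vendor runs on every shipped binary. This is an added example, not the talk's tooling: it extracts printable strings the way `strings -n 4` does and matches banned libc names as whole tokens, so `snprintf` is not reported when only `sprintf` is banned (the egrep pattern matches both). The byte blobs are constructed stand-ins for an ELF .dynstr table.

```python
import re

# Functions the talk says keep coming back, with the bounded replacement a
# reviewer would ask for. A CI gate fails the build when any of them appears.
UNSAFE_FUNCTIONS = {
    "strcpy": "strncpy or strlcpy with an explicit destination size",
    "strcat": "strncat or strlcat",
    "sprintf": "snprintf",
    "gets": "fgets",
}

def extract_strings(blob, min_len=4):
    """Printable-ASCII runs of at least min_len bytes, like `strings -n`."""
    pattern = re.compile(rb"[\x20-\x7e]{" + str(min_len).encode() + rb",}")
    return [m.decode("ascii") for m in pattern.findall(blob)]

def audit_unsafe_functions(blob):
    """Return {name: replacement} for every banned symbol found as an exact
    string. Imported symbol names sit NUL-separated in .dynstr, so each one
    leaves the strings pass as its own token. A statically linked binary has
    no import names and needs a disassembly-based check instead."""
    return {s: UNSAFE_FUNCTIONS[s] for s in set(extract_strings(blob)) if s in UNSAFE_FUNCTIONS}

def build_gate(blob):
    """True when the binary is clean, False when it should fail CI."""
    return not audit_unsafe_functions(blob)

# Constructed stand-in for a MIPS web server binary's .dynstr section:
# ELF magic, padding, then NUL-separated import names.
FAKE_WEBS_DYNSTR = (
    b"\x7fELF\x01\x02\x01" + b"\x00" * 9
    + b"\x00libc.so.0\x00strcpy\x00memcpy\x00sprintf\x00snprintf\x00strncpy\x00_gp_disp\x00"
)
FAKE_CLEAN_DYNSTR = b"\x00libc.so.0\x00strncpy\x00snprintf\x00memcpy\x00"

if __name__ == "__main__":
    for name, fix in sorted(audit_unsafe_functions(FAKE_WEBS_DYNSTR).items()):
        print(f"{name}: replace with {fix}")
    print("gate:", "PASS" if build_gate(FAKE_WEBS_DYNSTR) else "FAIL")
```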
  59. Funny Thing About Encryption
  60. 6. Firmware Encryption • Signing firmware updates makes it harder to backdoor existing firmware • Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security) • Also, XOR is NOT encryption • detecting-backdoors/d/d-id/1139859?
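Why the slide insists XOR is not encryption, as an added example that is not from the talk: a firmware image "encrypted" with a repeating XOR key hands the key to anyone who knows that most of the image is zero padding, because 0x00 XOR k is k, so the vendor gets no confidentiality and should rely on signatures instead. The image header, code section and key below are constructed; the recovery goes beyond the single case and finds the key length itself, for any length up to the limit tried.

```python
import random
from collections import Counter

def xor_bytes(data, key):
    """Repeating-key XOR: the same routine 'encrypts' and 'decrypts'."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(ciphertext, key_len):
    """For a guessed key length, take the most common ciphertext byte at each
    key position. Wherever the plaintext is 0x00 padding that byte IS the key."""
    return bytes(
        Counter(ciphertext[i::key_len]).most_common(1)[0][0] for i in range(key_len)
    )

def break_repeating_xor(ciphertext, max_key_len=32):
    """Try every key length up to max_key_len and keep the shortest key whose
    decryption yields the most 0x00 bytes: multiples of the true length only
    tie, and a wrong length scatters the padding. Returns (key, plaintext)."""
    best_score, best_key = -1.0, b""
    for key_len in range(1, max_key_len + 1):
        key = recover_key(ciphertext, key_len)
        score = xor_bytes(ciphertext, key).count(0) / len(ciphertext)
        if score > best_score:
            best_score, best_key = score, key
    return best_key, xor_bytes(ciphertext, best_key)

# Constructed "firmware image": a readable header, 1 KiB of code-like random
# bytes (fixed seed), then zero padding to 4 KiB, as a real image would have.
_rng = random.Random(2014)
SAMPLE_IMAGE = (
    b"FIRMWARE-IMAGE v1.2 build 20140925\x00"
    + bytes(_rng.getrandbits(8) for _ in range(1024))
).ljust(4096, b"\x00")
SAMPLE_KEY = b"D3vK3y!"  # constructed 7-byte key of the kind a vendor bakes in
SAMPLE_CIPHERTEXT = xor_bytes(SAMPLE_IMAGE, SAMPLE_KEY)

if __name__ == "__main__":
    key, plain = break_repeating_xor(SAMPLE_CIPHERTEXT)
    print("recovered key:", key)
    print("header:", plain[:34].decode())
```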
  61. 7. User Friendly Firmware Updates • Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...) • Step back: most are unaware devices need to be updated for security, and amazed that it actually works • Even the term “update firmware” is too geeky; we need to change this • Smartphones are a great example
  62. 8. Secure Web Frameworks • The code behind the web management interface is typically poorly implemented • Java, Ruby, Python, .NET - all too “heavy” to implement on small systems • Developers typically write their own, with results similar to “Well, I’ll just implement my own encryption algorithm”
  63. 9. Maintain a CIRT • Look, this is FREE help! • D-Link has fixed the problems we covered earlier • Some vulnerabilities never get fixed • Researchers get frustrated and just post the exploits to Pastebin • Prezi got hacked, paid the researcher money, and wrote a nice blog post about it that linked to the researcher’s presentation (not in Prezi) • It pays to work and collaborate with security researchers
  64. 10. Secure Protocols • UPnP, IPMI, HNAP, DLNA are common protocols on consumer devices • Modbus is popular on SCADA devices • The problem is they offer great functionality • But security is often left out entirely • IPMI and HNAP have had huge problems, leading to major issues and even the “Linksys Router Worm” • The protocols desperately need security...
  65. For Slides: Join Our Mailing List: • Podcasts/Blogs/Videos: • Contact Me: