SlideShare a Scribd company logo
1 of 27
Download to read offline
Eystein Stenberg
CTO
Mender.io
Linux IoT Botnet Wars and the Lack of Security Hardening
- Chris Pirillo
● Eystein Stenberg
○ 8 years in systems security management
○ M. Sc., Computer Science, Cryptography
○ eystein@mender.io
● Mender.io
○ Over-the-air updater for Embedded Linux
○ Open source (Apache License, v2)
○ Dual A/B rootfs layout (client)
○ Remote deployment management (server)
○ Under active development
About me
We need to learn from past compromises
● Avoid the same mistakes
● Think about security design of your products or code
● Peace of mind you will not be next
Session overview
● Case-studies of device compromises & botnets
○ Mirai (August 2016)
○ Hajime (October 2016)
○ BrickerBot (March 2017)
● Common security problems
● Solution designs
Mirai - Purpose and impact
● Discovered: August 2016
○ Mirai means “future” in Japanese
● 200,000 - 300,000 “stable” infections
○ Peaked at 600,000 infections
● Used for DDoS in late 2016
○ Krebs on Security (600 GBps), OVH
○ Dyn DNS
○ Can be extended for other uses
● Source code on GitHub
○ Leaked in hacker forums, published by researchers
○ https://github.com/jgamblin/Mirai-Source-Code
Source: Understanding the Mirai Botnet, Usenix
Mirai - Design (1/2 - Discovery)
1. IPv4 TCP SYN probes for port 23 and 2323
○ Later iteration: SSH, CWMP/TR-069 exploit
2. 10 brute force Telnet login attempts
○ From list of 62 username/passwords
3. Send IP & credentials to report server
Existing infection
23
2323
1. Scan
2. Login
admin/admin
IP: 1.2.3.4
Report server
(attacker-controlled)
3. IP: 1.2.3.4
admin/admin
Mirai - Design (2/2 - Infection)
1. Loader program
○ Detects environment and installs Mirai
2. Obfuscation
○ Randomize process name
○ Delete executable
○ I.e. Mirai does not survive reboots
3. Remove “competitive” services
○ Remote login (Telnet, SSH)
○ Other malware
4. Listen for commands, scan for more victims
23
2323
IP: 1.2.3.4
Report server
(attacker-controlled)
Loader
(attacker
controlled)
1. IP: 1.2.3.4
admin/admin
Infection
Install Mirai
Command
& Control
server
Mirai - Summary
● Embedded Linux devices
○ DVRs, IP cameras, routers, printers
○ ~30 vendors, many devices
● Efficient spreading
○ Remote login (port open)
○ Internet-wide scanning
○ Asynchronous
● Exploited default credentials
○ username / password
● “...demonstrate that novice malicious techniques can compromise enough low-end devices to
threaten even some of the best-defended targets...”
○ Surprising scale of trivial problems (600,000+ devices)
Hajime - Purpose and impact
● Discovered: October 2016
○ Similar timeframe and net pattern as Mirai
○ Named “beginning” (Japanese) by researchers
○ Hajime author adapted it after report published
● Modest estimate: ~30,000 infections
○ Likely 200,000 max infections
● Seemingly not used for attacks
○ No DDoS capability
○ No attack code
○ Can change at any time (via update)
● Displays a terminal message every 10 minutes
○ “White worm” by a vigilante?
Sources: Hajime worm battles Mirai for control of the Internet of Things, Symantec
Hajime: Analysis of a decentralized internet worm for IoT devices, Rapidity Networks
Hajime - Design (1/2 - Discovery)
1. IPv4 TCP SYN probes for port 23
2. Brute force Telnet login attempts
○ From list of 64 username/passwords
○ Same as Mirai + 2 more
3. Write a file transfer binary on victim
○ 484 bytes (raw TCP transfer binary)
○ Written in assembly(!)
4. Victim connects to attacker and downloads Hajime binary
Existing infection
23
1. Scan
2. Login
admin/admin
3. Write file
transfer binary
IP: 1.2.3.4
4. Connect back
to download
Hajime binary
Hajime - Design (2/2 - Infection)
1. Victim connects to decentralized “overlay” peer network
○ BitTorrent DHT (discovery)
○ uTorrent Transport Protocol (data)
○ Installs Hajime scanner (“exp module”) and network configuration
2. Obfuscation
○ Renames itself to telnetd
○ Remove its binary
○ Does not survive reboots
3. Improves security of device
○ Closes ports 23, 7547, 5555, and 5358
○ Mirai targeted some of these
4. Scan for more victims
IP: 1.2.3.4
Join peer
network
Infected peer network
Hajime - Summary
● Embedded Linux devices
○ ARMv5, ARMv7
○ Intel x86-64, MIPS (little-endian)
● Decentralized spreading
○ Remote login (port open)
○ DHT/uTP based
● Exploited default credentials
○ username / password
● Target the same devices as Mirai
BrickerBot - Purpose and impact
● Discovered: March 2017
● Author claims 2,000,000 total infections
● Erases all storage and bricks the device
○ Destructive “white worm” by a vigilante
○ “PDoS” attack against devices
Sources: BrickerBot, the permanent denial-of-service botnet, is back with a vengeance
BrickerBot PDoS Attack: Back With A Vengeance
BrickerBot - Design
1. IPv4 TCP SYN probes for port 23
2. Brute force Telnet login attempts
3. Brick device
○ Erase disk partitions & files
○ Disable networking
○ Reboot
4. Connect to next device
○ Victim is not attacking other devices (gets bricked)
○ Static set of attacking devices (tens)
Attacking devices
(just 10s of them)
23
1. Scan
2. Login
admin/admin
3. Brick device
IP: 1.2.3.4
BrickerBot - Manifesto of claimed author
“[...] I was dismayed by the indiscriminate DDoS attacks by
IoT botnets in 2016. I thought for sure that the large
attacks would force the industry to finally get its act
together, but after a few months of record-breaking
attacks it became obvious that in spite of all the sincere
efforts the problem couldn't be solved quickly enough by
conventional means.”
BrickerBot - Summary
● Embedded Linux devices as attackers
○ Dropbear with Telnet
● Fixed set of attacker devices
○ Likely in just in the 10s
○ Cannot spread as it bricks the victim
● Exploited default credentials
○ username / password
● Target the same devices as Mirai and Hajime
Mirai Hajime BrickerBot
Discovered 2016, August 2016, October 2017, March
Purpose DDoS (profit?) Secure devices (?) “Secure” devices
(permanently)
Negative impact Internet-wide outages No significant (so far) 2 million bricked devices
Reconnaissance Async SYN, multi port Test port 23 Test port 23
Access Default user/pass Default user/pass Default user/pass
Architecture Centralized Distributed Centralized
Est. peak reach 600,000 30,000 - 200,000 2,000,000 (all time)
Est. attacking devices 600,000 30,000 - 200,000 <100
Malware summary
Attack vector Mirai Hajime BrickerBot
Remote login (port open)
Default credentials
Elevated privileges
Software exploit (vulnerability) New strains? New strains?
The attack vectors (even credential list) are almost identical!
Malware attack vectors
Improving motivation of device manufacturers
● The attack vectors are too trivial
○ Like Windows in the 90s
○ Can be significantly remediated with little effort
● Device manufacturers should be held accountable
○ It should not be end users!
○ Buyers can demand better security
● IoT Cybersecurity Improvement Act of 2017
○ Basic security for devices purchased by government
○ Covers all Internet-connected devices
○ Likely improves security of other sectors
○ Not passed to law yet
● More BrickerBot flavors?
● It is always possible to compromise
● Lower Return on Investment (ROI) for attacker
○ Decrease value of successful attack
○ Increase cost of successful attack
● There are generic solutions to increasing cost of an attack
Your goal is to lower attacker Return on Investment
Action
1. Reconnaissance
2. Intrusion
3. Insert backdoor
4. Clean up
Desired outcome
➔ Discover vulnerabilities
➔ Initial access
➔ Ongoing access
➔ Avoid detection
Anatomy of an attack
Action
1. Reconnaissance
2. Intrusion
3. Insert backdoor
4. Clean up
Approach
➔ Distributed & fast portscan, especially telnet
➔ Default username/password list (64 combos),
CWMP exploit
➔ Detect environment, download & run binary
➔ Process name obfuscation, remove binaries
Anatomy of the three botnet attacks
Action
1. Reconnaissance
2. Intrusion
3. Insert backdoor
4. Clean up
Approach
➔ Distributed & fast portscan, especially telnet
➔ Default username/password list (64 combos),
CWMP exploit
➔ Detect environment, download & run binary
➔ Process name obfuscation, remove binaries
Default closed ports
Network segmentation
Random initial passwords
Service security updates
Principle of least privilege
Mitigating the botnet attacks
Action
1. Reconnaissance
2. Intrusion
3. Insert backdoor
4. Clean up
Approach
➔ Distributed & fast portscan, especially telnet
➔ Default username/password list (64 combos),
CWMP exploit
➔ Detect environment, download & run binary
➔ Process name obfuscation, remove binaries
Default closed ports
Network segmentation
Random initial passwords
Service security updates
Principle of least privilege
Some of the vendors had manual 1-by-1 updatability; passing the burden to the user (like your wifi router).
OTA updates can also address
currently unknown vulnerabilities.
OTA updates can mitigate most cases
● Power loss during the update process
○ Atomic? Automated rollback?
● Secure communication (e.g. TLS, certs)
● Signed updates
● Homegrown seems easy?
Tesla hacked by security researchers
in September 2016
“Cryptographic validation of firmware
updates is something we’ve wanted to do
for a while[…]” - Tesla’s CTO JB Straubel
Vulnerability in Deutsche Telekom’s updater exploited
https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/
We need robust and secure OTA updates
Let us remove the similarities with basic security hardening

More Related Content

What's hot

Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовPositive Hack Days
 
Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.Shin'ichiro Matsuo
 
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]RootedCON
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementationsTrupti Shiralkar, CISSP
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security ApplicationsHatem Mahmoud
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentalsTariq kanher
 
cryptography deepan fav subject
cryptography deepan fav subjectcryptography deepan fav subject
cryptography deepan fav subjectdeepan v
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and DefenseErik Iker
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedThomas Roccia
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationTamas K Lengyel
 
Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]RootedCON
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringbartblaze
 

What's hot (20)

Cryto Party at CCU
Cryto Party at CCUCryto Party at CCU
Cryto Party at CCU
 
Хакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентовХакеры хотят ваш банк больше, чем ваших клиентов
Хакеры хотят ваш банк больше, чем ваших клиентов
 
Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.Cryptographic Protocol is and isn't like LEGO.
Cryptographic Protocol is and isn't like LEGO.
 
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
Ángel Palomo Cisneros - Programming and playing a MITM attack [rooted2018]
 
Cys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat BriefingCys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat Briefing
 
Common crypto attacks and secure implementations
Common crypto attacks and secure implementationsCommon crypto attacks and secure implementations
Common crypto attacks and secure implementations
 
Network Security Applications
Network Security ApplicationsNetwork Security Applications
Network Security Applications
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Network Security fundamentals
Network Security fundamentalsNetwork Security fundamentals
Network Security fundamentals
 
Backtrack os 5
Backtrack os 5Backtrack os 5
Backtrack os 5
 
CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS CS6004 CYBER FORENSICS
CS6004 CYBER FORENSICS
 
cryptography deepan fav subject
cryptography deepan fav subjectcryptography deepan fav subject
cryptography deepan fav subject
 
Linux Security
Linux SecurityLinux Security
Linux Security
 
Backtrack
BacktrackBacktrack
Backtrack
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
e-Extortion Trends and Defense
e-Extortion Trends and Defensee-Extortion Trends and Defense
e-Extortion Trends and Defense
 
Wannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons LearnedWannacry | Technical Insight and Lessons Learned
Wannacry | Technical Insight and Lessons Learned
 
Malware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware VirtualizationMalware Collection and Analysis via Hardware Virtualization
Malware Collection and Analysis via Hardware Virtualization
 
Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]Dario Durando - IoT: Battle of Bots [rooted2018]
Dario Durando - IoT: Battle of Bots [rooted2018]
 
Malware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineeringMalware analysis, threat intelligence and reverse engineering
Malware analysis, threat intelligence and reverse engineering
 

Similar to Linux IoT Botnet Wars and the lack of basic security hardening

Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Mender.io
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDebra Baker, CISSP CSSP
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008ClubHack
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008ClubHack
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CDamiable_indian
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomwareSophos Benelux
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9Geoff Pesimo
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2ShapeBlue
 
Malware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareMalware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareCyphort
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementMayur Nanotkar
 
Chapter 09
Chapter 09Chapter 09
Chapter 09 Google
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Maksim Shudrak
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxAmitesh Bharti
 

Similar to Linux IoT Botnet Wars and the lack of basic security hardening (20)

Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
Linux IOT Botnet Wars and the Lack of Basic Security Hardening - OSCON 2018
 
Hacking by Pratyush Gupta
Hacking by Pratyush GuptaHacking by Pratyush Gupta
Hacking by Pratyush Gupta
 
Analysing Ransomware
Analysing RansomwareAnalysing Ransomware
Analysing Ransomware
 
Disruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptxDisruptionware-TRustedCISO103020v0.7.pptx
Disruptionware-TRustedCISO103020v0.7.pptx
 
Hacking tutorial
Hacking tutorialHacking tutorial
Hacking tutorial
 
Botnets Attacks.pptx
Botnets Attacks.pptxBotnets Attacks.pptx
Botnets Attacks.pptx
 
Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008Kunal - Introduction to BackTrack - ClubHack2008
Kunal - Introduction to BackTrack - ClubHack2008
 
Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008Kunal - Introduction to backtrack - ClubHack2008
Kunal - Introduction to backtrack - ClubHack2008
 
Workshop on BackTrack live CD
Workshop on BackTrack live CDWorkshop on BackTrack live CD
Workshop on BackTrack live CD
 
How to stay protected against ransomware
How to stay protected against ransomwareHow to stay protected against ransomware
How to stay protected against ransomware
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 
Hacking 1224807880385377-9
Hacking 1224807880385377-9Hacking 1224807880385377-9
Hacking 1224807880385377-9
 
Hacking
HackingHacking
Hacking
 
Hacking
HackingHacking
Hacking
 
Securing your Cloud Environment v2
Securing your Cloud Environment v2Securing your Cloud Environment v2
Securing your Cloud Environment v2
 
Malware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things MalwareMalware's Most Wanted: Linux and Internet of Things Malware
Malware's Most Wanted: Linux and Internet of Things Malware
 
Advanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security ManagementAdvanced Persistent Threats (APTs) - Information Security Management
Advanced Persistent Threats (APTs) - Information Security Management
 
Chapter 09
Chapter 09Chapter 09
Chapter 09
 
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
Tricky sample? Hack it easy! Applying dynamic binary inastrumentation to ligh...
 
Threats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in LinuxThreats, Vulnerabilities & Security measures in Linux
Threats, Vulnerabilities & Security measures in Linux
 

More from Mender.io

Mender: The open-source software update solution
Mender: The open-source software update solutionMender: The open-source software update solution
Mender: The open-source software update solutionMender.io
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesMender.io
 
The ultimate guide to software updates on embedded linux devices
The ultimate guide to software updates on embedded linux devicesThe ultimate guide to software updates on embedded linux devices
The ultimate guide to software updates on embedded linux devicesMender.io
 
A million ways to provision embedded linux devices
A million ways to provision embedded linux devicesA million ways to provision embedded linux devices
A million ways to provision embedded linux devicesMender.io
 
Embedded linux build systems
Embedded linux build systems  Embedded linux build systems
Embedded linux build systems Mender.io
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Mender.io
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded buildsMender.io
 
Mender; the open-source software update solution
Mender; the open-source software update solutionMender; the open-source software update solution
Mender; the open-source software update solutionMender.io
 
IoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianIoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianMender.io
 
Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Mender.io
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesMender.io
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to ProductionMender.io
 
Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Mender.io
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Mender.io
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to productionMender.io
 
Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Mender.io
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io
 
Mender.io | Develop embedded applications faster | Comparing C and Golang
Mender.io | Develop embedded applications faster | Comparing C and GolangMender.io | Develop embedded applications faster | Comparing C and Golang
Mender.io | Develop embedded applications faster | Comparing C and GolangMender.io
 

More from Mender.io (18)

Mender: The open-source software update solution
Mender: The open-source software update solutionMender: The open-source software update solution
Mender: The open-source software update solution
 
IoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSesIoT: Contrasting Yocto/Buildroot to binary OSes
IoT: Contrasting Yocto/Buildroot to binary OSes
 
The ultimate guide to software updates on embedded linux devices
The ultimate guide to software updates on embedded linux devicesThe ultimate guide to software updates on embedded linux devices
The ultimate guide to software updates on embedded linux devices
 
A million ways to provision embedded linux devices
A million ways to provision embedded linux devicesA million ways to provision embedded linux devices
A million ways to provision embedded linux devices
 
Embedded linux build systems
Embedded linux build systems  Embedded linux build systems
Embedded linux build systems
 
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
Integrate IoT cloud analytics and over the-air (ota) updates with google and ...
 
Configuring wifi in open embedded builds
Configuring wifi in open embedded buildsConfiguring wifi in open embedded builds
Configuring wifi in open embedded builds
 
Mender; the open-source software update solution
Mender; the open-source software update solutionMender; the open-source software update solution
Mender; the open-source software update solution
 
IoT Prototyping using BBB and Debian
IoT Prototyping using BBB and DebianIoT Prototyping using BBB and Debian
IoT Prototyping using BBB and Debian
 
Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018Why the yocto project for my io t project elc_edinburgh_2018
Why the yocto project for my io t project elc_edinburgh_2018
 
Strategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and imagesStrategies for developing and deploying your embedded applications and images
Strategies for developing and deploying your embedded applications and images
 
IoT Development from Prototype to Production
IoT Development from Prototype to ProductionIoT Development from Prototype to Production
IoT Development from Prototype to Production
 
Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018Software Updates for Connected Devices - OSCON 2018
Software Updates for Connected Devices - OSCON 2018
 
Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018Embedded Linux Build Systems - Texas Linux Fest 2018
Embedded Linux Build Systems - Texas Linux Fest 2018
 
Iot development from prototype to production
Iot development from prototype to productionIot development from prototype to production
Iot development from prototype to production
 
Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018Securing the Connected Car - SCaLE 2018
Securing the Connected Car - SCaLE 2018
 
Mender.io | Securing the Connected Car
Mender.io | Securing the Connected CarMender.io | Securing the Connected Car
Mender.io | Securing the Connected Car
 
Mender.io | Develop embedded applications faster | Comparing C and Golang
Mender.io | Develop embedded applications faster | Comparing C and GolangMender.io | Develop embedded applications faster | Comparing C and Golang
Mender.io | Develop embedded applications faster | Comparing C and Golang
 

Recently uploaded

Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...OnePlan Solutions
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfWSO2
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Eraconfluent
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdfSelfMade bd
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletAndrea Goulet
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024SimonedeGijt
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Soroosh Khodami
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIInflectra
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Gáspár Nagy
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In sowetokasambamuno
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfkalichargn70th171
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Henry Schreiner
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024Shane Coughlan
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Andrea Goulet
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio, Inc.
 
What is a Recruitment Management Software?
What is a Recruitment Management Software?What is a Recruitment Management Software?
What is a Recruitment Management Software?NYGGS Automation Suite
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringPrakhyath Rai
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMarkus Moeller
 

Recently uploaded (20)

Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
Optimizing Operations by Aligning Resources with Strategic Objectives Using O...
 
architecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdfarchitecting-ai-in-the-enterprise-apis-and-applications.pdf
architecting-ai-in-the-enterprise-apis-and-applications.pdf
 
Evolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI EraEvolving Data Governance for the Real-time Streaming and AI Era
Evolving Data Governance for the Real-time Streaming and AI Era
 
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
Auto Affiliate  AI Earns First Commission in 3 Hours..pdfAuto Affiliate  AI Earns First Commission in 3 Hours..pdf
Auto Affiliate AI Earns First Commission in 3 Hours..pdf
 
Community is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea GouletCommunity is Just as Important as Code by Andrea Goulet
Community is Just as Important as Code by Andrea Goulet
 
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
Abortion Clinic In Johannesburg ](+27832195400*)[ 🏥 Safe Abortion Pills in Jo...
 
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
Wired_2.0_CREATE YOUR ULTIMATE LEARNING ENVIRONMENT_JCON_16052024
 
Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024Secure Software Ecosystem Teqnation 2024
Secure Software Ecosystem Teqnation 2024
 
From Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST APIFrom Theory to Practice: Utilizing SpiraPlan's REST API
From Theory to Practice: Utilizing SpiraPlan's REST API
 
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
Tree in the Forest - Managing Details in BDD Scenarios (live2test 2024)
 
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
^Clinic ^%[+27788225528*Abortion Pills For Sale In soweto
 
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdfThe Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
The Evolution of Web App Testing_ An Ultimate Guide to Future Trends.pdf
 
Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024Modern binary build systems - PyCon 2024
Modern binary build systems - PyCon 2024
 
OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024OpenChain @ LF Japan Executive Briefing - May 2024
OpenChain @ LF Japan Executive Briefing - May 2024
 
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
Entropy, Software Quality, and Innovation (presented at Princeton Plasma Phys...
 
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-CloudAlluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
Alluxio Monthly Webinar | Simplify Data Access for AI in Multi-Cloud
 
What is a Recruitment Management Software?
What is a Recruitment Management Software?What is a Recruitment Management Software?
What is a Recruitment Management Software?
 
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
Abortion Clinic In Polokwane ](+27832195400*)[ 🏥 Safe Abortion Pills in Polok...
 
Software Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements EngineeringSoftware Engineering - Introduction + Process Models + Requirements Engineering
Software Engineering - Introduction + Process Models + Requirements Engineering
 
Microsoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdfMicrosoft365_Dev_Security_2024_05_16.pdf
Microsoft365_Dev_Security_2024_05_16.pdf
 

Linux IoT Botnet Wars and the lack of basic security hardening

  • 1. Eystein Stenberg CTO Mender.io Linux IoT Botnet Wars and the Lack of Security Hardening
  • 3. ● Eystein Stenberg ○ 8 years in systems security management ○ M. Sc., Computer Science, Cryptography ○ eystein@mender.io ● Mender.io ○ Over-the-air updater for Embedded Linux ○ Open source (Apache License, v2) ○ Dual A/B rootfs layout (client) ○ Remote deployment management (server) ○ Under active development About me
  • 4. We need to learn from past compromises ● Avoid the same mistakes ● Think about security design of your products or code ● Peace of mind you will not be next
  • 5. Session overview ● Case-studies of device compromises & botnets ○ Mirai (August 2016) ○ Hajime (October 2016) ○ BrickerBot (March 2017) ● Common security problems ● Solution designs
  • 6. Mirai - Purpose and impact ● Discovered: August 2016 ○ Mirai means “future” in Japanese ● 200,000 - 300,000 “stable” infections ○ Peaked at 600,000 infections ● Used for DDoS in late 2016 ○ Krebs on Security (600 GBps), OVH ○ Dyn DNS ○ Can be extended for other uses ● Source code on GitHub ○ Leaked in hacker forums, published by researchers ○ https://github.com/jgamblin/Mirai-Source-Code Source: Understanding the Mirai Botnet, Usenix
  • 7. Mirai - Design (1/2 - Discovery) 1. IPv4 TCP SYN probes for port 23 and 2323 ○ Later iteration: SSH, CWMP/TR-069 exploit 2. 10 brute force Telnet login attempts ○ From list of 62 username/passwords 3. Send IP & credentials to report server Existing infection 23 2323 1. Scan 2. Login admin/admin IP: 1.2.3.4 Report server (attacker-controlled) 3. IP: 1.2.3.4 admin/admin
  • 8. Mirai - Design (2/2 - Infection) 1. Loader program ○ Detects environment and installs Mirai 2. Obfuscation ○ Randomize process name ○ Delete executable ○ I.e. Mirai does not survive reboots 3. Remove “competitive” services ○ Remote login (Telnet, SSH) ○ Other malware 4. Listen for commands, scan for more victims 23 2323 IP: 1.2.3.4 Report server (attacker-controlled) Loader (attacker controlled) 1. IP: 1.2.3.4 admin/admin Infection Install Mirai Command & Control server
  • 9. Mirai - Summary ● Embedded Linux devices ○ DVRs, IP cameras, routers, printers ○ ~30 vendors, many devices ● Efficient spreading ○ Remote login (port open) ○ Internet-wide scanning ○ Asynchronous ● Exploited default credentials ○ username / password ● “...demonstrate that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets...” ○ Surprising scale of trivial problems (600,000+ devices)
  • 10. Hajime - Purpose and impact ● Discovered: October 2016 ○ Similar timeframe and net pattern as Mirai ○ Named “beginning” (Japanese) by researchers ○ Hajime author adapted it after report published ● Modest estimate: ~30,000 infections ○ Likely 200,000 max infections ● Seemingly not used for attacks ○ No DDoS capability ○ No attack code ○ Can change at any time (via update) ● Displays a terminal message every 10 minutes ○ “White worm” by a vigilante? Sources: Hajime worm battles Mirai for control of the Internet of Things, Symantec Hajime: Analysis of a decentralized internet worm for IoT devices, Rapidity Networks
  • 11. Hajime - Design (1/2 - Discovery) 1. IPv4 TCP SYN probes for port 23 2. Brute force Telnet login attempts ○ From list of 64 username/passwords ○ Same as Mirai + 2 more 3. Write a file transfer binary on victim ○ 484 bytes (raw TCP transfer binary) ○ Written in assembly(!) 4. Victim connects to attacker and downloads Hajime binary Existing infection 23 1. Scan 2. Login admin/admin 3. Write file transfer binary IP: 1.2.3.4 4. Connect back to download Hajime binary
  • 12. Hajime - Design (2/2 - Infection) 1. Victim connects to decentralized “overlay” peer network ○ BitTorrent DHT (discovery) ○ uTorrent Transport Protocol (data) ○ Installs Hajime scanner (“exp module”) and network configuration 2. Obfuscation ○ Renames itself to telnetd ○ Remove its binary ○ Does not survive reboots 3. Improves security of device ○ Closes ports 23, 7547, 5555, and 5358 ○ Mirai targeted some of these 4. Scan for more victims IP: 1.2.3.4 Join peer network Infected peer network
  • 13. Hajime - Summary ● Embedded Linux devices ○ ARMv5, ARMv7 ○ Intel x86-64, MIPS (little-endian) ● Decentralized spreading ○ Remote login (port open) ○ DHT/uTP based ● Exploited default credentials ○ username / password ● Target the same devices as Mirai
  • 14. BrickerBot - Purpose and impact ● Discovered: March 2017 ● Author claims 2,000,000 total infections ● Erases all storage and bricks the device ○ Destructive “white worm” by a vigilante ○ “PDoS” attack against devices Sources: BrickerBot, the permanent denial-of-service botnet, is back with a vengeance BrickerBot PDoS Attack: Back With A Vengeance
  • 15. BrickerBot - Design 1. IPv4 TCP SYN probes for port 23 2. Brute force Telnet login attempts 3. Brick device ○ Erase disk partitions & files ○ Disable networking ○ Reboot 4. Connect to next device ○ Victim is not attacking other devices (gets bricked) ○ Static set of attacking devices (tens) Attacking devices (just 10s of them) 23 1. Scan 2. Login admin/admin 3. Brick device IP: 1.2.3.4
  • 16. BrickerBot - Manifesto of claimed author “[...] I was dismayed by the indiscriminate DDoS attacks by IoT botnets in 2016. I thought for sure that the large attacks would force the industry to finally get its act together, but after a few months of record-breaking attacks it became obvious that in spite of all the sincere efforts the problem couldn't be solved quickly enough by conventional means.”
  • 17. BrickerBot - Summary ● Embedded Linux devices as attackers ○ Dropbear with Telnet ● Fixed set of attacker devices ○ Likely in just in the 10s ○ Cannot spread as it bricks the victim ● Exploited default credentials ○ username / password ● Target the same devices as Mirai and Hajime
  • 18. Mirai Hajime BrickerBot Discovered 2016, August 2016, October 2017, March Purpose DDoS (profit?) Secure devices (?) “Secure” devices (permanently) Negative impact Internet-wide outages No significant (so far) 2 million bricked devices Reconnaissance Async SYN, multi port Test port 23 Test port 23 Access Default user/pass Default user/pass Default user/pass Architecture Centralized Distributed Centralized Est. peak reach 600,000 30,000 - 200,000 2,000,000 (all time) Est. attacking devices 600,000 30,000 - 200,000 <100 Malware summary
  • 19. Attack vector Mirai Hajime BrickerBot Remote login (port open) Default credentials Elevated privileges Software exploit (vulnerability) New strains? New strains? The attack vectors (even credential list) are almost identical! Malware attack vectors
  • 20. Improving motivation of device manufacturers ● The attack vectors are too trivial ○ Like Windows in the 90s ○ Can be significantly remediated with little effort ● Device manufacturers should be held accountable ○ It should not be end users! ○ Buyers can demand better security ● IoT Cybersecurity Improvement Act of 2017 ○ Basic security for devices purchased by government ○ Covers all Internet-connected devices ○ Likely improves security of other sectors ○ Not passed to law yet ● More BrickerBot flavors?
  • 21. ● It is always possible to compromise ● Lower Return on Investment (ROI) for attacker ○ Decrease value of successful attack ○ Increase cost of successful attack ● There are generic solutions to increasing cost of an attack Your goal is to lower attacker Return on Investment
  • 22. Action 1. Reconnaissance 2. Intrusion 3. Insert backdoor 4. Clean up Desired outcome ➔ Discover vulnerabilities ➔ Initial access ➔ Ongoing access ➔ Avoid detection Anatomy of an attack
  • 23. Action 1. Reconnaissance 2. Intrusion 3. Insert backdoor 4. Clean up Approach ➔ Distributed & fast portscan, especially telnet ➔ Default username/password list (64 combos), CWMP exploit ➔ Detect environment, download & run binary ➔ Process name obfuscation, remove binaries Anatomy of the three botnet attacks
  • 24. Action 1. Reconnaissance 2. Intrusion 3. Insert backdoor 4. Clean up Approach ➔ Distributed & fast portscan, especially telnet ➔ Default username/password list (64 combos), CWMP exploit ➔ Detect environment, download & run binary ➔ Process name obfuscation, remove binaries Default closed ports Network segmentation Random initial passwords Service security updates Principle of least privilege Mitigating the botnet attacks
  • 25. Action 1. Reconnaissance 2. Intrusion 3. Insert backdoor 4. Clean up Approach ➔ Distributed & fast portscan, especially telnet ➔ Default username/password list (64 combos), CWMP exploit ➔ Detect environment, download & run binary ➔ Process name obfuscation, remove binaries Default closed ports Network segmentation Random initial passwords Service security updates Principle of least privilege Some of the vendors had manual 1-by-1 updatability; passing the burden to the user (like your wifi router). OTA updates can also address currently unknown vulnerabilities. OTA updates can mitigate most cases
  • 26. ● Power loss during the update process ○ Atomic? Automated rollback? ● Secure communication (e.g. TLS, certs) ● Signed updates ● Homegrown seems easy? Tesla hacked by security researchers in September 2016 “Cryptographic validation of firmware updates is something we’ve wanted to do for a while[…]” - Tesla’s CTO JB Straubel Vulnerability in Deutsche Telekom’s updater exploited https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/ We need robust and secure OTA updates
  • 27. Let us remove the similarities with basic security hardening