The Internet of Things (IoT) aims to make our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world examples of how devices are exploited (and attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.
The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014
1. The Internet Of Insecure Things:
10 Most Wanted List
Paul Asadoorian
Founder & CEO
http://securityweekly.com
2. Things About Paul
http://securityweekly.com Copyright 2014
Work Thing
Podcast thing
Hacks things
Enjoys things
3. Things About This
Presentation
• Yes, I may say “The Internet of Things”
• This is not about “watch me hack this device”
• While this is fun, we’ve established things are vulnerable
• Also, the sky is not falling because someone can hack your
toaster (yet)
4. It’s More About…
• Real attack vectors against embedded systems
• Some examples of vulnerabilities and attacks (we have to
have some fun!)
• Understanding the different types of systems and
applications
• Most important, what do “we” do about it?
• The manufacturers of embedded systems
• The folks tasked with protecting networks, systems and infrastructure
5. Embedded Systems
“An embedded system is
a special-purpose system
in which the computer is
completely encapsulated
by the device it controls.”
http://www.ece.ncsu.edu/research/cas/ecs
9. Why Do We Care?
• Who cares if someone hacks my TV, fridge, lights, scale or
treadmill or wireless router?
• Attackers install Adware/Spyware/Ransomware to these devices
• Ads will be displayed on your devices without your permission
11. Why Do We Care? Privacy.
• I can see you watching TV
• I know what you eat and drink,
how often you do laundry, and
when you turn your lights/TV on
• I know how long you spend on the
toilet
• I collect all this data and use it to
send targeted ads
• Distribute pictures of you getting a
snack in your underwear at 3AM
16. Industrial Control Systems
• Turck BL67
• Tridium Niagara AX
• Siemens SCALANCE X-200
• Clorius Controls ISC
• Magnum MNS-6K
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
17. Why Do We Care?
• Potentially life threatening
• Historically operated on closed networks
• Physical attacks are in play
• Economics still apply, cost is a huge factor
• Devices have to “live” for a really long time
• It costs money to replace them
19. Why Do We Care?
• Attackers will use “things” as a jumping off point (ala
Target)
• Attackers will prey on weaknesses, such as POS systems
• Physical access is not the primary concern, but still possible
• The challenge of economics applies, low cost solutions that
solve problems will win over security
20. Medical
• IV Pumps / Drug infusion pumps
• Insulin Pumps (Wearable)
• Surgical and anesthesia devices
• Ventilators
• External defibrillators
• Patient monitors
• Laboratory and analysis equipment
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability
affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the
vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
21. Why Do We Care?
• Life threatening for sure
• Patient care will trump security every time
• Connectivity and ease of use will trump security
• Oh sorry, I can’t give you pain meds, IV pump is updating patches
• Patient confidentiality also trumps security
• More important to be compliant than secure
22. Already Happening
• http://www.proofpoint.com/about-us/press-releases/01162014.php
• “More than 750,000 Phishing and SPAM emails Launched from
"Thingbots" Including Televisions, Fridge”
• Okay, well one fridge, on purpose? By accident? Where is the
data?
• http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html
• “A Linux worm named Linux.Darlloz, earlier used to target Internet of
Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security
Cameras, printers and Industrial control systems; now have been
upgraded to mine Crypto Currencies like Bitcoin.”
23. More Already Happening
• https://blog.kaspersky.com/gaming-console-hacks/
• “I also have a bad feeling that the time for gaming malware is now, and I
am not totally sure what it will take to protect ourselves.”
• http://www.wired.com/2014/04/hikvision/
• “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever”
• “The low-powered ARM chip is one of the worst possible processors
you could pick for the crypto-heavy calculations that make up bitcoin
mining.”
• “The malicious software seems to spread using the default usernames
and passwords for the Hikvision devices”
24. If I Had To Pick One Example…
Of a really insecure embedded system it would be…
45. Even More Attacks
• HD Moore found several flaws in VxWorks, scanned 3.1
billion IP addresses and found 250,000 systems exposed
to the Internet
- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
• Craig Heffner discovered a DNS rebinding attack on
several routers allowing attackers to gain control of
administrative interfaces
- http://code.google.com/p/rebind/
46. Even More Attacks (2)
• Ki-Chan Ahn and Dong-Joo Ha created malware for
Nintendo Wii and DS systems
- http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/
• Barnaby Jack remotely attacked two different ATMs and
“made the money come out” (without a card+pin #)
- http://www.youtube.com/watch?v=qwMuMSPW3bU
47. But Why?
Why are embedded systems left out in the cold when it comes to
security?
51. What Do We Do About It?
10 Most Wanted List: A Guide For Embedded Device Manufacturers and Software Developers
52. 10 Most Wanted List
1. Backdoors inside of firmware
2. Default credentials
3. Insecure Remote management (Defaults & Clear-Text Transmissions)
4. Open-source software and drivers, NOT binary blobs
5. Functions prone to overflow conditions
6. Firmware and configuration encryption
7. Easy-to-use firmware updates (auto-updates)
8. Secure web management interfaces
9. Maintain a CIRT and provide a program for security researchers
10. Implement Protocols Security / Implement Secure Protocols
53. 1. Firmware Backdoors
• A “secret” account (or access) created by the vendor that
allows remote management
• Excuse is this is done for support reasons (password
resets)
• The problem is: it’s not so secret
55. 2. Default Credentials
• A known set of credentials used out-of-the-box
• Typically found via Google or in documentation
• The problems: Anyone can discover this value and users/
administrators don’t change it
• Also: Firmware updates sometimes reset it to the default
value
56. 3. Insecure Remote
Management
• HTTP & TELNET - It’s 2014, why are we still using these
protocols to manage systems?
• HTTPS - Yes, there is a cost for a certificate. And yes,
sometimes vendors will use the same one for every device
• SSH - Same thing here, but easier to enable by default
• Oh, and weak passwords
57. 4. Open-Source drivers
• Interoperability is nice, but also begs the security question
• How do I keep my software and hardware up-to-date if
you don’t provide me with a new driver!
• Open-source drivers allow for more eyes, and typically are
patched more quickly
58. 5. Functions prone to
overflow
• Wait, we know strcpy() is bad, right?
• Why do we still use it?
• And yes, programmers still use it
• In fact, if you take it out, they will just put it back
• https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
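The strcpy() point above, as an added example that is not from the original slides: an unchecked copy into a fixed-size device configuration field beside a checked replacement that rejects oversized input. The struct layout, the 16-byte field size and the function names are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 16            /* assumed size of a config field */

struct device_config {
    char hostname[HOSTNAME_MAX];
    int  admin_enabled;            /* lives right after the buffer */
};

/* The pattern the slide complains about: no length check, so input of
 * HOSTNAME_MAX bytes or more writes past hostname[] into admin_enabled
 * and beyond. Shown for comparison only; nothing here calls it. */
void set_hostname_unsafe(struct device_config *cfg, const char *input)
{
    strcpy(cfg->hostname, input);
}

/* Hardened form: verify the input fits (terminator included) before
 * copying, and reject it otherwise instead of silently truncating.
 * Returns 0 on success, -1 on NULL or oversized input. */
int set_hostname_checked(struct device_config *cfg, const char *input)
{
    if (cfg == NULL || input == NULL)
        return -1;
    /* memchr stops at the first NUL, so it never reads past the string */
    if (memchr(input, '\0', HOSTNAME_MAX) == NULL)
        return -1;
    memcpy(cfg->hostname, input, strlen(input) + 1);
    return 0;
}

int main(void)
{
    struct device_config cfg = { "", 0 };
    const char *ok = "cam-01";                          /* constructed input */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAAAAAA";  /* 24 bytes, constructed */

    printf("short input: %d\n", set_hostname_checked(&cfg, ok));
    printf("long input:  %d\n", set_hostname_checked(&cfg, too_long));
    printf("hostname=%s admin_enabled=%d\n", cfg.hostname, cfg.admin_enabled);
    return 0;
}
```

Rejecting the input, rather than truncating it the way strncpy() would, also avoids storing a value the user never typed.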
61. Funny Thing About
Encryption
62. 6. Firmware Encryption
• Signing firmware updates makes it harder to backdoor
existing firmware
• Encrypting firmware makes it tougher to reverse engineer
(though don’t let that replace real security)
• Also, XOR is NOT encryption
• http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859?
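Why "XOR is NOT encryption" and why the slide asks for signing, as an added example that is not from the original slides: on a repeating-key XOR image the zero padding shows the key verbatim, and a byte changed in the obfuscated image decodes as a changed byte with nothing to detect it. The image layout, key, sizes and function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { IMG_LEN = 32, HDR_LEN = 8, KEY_LEN = 4 };  /* constructed sizes */

/* Repeating-key XOR: the same call "encrypts" and "decrypts". */
void xor_repeat(unsigned char *buf, size_t len, const unsigned char *key)
{
    for (size_t i = 0; i < len; i++)
        buf[i] ^= key[i % KEY_LEN];
}

/* Constructed sample image: 8-byte header plus zero padding, then obfuscated. */
void make_obfuscated(unsigned char *img, const unsigned char *key)
{
    memset(img, 0, IMG_LEN);
    memcpy(img, "FWIMG1.0", HDR_LEN);
    xor_repeat(img, IMG_LEN, key);
}

/* 0x00 ^ k == k: returns 1 when the padding region is just the key repeated. */
int padding_exposes_key(const unsigned char *obf, const unsigned char *key)
{
    for (size_t i = HDR_LEN; i < IMG_LEN; i++)
        if (obf[i] != key[i % KEY_LEN]) return 0;
    return 1;
}

/* No integrity: an edit made to the obfuscated image without the key lands on
 * the same plaintext byte. Returns the byte the device decodes at `pos`. */
unsigned char decode_after_edit(const unsigned char *key, size_t pos, unsigned char delta)
{
    unsigned char img[IMG_LEN];
    make_obfuscated(img, key);
    img[pos] ^= delta;              /* edit made without the key */
    xor_repeat(img, IMG_LEN, key);  /* device-side de-obfuscation */
    return img[pos];
}

int main(void)
{
    const unsigned char key[KEY_LEN] = { 0xDE, 0xAD, 0xBE, 0xEF };  /* constructed key */
    unsigned char img[IMG_LEN];
    make_obfuscated(img, key);
    printf("key visible in padding: %d\n", padding_exposes_key(img, key));
    printf("byte 7 after edit: %c\n", decode_after_edit(key, 7, '0' ^ '1'));
    return 0;
}
```

A signature verified over the whole image before it is flashed is what catches the second case; obfuscation of any strength does not.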
63. 7. User Friendly Firmware
Updates
• Take a page right from Microsoft’s playbook (I can’t believe
I just wrote that, but...)
• Step back, most are unaware devices need to be updated
for security, amazed that it actually works
• Even the term “update firmware” is too geeky, we need to
change this
• Smartphones are a great example
64. 8. Secure Web Frameworks
• The code behind the web management interface is typically
poorly implemented
• Java, Ruby, Python, .NET - all too “heavy” to implement on
small systems
• Developers typically write their own, similar results to
“Well, I’ll just implement my own encryption algorithm”
65. 9. Maintain a CIRT
• Look, this is FREE help!
• D-Link has fixed the problems we covered earlier
• Some vulnerabilities never get fixed
• Researchers get frustrated and just post the exploits to
pastebin
• Prezi got hacked, paid the researcher money, and wrote a
nice blog post about it and linked to the researcher’s
presentation (not in Prezi)
• It pays to work and collaborate with security researchers
66. 10. Secure Protocols
• UPnP, IPMI, HNLP, DLNA are common protocols on
consumer devices
• Modbus is popular on SCADA devices
• The problem is they offer great functionality
• But security is often left out entirely
• IPMI and HNLP have had huge problems, leading to major
issues and even the “Linksys Router Worm”
• The protocols desperately need security...