Infecting Internet of Things

Axelle Apvrille - Fortinet, aapvrille@fortinet.com

DefCamp, November 2016


Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

6 Existing IoT malware

7 Future

8 Conclusion

Defcamp November 2016 - A. Apvrille 2/33


Who am I?

whoami

    my $self = {
        realname  => 'Axelle Apvrille',
        nickname  => 'Crypto Girl',
        company   => 'Fortinet, Fortiguard Labs, Research EMEA',
        time      => '8 years',
        job       => 'Senior Anti-Virus Researcher',
        topics    => 'Malware for smart objects (phones, IoT...)',
        twitter   => '@cryptax',
        languages => 'French, English, Hexadecimal :)'
    };


2 Ransomware on IoT

Demo: Ransomware on Smart Glasses


How the PoC works: architecture

[Architecture diagram of the smart glasses, reduced to its labels]

Hardware: OMAP 4430; LPS25 MEMS pressure sensor; LSM9DS0 accelerometer, gyroscope, compass; TMP103 temperature sensor; free fall sensor; APDS9900 ambient light sensor

OS: Android 4.1.2

Applications: Recon Camera app, Recon Compass Calibration, Assisted GPS, Heading Service, 3rd party expanded apps, PoC, Recon SDK

App locations: System apps (/system/app), Data apps (/data/app)


How the PoC works: source code

    // Only onCreate() is shown on the slide; the imports and the class wrapper
    // are added here so the snippet compiles as an Android Activity
    // (the class name is an assumption).
    import android.app.Activity;
    import android.content.Context;
    import android.os.Bundle;
    import android.widget.Toast;

    public class RansomMessageActivity extends Activity {
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            // The text to display is read from the launching intent
            CharSequence msg = (CharSequence) this.getIntent().getStringExtra("message");
            if (msg == null) {
                msg = "No text provided!";
            }
            int duration = Toast.LENGTH_LONG;
            for (int i = 0; i < 40; i++) { // Quick hack for a longer toast ;)
                Toast.makeText((Context) this, (CharSequence) msg, duration).show();
            }
            this.finish();
        }
    }

That simple? Yes. That makes it even scarier :=)


What will you do? 1/3

Did they really record your activity? Perhaps...

Smart glasses cost 500 USD ≈ 2030 RON


What will you do? 2/3

You can’t use your blood pressure monitor any longer.

But, given your medical condition, you need it.

This is a fake screenshot - no known ransomware on that app (yet)


What will you do? 3/3


Ransomware on IoT “business case”

Higher interest & risk for ransomware: Smart Cars, Internet of Medical Things, Smart TV, Smart glasses, Smart watch, Sports wristband

Ranking criterion: Device cost + Criticality (+ bonus: ease of implementation)

3 Trojans on IoT

Advanced Trojan Malware on Smart Glasses

- ≈ 5,000 new Android malware per day
- Are the smart glasses vulnerable to those?
- In theory, yes.
- In practice, it’s worth checking: no GSM/3G, wifi possible but not easy, virtual keyboard, difficult to upgrade the OS...


Android AngeCryption PoC on Smart Glasses

See A. Apvrille, A. Albertini, Hide Android Applications in Images, BlackHat Europe 2014

[Figure: AES decrypt]


AngeCryption “trick”

PNG file layout:
  PNG header
  Dummy chunk, type = 'aaaa', data = encrypted APK
  Chunk IHDR
  Chunk IDAT
  ...

Works on Android 4.4.2. Smart glasses are Android 4.1.2. Should work.

1 Put the image in an apparently benign Android application

2 Trigger decryption...

3 ... Install malicious application
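The detector below is an added example, not code from the talk or from the AngeCryption PoC. It walks the PNG chunk list and reports the layout described on this slide from a defender's side: a non-standard chunk placed ahead of IHDR (the PNG specification requires IHDR first) that carries most of the file, plus any chunk whose CRC does not match. Both sample files are constructed inline; the 'aaaa' chunk in the carrier holds filler bytes rather than an encrypted APK, and the list of known chunk types and the "more than half the file" threshold are my own choices, not anything the slide states.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Chunk types from the PNG specification (assumed list; extend as needed)
KNOWN_CHUNKS = {
    b"IHDR", b"PLTE", b"IDAT", b"IEND", b"tEXt", b"zTXt", b"iTXt", b"pHYs",
    b"tIME", b"gAMA", b"cHRM", b"sRGB", b"iCCP", b"bKGD", b"tRNS", b"sBIT",
    b"hIST", b"sPLT",
}


def parse_chunks(data):
    """Walk the chunk list after the 8-byte signature.

    Returns a list of (type, length, crc_ok) tuples in file order.
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG: bad signature")
    pos = len(PNG_SIGNATURE)
    chunks = []
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        if len(body) < length:
            raise ValueError("truncated chunk %r" % ctype)
        crc_field = data[pos + 8 + length:pos + 12 + length]
        expected = zlib.crc32(ctype + body) & 0xFFFFFFFF
        crc_ok = len(crc_field) == 4 and struct.unpack(">I", crc_field)[0] == expected
        chunks.append((ctype, length, crc_ok))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def suspicious_png(data):
    """Return a list of findings; an empty list means the layout looks ordinary."""
    chunks = parse_chunks(data)
    findings = []
    first = chunks[0][0] if chunks else None
    if first != b"IHDR":
        # The PNG specification requires IHDR to be the first chunk
        findings.append("first chunk is %r, the spec requires IHDR first" % (first,))
    for ctype, length, _ in chunks:
        if ctype in KNOWN_CHUNKS:
            continue
        if length > len(data) // 2:
            findings.append("unknown chunk %r carries %d of %d bytes" % (ctype, length, len(data)))
        else:
            findings.append("unknown chunk %r (%d bytes)" % (ctype, length))
    bad = [ctype for ctype, _, ok in chunks if not ok]
    if bad:
        findings.append("CRC mismatch in " + ", ".join(repr(c) for c in bad))
    return findings


def chunk(ctype, body):
    """Serialise one chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_samples():
    """Two constructed files: a plain 1x1 PNG and a carrier with the slide's layout."""
    ihdr = chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    idat = chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00"))
    iend = chunk(b"IEND", b"")
    benign = PNG_SIGNATURE + ihdr + idat + iend
    # Stand-in for the layout on the slide: a dummy chunk of type 'aaaa' ahead of
    # IHDR. Its data is filler bytes here, not an encrypted APK.
    blob = bytes(range(256)) * 8
    carrier = PNG_SIGNATURE + chunk(b"aaaa", blob) + ihdr + idat + iend
    return benign, carrier


if __name__ == "__main__":
    for name, sample in zip(("benign", "carrier"), build_samples()):
        print(name, suspicious_png(sample) or ["no findings"])
```

A chunk that precedes IHDR is invalid per the specification yet is tolerated by lenient decoders, which is what makes the image still display; a scanner for images bundled in APKs can apply exactly this ordering check, and the size ratio distinguishes a payload-carrying chunk from small vendor metadata chunks.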


Step 1: Install benign application

$ adb install PocActivity.apk

Screenshots taken from the smart glasses:


Step 2: Trigger decryption

Click!

This is a PoC for encrypting an APK as an image, not a PoC for hiding the install; but that is possible via DexClassLoader.


Step 3: Malware installed on the smart glasses

So, yes, it worked - without modification

4 SMS Dialer on IoT

Demo: SMS Dialer on a Smart Watch

- Sony SmartWatch SW2
- ARM Cortex M4 with Micrium µC/OS-II
- Light sensor and accelerometer
- NFC, Bluetooth 3.0
- Launched in Sept 2013
- ≈ 600 RON


How it works: architecture

[Architecture diagram, reduced to its labels]

Smart Accessory <-- Bluetooth (Constanza msg) --> Smartphone

On the smartphone: SmartConnect; Smart Extensions (ControlExtension API, Low Power API); Host application


How it works: code

    // Trigger a command from the Smart Watch
    class SmartWatchSms extends ControlExtension {

        // Act when clicked: wire the button of the watch layout to sendSms().
        // The slide shows only these statements; placing them in onResume()
        // is an assumption, and the body of sendSms() is not shown.
        public void onResume() {
            ControlView btn = mLayout.findViewById(...);
            btn.setOnClickListener(new OnClickListener() {
                public void onClick() {
                    sendSms();
                }
            });
        }

        // Work when not lit: keep the extension active while the watch display is off
        public boolean supportsLowPowerMode() {
            return true;
        }
    }

5 Spyware on IoT

Mom Attack :)

Credits: Dilbert Comic Strips

“Business” case for attacker depends on:

Onboard sensors, Wearable or not, Target population

6 Existing IoT malware

Some of the (in)famous IoT malware

Name             Year  Description
Carna            2012  Research botnet
Linux/Darlloz    2013  Worm exploiting a PHP vulnerability. Infects ADSL routers, satellite and television receivers. Mines cryptocurrencies.
The Moon         2014  Worm exploiting a CGI vulnerability. Infects Linksys routers
ELF/Gafgyt       2014  DDoS. Targets CCTV
Linux/Wifatch    2015  Trojan/Vigilante. Targets DVR, CCTV
Linux/Moose      2015  Performs illegitimate likes/follows
Linux/PnScan     2015  DDoS. Targets routers (India mainly)
Linux/Remaiten   2016  DDoS. IRC based
Linux/Mirai      2016  DDoS. Targets DVR, CCTV...
Linux/IRCTelnet  2016  DDoS. IRC based. IPv6 ready

7 Future

Worm propagation via wearable

[Diagram, reduced to its steps]

Attacker -> INJECT MALICIOUS CODE -> IoT is infected -> INFECT PC -> Victim’s laptop -> PROPAGATE -> More IoT, computers... -> PROPAGATE


Malware of (Every)Things

So far, we have had malware on complex IoT

Prediction: we will have them everywhere

They have firmware. They can have malware ;)

8 Conclusion

References

- Reversing Internet of Things from Mobile Applications, presented at AREA 41, 2016
- Is Ransomware Coming to IoT? by Candid Wuest (Symantec), presented at Insomni’hack, 2016
- Mirai: source code, analysis, protocol
- Thermostat Ransomware: a lesson in IoT security by Ken Munro, August 2016
- IoT Goes Nuclear: Creating a ZigBee Chain Reaction by Eyal Ronen et al. - worm propagation with ZigBee on Philips Hue lightbulbs - 2016
- SDK: Sony Smart Watch, Recon Instruments
- Videos: Remotely controlling a toothbrush, Fitness tracker hacking


Thanks for your attention!

PowerPoint slides? No way! This is LaTeX / Beamer
