IoT Live Hacking Demo
Written By: Jacob Holcomb (@rootHack42)
Presented By: Rick Ramgattie (@rramgattie)
./whoami
• Rick Ramgattie
  – Coding
  – Web Security
  – Cryptography
  – Reverse Engineering
• Security Analyst @ Independent Security Evaluators
Independent Security Evaluators
• Where:
  – Baltimore, MD
• What:
  – Security Assessments
    • Web
    • Mobile
    • Infrastructure
    • Native Applications
• How:
  – Whitebox, Blackbox, and everything in between
Outline
• What is IoT?
• IoT in Enterprise
• What are the dangers?
• Demos
• What can be done?
What is the Internet of Things (IoT)?
• Non-conventional, network-connected devices
  – Refrigerators
  – Washing Machines
  – Surveillance Cameras
  – Thermostats
  – Lightbulbs
  – Door Locks
IoT in Enterprise
• Potential to improve efficiency and productivity
  – Utilities
  – Industrial
  – Health care
  – Transportation
  – Agriculture
IoT in Enterprise
• Potential to increase attack surface of corporate networks
  – 67% of executives will adopt IoT despite potential risks [1]
  – 25% of remote workers have at least one IoT device connected to a corporate network [1]
  – “[B]y the end of 2017, over 20 per cent of organizations will have digital security services devoted to protecting business initiatives using devices and services in IoT” [2]
[1] https://www.tripwire.com/register/enterprise-of-things-report
[2] https://www.gartner.com/newsroom/id/2905717
What are the Dangers?
• Corporate bring-your-own-device (BYOD) policies → undetected breaches
• Similarly, IoT introduces unaudited devices with poor security to the network
  – Often exempt from compliance with security policies
  – Hard to install updates/patches
  – Lack built-in security (encryption, authentication, hardening, etc.)
  – Default credentials (major infection vector for botnets)
What are the Dangers? (cont.)
• “70% of IoT devices were vulnerable to some sort of attack; 60% of IoT devices with a user interface were vulnerable to issues like cross-site scripting and weak credentials; and 70% of IoT devices used unencrypted network services” [1]
• Potential for mass exploitation [2]
  – Examples: Mirai (1 Tbps DDoS, took down Internet DNS), BASHLITE (1 million IoT bots), Linux.Darlloz, Remaiten
[1] http://fortifyprotect.com/HP_IoT_Research_Study.pdf
[2] https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
Demo Devices
• Netgear ReadyNAS RN10400 Network Attached Storage (NAS)
• Belkin N900 Router
• ASUS RT-N56U Router
• Motorola Focus73 Camera
Netgear ReadyNAS RN10400
[1] https://www.netgear.com/support/product/RN10400
• Network Attached Storage
• Web Interface which connects back to Netgear
• Running Linux
• Has Busybox installed
• Open ports
  – tcp/22, tcp/80
• 2 Vulnerabilities
  – Lack of CSRF Protection
  – Arbitrary Command Injection
DEMO: ReadyNAS
Belkin N900
[1] http://www.resettoo.com/factory-reset-belkin-advance-n900-db-wireless-dual-band-n-router
• Wireless Router
• Web Interface which connects back to Belkin
• Running Linux
• Has Busybox installed
• Open ports
  – tcp/53, tcp/80
• 2 Vulnerabilities
  – Client-side authentication
  – Missing authorization checks
DEMO: Belkin N900
Motorola Focus73
[1] http://www.argos-support.co.uk/uploads/2189589_D001.pdf
• IP Camera
• Running Linux
• Has Busybox installed
• Open ports
  – tcp/80, tcp/8080
• 3 Vulnerabilities
  – Lack of Authentication and Authorization Mechanisms in Nuvoton Web Server
  – Command Injection
  – Remote File Inclusion
• Uploaded file does not need to be a real firmware file
• /fwupgrade.html calls a CGI script
• This script is vulnerable to both command injection and remote file upload
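As an added example (not the camera's CGI script, whose internals the deck does not show), a Python firmware-upload handler that closes the three issues on this slide: the client-supplied name is allow-listed so it can never reach a shell, it is confined to a staging directory so nothing is written elsewhere, and the payload must look like firmware before it is accepted. The tool path, staging directory and magic bytes are constructed placeholders.

```python
import re
from pathlib import Path

# Constructed placeholders: not the camera's real tool, directory or format.
FLASH_TOOL = "/usr/sbin/fw_flash"      # hypothetical flashing binary
STAGING_DIR = Path("/tmp/fw_staging")  # hypothetical upload staging dir
FW_MAGIC = b"FOCUS73FW"                # constructed header, not the real one
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def build_unsafe_command(filename: str) -> str:
    """The pattern behind the command-injection bug: a client-supplied name
    spliced into a shell command line. Shown for contrast only, never run."""
    return f"{FLASH_TOOL} /tmp/{filename}"


def validate_upload(filename: str, data: bytes) -> Path:
    """Return the staging path for an upload, or raise ValueError.

    Each check closes one issue from the slide:
    - allow-listed name: no shell metacharacters, so no command injection
    - confinement to STAGING_DIR: no traversal, so no file written elsewhere
    - magic + minimum size: the upload has to be a firmware image
    """
    if not SAFE_NAME.fullmatch(filename) or filename in (".", ".."):
        raise ValueError("unsafe firmware file name")
    dest = (STAGING_DIR / filename).resolve()
    if dest.parent != STAGING_DIR.resolve():
        raise ValueError("file name escapes staging directory")
    if len(data) < 16 or not data.startswith(FW_MAGIC):
        raise ValueError("payload is not a firmware image")
    return dest


def flash_command(dest: Path) -> list:
    """argv for subprocess.run(argv) with shell=False: no shell ever parses
    the file name, so metacharacters in it have no meaning."""
    return [FLASH_TOOL, str(dest)]
```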
DEMO: Motorola Focus73
Asus RT-N56U
[1] https://www.asus.com/us/Networking/RTN56U/
• Wireless Router
• Running Linux
• Has Busybox installed
• Open ports
  – tcp/53, tcp/80, tcp/515, tcp/18017
• 2 Vulnerabilities
  – Client-side credential disclosure
  – Web server stack-based buffer overflow
DEMO: Asus RT-N56U
What can be done?
• Revamped IT infrastructure
  – Distributed network architecture [1]
  – Netflow analysis, watch for anomalous traffic patterns from similar classes of devices
• Updated security and IT policies
  – Mandated patching of IoT/embedded devices
  – Credential management and commissioning process
• IPv6
  – Start planning and be aware of security implications
• Supply chain of trust: vetting your device vendors
[1] http://internetofthingsagenda.techtarget.com/feature/Plan-an-Internet-of-Things-architecture-in-the-data-center
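An added illustration, not from the slides, of the netflow bullet above: devices of the same class (here, cameras) should look alike on the wire, so each one is scored against its peers rather than against a global baseline. The flow records are constructed; one camera fans out tiny flows to many hosts on tcp/23, the pattern the botnets named earlier in the deck produce when they scan.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (src, device class, dst, dst port, bytes).
# Three cameras talk only to their cloud relay; 10.0.5.14 sweeps a /24 on tcp/23.
FLOWS = [
    ("10.0.5.11", "camera", "52.0.0.10", 443, 40000),
    ("10.0.5.11", "camera", "52.0.0.10", 443, 38000),
    ("10.0.5.12", "camera", "52.0.0.10", 443, 41000),
    ("10.0.5.12", "camera", "52.0.0.10", 443, 39500),
    ("10.0.5.13", "camera", "52.0.0.10", 443, 40500),
    *[("10.0.5.14", "camera", f"198.51.100.{i}", 23, 60) for i in range(1, 41)],
]


def per_device_features(flows):
    """Collapse flows into (class, distinct destinations, distinct ports) per source."""
    dsts, ports, cls = defaultdict(set), defaultdict(set), {}
    for src, klass, dst, port, _ in flows:
        dsts[src].add(dst)
        ports[src].add(port)
        cls[src] = klass
    return {s: (cls[s], len(dsts[s]), len(ports[s])) for s in cls}


def anomalous_devices(flows, z_threshold=2.0):
    """Flag a device whose distinct-destination count sits far above the
    other members of its own class. The baseline is leave-one-out, so a
    single compromised device cannot drag its class's mean up to cover itself."""
    feats = per_device_features(flows)
    by_class = defaultdict(list)
    for src, (klass, ndst, _) in feats.items():
        by_class[klass].append((src, ndst))
    flagged = []
    for members in by_class.values():
        for src, ndst in members:
            peers = [n for s, n in members if s != src]
            if len(peers) < 2:
                continue  # too few peers to form a baseline
            mu, sigma = mean(peers), pstdev(peers)
            # floor sigma at 1 so a perfectly uniform class still needs a real jump
            if ndst > mu + z_threshold * max(sigma, 1.0):
                flagged.append(src)
    return sorted(flagged)
```

A real deployment would feed exporter records (nfdump, ipfix collectors) into the same shape and add bytes-per-flow and port-diversity as further features.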