the internet of insecure things: 10 most wanted list - derbycon 2014
DESCRIPTION
The Internet of Things (IoT) aims to makes our lives better, yet there is still no foundation for security controls on the devices that allow us to access the Internet, listen to music, watch television, control the temperature in our homes and more. This talk will look at the history of embedded device insecurity. We’ll explore some real-world example of how devices are exploited (and attackers profited). You will also learn what we can do to help fix these problems and push the industry for a much higher level of security for devices affecting our daily lives.TRANSCRIPT
The Internet Of Insecure Things: 10 Most Wanted List
!Paul Asadoorian Founder & CEO
http://securityweekly.com
http://securityweekly.com Copyright 2014
Things About Paul
Work Thing
Podcast thing
Hacks things
Enjoys things
http://securityweekly.com Copyright 2014
Things About This Presentation
• Yes, I may say “The Internet of Things”
• This is not about “watch me hack this device”
• While this is fun, we’ve established things are vulnerable
• Also, the sky is not falling because someone can hack your toaster (yet)
http://securityweekly.com Copyright 2014
Its More About…
• Real attack vectors against embedded systems
• Some examples of vulnerabilities and attacks (we have to have some fun!)
• Understanding the different types of systems and applications
• Most important, what do “we” do about it?
• The manufacturers of embedded systems
• The folks tasked with protecting networks, systems and infrastructure
Embedded Systems
“An embedded system is a special-purpose system in which the computer is completely encapsulated by the device it controls.” !
http://www.ece.ncsu.edu/research/cas/ecs
http://securityweekly.com Copyright 2014
I Think This Is Cool but…
http://hackalizer.com/nest-thermostat-torn-analyzed/
People cared when…
http://securityweekly.com Copyright 2014
Why Do We Care?
• Who cares if someone hacks my TV, fridge, lights, scale or treadmill or wireless router?
• Attackers install Adware/Spyware/Ransomware to these devices
• Ads will be displayed on your devices without your permission
Care more now?
http://securityweekly.com Copyright 2014
Why Do We Care? Privacy.
• I can see you watching TV
• I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on
• I know how long you spend on the toilet
• I collect all this data and use it to send targeted ads
• Distribute pictures of you getting a snack in your underwear at 3AM
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Why We [Should] Care
• Attackers will find ways to monetize
• They will use any system to:
• Mine Bitcoins (as silly as that sounds, essentially printing currency)
• Build botnets to send SPAM and launch DDoS attacks
http://threatpost.com/dns-based-amplification-attacks-key-on-home-routers/105220
!http://www.wired.com/2014/04/hikvision/
http://securityweekly.com Copyright 2014
Industrial Control Systems
TextTurck BL67 Tridium Niagara AX
Siemens SCALANCE X-200
Clorius Controls ISC
Magnum MNS-6K
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
http://securityweekly.com Copyright 2014
Why Do We Care?
• Potentially life threatening
• Historically operated on closed networks
• Physical attacks are in play
• Economics still apply, cost is a huge factor
• Devices have to “live” for a really long time
• It costs money to replace them
http://securityweekly.com Copyright 2014
Corporate
• Building Entry
• Environmental
• Lighting
• Security Cameras
• Hotel Key Cards
• Timeclocks
• Headsets & Phones
• Printers & Multi-Function
http://securityweekly.com Copyright 2014
Why Do We Care?
• Attackers will use “things” as a jumping off point (ala Target)
• Attackers will prey on weaknesses, such as POS systems
• Physical access is not the primary concern, but still possible
• The challenge of economics applies, low cost solutions that solve problems will win over security
http://securityweekly.com Copyright 2014
Medical
• IV Pumps / Drug infusion pumps
• Insulin Pumps (Wearable)
• Surgical and anesthesia devices
• Ventilators
• External defibrillators
• Patient monitors
• Laboratory and analysis equipment
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
http://securityweekly.com Copyright 2014
Why Do We Care?
• Life threatening for sure
• Patient care will trump security every time
• Connectivity and ease of use will trump security
• Oh sorry, I can’t give you pain meds, IV pump is updating patches
• Patient confidentiality also trumps security
• More important to be compliant than secure
http://securityweekly.com Copyright 2014
Already Happening
• http://www.proofpoint.com/about-us/press-releases/01162014.php
• “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge”
• Okay, well one fridge, on purpose? By accident? Where is the data?
• http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html
• “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.”
http://securityweekly.com Copyright 2014
More Already Happening
• https://blog.kaspersky.com/gaming-console-hacks/
• “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.”
• http://www.wired.com/2014/04/hikvision/
• “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever”
• “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.”
• “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
If I Had To Pick One Example….
Of a really insecure embedded system it would be…
“Inside Joel’s Backdoor”
D-LINK DIR-100
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Background
• I want to show how an attacker would exploit vulnerabilities on embedded systems for profit
• I found some excellent research published by Craig Heffner, author of binwalk and one of the most talented embedded device security researchers on the planet
- Hak.5 Interview with Craig Heffner on the issues: http://hak5.org/episodes/hak5-1513
http://wiki.securityweekly.com/wiki/index.php/Episode320#Interview:_Craig_Heffner
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Background
• The other rock star is Zach Cutlip, both work for Tactical Network Solutions and deserve A LOT of praise for their research
• Joel’s Backdoor is one of the most interesting embedded device vulnerabilities I’ve seen in some time
• Combined with several other flaws on the D-Link DIR-100
Text
http://wiki.securityweekly.com/wiki/index.php/Episode342#Tech_Segment:_Zach_Cutlip
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Exemplify Problem Areas
1. Backdoors inside of firmware
2. Default credentials
3. Functions prone to overflow conditions
4. Secure web management interfaces
BTW, Many of these vulns are old…
Not as old as Jack…
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Joel’s Backdoor
• October 2013 Craig Heffner released details on a backdoor affecting D-Link routers
• Reverse engineering the authentication process, Craig finds a special compare
• Turns out if you set your User-Agent to “xmlset_roodkcableoj28840ybtide” you can access web management
• No password required!
• Who is Joel anyway?
• http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
edit by 04882 joel backdoor
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Why Joel Did This?
The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several
binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change
these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a
username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
http://pastebin.com/aMz8eYGa
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Russians Found It First
• Looking to root an ISPs router
• They found the string, and tried it as the TELNET login
• They could have found it and never posted it
• Or they never figured out its the User-Agent string
http://forum.codenet.ru/q58748/%D0%BF%D0%B5%D1%80%D0%B5%D0%B1%D0%BE%D1%80+%D0%BB%D0%BE%D0%B3%D0%B8%D0%BD%D0%BE%D0%B2+-+%D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82
January 24, 2010
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Exploit Is Simple
DIR-100: !
wget -U ‘xmlset_roodkcableoj28840ybtide’ http://192.168.1.85/Status/Device_Info.shtml
TM-G5240 (Firmware Version:v4.0.0b28) !
wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.87/Status/st_devic.htm
But, No One Exposes Web Management Interfaces To
The Internet?
Because no presentation is complete without a Shodan screenshot
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Canadians & Chinese
thttpd-alphanetworks is a fork of thttpd by a spin-off of
Dlinks
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Remote Exploitation Via Browser
• But wait, what if you could get someone to click on a link?
• Could you send authentication + exploit to the router?
• You need a few things to happen:
• The victim must load a web page with your exploit code
• Your exploit code must be able to modify the User-Agent
• Your have to know the IP address (192.168.0.1) of the device
• Your must run a command through the web interface to do something evil
• Your must bypass the Same Origin policy
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
DIR-100 Buffer Overflow
• But wait, there’s more! Craig also released a buffer overflow vulnerability and exploit code:
• http://pastebin.com/vbiG42VD
• Limited to 200 bytes of shellcode
• Requires admin
Benefit: Now we can upload and execute code on the device, allowing us to execute commands and/or install software.
# strings webs | egrep '(sprintf|strcpy)' strcpy sprintf
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Multi-Stage Dropper MIPS Shellcode
• Zach Cutlip is awesome, and his shellcode is damn sexy:
• https://github.com/tacnetsol/exploit-tools/tree/master/shellcode/mips/trojan-dropper
• Or callback in 184 bytes:
• https://github.com/tacnetsol/exploit-tools/blob/master/shellcode/mips/connect-back/callback_payload.py
It’s not dead yet...
But wait, there’s even more!
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Dir-100 XSS & So Much More
• December 2013 researcher Felix Richter exposes several more vulnerabilities affecting DIR-100 routers
• http://packetstormsecurity.com/files/125041/D-Link-DIR-100-CSRF-XSS-Disclosure-Authentication.html
• Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255]
• Retrieve sensitive configuration parameters like the pppoe username and password without authentication [CWE-200]
• Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
• Sending formatted request to a victim which then will execute arbitrary commands on the device (CSRF) [CWE-352]
• Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]
I See Your Privatesroot@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/etc# cat stunnel.pem -----BEGIN CERTIFICATE----- MIID+jCCAuKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMCVFcx DzANBgNVBAgTBlRhaXdhbjEPMA0GA1UEBxMGVGFpcGVpMRwwGgYDVQQKExNBbHBo YSBOZXR3b3JrcyBJbmMuMQwwCgYDVQQLEwNGRDMxJDAiBgNVBAMTG0FscGhhIE5l dHdvcmtzIERlbW8gUm9vdCBDQTErMCkGCSqGSIb3DQEJARYcU3RhbmxleV9MaUBh bHBoYW5ldHdvcmtzLmNvbTAeFw0wNTA1MTMwNzQxMjVaFw0xNTA1MTEwNzQxMjVa <snip> WY3y9dVFwtZdfOgYcCSqnn1ehDxHN8XsjOylZ53SuapRmPTjuOQR4k+P18XdxZuY RlBSV1vTRWsLncFEQH326MQNyxlQG5om9tZ/+k+kuVt3iImdwBp+cveMaRcw3wHz qDfxLwCL9K4icRhPeYk= -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAtkENCho2fHuiaVHofYl87EGYleFFlw9dv9dDeF/2HX9DEQo4 +ctCESsU8uvSIm+iTB2bTN1R1qLGdwXjFWFjveLOkP9UMv33kD/eAvA3WIjK99PH Rz+Be9bLqtZRehNMXAQV0HFTiLZD3mzo/2gUYtHDUXFAU22HcM/iSVQUpPNytL1/ wE3xtBExLgB51d0CHKL6NXoM0JXEdmpUAhee3QlyGGZU8XpDDizThBnD/QoI2RAN iBcVm/Frcls2dzZ8Qsg1ipJ1OCdZJ4KmdfQhrCTTNCeZ8xyzvyUBrBUkJ+sb6O2f J8OoZ2OIRVIjJ4GeAu5T4vFteLh3XRTVkT8JLQIDAQABAoIBAEI5pQlUuRPGwR9Q GhDz0qbutwlPUEAx3zkEeYnWJNJXGgGpG0b5aspeQ0B6HGNS+UB7SaFGkqRRhZhe <snip> vSC/wQKBgDnnrkbsCg5HsnDFHQu9zSlNrMNwtc3H9fD5TMgFOj7nJBJTLGh/JbXM GaXBOxb1BbVVTmNDvYEMpS+7QPIsA1PVZE3ixYDCI9EuGNSCCd6wwsLkf2mcUH3G mDUZ/Mdnc5uQWU+NWA0LpnVPt546RMk9l5soHc7W5M8MtmnCwMDD -----END RSA PRIVATE KEY-----
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Let’s Recap
• For your enjoyment, DIR-100 has:
• At least 2 different authentication bypass vulnerabilities
• Information disclosure, leading to PPPOE passwords
• A CSRF vulnerability
• A remote buffer overflow
• A stored XSS vulnerability
• Select models use static keys
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
0wning D-Link?
• http://suporte.dlink.com.br/suporte/emuladores/DIR/DIR_100/Status/st_device.htm
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
These Conditions Can’t Exist On Other Devices?
• Medical: http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
• SCADA: http://seclists.org/fulldisclosure/2012/Apr/277
• Industrial Automation: http://www.ioactive.com/news-events/ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_automation_devices.html
• Building Automation: https://www.youtube.com/watch?v=c4LMrKEO_t0 (BACNet)
• Home Automation: http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html
http://securityweekly.com Copyright 2014
Even More Attacks
• HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet
- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
• Craig Heffner discovered a DNS rebinding attack on several routers allowing attackers to gain control of administrative interfaces
- http://code.google.com/p/rebind/
http://securityweekly.com Copyright 2014
Even More Attacks (2)
• Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems
- http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/
• Barnaby Jack remotely attacked two different ATMs and “made the money come out” (without a card+pin #)
- http://www.youtube.com/watch?v=qwMuMSPW3bU
But Why?
Why are embedded systems left out in the cold when it comes to security?
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Why?
• Embedded systems, across all major categories are designed with two things in mind:
• Usability - Does the system work as intended for the user? (e.g. my TV turns on, allows me to change the channel, displays an image)
• Reliability - Does the system catch fire, break, fall over, or cease functioning under certain conditions? (e.g. does my TV catch fire if left on or melt due to temperature being too high?)
!
• What are they not designing for?
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
Why?
• What happens if an external user takes control of the system and makes it to “bad things”?
• Think of it like a hammer:
• I make sure it can pound stuff (usability)
• I make sure the head doesn’t come flying off and kill someone (reliability)
• I don’t design it so someone doesn’t try to use it to smash someone’s face
Credit: http://wiki.securityweekly.com/wiki/
index.php/Episode_386#Interview:_Mike_Murray
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
These are no ordinary hammers
• The hammers, embedded systems, we speak of have connectivity!
• Ethernet
• Wifi
• Bluetooth
• ZigBee
• RFID
• NFC
What Do We Do About It?
10 Most Wanted List: A Guide For Embedded Device Manufacturer and Software Developers
http://securityweekly.com Copyright 2014
10 Most Wanted List
1. Backdoors inside of firmware
2. Default credentials
3. Insecure Remote management (Defaults & Clear-Text Transmissions)
4. Open-source software and drivers, NOT binary blobs
5. Functions prone to overflow conditions
6. Firmware and configuration encryption
7. Easy-to-use firmware updates (auto-updates)
8. Secure web management interfaces
9. Maintain a CIRT and provide a program for security researchers
10. Implement Protocols Security / Implement Secure Protocols
http://securityweekly.com Copyright 2014
1. Firmware Backdoors
• A “secret” account (or access) created by the vendor that allows remote management
• Excuse is this is done for support reasons (password resets)
• The problem is: its not so secret
Backdoor password was...
Derived from the MAC address....
http://securityweekly.com Copyright 2014
2. Default Credentials
• A known set of credentials used out-of-the-box
• Typically found via Google or in documentation
• The problems: Anyone can discover this value and users/administrators don’t change it
• Also: Firmware updates sometimes reset it to the default value
http://securityweekly.com Copyright 2014
3. Insecure Remote Management
• HTTP & TELNET - Its 2014, why are we still using these protocols to manage systems?
• HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device
• SSH - Same thing here, but easier to enable by default
• Oh, and weak passwords
http://securityweekly.com Copyright 2014
4. Open-Source drivers
• Interoperability is nice, but also begs the security question
• How do I keep my software and hardware up-to-date if you don’t provide me with a new driver!
• Open-source drivers allow for more eyes, and typically are patched more quickly
http://securityweekly.com Copyright 2014
5. Functions prone to overflow
• Wait, we know strcpy() is bad, right?
• Why do we still use it?
• And yes, programmers still use it
• In fact, if you take it out, they will just put it back
!
• https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
http://securityweekly.com Copyright 2014
6. Firmware Encryption
• Signing firmware updates makes it harder to backdoor existing firmware
• Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security)
• Also, XOR is NOT encryption
!
• http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859?
http://securityweekly.com Copyright 2014
7. User Friendly Firmware Updates
• Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...)
• Step back, most are unaware devices need to be updated for security, amazed that it actually works
• Even the term “update firmware” is too geeky, we need to change this
• Smartphones are a great example
http://securityweekly.com Copyright 2014
8. Secure Web Frameworks
• The code behind the web management interface is typically poorly implemented
• Java, Ruby, Python, .NET - all too “heavy” to implement on small systems
• Developers typically write their own, similar results to “Well, I’ll just implement my own encryption algorithm”
http://securityweekly.com Copyright 2014
9. Maintain a CIRT
• Look, this FREE help!
• D-Link has fixed the problems we covered earlier
• Some vulnerabilities never get fixed
• Researchers get frustrated and just post the exploits to pastebin
• Prezi got hacked, paid the researcher money, and wrote a nice blog post about it and linked to the researcher’s presentation (not in Prezi)
• It pays to work and collaborate with security researchers
http://securityweekly.com Copyright 2014
10. Secure Protocols
• UPnP, IPMI, HNLP, DLNA are common protocols on consumer devices
• Modbus is popular on SCADA devices
• The problem is they offer great functionality
• But security is often left out entirely
• IPMI and HNLP have had huge problems, leading to major issues and even the “Linksys Router Worm”
• The protocols desperately need security...
For Slides Join Our Mailing List: http://securityweekly.com/insider !
Podcasts/Blogs/Videos: http://securityweekly.com !
Contact Me: [email protected]
http://www.blackhillsinfosec.com