![Experimenting
Design
2. Internet Connectivity
- 192.168.1.254 192.168.1.66 DNS 92 Standard query
response 0x0170 A www.dahuap2p.com A 223.6.252.231
-192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A
www.dahuap2p.com
- 192.168.1.66 223.6.252.231 TCP 60 41776 12366 [ACK]
Seq=1 Ack=1 Win=14608 Len=0
What are you sending?](https://image.slidesharecdn.com/12052016ieeecomputersociotsecurity-161206152345/85/IoT-Security-How-Your-TV-and-Thermostat-are-Attacking-the-Internet-28-320.jpg)
IoT Security: How Your TV and Thermostat are Attacking the Internet
- 2. Outline • The Internet of Things (Everything) Examples of IoT Devices Power Grid (‘Grid of Things’) • Security Challenges End-Point Security, Global Issues, 0-Days, No Motivation • The Mirai Botnet Background (DNS) Oct. 21st Summary • Tinkering Around Experimenting with an IP Cam What is this ‘thing’ really doing
- 3. Source: http://www.comsoc.org/blog/infographic-internet-things-iot By the numbers
- 4. By the numbers Source: http://www.comsoc.org/blog/infographic-internet-things-iot
- 5. By the numbers Source: http://www.comsoc.org/blog/infographic-internet-things-iot
- 7. FEATURES Integrated cleansing. Adjustable spray shape, position, water pressure, temperature, pulsate. Self-cleaning Warm-air drying system with adjustable temperature settings. Automatic deodorization system. Heated seat with adjustable temperature settings. Motion-activated LED lighting illuminates the bowl to serve as a night-light. Touchscreen LCD remote control. Plays Music Internet of Things Examples Video
- 8. Grid of Things State of Affairs Power Grid “Our expectations is that the modernized electricity grid will be 100 to 1000 times larger than the Internet” – CISCO VP Advanced Metering Electric Vehicles Distributed Generation Grid Modernization Distribution Automation
- 9. IoT Security => Safety ICS-CERT
- 10. Wait, so what exactly is IoT?
- 11. Wait, so what exactly is IoT? Source: IoT European Research Cluster, IERC, 2014
- 12. IoT Defined... Now Security... Implementing security with: • No Incentives (or Consequences) • Do vendors and consumers even care • World economy, markets, and conflicts • Engineering silos • Engineering ethical barriers • Limited understanding of complexity and emergent issues
- 13. Miria Botnet Source: Level 3 Communications Outage Map October 21 2016
- 14. Background Source: Simon Liu, "Surviving Distributed Denial-of-Service Attacks", IT Professional vol. 11, p. 51-53, September/October, 2009
- 15. Background How Domain Name Service Works ‘The Phone Book of the Internet’ (1) Where is Google? DNS Server Google (2) Google is at 108.177.8.113 (3) Searching the Web 108.177.8.113/search?q=IEEE
- 16. Summary Source: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/ Dyn’s Key Findings: • ‘The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.’ • Dyn confirms Mirai botnet as primary source of malicious attack traffic. • Attack generated compounding recursive DNS retry traffic, further exacerbating its impact. DNS Server
- 17. DYN Attack cont. and IoT Security Hearing ‘Level 3 detected approximately 150,000 IoT devices were used to … generate significant amount of bandwidth use that threatens the fabric of the global internet.’ Source: U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks” November 16, 2016 ‘We believe that in the case of Dyn, the relatively unsophisticated’ Summary ‘The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology’ Witness Testimonies
- 18. Recon... the Internet of Things Power Plants, Refrigerators, …, Buildings, Webcams, … Source: Shodan
- 20. Experimenting IP Camera 3.6mm 4MP Full HD IR Mini Dome PoE Network Camera Built-in Mic What is this ‘thing’ really doing…?
- 22. Experimenting Design 1. No Router Connection 2. Internet Connectivity 3. Port Forwarding (Future) - Network Monitoring - Port Scan - Network Monitoring - Port Scan - Network Monitoring - Port Scan
- 23. Experimenting Design 1. No Router Connection
- 24. Experimenting Design 1. No Router Connection Default Open Ports Web Real Time Streaming Print Services Interface Universal Plug and Play Well Known Ports: 0 through 1023. Registered Ports: 1024 through 49151. Dynamic/Private : 49152 through 65535.
- 25. Experimenting Design 1. No Router Connection Multicasting Who has 192.168.1.1? Tell 192.168.1.108 Simple Service Discovery Protocol 192.168.1.108 239.255.255.250 NOTIFY 192.168.1.108 224.0.0.22 IGMPv360 Report / Join group 239.255.255.250 for any sources
- 26. Experimenting Design 2. Internet Connectivity -ROUTER_12:6d:81 e0:50:8b:0a:06:d3 192.168.1.254 is at … target 192.168.1.66 -192.168.1.66 192.168.1.254 DNS 81 Standard query 0x016f A www.dahuap2pcloud.com -192.168.1.254192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195 DHGET /online/p2psrv/2J03977PAA00347 HTTP/1.1CSeq: 1927610396Authorization: WSSE profile="UsernameToken"X-WSSE: UsernameToken Username="2J03977PAA00347", PasswordDigest="NanYJZWK4bKmrYW7ngt2EK50AY80", Nonce="-691305717", Created="2000-01-01T02:52:12Z" -192.168.1.66 121.199.3.195 UDP 303 58124 8800 Len=261
- 27. ExperimentingDesign 2. Internet Connectivity -192.168.1.254192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240 -192.168.1.66 192.168.1.254 DNS 81 Standard query 0x0173 A www.dahuap2pcloud.com -192.168.1.66 120.26.104.240 UDP 310 46071 8800
- 28. Experimenting Design 2. Internet Connectivity - 192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231 -192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A www.dahuap2p.com - 192.168.1.66 223.6.252.231 TCP 60 41776 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0 What are you sending?
- 29. Experimenting Design 2. Internet Connectivity What are you sending? 192.168.1.66 -> 223.6.252.231
- 30. Experimenting Design 2. Internet Connectivity -192.168.1.66 192.168.1.254 DNS 74 Standard query 0x0171 A rs.lechange.cn -192.168.1.254192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165 -192.168.1.66 114.55.152.165 TCP 74 46241 9084 What are you sending?
- 31. ExperimentingDesign 2. Internet Connectivity What are you sending? 192.168.1.66 -> 114.55.152.165 Why would it need to send the local IP address?
- 32. ExperimentingDesign 2. Internet Connectivity What are you sending? 192.168.1.66 -> 114.55.152.165
- 33. ExperimentingDesign 2. Internet Connectivity Same story… Summary: Time Elapsed: 00:03:50 Packets: 3647 Total External IPs: 7 Total UDP: 3 IPs Total TCP: 4 IPs
- 34. Experimenting Wireshark I/O Graph Interesting looking spike…
- 35. Experimenting
- 36. Experimenting Trying to determine exactly what ‘jpeg’ images are being sent… Python Snippet Network Capture File
- 37. Experimenting THIS IS BAD‘Plug and Play’? Automatically streams live feed to remote server.
- 38. Resources http://iot.ieee.org/ http://standards.ieee.org/innovate/iot/ Final Points 1. IoT Security is a Safety/Privacy Issue 2. … 3. Consider the devices you bring into your home and to work
- 39. Questions? Nathan Wallace, PhD, CSSA nathanwallace@computer.org @NathanSWallace Thoughts?