IoT security is a nightmare. But what is the real risk?
6 likes8,093 views
1) IoT security is a major issue as many devices have poor security and will never receive patches. This leaves them vulnerable to attacks over the internet or through home networks. 2) There are many risks even for devices that are behind routers or firewalls due to issues like UPnP, IPv6, cloud connections, and protocol tunneling that can bypass network protections. 3) Home users should take steps like disconnecting devices when not in use, changing passwords, filtering incoming connections, and monitoring their network to improve their security, but there are no complete solutions given flaws in IoT design and updates.
IoT security is a nightmare. But what is the real risk?
- 1. IoT security is a nightmare. But what is the real risk? Camp++ 0x7e0
- 4. root@kali:~# whoami I’m NOT a CEH Creator of the Zombie Browser Toolkit https://github.com/Z6543/ZombieBrowserPack Creator of the HWFW Bypass tool – Idea later(?) implemented by nation state attackers in Duqu 2.0 https://github.com/MRGEffitas/hwfwbypass Creator of the Malware Analysis Sandbox Tester tool https://github.com/MRGEffitas/Sandbox_tester Invented the idea of encrypted exploit delivery via Diffie-Hellman key exchange, to bypass exploit detection appliances – Implemented by Angler and Nuclear exploit kit developers https://www.mrg-effitas.com/generic-bypass-of-next-gen-intrusion-threat-breach-detection-systems/
- 5. How did I get into this? I bought an IP camera Found multiple high severity issues Notified manufacturer, published blogpost After one year, no patch available The question is: • Now what? I wanted to solve this generic issue
- 6. Examples of terrible home IoT devices – IP Camera – Router – Baby monitor – Smart home – Automated NAS ransomware – Car hacked
- 8. Assumptions For the next ~5-10 years, assume – Your IoT device has horrible security holes – It won’t receive any patches, ever For the sake of this presentation, I assumed: • The IoT device is not intentionally malicious • Is not preloaded with malware I know, I am an optimistic guy ¯_(ツ)_/¯
- 9. IoT Security Excuses a.k.a #YOLOSEC
- 10. I am safe, I changed all IoT passwords
- 11. I am safe, I changed all IoT passwords Vulnerabilities bypassing password protection • Memory corruption issues (BoF, Format string, …) • CSRF (later) • Backdoor accounts • Lack of brute-force protection • …
- 12. I am safe, I regularly patch all of my IoT devices
- 13. I am safe, I regularly patch all of my IoT devices Patches are late by years Most IoT devices do not get a patch, EVER
- 14. Problems with direct IPv4 connection If your IoT device has an Internet routable IPv4 address, without any firewall port filtering Just prepare for apocalypse Seriously, don’t do that CCTV is OCTV today
- 15. The IoT device is only available in a closed network
- 16. The IoT device is only available in a closed network (•_•) <) )╯What / (•_•) ( (> The / (•_•) <) )> fuck were you thinking??? /
- 17. The device is only exposed in my area Physically nearby to open WiFi
- 18. The device is only exposed in my area Physically nearby to open WiFi
- 19. The device is only exposed in my area Smart rifle hacking – open WiFi Full of FUD – but still, interesting research based on the devices you can expect to network connected
- 20. I am safe, home network, behind NAT
- 21. NAT is sneaky evil Due to NAT: • Users believe they are safe behind home router NAT • Developers created ways to connect devices behind NAT, seamlessly What could possibly go wrong? https://youtu.be/v26BAlfWBm8 But, but NATs are good …
- 22. I am safe, home network, behind NAT Think again – UPNP – IPv6 – Teredo – Cloud
- 23. UPNP
- 24. IPv6
- 25. IPv6 Market for private IPv6 Timespan for private IPv6 addresses: ~1 day ICMP means every device is reachable • network stack hack possible Predictable IPv6 addresses (mostly enterprise) • ::0, ::1, ::2, ::service_port, ::IPv4, ::1000-::2000, ::100-::200, ::1.0-::1-2000, ::b00b:babe Reverse DNS enumeration (mostly enterprise)- dnsrevenum6 Zone transfer … AXFR … (mostly enterprise) DNSSEC chain walk (mostly enterprise) DNS brute force (mostly enterprise) – dnsdict6 Recommended: • Marc van Hauser: IPv6 insecurity revolutions • THC IPv6
- 26. Teredo bubble IPv4 Teredo client 1. Teredo server 2.
- 27. Teredo NAT hole IPv4 IPv6 Teredo client Teredo relay 1. 2. 3. 4. Teredo server IPv6 peer 1ce:c01d:bee2:15:a5:900d:a5:11feFirewall 5. 2001:0000:53aa:064c:0055:6bbf:a67b:7887
- 28. Teredo in practice According to a study by Arbor Networks, the 2008 adoption of IPv6 by µTorrent caused a 15-fold increase in IPv6 traffic across the Internet over a ten-month period.
- 29. IP camera cloud hack
- 30. IP camera cloud hack This research is work in progress – Lot of stuff to fine-tune, research The camera has an Android app The app can connect to the IP camera even when it is behind NAT, no port forward But how???
- 34. Demo time
- 35. I am safe, none of these apply, my home network is Sup3rFirewalled
- 36. I am safe, none of these apply, my home network is Sup3rFirewalled
- 37. uBlock demo uBlock is like Adblock, just better I use two browsers, one for Internet access And the other, only use to access internal network
- 38. I am safe, I changed the network range from default (192.168.0.0/24)
- 39. I am safe, I changed the network range from default (192.168.0.0/24) WebRTC (Web Real-Time Communication) is an API definition … that supports browser-to-browser applications for voice calling, video calling, and P2P file sharing … WebRTC + STUN Natively supported in • Chrome (2012) • Firefox (2013) • Opera 18 (2013) • Edge 21 (2015) • Blackberry Not in Safari, mobile Chrome, IE
- 41. BeEF demo
- 42. Same-Origin Policy (SOP) “a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin” Port, protocol and host has to be the same Goal • an ad on webmail won’t be able to access the e- mails
- 43. DNS rebind attack It is (was) possible to bypass browser same origin policy One public and one private IP address for a domain • Use the public IP in first request, deliver malicious script • Use the private IP later, malicious script can access private IP, and leak data Cat and mouse game started in 1996 https://www.usenix.org/conference/usenixsecurity13 /technical-sessions/presentation/johns
- 44. Filet – o – firewall https://github.com/filetofirewall/fof/
- 45. Attackers and motives Script-kiddies: for fun, point-and-click tool, annoy, prank or extort ordinary people. Political activists: Not important, unless operated by government Organized criminals: for profit. Physical presence or no physical presence. NAS ransomware attacks. Smart homes hacked by burglers, internet connected IP-cameras hijacked before burglary, smart-cars stolen via unsecured WiFi, etc. Nation-state attackers: “collect everything”. domestic or foreign surveillance, track and profile people, direct surveillance (audio, video). Bonus - Advertisment industry: smart devices will be sold either exclusively, or at a cheaper price, profit for advertisers, more targeted ads to the people
- 46. IoT development guideline in a Utopia Secure by design Tested for security Patch released if security issues are found
- 47. Current IoT development guideline in reality Secure by design Tested for security Patch released if security issues are found Cheap Be the first on the market Linux (Busybox ?) embedded Webserver or VNC embedded
- 49. IoT Risks
- 50. Lessons learned for home users Disconnect power cord/remove batteries if IoT is not needed 7*24 Patch (if possible) Change passwords to complex, non-reused passwords Disable direct inbound connections (check router) Disable UPnP (check router) Filter IPv6 (inbound default deny a’la NAT) Disable Teredo Monitor for tunneling protocols Prevent CSRF from browser (see uBlock slide) Scan your home network for new devices (LAN, Bluetooth, new AP, Zigbee, IrDA, FM) Dedicated network for IoT devices (use old Wi-Fi router) Separate your guests from your IoT network Disable WebRTC in browser (Chrome: WebRTC Network Limiter) Disable cloud connection (on device and/or router/firewall) Prevent DNS rebind attack – see next slide
- 51. Moar tips for home users Private IP addresses can be filtered out of DNS responses. – External public DNS servers with this filtering e.g. OpenDNS – Local sysadmins can configure the organization's local nameservers to block the resolution of external names into internal IP addresses. – DNS filtering in a firewall or daemon e.g. dnswall Firefox NoScript ABE feature
- 52. “Smart devices will make our life easier” Maybe in ~2100, but until then, it will make our life a nightmare
- 53. My best advice: don’t buy IoT devices ;)
- 54. Lessons learned for IoT vendors SDLC Continuous security testing and bug bounties Seamless auto-update Opt-in cloud
- 55. Lessons learned for goverments Follow Federal Trade Comission FTC – fine vendors who put users at risk to maximize profit https://www.ftc.gov/news-events/press- releases/2016/02/asus-settles-ftc-charges- insecure-home-routers-cloud-services-put
- 56. References, interesting links Best IoT Talk ever! 115 batshit stupid things you can put on the internet in as fast as I can go by Dan Tentler https://www.youtube.com/watch?v=hMtu7vV_HmY https://github.com/mandatoryprogrammer/sonar.js/tree/master https://www.youtube.com/watch?v=34GtH4tghjA https://jumpespjump.blogspot.com/2015/08/how-to-secure-your-home- against.html https://jumpespjump.blogspot.com/2015/09/how-i-hacked-my-ip-camera-and- found.html http://www.theverge.com/circuitbreaker/2016/7/12/12159766/internet-of- things-iot-internet-of-shit-twitter
- 58. Hack the planet! One computer at a time … zoltan.balazs@mrg-effitas.com https://hu.linkedin.com/in/zbalazs Twitter – @zh4ck www.slideshare.net/bz98 Greetz to @CrySySLab, @SpamAndHex Thx to Attila Bartfai for the conversation starter JumpESPJump.blogspot.com