The Internet Of Insecure Things: 
10 Most Wanted List 
Paul Asadoorian 
Founder & CEO 
http://securityweekly.com
Things About Paul 
http://securityweekly.com Copyright 2014 
Work Thing 
Podcast thing 
Hacks things 
Enjoys things
Things About This 
Presentation 
• Yes, I may say “The Internet of Things” 
• This is not about “watch me hack this device” 
• While this is fun, we’ve established things are vulnerable 
• Also, the sky is not falling because someone can hack your 
toaster (yet) 
It’s More About… 
• Real attack vectors against embedded systems 
• Some examples of vulnerabilities and attacks (we have to 
have some fun!) 
• Understanding the different types of systems and 
applications 
• Most important, what do “we” do about it? 
• The manufacturers of embedded systems 
• The folks tasked with protecting networks, systems and infrastructure 
Embedded Systems 
“An embedded system is 
a special-purpose system 
in which the computer is 
completely encapsulated 
by the device it controls.” 
http://www.ece.ncsu.edu/research/cas/ecs
Consumer 
I Think This Is Cool but… 
http://hackalizer.com/nest-thermostat-torn-analyzed/ 
People cared when…
Why Do We Care? 
• Who cares if someone hacks my TV, fridge, lights, scale, 
treadmill or wireless router? 
• Attackers install Adware/Spyware/Ransomware on these devices 
• Ads will be displayed on your devices without your permission 
Care more now?
Why Do We Care? Privacy. 
• I can see you watching TV 
• I know what you eat and drink, 
how often you do laundry, and 
when you turn your lights/TV on 
• I know how long you spend on the 
toilet 
• I collect all this data and use it to 
send targeted ads 
• Distribute pictures of you getting a 
snack in your underwear at 3AM 
Things are real 
What if this could be 
prevented? 
By This? 
Why We [Should] Care 
• Attackers will find ways to monetize 
• They will use any system to: 
• Mine Bitcoins (as silly as that sounds, essentially printing currency) 
• Build botnets to send SPAM and launch DDoS attacks 
http://threatpost.com/dns-based-amplification-attacks-key-on-home-routers/105220 
http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC 
http://www.wired.com/2014/04/hikvision/
Industrial Control Systems 
Turck BL67 Tridium Niagara AX 
Siemens SCALANCE X-200 
Clorius Controls ISC 
Magnum MNS-6K 
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
Why Do We Care? 
• Potentially life threatening 
• Historically operated on closed networks 
• Physical attacks are in play 
• Economics still apply, cost is a huge factor 
• Devices have to “live” for a really long time 
• It costs money to replace them 
Corporate 
• Building Entry 
• Environmental 
• Lighting 
• Security Cameras 
• Hotel Key Cards 
• Timeclocks 
• Headsets & Phones 
• Printers & Multi-Function 
Why Do We Care? 
• Attackers will use “things” as a jumping off point (à la 
Target) 
• Attackers will prey on weaknesses, such as POS systems 
• Physical access is not the primary concern, but still possible 
• The challenge of economics applies, low cost solutions that 
solve problems will win over security 
Medical 
• IV Pumps / Drug infusion pumps 
• Insulin Pumps (Wearable) 
• Surgical and anesthesia devices 
• Ventilators 
• External defibrillators 
• Patient monitors 
• Laboratory and analysis equipment 
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability 
affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the 
vulnerability could be exploited to potentially change critical settings and/or modify device firmware. 
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/ 
Why Do We Care? 
• Life threatening for sure 
• Patient care will trump security every time 
• Connectivity and ease of use will trump security 
• Oh sorry, I can’t give you pain meds, IV pump is updating patches 
• Patient confidentiality also trumps security 
• More important to be compliant than secure 
Already Happening 
• http://www.proofpoint.com/about-us/press-releases/01162014.php 
• “More than 750,000 Phishing and SPAM emails Launched from 
"Thingbots" Including Televisions, Fridge” 
• Okay, well one fridge, on purpose? By accident? Where is the 
data? 
• http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html 
• “A Linux worm named Linux.Darlloz, earlier used to target Internet of 
Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security 
Cameras, printers and Industrial control systems; now have been 
upgraded to mine Crypto Currencies like Bitcoin.”
More Already Happening 
• https://blog.kaspersky.com/gaming-console-hacks/ 
• “I also have a bad feeling that the time for gaming malware is now, and I 
am not totally sure what it will take to protect ourselves.” 
• http://www.wired.com/2014/04/hikvision/ 
• “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever” 
• “The low-powered ARM chip is one of the worst possible processors 
you could pick for the crypto-heavy calculations that make up bitcoin 
mining.” 
• “The malicious software seems to spread using the default usernames 
and passwords for the Hikvision devices” 
If I Had To Pick One 
Example… 
Of a really insecure embedded system it would be…
“Inside Joel’s Backdoor” 
D-LINK DIR-100
Background 
• I want to show how an attacker would exploit vulnerabilities on 
embedded systems for profit 
• I found some excellent research published by Craig Heffner, author 
of binwalk and one of the most talented embedded device security 
researchers on the planet 
- Hak.5 Interview with Craig Heffner on the issues: http://hak5.org/episodes/hak5-1513 
http://wiki.securityweekly.com/wiki/index.php/Episode320#Interview:_Craig_Heffner 
Background 
• The other rock star is Zach Cutlip, both work for Tactical 
Network Solutions and deserve A LOT of praise for their 
research 
• Joel’s Backdoor is one of the most interesting embedded 
device vulnerabilities I’ve seen in some time 
• Combined with several other flaws on the D-Link DIR-100 
http://wiki.securityweekly.com/wiki/index.php/Episode342#Tech_Segment:_Zach_Cutlip 
Exemplify Problem Areas 
1. Backdoors inside of firmware 
2. Default credentials 
3. Functions prone to overflow conditions 
4. Secure web management interfaces 
BTW, Many of these vulns are 
old… 
Not as old as Jack…
Joel’s Backdoor 
• October 2013 Craig Heffner released details on a backdoor 
affecting D-Link routers 
• Reverse engineering the authentication process, Craig finds a 
special compare 
• Turns out if you set your User-Agent to 
“xmlset_roodkcableoj28840ybtide” you can access web 
management 
• No password required! 
edit by 04882 joel backdoor 
• Who is Joel anyway? 
• http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/ 
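A defender-side check for the backdoor described above, added here as an example (not code from the slides, from Craig Heffner’s write-up, or from D-Link): it decodes the User-Agent value the way the “edit by 04882 joel backdoor” line is obtained (strip the xmlset_ prefix, reverse the rest) and flags any HTTP request carrying that exact User-Agent, which is what an IDS rule or a reverse proxy in front of an unpatched device would match on. The sample requests are constructed; the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The User-Agent value disclosed by Craig Heffner and quoted on the slides.
 * Everything else in this file is a constructed detection example. */
#define JOEL_UA        "xmlset_roodkcableoj28840ybtide"
#define JOEL_UA_PREFIX "xmlset_"

/* Case-insensitive "does s start with prefix"; returns the matched length or 0. */
static size_t starts_with_ci(const char *s, const char *prefix)
{
    size_t i;
    for (i = 0; prefix[i] != '\0'; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return i;
}

/* Strip the "xmlset_" prefix and reverse the remainder. This is how the
 * deck's "edit by 04882 joel backdoor" reading is recovered from the
 * User-Agent string. Writes into out and returns it. */
const char *decode_joel_ua(char *out, size_t outlen)
{
    const char *tail = JOEL_UA + strlen(JOEL_UA_PREFIX);
    size_t n = strlen(tail);
    if (outlen < n + 1) {
        out[0] = '\0';
        return out;
    }
    for (size_t i = 0; i < n; i++)
        out[i] = tail[n - 1 - i];
    out[n] = '\0';
    return out;
}

/* Scan a raw HTTP request (CRLF or LF line endings) for a User-Agent header
 * whose value is exactly the backdoor string. Returns 1 if found, else 0. */
int request_has_joel_ua(const char *request)
{
    const char *line = request;
    while (line != NULL && *line != '\0') {
        size_t matched = starts_with_ci(line, "user-agent:");
        if (matched != 0) {
            const char *value = line + matched;
            while (*value == ' ' || *value == '\t')   /* skip header whitespace */
                value++;
            size_t len = strcspn(value, "\r\n");       /* value ends at line end */
            if (len == strlen(JOEL_UA) && strncmp(value, JOEL_UA, len) == 0)
                return 1;
        }
        line = strchr(line, '\n');                     /* advance to next header */
        if (line != NULL)
            line++;
    }
    return 0;
}

/* Constructed sample requests for a stand-alone run (the IP is the LAN
 * address used elsewhere in the deck). */
static const char *const SAMPLE_BAD =
    "GET /Status/Device_Info.shtml HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: xmlset_roodkcableoj28840ybtide\r\n\r\n";
static const char *const SAMPLE_OK =
    "GET /Status/Device_Info.shtml HTTP/1.1\r\n"
    "Host: 192.168.0.1\r\n"
    "User-Agent: Mozilla/5.0\r\n\r\n";

int main(void)
{
    char decoded[64];
    printf("decoded: %s\n", decode_joel_ua(decoded, sizeof decoded));
    printf("backdoor request flagged: %d\n", request_has_joel_ua(SAMPLE_BAD));
    printf("normal request flagged:   %d\n", request_has_joel_ua(SAMPLE_OK));
    return 0;
}
```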
Why Did Joel Do This? 
The ever neighborly Travis Goodspeed pointed out that this backdoor is used by 
the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several 
binaries that appear to use xmlsetc to automatically re-configure the device’s 
settings (example: dynamic DNS). My guess is that the developers realized that 
some programs/services needed to be able to change the device’s settings 
automatically; realizing that the web server already had all the code to change 
these settings, they decided to just send requests to the web server whenever they 
needed to change something. The only problem was that the web server required a 
username and password, which the end user could change. Then, in a eureka 
moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”. 
http://pastebin.com/aMz8eYGa 
Russians Found It First 
• Looking to root an ISP’s router 
• They found the string, and tried it as the TELNET login 
• They could have found it and never posted it 
• Or they never figured out it’s the User-Agent string 
January 24, 2010 
http://forum.codenet.ru/q58748/%D0%BF%D0%B5%D1%80%D0%B5%D0%B1%D0%BE%D1%80+%D0%BB%D0%BE%D0%B3%D0%B8%D0%BD%D0%BE%D0%B2+-+%D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82 
Exploit Is Simple 
DIR-100: 
wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.85/Status/Device_Info.shtml 
TM-G5240 (Firmware Version:v4.0.0b28) 
wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.87/Status/st_devic.htm 
But, No One Exposes Web 
Management Interfaces To 
The Internet? 
Because no presentation is complete without a Shodan 
screenshot
Canadians & Chinese 
thttpd-alphanetworks is a 
fork of thttpd by a spin-off of 
D-Link
Remote Exploitation Via 
Browser 
• But wait, what if you could get someone to click on a link? 
• Could you send authentication + exploit to the router? 
• You need a few things to happen: 
• The victim must load a web page with your exploit code 
• Your exploit code must be able to modify the User-Agent 
• You have to know the IP address (192.168.0.1) of the device 
• You must run a command through the web interface to do something evil 
• You must bypass the Same Origin policy 
DIR-100 Buffer Overflow 
• But wait, there’s more! Craig also released a buffer 
overflow vulnerability and exploit code: 
• http://pastebin.com/vbiG42VD 
• Limited to 200 bytes of shellcode 
• Requires admin 
# strings webs | egrep '(sprintf|strcpy)' 
strcpy 
sprintf 
Benefit: Now we can upload and execute code on the device, allowing 
us to execute commands and/or install software. 
Multi-Stage Dropper MIPS 
Shellcode 
• Zach Cutlip is awesome, and his shellcode is damn sexy: 
• https://github.com/tacnetsol/exploit-tools/tree/master/shellcode/mips/trojan-dropper 
• Or callback in 184 bytes: 
• https://github.com/tacnetsol/exploit-tools/blob/master/shellcode/mips/connect-back/callback_payload.py 
It’s not dead yet... 
But wait, there’s even more!
DIR-100 XSS & So Much More 
• December 2013 researcher Felix Richter exposes several more 
vulnerabilities affecting DIR-100 routers 
• http://packetstormsecurity.com/files/125041/D-Link-DIR-100-CSRF-XSS-Disclosure-Authentication.html 
• Retrieve the Administrator password without authentication leading to 
authentication bypass [CWE-255] 
• Retrieve sensitive configuration parameters like the pppoe username and 
password without authentication [CWE-200] 
• Execute privileged Commands without authentication through a race condition 
leading to weak authentication enforcement [CWE-287] 
• Sending formatted request to a victim which then will execute arbitrary commands 
on the device (CSRF) [CWE-352] 
• Store arbitrary javascript code which will be executed when a victim accesses the 
administrator interface [CWE-79] 
I See Your Privates 
root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/etc# cat stunnel.pem 
-----BEGIN CERTIFICATE----- 
<snip> 
-----END CERTIFICATE----- 
-----BEGIN RSA PRIVATE KEY----- 
<snip> 
-----END RSA PRIVATE KEY-----
Let’s Recap 
• For your enjoyment, DIR-100 has: 
• At least 2 different authentication bypass vulnerabilities 
• Information disclosure, leading to PPPOE passwords 
• A CSRF vulnerability 
• A remote buffer overflow 
• A stored XSS vulnerability 
• Select models use static keys 
0wning D-Link? 
• http://suporte.dlink.com.br/suporte/emuladores/DIR/DIR_100/Status/st_device.htm 
These Conditions Can’t 
Exist On Other Devices? 
• Medical: http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/ 
• SCADA: http://seclists.org/fulldisclosure/2012/Apr/277 
• Industrial Automation: http://www.ioactive.com/news-events/ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_automation_devices.html 
• Building Automation: https://www.youtube.com/watch?v=c4LMrKEO_t0 (BACNet) 
• Home Automation: http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html 
Even More Attacks 
• HD Moore found several flaws in VxWorks, scanned 3.1 
billion IP addresses and found 250,000 systems exposed 
to the Internet 
- http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html 
• Craig Heffner discovered a DNS rebinding attack on 
several routers allowing attackers to gain control of 
administrative interfaces 
- http://code.google.com/p/rebind/ 
Even More Attacks (2) 
• Ki-Chan Ahn and Dong-Joo Ha created malware for 
Nintendo Wii and DS systems 
- http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/ 
• Barnaby Jack remotely attacked two different ATMs and 
“made the money come out” (without a card+pin #) 
- http://www.youtube.com/watch?v=qwMuMSPW3bU 
But Why? 
Why are embedded systems left out in the cold when it comes to 
security?
Why? 
• Embedded systems, across all major categories are 
designed with two things in mind: 
• Usability - Does the system work as intended for the user? (e.g. my TV 
turns on, allows me to change the channel, displays an image) 
• Reliability - Does the system catch fire, break, fall over, or cease 
functioning under certain conditions? (e.g. does my TV catch fire if left on 
or melt due to temperature being too high?) 
• What are they not designing for? 
Why? 
• What happens if an external user takes control of the 
system and makes it do “bad things”? 
• Think of it like a hammer: 
• I make sure it can pound stuff (usability) 
• I make sure the head doesn’t come flying off and kill someone (reliability) 
• I don’t design it to stop someone from using it to smash someone’s face 
Credit: http://wiki.securityweekly.com/wiki/index.php/Episode_386#Interview:_Mike_Murray 
These are no ordinary 
hammers 
• The hammers, embedded systems, we speak of have 
connectivity! 
• Ethernet 
• Wifi 
• Bluetooth 
• ZigBee 
• RFID 
• NFC 
What Do We Do About It? 
10 Most Wanted List: A Guide For Embedded Device 
Manufacturers and Software Developers
10 Most Wanted List 
1. Backdoors inside of firmware 
2. Default credentials 
3. Insecure Remote management (Defaults & Clear-Text Transmissions) 
4. Open-source software and drivers, NOT binary blobs 
5. Functions prone to overflow conditions 
6. Firmware and configuration encryption 
7. Easy-to-use firmware updates (auto-updates) 
8. Secure web management interfaces 
9. Maintain a CIRT and provide a program for security researchers 
10. Implement Protocols Security / Implement Secure Protocols 
1. Firmware Backdoors 
• A “secret” account (or access) created by the vendor that 
allows remote management 
• Excuse is this is done for support reasons (password 
resets) 
• The problem is: it’s not so secret 
Backdoor password was... 
Derived from the MAC address....
2. Default Credentials 
• A known set of credentials used out-of-the-box 
• Typically found via Google or in documentation 
• The problems: Anyone can discover this value and users/ 
administrators don’t change it 
• Also: Firmware updates sometimes reset it to the default 
value 
3. Insecure Remote 
Management 
• HTTP & TELNET - It’s 2014, why are we still using these 
protocols to manage systems? 
• HTTPS - Yes, there is a cost for a certificate. And yes, 
sometimes vendors will use the same one for every device 
• SSH - Same thing here, but easier to enable by default 
• Oh, and weak passwords 
4. Open-Source drivers 
• Interoperability is nice, but also begs the security question 
• How do I keep my software and hardware up-to-date if 
you don’t provide me with a new driver! 
• Open-source drivers allow for more eyes, and typically are 
patched more quickly 
5. Functions prone to 
overflow 
• Wait, we know strcpy() is bad, right? 
• Why do we still use it? 
• And yes, programmers still use it 
• In fact, if you take it out, they will just put it back 
• https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities 
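The strcpy()/sprintf() pattern that the strings output from the DIR-100 webs binary pointed at, and that item 5 here is about, shown as an added example beside a bounded replacement. This is constructed code, not from the slides or any D-Link source; the 64-byte header buffer and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example, not code from the slides or from the DIR-100 "webs"
 * binary. A fixed 64-byte header buffer is assumed for illustration. */
#define UA_MAX 64

/* BEFORE: the pattern 'strings webs | egrep strcpy' points at. The header
 * value comes straight from the client; anything longer than 63 bytes runs
 * past 'ua' and overwrites whatever the compiler placed after it. */
void store_user_agent_unsafe(const char *header_value)
{
    char ua[UA_MAX];
    strcpy(ua, header_value);           /* no length check at all */
    printf("UA: %s\n", ua);
}

/* AFTER: copy only when the value and its terminator fit, otherwise refuse.
 * Returns 0 on success, -1 when the header is too long. strncpy() is not
 * used because it silently truncates and can leave 'ua' unterminated. */
int store_user_agent_safe(char *ua, size_t ua_size, const char *header_value)
{
    /* memchr() stops after ua_size bytes, so an oversize or unterminated
     * input is never walked to its end. */
    const char *nul = memchr(header_value, '\0', ua_size);
    if (nul == NULL)
        return -1;                      /* no terminator within ua_size */
    size_t len = (size_t)(nul - header_value);
    memcpy(ua, header_value, len + 1);  /* copies the terminator too */
    return 0;
}

/* The sprintf() case: snprintf() bounds the write and reports how long the
 * full output would have been, so truncation is detected instead of being
 * silently ignored. Returns the line length, or -1 if it did not fit. */
int format_log_line(char *out, size_t out_size, const char *ip, const char *ua)
{
    int n = snprintf(out, out_size, "%s \"%s\"", ip, ua);
    if (n < 0 || (size_t)n >= out_size)
        return -1;
    return n;
}

int main(void)
{
    char ua[UA_MAX];
    char line[128];
    char oversize[UA_MAX + 200];        /* far larger than the buffer */

    memset(oversize, 'A', sizeof oversize - 1);
    oversize[sizeof oversize - 1] = '\0';

    printf("short value:    %d\n", store_user_agent_safe(ua, sizeof ua, "Mozilla/5.0"));
    printf("oversize value: %d\n", store_user_agent_safe(ua, sizeof ua, oversize));
    printf("log line:       %d\n", format_log_line(line, sizeof line, "192.168.0.1", "Mozilla/5.0"));
    /* store_user_agent_unsafe(oversize) would smash the stack; deliberately not called. */
    return 0;
}
```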
Funny Thing About 
Encryption 
6. Firmware Encryption 
• Signing firmware updates makes it harder to backdoor 
existing firmware 
• Encrypting firmware makes it tougher to reverse engineer 
(though don’t let that replace real security) 
• Also, XOR is NOT encryption 
• http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859? 
7. User Friendly Firmware 
Updates 
• Take a page right from Microsoft’s playbook (I can’t believe 
I just wrote that, but...) 
• Step back, most are unaware devices need to be updated 
for security, amazed that it actually works 
• Even the term “update firmware” is too geeky, we need to 
change this 
• Smartphones are a great example 
8. Secure Web Frameworks 
• The code behind the web management interface is typically 
poorly implemented 
• Java, Ruby, Python, .NET - all too “heavy” to implement on 
small systems 
• Developers typically write their own, similar results to 
“Well, I’ll just implement my own encryption algorithm” 
9. Maintain a CIRT 
• Look, this is FREE help! 
• D-Link has fixed the problems we covered earlier 
• Some vulnerabilities never get fixed 
• Researchers get frustrated and just post the exploits to 
pastebin 
• Prezi got hacked, paid the researcher money, and wrote a 
nice blog post about it and linked to the researcher’s 
presentation (not in Prezi) 
• It pays to work and collaborate with security researchers 
10. Secure Protocols 
• UPnP, IPMI, HNLP, DLNA are common protocols on 
consumer devices 
• Modbus is popular on SCADA devices 
• The problem is they offer great functionality 
• But security is often left out entirely 
• IPMI and HNLP have had huge problems, leading to major 
issues and even the “Linksys Router Worm” 
• The protocols desperately need security... 
http://www.blackhillsinfosec.com 
For Slides Join Our Mailing List: http://securityweekly.com/insider 
Podcasts/Blogs/Videos: http://securityweekly.com 
Contact Me: paul@securityweekly.com

More Related Content

PDF
The Internet of Insecure Things: 10 Most Wanted List
PDF
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
PPT
Give Me Three Things: Anti-Virus Bypass Made Easy
PPTX
Pwn phone2014 jrs
PPT
Attacking Embedded Devices (No Axe Required)
PDF
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
PDF
Mickey pacsec2016_final
PPTX
Practical Security Assessments of IoT Devices and Systems
The Internet of Insecure Things: 10 Most Wanted List
Robots, Ninjas, Pirates and Building an Effective Vulnerability Management Pr...
Give Me Three Things: Anti-Virus Bypass Made Easy
Pwn phone2014 jrs
Attacking Embedded Devices (No Axe Required)
Cracking Into Embedded Devices - Hack in The Box Dubai 2008
Mickey pacsec2016_final
Practical Security Assessments of IoT Devices and Systems

What's hot (20)

PPTX
Getting ready for a Capture The Flag Hacking Competition
PDF
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
PDF
IoT security is a nightmare. But what is the real risk?
PDF
Heartbleed Overview
PPTX
Fragments-Plug the vulnerabilities in your App
PDF
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
PDF
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
PDF
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
PDF
Managing Next Generation Threats to Cyber Security
PPTX
[2.2] Hacking Internet of Things devices - Ivan Novikov
PDF
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PDF
Life as an enterprise security geek from underground. (What enterprises want ...
PDF
terry-gilsenan-pie-operating.10433
PPTX
2014: Mid-Year Threat Review
PPTX
Advanced Persistent Threats
PDF
Software Attacks on Hardware Wallets
PPT
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
ODP
Web application-security-and-why-you-should-review-yours
PDF
Physical Penetration Testing - RootedCON 2015
PPTX
Fingerprinting and Attacking a Healthcare Infrastructure
Getting ready for a Capture The Flag Hacking Competition
Hacktivity 2016: The real risks of the IoT security-nightmare: Hacking IP cam...
IoT security is a nightmare. But what is the real risk?
Heartbleed Overview
Fragments-Plug the vulnerabilities in your App
Fruit vs Zombies: Defeat Non-jailbroken iOS Malware by Claud Xiao
Five Lessons Learned From Breaking Into A Casino: Confessions of a Penetratio...
Networking 2016-06-14 - The Dirty Secrets of Enterprise Security by Kevin Dunn
Managing Next Generation Threats to Cyber Security
[2.2] Hacking Internet of Things devices - Ivan Novikov
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Life as an enterprise security geek from underground. (What enterprises want ...
terry-gilsenan-pie-operating.10433
2014: Mid-Year Threat Review
Advanced Persistent Threats
Software Attacks on Hardware Wallets
50 Shades of RED: Stories from the “Playroom” from CONFidence 2014
Web application-security-and-why-you-should-review-yours
Physical Penetration Testing - RootedCON 2015
Fingerprinting and Attacking a Healthcare Infrastructure
Ad

Viewers also liked (18)

PDF
How To Do A Podcast - Bsides RI 2013
PPTX
Educational justice
ODP
Impacto web 3.0
ODP
unidad estudio de la web
PPT
PPP for Infrastructure Projects
DOCX
Investigacion2 hoja de calculo
PPTX
PPT
FINAL PROJECT
PPTX
PACE-IT: Securing the Workstation
PPTX
Pace IT - Setting Up a SOHO Network
PPTX
Making and breaking security in embedded devices
PPTX
Network Security: Protecting SOHO Networks
PPT
Qatar Presentation
PDF
Communiqué de presse EntrepreneurSHIP Festival 2016
PDF
Il quaderno
PPTX
Intersystems Cache - Как не загреметь в долговую яму
PDF
PPTX
tik bab 1
How To Do A Podcast - Bsides RI 2013
Educational justice
Impacto web 3.0
unidad estudio de la web
PPP for Infrastructure Projects
Investigacion2 hoja de calculo
FINAL PROJECT
PACE-IT: Securing the Workstation
Pace IT - Setting Up a SOHO Network
Making and breaking security in embedded devices
Network Security: Protecting SOHO Networks
Qatar Presentation
Communiqué de presse EntrepreneurSHIP Festival 2016
Il quaderno
Intersystems Cache - Как не загреметь в долговую яму
tik bab 1
Ad

Similar to The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014 (20)

PPTX
Security Challenges in Emerging Technologies
PPTX
Security Challenges in Emerging Technologies
PDF
FMK2014 FileMaker Security and Database Encryption by Jon Thatcher
PDF
ICT Security.pdf
PPTX
Security Issues in Internet of Things
PPTX
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
PPTX
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
PDF
Computer Security Threats
PPTX
Security Testing for IoT Systems
PPTX
Intro to INFOSEC
PDF
Sips & Tricks - Ransomware Identification.pdf
PPTX
Security challenges for internet of things
PPTX
IoT DDoS Attacks: the stakes have changed
PPTX
2014CyberSecurityProject
PPTX
News Bytes - May 2015
PPTX
Keynote at the Cyber Security Summit Prague 2015
PPTX
iGCSE Theory Unit 6 – Effects of Using ICT
PPTX
The hardcore stuff i hack, experiences from past VAPT assignments
PPTX
​Understanding the Internet of Things
PPTX
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website
Security Challenges in Emerging Technologies
Security Challenges in Emerging Technologies
FMK2014 FileMaker Security and Database Encryption by Jon Thatcher
ICT Security.pdf
Security Issues in Internet of Things
Internet of Things... Let's Not Forget Security Please, by Eric Vyncke [APNI...
Internet of Things... Let's Not Forget Security Please!, by Eric Vyncke [APNI...
Computer Security Threats
Security Testing for IoT Systems
Intro to INFOSEC
Sips & Tricks - Ransomware Identification.pdf
Security challenges for internet of things
IoT DDoS Attacks: the stakes have changed
2014CyberSecurityProject
News Bytes - May 2015
Keynote at the Cyber Security Summit Prague 2015
iGCSE Theory Unit 6 – Effects of Using ICT
The hardcore stuff i hack, experiences from past VAPT assignments
​Understanding the Internet of Things
Joomla Security Simplified —  Seven Easy Steps For a More Secure Website

Recently uploaded (20)

PPTX
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF
Spectral efficient network and resource selection model in 5G networks
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Empathic Computing: Creating Shared Understanding
PPTX
Big Data Technologies - Introduction.pptx
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PPT
“AI and Expert System Decision Support & Business Intelligence Systems”
PPTX
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
PPT
Teaching material agriculture food technology
PPTX
MYSQL Presentation for SQL database connectivity
PPTX
Understanding_Digital_Forensics_Presentation.pptx
PPTX
Digital-Transformation-Roadmap-for-Companies.pptx
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
PPTX
sap open course for s4hana steps from ECC to s4
PDF
Network Security Unit 5.pdf for BCA BBA.
PDF
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Detection-First SIEM: Rule Types, Dashboards, and Threat-Informed Strategy
Dropbox Q2 2025 Financial Results & Investor Presentation
Spectral efficient network and resource selection model in 5G networks
Unlocking AI with Model Context Protocol (MCP)
Empathic Computing: Creating Shared Understanding
Big Data Technologies - Introduction.pptx
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
Building Integrated photovoltaic BIPV_UPV.pdf
“AI and Expert System Decision Support & Business Intelligence Systems”
ACSFv1EN-58255 AWS Academy Cloud Security Foundations.pptx
Teaching material agriculture food technology
MYSQL Presentation for SQL database connectivity
Understanding_Digital_Forensics_Presentation.pptx
Digital-Transformation-Roadmap-for-Companies.pptx
Advanced methodologies resolving dimensionality complications for autism neur...
sap open course for s4hana steps from ECC to s4
Network Security Unit 5.pdf for BCA BBA.
Blue Purple Modern Animated Computer Science Presentation.pdf.pdf
NewMind AI Weekly Chronicles - August'25 Week I
Reach Out and Touch Someone: Haptics and Empathic Computing

The Internet Of Insecure Things: 10 Most Wanted List - Derbycon 2014

  • 1. The Internet Of Insecure Things: 10 Most Wanted List ! Paul Asadoorian Founder & CEO http://securityweekly.com
  • 2. Things About Paul http://securityweekly.com Copyright 2014 Work Thing Podcast thing Hacks things Enjoys things
  • 3. Things About This Presentation
    • Yes, I may say “The Internet of Things”
    • This is not about “watch me hack this device”
    • While this is fun, we’ve established things are vulnerable
    • Also, the sky is not falling because someone can hack your toaster (yet)
  • 4. It’s More About…
    • Real attack vectors against embedded systems
    • Some examples of vulnerabilities and attacks (we have to have some fun!)
    • Understanding the different types of systems and applications
    • Most important, what do “we” do about it?
      • The manufacturers of embedded systems
      • The folks tasked with protecting networks, systems and infrastructure
  • 5. Embedded Systems
    “An embedded system is a special-purpose system in which the computer is completely encapsulated by the device it controls.”
    http://www.ece.ncsu.edu/research/cas/ecs
  • 7. I Think This Is Cool but…
    http://hackalizer.com/nest-thermostat-torn-analyzed/
  • 9. Why Do We Care?
    • Who cares if someone hacks my TV, fridge, lights, scale or treadmill or wireless router?
    • Attackers install Adware/Spyware/Ransomware on these devices
    • Ads will be displayed on your devices without your permission
  • 11. Why Do We Care? Privacy.
    • I can see you watching TV
    • I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on
    • I know how long you spend on the toilet
    • I collect all this data and use it to send targeted ads
    • Distribute pictures of you getting a snack in your underwear at 3AM
  • 12. Things are real
  • 13. What if this could be prevented?
  • 15. Why We [Should] Care
    • Attackers will find ways to monetize
    • They will use any system to:
      • Mine Bitcoins (as silly as that sounds, essentially printing currency)
      • Build botnets to send SPAM and launch DDoS attacks
    http://threatpost.com/dns-based-amplification-attacks-key-on-home-routers/105220
    http://www.wired.com/2014/04/hikvision/
    http://securityweekly.com Copyright © 2014 by Defensive Intuition, LLC
  • 16. Industrial Control Systems
    • Turck BL67
    • Tridium Niagara AX
    • Siemens SCALANCE X-200
    • Clorius Controls ISC
    • Magnum MNS-6K
    http://www.tenable.com/plugins/index.php?view=all&family=SCADA
  • 17. Why Do We Care?
    • Potentially life threatening
    • Historically operated on closed networks
    • Physical attacks are in play
    • Economics still apply, cost is a huge factor
    • Devices have to “live” for a really long time
    • It costs money to replace them
  • 18. Corporate
    • Building Entry
    • Environmental
    • Lighting
    • Security Cameras
    • Hotel Key Cards
    • Timeclocks
    • Headsets & Phones
    • Printers & Multi-Function
  • 19. Why Do We Care?
    • Attackers will use “things” as a jumping-off point (a la Target)
    • Attackers will prey on weaknesses, such as POS systems
    • Physical access is not the primary concern, but still possible
    • The challenge of economics applies: low-cost solutions that solve problems will win over security
  • 20. Medical
    • IV Pumps / Drug infusion pumps
    • Insulin Pumps (Wearable)
    • Surgical and anesthesia devices
    • Ventilators
    • External defibrillators
    • Patient monitors
    • Laboratory and analysis equipment
    Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
    http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
  • 21. Why Do We Care?
    • Life threatening for sure
    • Patient care will trump security every time
    • Connectivity and ease of use will trump security
      • Oh sorry, I can’t give you pain meds, the IV pump is updating patches
    • Patient confidentiality also trumps security
    • More important to be compliant than secure
  • 22. Already Happening
    • http://www.proofpoint.com/about-us/press-releases/01162014.php
      • “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge”
      • Okay, well one fridge, on purpose? By accident? Where is the data?
    • http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html
      • “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems, has now been upgraded to mine Crypto Currencies like Bitcoin.”
  • 23. More Already Happening
    • https://blog.kaspersky.com/gaming-console-hacks/
      • “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.”
    • http://www.wired.com/2014/04/hikvision/
      • “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever”
      • “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.”
      • “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
  • 24. If I Had To Pick One Example…. Of a really insecure embedded system it would be…
  • 26. Background
    • I want to show how an attacker would exploit vulnerabilities on embedded systems for profit
    • I found some excellent research published by Craig Heffner, author of binwalk and one of the most talented embedded device security researchers on the planet
      • Hak.5 interview with Craig Heffner on the issues: http://hak5.org/episodes/hak5-1513
      • http://wiki.securityweekly.com/wiki/index.php/Episode320#Interview:_Craig_Heffner
  • 27. Background
    • The other rock star is Zach Cutlip; both work for Tactical Network Solutions and deserve A LOT of praise for their research
    • Joel’s Backdoor is one of the most interesting embedded device vulnerabilities I’ve seen in some time
    • Combined with several other flaws on the D-Link DIR-100
    http://wiki.securityweekly.com/wiki/index.php/Episode342#Tech_Segment:_Zach_Cutlip
  • 28. Exemplify Problem Areas
    1. Backdoors inside of firmware
    2. Default credentials
    3. Functions prone to overflow conditions
    4. Secure web management interfaces
  • 29. BTW, Many of these vulns are old… Not as old as Jack…
  • 30. Joel’s Backdoor
    • October 2013: Craig Heffner released details on a backdoor affecting D-Link routers
    • Reverse engineering the authentication process, Craig finds a special compare
    • Turns out if you set your User-Agent to “xmlset_roodkcableoj28840ybtide” you can access web management
    • No password required! (The string, read backwards: “edit by 04882 joel backdoor”)
    • Who is Joel anyway?
    • http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
  • 31. Why Joel Did This?
    The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
    http://pastebin.com/aMz8eYGa
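The same authentication decision written two ways, as an added example that is not D-Link's code and not from Craig Heffner's post: the User-Agent special case described on slides 30 and 31 beside a version in which only the owner's credentials, or a root-only local control socket for the helper programs slide 31 mentions, grant access. The request struct, the credential values, the function names and the from_control_socket flag are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* The User-Agent value published by Craig Heffner (quoted on slide 30). */
#define BACKDOOR_UA "xmlset_roodkcableoj28840ybtide"

/* Constructed view of one request, as the device's web server would see it. */
struct request {
    const char *user_agent;
    const char *user;           /* from HTTP auth, NULL when absent */
    const char *password;       /* from HTTP auth, NULL when absent */
    bool from_control_socket;   /* hypothetical: peer is a root-only local socket */
};

/* Constructed credentials; real firmware stores a per-device, user-set value. */
static const char *ADMIN_USER = "admin";
static const char *ADMIN_PASS = "correct horse battery staple";

/* Compare without returning at the first mismatching byte, so response
 * time does not reveal how much of the password was right. */
static bool consteq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static bool creds_ok(const struct request *r)
{
    return r->user && r->password &&
           consteq(r->user, ADMIN_USER) && consteq(r->password, ADMIN_PASS);
}

/* BEFORE: the shape of the "special compare" from slide 30. A header any
 * client can set is treated as proof of identity, so the password the
 * owner chose is irrelevant. */
bool check_auth_backdoored(const struct request *r)
{
    if (r->user_agent && strcmp(r->user_agent, BACKDOOR_UA) == 0)
        return true;
    return creds_ok(r);
}

/* AFTER: nothing a network client sends, short of valid credentials, grants
 * access. The local helpers slide 31 mentions (xmlsetc re-applying settings)
 * reach the same settings code over a root-only local socket; the network
 * listener never sets from_control_socket, so a page loaded in a LAN browser
 * (slide 36) has no equivalent of the magic header. */
bool check_auth_fixed(const struct request *r)
{
    if (r->from_control_socket)
        return true;
    return creds_ok(r);
}

int main(void)
{
    struct request probe = { BACKDOOR_UA, NULL, NULL, false };
    printf("backdoored: %s\n", check_auth_backdoored(&probe) ? "granted" : "denied");
    printf("fixed:      %s\n", check_auth_fixed(&probe) ? "granted" : "denied");
    return 0;
}
```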
  • 32. Russians Found It First
    • Looking to root an ISP’s router
    • They found the string, and tried it as the TELNET login
    • They could have found it and never posted it
    • Or they never figured out it’s the User-Agent string
    • January 24, 2010: http://forum.codenet.ru/q58748/%D0%BF%D0%B5%D1%80%D0%B5%D0%B1%D0%BE%D1%80+%D0%BB%D0%BE%D0%B3%D0%B8%D0%BD%D0%BE%D0%B2+-+%D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82
  • 33. Exploit Is Simple
    DIR-100:
      wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.85/Status/Device_Info.shtml
    TM-G5240 (Firmware Version: v4.0.0b28):
      wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.87/Status/st_devic.htm
  • 34. But, No One Exposes Web Management Interfaces To The Internet? Because no presentation is complete without a Shodan screenshot
  • 35. Canadians & Chinese
    thttpd-alphanetworks is a fork of thttpd by a spin-off of D-Link
  • 36. Remote Exploitation Via Browser
    • But wait, what if you could get someone to click on a link?
    • Could you send authentication + exploit to the router?
    • You need a few things to happen:
      • The victim must load a web page with your exploit code
      • Your exploit code must be able to modify the User-Agent
      • You have to know the IP address (192.168.0.1) of the device
      • You must run a command through the web interface to do something evil
      • You must bypass the Same Origin policy
  • 37. DIR-100 Buffer Overflow
    • But wait, there’s more! Craig also released a buffer overflow vulnerability and exploit code:
      • http://pastebin.com/vbiG42VD
    • Limited to 200 bytes of shellcode
    • Requires admin
      # strings webs | egrep '(sprintf|strcpy)'
      strcpy
      sprintf
    Benefit: Now we can upload and execute code on the device, allowing us to execute commands and/or install software.
  • 38. Multi-Stage Dropper MIPS Shellcode
    • Zach Cutlip is awesome, and his shellcode is damn sexy:
      • https://github.com/tacnetsol/exploit-tools/tree/master/shellcode/mips/trojan-dropper
    • Or callback in 184 bytes:
      • https://github.com/tacnetsol/exploit-tools/blob/master/shellcode/mips/connect-back/callback_payload.py
  • 39. It’s not dead yet... But wait, there’s even more!
  • 40. DIR-100 XSS & So Much More
    • December 2013: researcher Felix Richter exposes several more vulnerabilities affecting DIR-100 routers
    • http://packetstormsecurity.com/files/125041/D-Link-DIR-100-CSRF-XSS-Disclosure-Authentication.html
      • Retrieve the Administrator password without authentication, leading to authentication bypass [CWE-255]
      • Retrieve sensitive configuration parameters like the PPPoE username and password without authentication [CWE-200]
      • Execute privileged commands without authentication through a race condition, leading to weak authentication enforcement [CWE-287]
      • Send a formatted request to a victim which will then execute arbitrary commands on the device (CSRF) [CWE-352]
      • Store arbitrary JavaScript code which will be executed when a victim accesses the administrator interface [CWE-79]
  • 41. I See Your Privates
    root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/etc# cat stunnel.pem
    (The file shipped in the firmware holds a certificate followed by its RSA private key; the PEM blocks are omitted here.)
  • 42. Let’s Recap
    • For your enjoyment, DIR-100 has:
      • At least 2 different authentication bypass vulnerabilities
      • Information disclosure, leading to PPPoE passwords
      • A CSRF vulnerability
      • A remote buffer overflow
      • A stored XSS vulnerability
      • Select models use static keys
  • 43. 0wning D-Link?
    • http://suporte.dlink.com.br/suporte/emuladores/DIR/DIR_100/Status/st_device.htm
  • 44. These Conditions Can’t Exist On Other Devices?
    • Medical: http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
    • SCADA: http://seclists.org/fulldisclosure/2012/Apr/277
    • Industrial Automation: http://www.ioactive.com/news-events/ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_automation_devices.html
    • Building Automation: https://www.youtube.com/watch?v=c4LMrKEO_t0 (BACnet)
    • Home Automation: http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html
  • 45. Even More Attacks
    • HD Moore found several flaws in VxWorks, scanned 3.1 billion IP addresses and found 250,000 systems exposed to the Internet - http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html
    • Craig Heffner discovered a DNS rebinding attack on several routers allowing attackers to gain control of administrative interfaces - http://code.google.com/p/rebind/
  • 46. Even More Attacks (2)
    • Ki-Chan Ahn and Dong-Joo Ha created malware for Nintendo Wii and DS systems - http://games.venturebeat.com/2010/07/31/live-demos-of-hacking-the-nintendo-ds-and-the-wii-to-spread-malware/
    • Barnaby Jack remotely attacked two different ATMs and “made the money come out” (without a card + PIN) - http://www.youtube.com/watch?v=qwMuMSPW3bU
  • 47. But Why? Why are embedded systems left out in the cold when it comes to security?
  • 48. Why?
    • Embedded systems, across all major categories, are designed with two things in mind:
      • Usability - Does the system work as intended for the user? (e.g. my TV turns on, allows me to change the channel, displays an image)
      • Reliability - Does the system catch fire, break, fall over, or cease functioning under certain conditions? (e.g. does my TV catch fire if left on, or melt because the temperature is too high?)
    • What are they not designing for?
  • 49. Why?
    • What happens if an external user takes control of the system and makes it do “bad things”?
    • Think of it like a hammer:
      • I make sure it can pound stuff (usability)
      • I make sure the head doesn’t come flying off and kill someone (reliability)
      • I don’t design it to stop someone from using it to smash someone’s face
    Credit: http://wiki.securityweekly.com/wiki/index.php/Episode_386#Interview:_Mike_Murray
  • 50. These are no ordinary hammers
    • The hammers, embedded systems, we speak of have connectivity!
      • Ethernet
      • Wifi
      • Bluetooth
      • ZigBee
      • RFID
      • NFC
  • 51. What Do We Do About It? 10 Most Wanted List: A Guide For Embedded Device Manufacturers and Software Developers
  • 52. 10 Most Wanted List
    1. Backdoors inside of firmware
    2. Default credentials
    3. Insecure Remote management (Defaults & Clear-Text Transmissions)
    4. Open-source software and drivers, NOT binary blobs
    5. Functions prone to overflow conditions
    6. Firmware and configuration encryption
    7. Easy-to-use firmware updates (auto-updates)
    8. Secure web management interfaces
    9. Maintain a CIRT and provide a program for security researchers
    10. Implement Secure Protocols
  • 53. 1. Firmware Backdoors
    • A “secret” account (or access) created by the vendor that allows remote management
    • The excuse is that this is done for support reasons (password resets)
    • The problem is: it’s not so secret
  • 54. Backdoor password was... Derived from the MAC address....
  • 55. 2. Default Credentials
    • A known set of credentials used out-of-the-box
    • Typically found via Google or in documentation
    • The problems: Anyone can discover this value, and users/administrators don’t change it
    • Also: Firmware updates sometimes reset it to the default value
  • 56. 3. Insecure Remote Management
    • HTTP & TELNET - It’s 2014, why are we still using these protocols to manage systems?
    • HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device
    • SSH - Same thing here, but easier to enable by default
    • Oh, and weak passwords
  • 57. 4. Open-Source drivers
    • Interoperability is nice, but also begs the security question
    • How do I keep my software and hardware up-to-date if you don’t provide me with a new driver?
    • Open-source drivers allow for more eyes, and typically are patched more quickly
  • 58. 5. Functions prone to overflow
    • Wait, we know strcpy() is bad, right?
    • Why do we still use it?
    • And yes, programmers still use it
    • In fact, if you take it out, they will just put it back
    • https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
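The strcpy() habit slide 58 complains about, beside a bounded replacement that rejects over-long input instead of truncating it, as an added example that is not code from the D-Link firmware or from any of the researchers named here. The settings struct, HOSTNAME_MAX and the function names are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define HOSTNAME_MAX 32   /* constructed device limit, including the NUL */

/* Constructed settings block: the flag sits right after the buffer, which
 * is exactly what an over-long strcpy() reaches first. */
struct device_config {
    char hostname[HOSTNAME_MAX];
    int  wan_mgmt_enabled;
};

/* BEFORE: the pattern "strings webs | egrep '(sprintf|strcpy)'" on slide 37
 * points at. Nothing limits how many bytes land in hostname[], so a request
 * parameter of 32 or more bytes overwrites wan_mgmt_enabled and keeps going
 * into whatever follows the struct (stack or heap). Shown only for contrast;
 * never pass attacker-controlled input to it. */
void set_hostname_vuln(struct device_config *cfg, const char *param)
{
    strcpy(cfg->hostname, param);
}

/* Length of s, but never looking past max bytes (strnlen is not in C99). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Copy src into dst only if it fits with its terminator; otherwise leave dst
 * untouched and report failure. Rejecting beats silently truncating: a
 * truncated value can still look valid and hide the bug. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = bounded_len(src, dstsz);
    if (n == dstsz)              /* no room left for the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* AFTER: validate, then copy with a bound. Returns 0 on success, -1 when the
 * value is empty, too long, or holds characters a hostname cannot contain.
 * The character filter is cheap and also removes shell metacharacters, which
 * matters on firmware that later feeds settings to system(). */
int set_hostname_fixed(struct device_config *cfg, const char *param)
{
    size_t len = bounded_len(param, HOSTNAME_MAX);
    if (len == 0 || len == HOSTNAME_MAX)
        return -1;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)param[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return -1;
    }
    return copy_bounded(cfg->hostname, sizeof cfg->hostname, param);
}

int main(void)
{
    struct device_config cfg = { "dir-100", 0 };
    char too_long[64];
    memset(too_long, 'A', sizeof too_long - 1);
    too_long[sizeof too_long - 1] = '\0';
    printf("fixed, 63 bytes: %d (hostname still \"%s\")\n",
           set_hostname_fixed(&cfg, too_long), cfg.hostname);
    printf("fixed, \"router.lan\": %d\n", set_hostname_fixed(&cfg, "router.lan"));
    return 0;
}
```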
  • 61. Funny Thing About Encryption
  • 62. 6. Firmware Encryption
    • Signing firmware updates makes it harder to backdoor existing firmware
    • Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security)
    • Also, XOR is NOT encryption
    • http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859?
  • 63. 7. User Friendly Firmware Updates
    • Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...)
    • Step back: most are unaware devices need to be updated for security, and amazed that it actually works
    • Even the term “update firmware” is too geeky, we need to change this
    • Smartphones are a great example
  • 64. 8. Secure Web Frameworks
    • The code behind the web management interface is typically poorly implemented
    • Java, Ruby, Python, .NET - all too “heavy” to implement on small systems
    • Developers typically write their own, with similar results to “Well, I’ll just implement my own encryption algorithm”
  • 65. 9. Maintain a CIRT
    • Look, this is FREE help!
    • D-Link has fixed the problems we covered earlier
    • Some vulnerabilities never get fixed
    • Researchers get frustrated and just post the exploits to pastebin
    • Prezi got hacked, paid the researcher money, and wrote a nice blog post about it and linked to the researcher’s presentation (not in Prezi)
    • It pays to work and collaborate with security researchers
  • 66. 10. Secure Protocols
    • UPnP, IPMI, HNAP, DLNA are common protocols on consumer devices
    • Modbus is popular on SCADA devices
    • The problem is they offer great functionality
    • But security is often left out entirely
    • IPMI and HNAP have had huge problems, leading to major issues and even the “Linksys Router Worm”
    • The protocols desperately need security...
  • 67. For Slides: http://www.blackhillsinfosec.com
    Join Our Mailing List: http://securityweekly.com/insider
    Podcasts/Blogs/Videos: http://securityweekly.com
    Contact Me: paul@securityweekly.com