#RSAC SESSION ID: SBX2-R3
IRL: Live Hacking Demos!
Rick Ramgattie, Security Analyst, Independent Security Evaluators (ISE), @rramgatie
Omer Farooq, Senior Security Analyst, Independent Security Evaluators (ISE), @omerfar23
About ISE
• Perspective: white box
• Analysts: hackers, cryptographers, reverse engineers (RE)
• Exploits: iPhone, Android, Ford, Exxon, Diebold
• Research: routers, NAS, healthcare
• Customers: companies with high-value assets
What is the Internet of Things (IoT)?
• Non-conventional, network-connected devices
  – Refrigerators
  – Washing machines
  – Surveillance cameras
  – Thermostats
  – Lightbulbs
  – Door locks
IoT and the Enterprise Environment
• Potential to improve efficiency and productivity
  – Utilities
  – Industrial
  – Health care
  – Transportation
  – Agriculture
IoT and the Enterprise Environment
• Potential to increase the attack surface of corporate networks
• 67% of executives will adopt IoT despite potential risks [2]
• 25% of remote workers have at least one IoT device connected to a corporate network [2]
• "[B]y the end of 2017, over 20 percent of organizations will have digital security services devoted to protecting business initiatives using devices and services in IoT" [1]
[1] https://www.gartner.com/newsroom/id/2905717
[2] https://www.tripwire.com/register/enterprise-of-things-report/
What are the Dangers?
• Corporate bring-your-own-device (BYOD) policies have already led to undetected breaches
• Similarly, IoT introduces unaudited devices with poor security to the network:
  – Often exempt from compliance with security policies
  – Hard to install updates/patches
  – Lack built-in security (encryption, authentication, hardening, etc.)
  – Default credentials (a major infection vector for botnets)
What are the Dangers? (cont.)
• "70% of IoT devices were vulnerable to some sort of attack; 60% of IoT devices with a user interface were vulnerable to issues like cross-site scripting and weak credentials; and 70% of IoT devices used unencrypted network services" [1]
• Potential for mass exploitation [2]
• Examples: Mirai (roughly 1 Tbps DDoS; its 2016 attack on the DNS provider Dyn took many major sites offline), BASHLITE (1 million IoT bots), Linux.Darlloz, Remaiten
[1] http://fortifyprotect.com/HP_IoT_Research_Study.pdf
[2] https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf
Types of Vulnerabilities
• Bypassing authentication and authorization checks
• Remote command injection
• Stack-based buffer overflows
• Remote file inclusion
• Cross-site request forgery (CSRF)
• Information leaks
Demo Devices
• Belkin router
• Motorola Focus73 camera
• Netgear ReadyNAS RN10400 network attached storage (NAS)
• ASUS RT-N56U router
Belkin N+ Wireless Router
Belkin N+ Wireless Router
• Web interface that connects back to Belkin
• Running Linux
• Has BusyBox installed
• Open ports: tcp/53, tcp/80
Belkin N+: 1 Vulnerability
• Client-side authentication
Belkin N+ (demo screenshots; no text to recover)
Belkin N+: Countermeasures
• Perform authentication and authorization checks on the server for every request; a check that runs in the browser's JavaScript is under the attacker's control and can simply be skipped.
• Don't rely on security through obscurity.
Belkin N+: Recap
• Client-side authentication
• Leads to admin access
• Countermeasures
Motorola Focus73
Motorola Focus73
• IP camera
• Connects to your network via Ethernet or WiFi
• Intended to be controlled via Motorola's mobile applications (iOS and Android)
• Running Linux
• Has nc (netcat) installed
• Open ports: tcp/80, tcp/8080
Motorola Focus73: 3 Vulnerabilities
• Lack of authentication and authorization mechanisms in the Nuvoton web server
• Command injection
• Remote file inclusion
Motorola Focus73 (demo screenshot; no text to recover)
Motorola Focus73
• The uploaded file does not need to be a real firmware image
• /fwupgrade.html calls a CGI script
• That script is vulnerable to both command injection and remote file upload
Motorola Focus73 (demo screenshots; no text to recover)
Motorola Focus73: Countermeasures
• Missing function level access control: perform authentication and authorization checks on the server for every request.
• Remote file inclusion / directory traversal:
  – Avoid using user input in file system calls.
  – Canonicalize paths (resolve symlinks, "." and "..") and then verify that the result still lies inside the intended directory.
  – Properly configure services.
• Command injection:
  – Avoid calling shell commands when possible; use an API or exec the program directly with an argument vector.
  – If no API exists, validate user input against an allowlist before passing it to a function that executes system commands.
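The canonicalization countermeasure above, as an added example in C (this is not ISE's or Motorola's code, and the function names, the web-root layout and the sample files are constructed for the illustration). A CGI that opens root + user_path is not fixed by stripping "../" substrings: symlinks inside the root and encoded or repeated dot segments still escape. The check below resolves the joined path with realpath() and accepts it only if the canonical result is still beneath the canonical root, with the prefix match forced to end at a separator so /srv/www does not admit /srv/www-private. Because realpath() requires the target to exist, a write target such as an uploaded firmware image is handled by canonicalizing the parent directory and vetting the basename separately.

```c
#define _XOPEN_SOURCE 700
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Vet a user-supplied file name for a write target (e.g. an uploaded
 * firmware image): exactly one path component, no traversal, and only
 * characters from a small allowlist. Returns 1 if acceptable. */
int safe_filename(const char *name)
{
    if (name == NULL || name[0] == '\0') return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        if (!(isalnum(c) || c == '.' || c == '_' || c == '-')) return 0;
    }
    return 1;
}

/* Canonicalize root + "/" + user_path with realpath() (symlinks, "." and
 * ".." resolved) and accept it only if the result still lies beneath the
 * canonical root. Returns 0 and writes the canonical path to out, -1 on any
 * failure. realpath() needs the target to exist, so this suits reads; for a
 * write, resolve the parent directory here and vet the basename with
 * safe_filename(). */
int resolve_under_root(const char *root, const char *user_path,
                       char *out, size_t outlen)
{
    char canon_root[PATH_MAX], joined[PATH_MAX], canon[PATH_MAX];
    size_t rl;

    if (root == NULL || user_path == NULL || user_path[0] == '\0') return -1;
    if (realpath(root, canon_root) == NULL) return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", canon_root, user_path)
            >= (int)sizeof joined) return -1;
    if (realpath(joined, canon) == NULL) return -1;

    rl = strlen(canon_root);
    /* The prefix match must end at a separator (or match exactly) so that a
     * root of /srv/www does not admit /srv/www-private. A root of "/" admits
     * everything, which is one reason a web root must never be "/". */
    if (!(rl == 1 && canon_root[0] == '/')) {
        if (strncmp(canon, canon_root, rl) != 0) return -1;
        if (canon[rl] != '/' && canon[rl] != '\0') return -1;
    }
    if (strlen(canon) >= outlen) return -1;
    strcpy(out, canon);
    return 0;
}

/* Self-check on a throwaway tree constructed for this example: a file inside
 * the web root, a file outside it, and a symlink inside the root that points
 * outside. Returns 1 if every case is handled as intended. */
int demo_traversal_checks(void)
{
    char base[] = "/tmp/iotdemo.XXXXXX";
    char www[PATH_MAX], page[PATH_MAX], secret[PATH_MAX], lnk[PATH_MAX], out[PATH_MAX];
    FILE *f;
    int ok = 1;

    if (mkdtemp(base) == NULL) return 0;
    snprintf(www, sizeof www, "%s/www", base);
    snprintf(page, sizeof page, "%s/www/index.html", base);
    snprintf(secret, sizeof secret, "%s/secret.txt", base);
    snprintf(lnk, sizeof lnk, "%s/www/escape", base);
    if (mkdir(www, 0700) != 0) return 0;
    if ((f = fopen(page, "w")) == NULL) return 0;
    fputs("<html></html>\n", f); fclose(f);
    if ((f = fopen(secret, "w")) == NULL) return 0;
    fputs("wifi-psk=constructed\n", f); fclose(f);
    if (symlink("../secret.txt", lnk) != 0) return 0;

    ok &= resolve_under_root(www, "index.html", out, sizeof out) == 0;        /* plain file */
    ok &= resolve_under_root(www, "../www/index.html", out, sizeof out) == 0; /* ".." that stays inside */
    ok &= resolve_under_root(www, "../secret.txt", out, sizeof out) == -1;    /* classic traversal */
    ok &= resolve_under_root(www, "escape", out, sizeof out) == -1;           /* symlink out of root */
    ok &= resolve_under_root(www, "missing.html", out, sizeof out) == -1;     /* does not exist */

    unlink(lnk); unlink(page); unlink(secret); rmdir(www); rmdir(base);
    return ok;
}
```

The symlink case is the one a lexical "../" filter misses: the request path contains no dots at all, yet the resolved target is outside the root. Rejecting non-existent targets is deliberate for reads; for the firmware-upload case, call resolve_under_root() on the upload directory and safe_filename() on the submitted name before opening anything.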
Motorola Focus73: Recap
• IP camera vulnerable to missing auth checks and command injection
• Missing function level access control and directory traversal countermeasures
• Command injection countermeasures
• Quick look at the fix for command injection
Netgear ReadyNAS RN10400
Netgear ReadyNAS RN10400
• Network attached storage
• Web interface that connects back to Netgear
• Running Linux
• Has BusyBox installed
• Open ports: tcp/22, tcp/80
Netgear ReadyNAS RN10400: 2 Vulnerabilities
• Lack of CSRF protection
• Arbitrary command injection
Netgear ReadyNAS RN10400 (demo screenshot; no text to recover)
Netgear ReadyNAS RN10400: Countermeasures
• Cross-site request forgery:
  – Implement anti-CSRF tokens AND HTTP Referer/Origin checking; the token must be unpredictable, tied to the session, and compared on the server.
  – Feeling ambitious? Require the user to re-authenticate before performing a state change.
• Command injection:
  – Avoid calling shell commands when possible.
  – If no API exists, validate user input against an allowlist before passing it to a function that executes system commands.
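The command injection countermeasure appears on both the Motorola Focus73 and the Netgear ReadyNAS slides; this added C example serves both. It is not vendor or ISE code: the "ping a host" CGI action, the function names and the payload string are constructed for the illustration. The vulnerable builder shows the command line that would reach system() when a request parameter is spliced into it; the hardened path validates the parameter against an allowlist and then execs the program directly with an argument vector, so the shell never sees the input.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* VULNERABLE pattern, shown for contrast and never executed here: the CGI
 * splices the request parameter into a command line that goes to system().
 * The shell then interprets ';', '|', '&', backticks and $(...) inside the
 * parameter. Returns 0 and the command string that would reach system(). */
int build_ping_cmd_vulnerable(const char *host, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "ping -c 1 %s", host);
    if (n < 0 || (size_t)n >= cmdlen) return -1;
    /* the original bug continues with: system(cmd); */
    return 0;
}

/* Allowlist validation for a hostname or IP literal: letters, digits, '.',
 * '-' and ':' only, bounded length, and no leading '-' (which ping would
 * parse as an option). Metacharacters are rejected, not escaped. */
int valid_host(const char *host)
{
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':')) return 0;
    }
    return 1;
}

/* Execute a program with an explicit argument vector and no shell. Every
 * argv element reaches the program as one argument, so shell metacharacters
 * carry no meaning. Returns the exit status, or -1 if it could not run. */
int run_argv(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status) == 127 ? -1 : WEXITSTATUS(status);
}

/* HARDENED: validate first, then exec ping directly with argv. */
int ping_host_safe(const char *host)
{
    if (!valid_host(host)) return -1;
    char *argv[] = { "ping", "-c", "1", (char *)host, NULL };
    return run_argv(argv);
}

/* Constructed payload of the kind a CGI parameter would carry. Returns 1 if
 * the vulnerable builder hands the injected command through untouched. */
int demo_vulnerable_keeps_payload(void)
{
    char cmd[256];
    const char *payload = "8.8.8.8; cat /etc/passwd";
    if (build_ping_cmd_vulnerable(payload, cmd, sizeof cmd) != 0) return 0;
    return strcmp(cmd, "ping -c 1 8.8.8.8; cat /etc/passwd") == 0;
}

/* Runs the "true" utility through run_argv(); expected exit status 0. */
int demo_run_true(void)
{
    char *argv[] = { "true", NULL };
    return run_argv(argv);
}
```

Note the order in ping_host_safe(): the allowlist runs before anything is spawned, and the exec path has no quoting logic to get wrong. Escaping for the shell is the fragile alternative; rejecting anything outside the allowlist is what the slides mean by sanitizing input.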
Netgear ReadyNAS RN10400: Recap
• NAS device vulnerable to both CSRF and command injection
• Leads to full device control (shell access)
• CSRF countermeasures
• Command injection countermeasures
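The Belkin countermeasure (server-side authentication and authorization) and the Netgear countermeasure (anti-CSRF token plus Origin/Referer check, with authentication required before any state change) are the same request gate viewed from two sides. This added C example, not ISE's or either vendor's code, puts them in one function; the session table, token sizes, the 192.168.1.1 origin and the demo inputs are all constructed for the illustration. Every decision is made from server-held state: the browser's cookie is looked up, not trusted, the per-session CSRF token is compared in constant time, and a missing or foreign Origin header is refused.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_HEX 32          /* 16 random bytes rendered as hex */
#define MAX_SESSIONS 8
#define SESSION_TTL 900       /* seconds */

struct session {
    char id[TOKEN_HEX + 1];   /* value carried in the session cookie */
    char csrf[TOKEN_HEX + 1]; /* per-session anti-CSRF token embedded in forms */
    int is_admin;
    time_t expires;
};

static struct session sessions[MAX_SESSIONS];

/* n random hex characters from /dev/urandom; -1 if unavailable. */
int random_hex(char *buf, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    unsigned char raw[TOKEN_HEX];
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || n > 2 * sizeof raw) { if (f) fclose(f); return -1; }
    size_t got = fread(raw, 1, (n + 1) / 2, f);
    fclose(f);
    if (got != (n + 1) / 2) return -1;
    for (size_t i = 0; i < n; i++)
        buf[i] = hex[(raw[i / 2] >> ((i % 2) ? 0 : 4)) & 0xf];
    buf[n] = '\0';
    return 0;
}

/* Compare two strings without an early exit on the first differing byte
 * (constant time for equal-length tokens). Returns 1 if identical. */
int consttime_eq(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Create a session only after the server has verified the credentials. */
struct session *session_create(int is_admin, time_t now)
{
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].id[0] != '\0' && sessions[i].expires > now) continue;
        if (random_hex(sessions[i].id, TOKEN_HEX) != 0) return NULL;
        if (random_hex(sessions[i].csrf, TOKEN_HEX) != 0) return NULL;
        sessions[i].is_admin = is_admin;
        sessions[i].expires = now + SESSION_TTL;
        return &sessions[i];
    }
    return NULL;
}

/* Look the cookie up on the server; the browser's word is not evidence. */
const struct session *session_lookup(const char *cookie_id, time_t now)
{
    if (cookie_id == NULL) return NULL;
    for (int i = 0; i < MAX_SESSIONS; i++) {
        if (sessions[i].id[0] == '\0' || sessions[i].expires <= now) continue;
        if (consttime_eq(cookie_id, sessions[i].id)) return &sessions[i];
    }
    return NULL;
}

/* Gate for every state-changing request (firmware upload, password change,
 * share creation). Authentication, authorization, the anti-CSRF token and
 * the Origin header are all checked here, on the server. */
int state_change_allowed(const char *cookie_id, const char *form_token,
                         const char *origin_hdr, const char *expected_origin,
                         time_t now)
{
    const struct session *s = session_lookup(cookie_id, now);
    if (s == NULL) return 0;                                   /* not logged in */
    if (!s->is_admin) return 0;                                /* logged in, not allowed */
    if (form_token == NULL || !consttime_eq(form_token, s->csrf)) return 0;
    /* Browsers attach Origin to cross-site POSTs; a missing or foreign
     * Origin is refused rather than trusted. */
    if (origin_hdr == NULL || strcmp(origin_hdr, expected_origin) != 0) return 0;
    return 1;
}

/* Walk through the cases with constructed inputs; returns 1 if all agree. */
int demo_gate(void)
{
    time_t now = 1000000;
    const char *site = "http://192.168.1.1";
    struct session *adm = session_create(1, now);
    struct session *usr = session_create(0, now);
    if (adm == NULL || usr == NULL) return 0;
    int ok = 1;
    ok &= state_change_allowed(adm->id, adm->csrf, site, site, now) == 1;                  /* genuine admin request */
    ok &= state_change_allowed(adm->id, NULL, site, site, now) == 0;                       /* CSRF: no token */
    ok &= state_change_allowed(adm->id, adm->csrf, "http://evil.example", site, now) == 0; /* foreign Origin */
    ok &= state_change_allowed(adm->id, adm->csrf, NULL, site, now) == 0;                  /* Origin missing */
    ok &= state_change_allowed(usr->id, usr->csrf, site, site, now) == 0;                  /* authenticated, not admin */
    ok &= state_change_allowed("deadbeef", adm->csrf, site, site, now) == 0;               /* forged cookie */
    ok &= state_change_allowed(adm->id, adm->csrf, site, site, now + SESSION_TTL) == 0;    /* expired */
    return ok;
}
```

The CSRF attack on the ReadyNAS works because the victim's browser attaches the session cookie automatically; the token defeats it because the attacker's page cannot read a value that only exists in the victim's own form. The Origin check is the second, independent line, and the "feeling ambitious" option on the slide corresponds to demanding a fresh password in addition to the token for the most sensitive actions.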
ASUS RT-N56U
ASUS RT-N56U
• Wireless router
• Running Linux
• Has BusyBox installed
• Open ports: tcp/53, tcp/80, tcp/515, tcp/18017
ASUS RT-N56U: 2 Vulnerabilities
• Client-side credential disclosure
• Web server stack-based buffer overflow
ASUS RT-N56U (demo screenshot; no text to recover)
ASUS RT-N56U: Countermeasures
• Don't use unsafe functions (strcpy, sprintf, gets, sscanf "%s" without a width); prefer bounded variants and check lengths explicitly.
• Perform bounds checking on every copy into a fixed-size buffer.
• Compile/link with exploit mitigations:
  – Canary/stack cookie: gcc -fstack-protector (or -fstack-protector-strong)
  – ASLR: gcc -fPIE at compile time and -pie at link time; the kernel must also randomize mappings
  – DEP/NX: the GNU toolchain marks the stack non-executable by default (check the GNU_STACK entry with readelf -lW); it only holds if the kernel and CPU enforce it, and older MIPS cores used in SOHO routers have no execute-inhibit bit, which is why MIPS shellcode on the stack still runs there
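The bounds-checking countermeasure, as an added C example; it is not the ASUS web server's code and not ISE's exploit. The header being parsed (Host), the request strings and the function names are constructed for the illustration, but the bug class is the one on the slide: a fixed-size stack buffer filled by an unbounded copy. The vulnerable parser uses sscanf("%s") with no width, so a value longer than the buffer overwrites the saved return address; the hardened parser measures the token first, refuses anything that would not fit, and only then copies.

```c
#include <stdio.h>
#include <string.h>

#define HOST_MAX 64

/* Constructed ordinary request. */
static const char REQ_SHORT[] =
    "GET /index.asp HTTP/1.1\r\nHost: router.local\r\nConnection: close\r\n\r\n";

/* VULNERABLE: sscanf("%s") has no width limit, so a Host value longer than
 * HOST_MAX-1 bytes writes past 'host' on the stack and over the saved return
 * address. Kept for contrast; only ever call it with short input. */
int parse_host_unsafe(const char *request)
{
    char host[HOST_MAX];
    const char *p = strstr(request, "Host: ");
    if (p == NULL) return -1;
    if (sscanf(p + 6, "%s", host) != 1) return -1;
    return (int)strlen(host);
}

/* HARDENED: measure the token first, refuse anything that would not fit
 * (refusing is safer than silently truncating, which can itself create a
 * parsing inconsistency), then copy exactly that many bytes and terminate.
 * Returns the length, -1 if absent, -2 if over-long. */
int parse_host_safe(const char *request, char *out, size_t outlen)
{
    const char *p = strstr(request, "Host: ");
    if (p == NULL || outlen == 0) return -1;
    p += strlen("Host: ");
    size_t len = strcspn(p, " \t\r\n");
    if (len == 0) return -1;
    if (len >= outlen) return -2;
    memcpy(out, p, len);
    out[len] = '\0';
    return (int)len;
}

/* Returns 1 if the hardened parser recovers "router.local" from REQ_SHORT. */
int demo_short_host(void)
{
    char host[HOST_MAX];
    if (parse_host_safe(REQ_SHORT, host, sizeof host) != 12) return 0;
    return strcmp(host, "router.local") == 0;
}

/* Build a request whose Host value is n bytes of 'A' (constructed attacker
 * input of the kind an overflow exploit starts from) and report what
 * parse_host_safe() returns for it. */
int demo_overlong_host(size_t n)
{
    char req[1024];
    char host[HOST_MAX];
    if (n > 900) return -99;
    size_t off = (size_t)snprintf(req, sizeof req, "GET / HTTP/1.1\r\nHost: ");
    memset(req + off, 'A', n);
    memcpy(req + off + n, "\r\n\r\n", 5);
    return parse_host_safe(req, host, sizeof host);
}
```

The boundary is exact: 63 bytes fit (HOST_MAX minus the terminator), 64 do not. Build the server with `gcc -fstack-protector-strong -fPIE -pie -Wl,-z,noexecstack` so that, if a copy like parse_host_unsafe() survives review, the canary aborts the process instead of returning into attacker-supplied MIPS shellcode; the code-level fix is still the length check, not the flags.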
ASUS RT-N56U: Recap
• SOHO router vulnerable to a stack-based buffer overflow
• Review of MIPS shellcode
• Execution of the exploit
• Buffer overflow countermeasures
What Can Be Done?
• Revamped IT infrastructure
  – Scale up the ability to monitor and analyze a greater volume of data (increased bandwidth and storage requirements)
  – Distributed network architecture [1]
  – NetFlow analysis: watch for anomalous traffic patterns from similar classes of devices
• Updated security and IT policies
  – Mandated patching of IoT/embedded devices
  – Credential management and commissioning process (default credentials changed before a device goes on the network)
  – Inventory process
  – IPv6: start planning and be aware of the security implications
  – Supply chain of trust: vet your device vendors
[1] http://internetofthingsagenda.techtarget.com/feature/Plan-an-Internet-of-Things-architecture-in-the-data-center
Questions