web based attacks on local iot devices
play

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang - PowerPoint PPT Presentation

Apr 09, 2023 •377 likes •894 views

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster 1 2 3 How to reach local IoT devices? Public devices (e.g., port forwarding) Local malware Web attacks ( this paper ) 4 How to

  1. Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster 1

  2. 2

  3. 3

  4. How to reach local IoT devices? Public devices (e.g., port forwarding) Local malware Web attacks ( this paper ) 4

  5. How to reach local IoT devices? Public devices (e.g., port forwarding) Local Network Local malware Web attacks ( this paper ) 5

  6. How to reach local IoT devices? Public devices (e.g., port forwarding) Local Network Local malware Web attacks ( this paper ) 1. Discover certain IoT devices 2. Access & control IoT devices 6

  7. Preparing the Attacks 7

  8. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, connecting 15 IoT devices and an Android phone. 8

  9. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, IoT Devices connecting 15 IoT devices and an Android phone. Amcrest IP Camera D-Link WiFi Camera 2. Interact with devices, taking pcaps at Google Home the RPi. Observed HTTP endpoints Google Chromecast on 7 devices. Samsung SmartCam Samsung Smart TV Belkin Wemo Switch 9

  10. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, IoT Devices connecting 15 IoT devices and an Android phone. Amcrest IP Camera D-Link WiFi Camera 2. Interact with devices, taking pcaps at Google Home the RPi. Observed HTTP endpoints Google Chromecast on 7 devices. Samsung SmartCam Samsung Smart TV 3. Searched for further documentation on HTTP APIs Belkin Wemo Switch a. Total: 35 GET, 8 POST 10

  11. Attack 1: Identify Local IoT Devices 11

  12. Attack Steps 12

  13. Attack Steps 1. Get local IP (via WebRTC SDP) 192.168.6.6 13

  14. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 192.168.6.6 14

  15. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 TCP SYN to port 81 192.168.6.6 TCP RST 15

  16. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 192.168.6.6 TCP SYN to port 81 192.168.6.89 16 ?

  17. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). 192.168.6.88 192.168.6.6 17

  18. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). 192.168.6.88 192.168.6.6 GET /setup.xml 18

  19. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). If Exists: MEDIA_ERR_SRC_NOT_SUPPORTED “DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed” Else: MEDIA_ELEMENT_ERROR “Format error” 19

  20. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). If Exists: MEDIA_ERR_SRC_NOT_SUPPORTED “Failed to init decoder” Else: MEDIA_ELEMENT_ERROR “Message 404: Not Found” 20

  21. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). Safari: Fetches timed out Edge: No MediaError error messages (Attack 1 does not work) 21

  22. Implications Side-channel sidestepping SOP (Chrome bug bounty) Attack stepping stone Privacy leaks (e.g., network fingerprinting) 22

  23. Attack 2: Access & Control Local Devices 23

  24. DNS Rebinding Attack fully bypassing SOP (D. Dean, E. Felten, and D. Wallach, IEEE S&P 1996) Requires a web attacker (controls malicious domain + webserver) also controlling domain’s authoritative DNS nameserver 24

  25. Attack Steps 25

  26. Attack Steps 192.168.6.88 26

  27. Attack Steps 1. Victim visits attacker.com , queries malicious nameserver for attacker.com . Return web server IP w/ short TTL. Authoritative Attacker.com DNS Server Web Server GET / HTTP/1.1 6.6.6.6 ANSWER SECTION: 192.168.6.88 Attacker.com 1 IN A 6.6.6.6 HTTP 200 27

  28. Attack Steps 2. Attacker website loads another resource test . Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 28

  29. Attack Steps 3. If attacker.com ’s DNS record is cached, test is directly retrieved. If so, wait and retry... Authoritative Attacker.com DNS Server Web Server 6.6.6.6 GET /test HTTP/1.1 192.168.6.88 HTTP 200 29

  30. Attack Steps 4. If attacker.com ’s DNS record is not cached, browser queries malicious nameserver again. Now return target IP w/ large TTL. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 ANSWER SECTION: 192.168.6.88 Attacker.com 300 IN A 192.168.6.88 30

  31. Attack Steps 5. This time, retrieving test fails. But attacker.com is now rebound to the target IP, and can make direct requests. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 GET /test HTTP/1.1 HTTP 404 31

  32. Attack Steps 5. This time, retrieving test fails. But attacker.com is now rebound to the target IP, and can make direct requests. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 GET /setup.xml HTTP/1.1 HTTP 200 32

  33. Attack on Devices 33

  34. Attack on Devices Google Home/Chromecast Potential attacks: ● Play arbitrary Youtube videos on Chromecast ● Reboot Chromecast/Home ● Scan for WiFi networks and return information 34

  35. Attack Demo 35

  36. Implications Attacker control of IoT device actions Exploiting IoT device vulnerabilities for full compromise Privacy leaks (e.g., extensive device fingerprinting or user profiling) 36

  37. ● Low barrier to attacks on local IoT devices via Moving malicious websites. Forward... ● Need defenses that protect against lateral attacks. 37

  38. Thank you https://iot-inspector.princeton.edu/ frankli@cs.berkeley.edu @frankli714 38

  39. Attack 1 Countermeasures Home Users: - Disable getting local IP via WebRTC SDP - Configure DHCP to allocate for a larger subnet (e.g., /16) Browsers: - Limit private IP access for web pages with public domains IoT Vendors: - Respond to all GET request with 200 OK code 39

  40. Attack on Devices 40

  41. Attack on Devices Google Home/Chromecast 41

  42. Attack on Devices Google Home/Chromecast Access: ● Unique device ID ● Build/firmware version ● SSID of connected WiFi network ● Device schedules/alarms (Home) 42

  43. Attack on Devices Google Home/Chromecast Control: ● Reboot device ● Play any video (Chromecast) ● Scan for WiFi networks and return SSIDs detected 43

  44. Attack 2 Countermeasures Home Users: - Enable DNS forwarding with rebind protection Browsers: - Unclear? IoT Vendors: - Filter/validate based on HTTP headers DNS providers: - Filter private IPs from DNS responses 44

  45. HTTP endpoints - examples - DlinkCamera - GET http://IP-ADDRESS:80/common/info.cgi - Response : netmask=255.255.255.0 model=DCS-5020L brand=D-Link gateway=172.24.1.1 wireless=yes version=1.14 build=9 ptz=P,T inputs=0 hw_version=A name=DCS-5020L outputs=0 speaker=no location= macaddr=B0:C5:54:0C:D2:74 videoout=no ipaddr=172.24.1.99

  46. HTTP endpoints - examples Get all WiFi networks on WeMo switch: http://IP-ADDRESS:49154/upnp/control/WiFiSetup1 {"method": "POST", "body": "<?xml version='1.0'?><SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'><SOAP-ENV:Body> <m:GetNetworkList xmlns:m='urn:Belkin:service:WiFiSetup:1'> </m:GetNetworkList></SOAP-ENV:Body></SOAP-ENV:Envelope>", "headers": {"Content-Type": "text/xml", "SOAPAction": "\"urn:Belkin:service:WiFiSetup:1#GetNetworkList\""}} Returns all nearby Wifi networks

  47. HTTP endpoints - examples - Play arbitrary videos on Google Chromecast - POST http://IP-ADDRESS:8008/apps/YouTube {"method": "POST", "body": "v=oHg5SJYRHA0", "headers": {"User-Agent": "blah"}} - Reboot Google Home and Chromecast - http://172.24.1.51:8008/setup/reboot {"method": "POST", "body": "{\"params\": \"now\"}", "headers": {"User-Agent": "blah", "Content-Type": "application/json"}}

  48. Results

  49. Attack 2

  50. Attack 2: Which OSes and browsers are vulnerable

Recommend

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

599 views • 46 slides
Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard 25th April 2018, London Graz University of Technology Motivation and Context Logical Attacks www.tugraz.at Exploit software and design bugs

616 views • 59 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

406 views • 36 slides
Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr guez Jos pvtolkien@gmail.com, rj.rodriguez@unileon.es All wrongs reversed Computer Science and Research Institute of Systems

1.23k views • 57 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices

A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices

A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices Mathieu Renauld, Fran cois-Xavier Standaert, Nicolas Veyrat-Charvillon, Dina Kamel, Denis Flandre. May 2011 UCL Crypto Group Cryptopuces - May 2011

579 views • 32 slides
Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein Speaker: Pavel Lifshits SMART BATTERY

739 views • 39 slides
A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha

A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha

A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

759 views • 55 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI &amp; Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti Paul D. Schreiber High School Stony Brook University Joint work with: Scott A Smolka, Shan Lin (Stony Brook) Ariful Islam (CMU) Rahul Mangharam,

539 views • 20 slides
Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

A Dynamic Syntax Interpretation for Java based Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N Thampi , and Jean-Louis Lanet Smart Secure Devices (SSD) Team, XLIM/ Universit de Limoges, France

466 views • 17 slides
Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks

Elliptic Curves Side-Channel Countermeasures Conclusion Elliptic Curve Cryptography on Embedded Devices Scalar Multiplication and Side-Channel Attacks Vincent Verneuil 1 , 2 1 Inside Secure 2 Institut de Math ematiques de Bordeaux S

2.22k views • 188 slides
Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet

Lecture 17 CS 134 Spring 2019 Network/Internet Threats/Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) local network collection of IP networks under control of a

643 views • 25 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks?

Introduction Motivations and Contributions Preliminaries Our Main Idea Main Results Revisiting Division Property Based Cube Attacks: Key-Recovery or Distinguishing Attacks? Chen-Dong Ye and Tian Tian . . . . . . Chen-Dong Ye and Tian

734 views • 58 slides
Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen

Protecting Mobile Devices from Physical Memory Attacks with Targeted Encryption Le Guan , Chen Cao, Sencun Zhu, Jingqiang Lin, Peng Liu, Yubin Xia, and Bo Luo Why do Physical-space Threats Concern for SmartPhones? Why do Physical-space Threats

318 views • 31 slides
Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

1 Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Some hard lattice meta-problems: Analyze cost of known attacks.

489 views • 36 slides
Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago,

Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago,

Local Network Attacks John Kristoff jtk@depaul.edu +1 312 362-5878 DePaul University Chicago, IL 60604 FIRST TC 2002 John Kristoff - DePaul University 1 Agenda Overview Theoretical and example attacks How to

450 views • 17 slides
pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks

Syndrome Based Collision Resistant Hashing Matthieu Finiasz pq Outline Description of the FSB Hash Function Classic Attacks Recent Attacks Proposed Improvements and Parameters pq 1 Description of the FSB Hash Function pq

286 views • 28 slides

More recommend