Internet of Stuff
Lessons Not Learned

Proprietary and Confidential. Do Not Distribute. © 2015 Optiv Inc. All Rights Reserved.

November 2016


“The Internet of fun and games is over.” – Bruce Schneier


Definition Of Terminology

• Internet of Things aka IoT
  – Network of physical objects that feature an IP address for Internet connectivity, and the communication that occurs between these objects and other Internet-enabled devices and systems
  – Gartner Inc. forecasts that 6.4 billion connected “things” will be in use worldwide in 2016, up 30% from 2015, and will reach 20.8 billion by 2020. Gartner estimates that in 2016, 5.5 million new “things” will get connected each day
  – Examples of IoT include, but are not limited to, Wi-Fi surveillance cameras, Wi-Fi baby monitors, elevators, HVAC, health/medical monitoring devices, smartphones, tablets, automobiles, trucks, digital video recorders (DVR), thermostats, smoke detectors, refrigerators, farm equipment, industrial control systems, entertainment systems and TVs


Examples Of IoT


“The Internet of Things is bringing computerization and connectivity to many tens of millions of devices worldwide. We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.” – Bruce Schneier


Commercial Dishwasher: What The Designers Thought

(Diagram: Customer, Internet, Manufacturer)


Commercial Dishwasher: As Implemented

• Can be configured and monitored remotely by the manufacturer for maintenance, usage, supplies
  – Device communicates either by Ethernet or via 802.11b Wi-Fi and the Internet


Commercial Dishwasher: As Implemented

• The wireless networking device and firewall
  – Linksys WRT54G


Commercial Dishwasher: Findings

• The Linksys wireless router was not securely configured
  – Used default access controls
    • User identifier for the router is the default: “admin”
    • Uses the default password: no password
    • 802.11b Wi-Fi used Wired Equivalent Privacy (WEP) for secure communications
    • WEP pre-shared key (PSK) is set to “password”
  – Provided limited firewall protection between the device and the monitor
    • Router does not provide a stateful packet inspection (SPI) firewall
  – Anyone that knows the IP address of the Linksys can communicate with it and, by default, with the device
  – The bottom line was that there was no actual security in place and a dishwasher was on the Internet for all to inspect and abuse


Petnet



Petnet: Outage

• On July 29, 2016, Petnet suffered a server outage for 10 hours
• Users of Petnet found out that their feeding systems did not deliver food to their pets during the outage
• Petnet claims that the feeding schedule is stored in the feeding system and should have operated without the server, but was unable to explain why those schedules failed to feed the pets
• In one extreme case, a Petnet user claimed that the Petnet Feeder failed to reconnect to the system while they were on vacation and the pet almost died because it was not fed for over a week


“In a relatively short time we have taken a system built to resist nuclear weapons and made vulnerable to toasters.” – Jeff Jarmoc


Stuxnet


Stuxnet: What Is It?

• Malware purported to have been developed by US and Israeli intelligence services to attack the IoT controlling Iranian centrifuges used to create refined fissionable material
• Targets Siemens programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery on factory assembly lines, amusement rides, or centrifuges for separating nuclear material. Exploiting four zero-day flaws, Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software.
• Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, preventing detection of the presence of Stuxnet.
• Stuxnet is typically introduced to the target environment via an infected USB flash drive. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both conditions are fulfilled, Stuxnet introduces the rootkit onto the PLC and Step7 software, modifying the code and issuing unexpected commands to the PLC while feeding a loop of normal operating values back to the users.


Stuxnet: Zero Days Movie Trailer


Stuxnet: Aftermath

• Stuxnet was released into the wild
• Once in the wild, it was identified by Symantec and Kaspersky malware researchers
  – Unbeknownst to them initially was the fact that this was targeted malware
• In the wild, Stuxnet sought out Windows systems and then Siemens controllers
  – Stuxnet did infect Siemens controllers outside of Iran but was only looking for controllers with centrifuges attached to them
• Stuxnet is still roaming around the Internet, as it occasionally resurfaces


“We are connecting cars, drones, medical devices, and home thermostats. What was once benign is now dangerous.” – Bruce Schneier


Voice over IP


Voice over IP

• SIP

(Diagram: labels “Stateful”, “Stateful”)


Voice over IP

(Diagram: VoIP Carrier, Voice Messaging, Call Recordings, VoIP Call Manager)


Voice over IP: Threats

• Denial of service
  – VoIP is just another set of IP-based protocols
  – VoIP ports can be attacked to disrupt service
  – TLS connection reset
    • Sending the right kind of junk packet will reset the TLS connection, interrupting the signaling channel between the phone and call server
  – VoIP packet replay attack
    • Captured packets are resent out of sequence
  – QoS modification attack
    • QoS values for other traffic are changed to values higher than VoIP traffic
  – VoIP packet injection
    • Sending forged VoIP packets to endpoints, injecting speech, noise or gaps into active calls
  – Control packet flood
    • Flooding VoIP servers or endpoints with unauthenticated call control packets (e.g., H.323 GRQ, RRQ, URQ packets sent to UDP/1719)
  – Attacks on support services such as DHCP, DNS, BOOTP, etc.
  – Wireless
    • Initiating a DoS attack against wireless VoIP endpoints by sending 802.11 or 802.1X frames that cause network disconnection (e.g., 802.11 Deauthenticate flood, 802.1X EAP-Failure, WPA MIC attack, radio spectrum jamming)


Voice over IP: Threats

• Denial of service (continued)
  – Bogus messages
    • Sending VoIP servers or endpoints valid-but-forged VoIP protocol packets to cause call disconnection or a busy condition (e.g., RTP SSRC collision, forged RTCP BYE, forged CCMS, spoofed endpoint button push)
  – Invalid packets
    • Sending VoIP servers or endpoints invalid packets that exploit device OS and TCP/IP implementation denial-of-service CVEs
  – Immature service attacks
    • PDA/handheld softphones and first-generation VoIP hardphones are typically vulnerable because they are/were not as mature or intensely scrutinized as today’s equipment
  – Protocol attacks
    • Sending VoIP servers or endpoints invalid packets to exploit a VoIP protocol implementation vulnerability to a DoS attack
  – ‘Packet of Death’ attack
    • Flooding VoIP servers or endpoints with random TCP, UDP, or ICMP packets or fragments to exhaust device CPU, bandwidth, TCP sessions, and so on
  – IP phone flood
    • Sending a very large volume of call data toward a single VoIP endpoint to exhaust that device’s CPU, bandwidth, TCP sessions, and so on


Voice over IP: Threats

• Rogue IP endpoints
  – A rogue IP endpoint contacts the VoIP server by leveraging stolen or guessed identities, credentials, and network access
• Registration hijacking
  – Registration hijacking occurs when an attacker impersonates a valid user agent (UA) to a registrar and replaces the registration with its own address
• Proxy impersonation
  – Proxy impersonation occurs when an attacker tricks a SIP UA or proxy into communicating with a rogue proxy
• Message tampering
  – Capture, modify, and relay unauthenticated VoIP packets to/from endpoints
• Toll fraud
  – If improperly configured, VoIP systems can be easily used for toll fraud, just like their older PBX cousins
• Call integrity
  – Easy to compromise call integrity if message or packet authentication protocols are not implemented (typically the case)
• Telephone hijacking
  – Use speakerphone and/or camera as spying devices


Voice over IP: Wiretapping Is Trivial


So Where Does This Get Us? Dyn Attack


Dyn Attack

(Diagram: Internet)


Dyn Attack

• Who is Dyn?
  – From their Web site (http://dyn.com/about/):
    “Dyn is a cloud-based Internet Performance Management (IPM) company that provides unrivaled visibility and control into cloud and public Internet resources. Dyn’s platform monitors, controls and optimizes applications and infrastructure through Data, Analytics, and Traffic Steering, ensuring traffic gets delivered faster, safer, and more reliably than ever.”
• Why does this matter to me or my organization?
  – Dyn is also one of a handful of primary domain name service (DNS) providers
  – Converts IP addresses (nnnn:nnnn:nnnn:nnnn/nnn.nnn.nnn.nnn) to something more memorable like www.domainname.com/net/org/tv/etc.
• Why did it affect me or my organization?
  – Dyn was just the primary attack vector; other DNS providers were also attacked and had to pick up DNS traffic from Dyn and other providers
  – Made some Web sites inaccessible via the Internet


Dyn Attack

• Where does IoT come in?
  – Based on the attack, it appears that compromised DVRs, cameras, baby monitors and similar devices generated the distributed denial of service (DDoS) attack
  – These devices were compromised by malware called ‘Mirai’
• What is Mirai?
  – Malware designed to infect Linux-based IoT
  – Has a competitor, ‘Bashlite’, that is similar in function
  – Mirai uses infected IoT to create a ‘botnet’ to attack other systems/networks
  – Constantly scans the Internet for IoT using default credentials
  – Rebooting infected devices clears Mirai, but they can be quickly reinfected if default credentials are not changed
  – Mirai is currently believed to infect over a million IoT devices
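Because Mirai's scanning runs from every infected device, an IoT device on your own network that starts probing many Internet hosts on the telnet ports is the clearest local symptom. The following detector is an added example, not from the Optiv deck; the log format and sample lines are constructed, and the telnet ports (23 and 2323) are an assumption based on Mirai's publicly documented scanner.

```python
"""Flag Mirai-style telnet scanning from inside the network (detection side).

Added example, not from the Optiv deck.  A source that reaches many distinct
Internet hosts on the telnet ports inside a short window is reported.  The log
format and lines are constructed; the ports are an assumption based on Mirai.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall-style lines: "<ISO timestamp> <src> <dst> <dport> <action>"
SAMPLE_LOG = """\
2016-10-21T11:00:01 192.168.50.20 203.0.113.5 23 SYN
2016-10-21T11:00:01 192.168.50.20 203.0.113.9 23 SYN
2016-10-21T11:00:02 192.168.50.20 198.51.100.7 2323 SYN
2016-10-21T11:00:02 192.168.50.20 198.51.100.8 23 SYN
2016-10-21T11:00:03 192.168.50.20 203.0.113.44 23 SYN
2016-10-21T11:00:03 192.168.50.20 203.0.113.45 2323 SYN
2016-10-21T11:00:04 192.168.50.20 198.51.100.99 23 SYN
2016-10-21T11:00:05 192.168.50.20 203.0.113.200 23 SYN
2016-10-21T11:00:05 192.168.50.20 203.0.113.201 23 SYN
2016-10-21T11:00:06 192.168.50.20 203.0.113.202 23 SYN
2016-10-21T11:00:10 192.168.10.5 203.0.113.5 443 SYN
2016-10-21T11:00:12 192.168.50.31 203.0.113.60 23 SYN
2016-10-21T11:30:00 192.168.50.31 203.0.113.61 23 SYN
"""

TELNET_PORTS = {23, 2323}   # assumption: the ports Mirai's scanner probes


def parse_log(text):
    """Yield (timestamp, src, dst, dport); malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _action = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport)


def find_scanners(text, window=timedelta(seconds=60), min_targets=8):
    """Return {src: peak distinct telnet targets} for every source that reached
    at least `min_targets` distinct hosts on telnet ports within one `window`.
    A sliding window per source keeps the pass linear in the number of events."""
    events = defaultdict(list)
    for ts, src, dst, dport in parse_log(text):
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        in_window = defaultdict(int)   # dst -> hits currently inside the window
        start = 0
        for ts, dst in hits:
            in_window[dst] += 1
            while ts - hits[start][0] > window:   # evict events older than window
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(in_window))
    return flagged


if __name__ == "__main__":
    for src, n in find_scanners(SAMPLE_LOG).items():
        print(f"possible Mirai scanner: {src} hit {n} telnet targets inside 60s")
```

A flagged source is a candidate for isolation and a factory reset followed by a credential change, since, as the slide notes, a reboot alone only clears Mirai until the next scan finds the same default credentials.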


Dyn Attack: Aftermath

• Twitter, Pinterest, Reddit, PayPal and other East Coast located services suffered outages due to the attack
• Companies using certain cloud services reported issues accessing their solutions
  – In one instance, a company was locked out of systems because their single sign on (SSO) solution was not accessible

Dyn Attack: Aftermath


“Basically, the market has prioritized features and cost over security. Many of these devices are low-cost, designed and built offshore, then rebranded and resold. The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smartphone manufacturers, simply because the market won’t stand for the additional costs that would require. Unlike your computer and smartphone, these devices don’t get security updates, and many don’t even have a way to be patched. And, unlike our computers and phones, they stay around. DVRs and cars last a decade. Refrigerators, twenty-five years. We expect to replace our home thermostats approximately never.” – Bruce Schneier


Minimizing The Risks And Threats

• In most cases, the IoT consumer is NOT going to be security conscious
• Security can no longer be an afterthought
  – MUST be integrated into the product development process
  – MUST be integrated into the software development process
  – MUST be integrated into the ongoing product support process
• Segregate IoT from other network segments
  – Keeps IoT away from other devices
  – Makes monitoring easier
  – Makes restricting access easier
  – Makes controlling access easier


Network With IoT

(Diagram: IoT segment permitted to reach only specific Internet locations for Nest, Sonos, etc., via The Internet)
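The segmented layout in the diagram comes down to a short ordered ruleset: the IoT segment may reach only the specific Internet locations its devices need and never the internal LAN, while a monitoring host on the LAN may reach the IoT devices. The policy model below is an added example, not from the Optiv deck; the subnets, the monitoring host, the vendor prefixes and the egress ports are constructed placeholders, not real vendor endpoints.

```python
"""Allowlist policy for the segmented 'Network With IoT' layout (defender side).

Added example, not from the Optiv deck.  Subnets, vendor prefixes and ports are
constructed placeholders standing in for the vendors' published endpoints.
"""
import ipaddress
from dataclasses import dataclass

IOT_SEGMENT = ipaddress.ip_network("192.168.50.0/24")   # assumed IoT VLAN
LAN_SEGMENT = ipaddress.ip_network("192.168.10.0/24")   # assumed user/server LAN
MGMT_HOST = ipaddress.ip_address("192.168.10.2")       # assumed monitoring host

# Placeholder prefixes standing in for "specific Internet locations for
# Nest, Sonos, etc."; use the vendors' published service endpoints in practice.
VENDOR_ALLOWLIST = {
    "thermostat-vendor": [ipaddress.ip_network("203.0.113.0/26")],
    "speaker-vendor": [ipaddress.ip_network("198.51.100.0/25")],
}
ALLOWED_EGRESS_PORTS = {443, 8883}   # assumption: HTTPS and MQTT over TLS


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def is_internal(addr):
    return addr in IOT_SEGMENT or addr in LAN_SEGMENT


def decide(flow):
    """Return (verdict, reason) for one flow, evaluated top-down like a ruleset.
    Rule order matters: the lateral-movement block comes before any allow."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)

    # 1. IoT must never initiate traffic toward the LAN.
    if src in IOT_SEGMENT and dst in LAN_SEGMENT:
        return "deny", "iot-to-lan blocked"
    # 2. Only the monitoring host may reach IoT devices for management.
    if src == MGMT_HOST and dst in IOT_SEGMENT:
        return "allow", "management from monitoring host"
    # 3. IoT egress goes only to allowlisted vendor prefixes on allowed ports.
    if src in IOT_SEGMENT and not is_internal(dst):
        if flow.dport in ALLOWED_EGRESS_PORTS:
            for vendor, nets in VENDOR_ALLOWLIST.items():
                if any(dst in n for n in nets):
                    return "allow", f"egress to {vendor}"
        return "deny", "iot egress not on allowlist"
    # 4. IoT devices may talk among themselves inside the segment.
    if src in IOT_SEGMENT and dst in IOT_SEGMENT:
        return "allow", "intra-iot"
    # 5. Anything else that touches the IoT segment is denied (and logged).
    if src in IOT_SEGMENT or dst in IOT_SEGMENT:
        return "deny", "default deny for iot segment"
    return "allow", "not an iot flow; other policy applies"


def denied(flows):
    """Evaluate a batch and return [(flow, reason)] for flows the policy rejects."""
    out = []
    for f in flows:
        verdict, reason = decide(f)
        if verdict == "deny":
            out.append((f, reason))
    return out
```

Running captured flow records through `denied` is the monitoring benefit the slide mentions: on a segment whose only legitimate egress is a handful of vendor prefixes, every denied flow is worth a look.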


This presentation was prepared by:

Jeff Hall, Principal Security Consultant

Optiv Security

O: 651 400 1152

[email protected]

www.optiv.com
