IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, CSSA, Dir. of Cyber Operations, Cybirical, LLC
Dec. 05 2016
Computer Science
Outline
• The Internet of Things (Everything): Examples of IoT Devices; Power Grid (‘Grid of Things’)
• Security Challenges: End-Point Security, Global Issues, 0-Days, No Motivation
• The Mirai Botnet: Background (DNS); Oct. 21st Summary
• Tinkering Around: Experimenting with an IP Cam; What is this ‘thing’ really doing
Source: http://www.comsoc.org/blog/infographic-internet-things-iot
By the numbers
Internet of Things Examples
Video
FEATURES
• Integrated cleansing.
• Adjustable spray shape, position, water pressure, temperature, pulsate.
• Self-cleaning.
• Warm-air drying system with adjustable temperature settings.
• Automatic deodorization system.
• Heated seat with adjustable temperature settings.
• Motion-activated LED lighting illuminates the bowl to serve as a night-light.
• Touchscreen LCD remote control.
• Plays Music
Internet of Things Examples
Video
Grid of Things State of Affairs Power Grid
“Our expectation is that the modernized electricity grid will be 100 to 1000 times larger than the Internet” – CISCO VP
Advanced Metering
Electric Vehicles
Distributed Generation
Grid Modernization
Distribution Automation
IoT Security => Safety
ICS-CERT
Wait, so what exactly is IoT?
Source: IoT European Research Cluster, IERC, 2014
IoT Defined... Now Security...
Implementing security with:
• No Incentives (or Consequences)
• Do vendors and consumers even care?
• World economy, markets, and conflicts
• Engineering silos
• Engineering ethical barriers
• Limited understanding of complexity and emergent issues
Mirai Botnet
Source: Level 3 Communications
Outage Map October 21 2016
Background
Source: Simon Liu, "Surviving Distributed Denial-of-Service Attacks", IT Professional vol. 11, p. 51-53, September/October, 2009
Background How Domain Name Service Works
‘The Phone Book of the Internet’
(1) Where is Google?
DNS Server
(2) Google is at 108.177.8.113
(3) Searching the Web 108.177.8.113/search?q=IEEE
Summary
Source: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Dyn’s Key Findings:
• ‘The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.’
• Dyn confirms Mirai botnet as primary source of malicious attack traffic.
• Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.
DNS Server
DYN Attack cont. and IoT Security Hearing
‘Level 3 detected approximately 150,000 IoT devices were used to … generate significant amount of bandwidth use that threatens the fabric of the global internet.’
Source: U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks” November 16, 2016
‘We believe that in the case of Dyn, the relatively unsophisticated’
Summary
‘The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology’
Witness Testimonies
Recon...
the Internet of Things Power Plants, Refrigerators, …, Buildings, Webcams, …
Source: Shodan
Experimenting IP Camera 3.6mm 4MP Full HD IR Mini Dome PoE Network Camera Built-in Mic
What is this ‘thing’ really doing…?
Inspiration
Source: http://securityaffairs.co/wordpress/53588/malware/mirai-infection-test.html
Experimenting Design
1. No Router Connection
   - Network Monitoring
   - Port Scan
2. Internet Connectivity
   - Network Monitoring
   - Port Scan
3. Port Forwarding (Future)
   - Network Monitoring
   - Port Scan
Experimenting Design 1. No Router Connection
Default Open Ports Web
Real Time Streaming
Print Services Interface
Universal Plug and Play
Well Known Ports: 0 through 1023. Registered Ports: 1024 through 49151. Dynamic/Private : 49152 through 65535.
Experimenting Design 1. No Router Connection
Multicasting Who has 192.168.1.1? Tell 192.168.1.108
Simple Service Discovery Protocol 192.168.1.108 239.255.255.250 NOTIFY
192.168.1.108 224.0.0.22 IGMPv3 60 Report / Join group 239.255.255.250 for any sources
Experimenting Design
2. Internet Connectivity
-ROUTER_12:6d:81 e0:50:8b:0a:06:d3 192.168.1.254 is at … target 192.168.1.66
-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x016f A www.dahuap2pcloud.com
-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195
DHGET /online/p2psrv/2J03977PAA00347 HTTP/1.1
CSeq: 1927610396
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="2J03977PAA00347", PasswordDigest="NanYJZWK4bKmrYW7ngt2EK50AY80", Nonce="-691305717", Created="2000-01-01T02:52:12Z"
-192.168.1.66 121.199.3.195 UDP 303 58124 → 8800 Len=261
-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240
-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x0173 A www.dahuap2pcloud.com
-192.168.1.66 120.26.104.240 UDP 310 46071 → 8800
-192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231
-192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A www.dahuap2p.com
-192.168.1.66 223.6.252.231 TCP 60 41776 → 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0
What are you sending?
192.168.1.66 -> 223.6.252.231
-192.168.1.66 192.168.1.254 DNS 74 Standard query 0x0171 A rs.lechange.cn
-192.168.1.254 192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165
-192.168.1.66 114.55.152.165 TCP 74 46241 → 9084
What are you sending? 192.168.1.66 -> 114.55.152.165
Why would it need to send the local IP address?
Same story…
Summary:
Time Elapsed: 00:03:50
Packets: 3647
Total External IPs: 7
Total UDP: 3 IPs
Total TCP: 4 IPs
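The per-protocol tally above can be reproduced by pairing each DNS answer with the outbound flow that follows it. The following is an added example, not the presenter's code; it runs only over the packet lines that appear on the slides, so it finds four of the seven external addresses, and the function names are assumptions made for illustration.

```python
import ipaddress
from collections import Counter

# Packet-summary lines ("src dst proto length info") retyped from the slides above,
# queries placed before their responses and the port arrow written as "->".
CAPTURE = """\
192.168.1.66 192.168.1.254 DNS 81 Standard query 0x016f A www.dahuap2pcloud.com
192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195
192.168.1.66 121.199.3.195 UDP 303 58124 -> 8800 Len=261
192.168.1.66 192.168.1.254 DNS 81 Standard query 0x0173 A www.dahuap2pcloud.com
192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240
192.168.1.66 120.26.104.240 UDP 310 46071 -> 8800
192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A www.dahuap2p.com
192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231
192.168.1.66 223.6.252.231 TCP 60 41776 -> 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0
192.168.1.66 192.168.1.254 DNS 74 Standard query 0x0171 A rs.lechange.cn
192.168.1.254 192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165
192.168.1.66 114.55.152.165 TCP 74 46241 -> 9084
"""

def external_flows(text, device="192.168.1.66"):
    """Map each public IP the device contacted to its protocol, port and DNS name."""
    names, flows = {}, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 7:
            continue
        src, dst, proto, info = f[0], f[1], f[2], f[4:]
        if proto == "DNS" and info[:3] == ["Standard", "query", "response"]:
            # info = Standard query response <txid> A <name> A <address>
            names[info[-1]] = info[5]
        elif proto in ("TCP", "UDP") and src == device:
            if ipaddress.ip_address(dst).is_private:
                continue                      # LAN traffic is not of interest here
            flows.setdefault(dst, {"proto": proto, "dport": int(info[2]),
                                   "name": names.get(dst, "(no lookup seen)")})
    return flows

def count_by_proto(flows):
    """Number of distinct external IPs per transport protocol."""
    return dict(Counter(f["proto"] for f in flows.values()))

if __name__ == "__main__":
    flows = external_flows(CAPTURE)
    for ip, f in flows.items():
        print(f"{ip:16} {f['proto']}/{f['dport']:<6} {f['name']}")
    print(count_by_proto(flows))
```

A destination that shows up with "(no lookup seen)" was reached by a hard-coded address rather than a name, which is worth flagging when reviewing a device's traffic.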
Experimenting Wireshark I/O Graph
Interesting looking spike…
Experimenting
Experimenting Trying to determine exactly what ‘jpeg’ images are being sent…
Python Snippet
Network Capture File
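An added example (not the presenter's snippet, which did not survive in this transcript) of one way to recover JPEG frames from a payload stream: it walks the JPEG marker structure instead of cutting at the first FF D9 byte pair, which can also occur inside metadata. It assumes the stream has already been reassembled and exported from the capture as raw bytes; the function names and the sample stream are constructed for illustration.

```python
SOS, EOI = 0xDA, 0xD9

def jpeg_end(buf, start):
    """Offset just past the EOI of the JPEG whose SOI is at `start`, or -1."""
    i = start + 2                                   # step over SOI (FF D8)
    # Header: chain of FF <marker> <2-byte big-endian length> segments up to SOS.
    while i + 4 <= len(buf) and buf[i] == 0xFF:
        marker = buf[i + 1]
        i += 2 + int.from_bytes(buf[i + 2:i + 4], "big")
        if marker == SOS:
            break
    else:
        return -1                                   # truncated or not a JPEG
    # Scan data: FF 00 is a stuffed byte, FF D0..D7 are restart markers.
    while i + 1 < len(buf):
        nxt = buf[i + 1]
        if buf[i] != 0xFF or nxt == 0xFF:
            i += 1
        elif nxt == EOI:
            return i + 2
        elif nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            i += 2
        elif i + 4 <= len(buf):                     # further segment, e.g. a later scan
            i += 2 + int.from_bytes(buf[i + 2:i + 4], "big")
        else:
            return -1
    return -1

def carve_jpegs(stream):
    """Return every complete JPEG in a reassembled payload stream."""
    images, pos = [], 0
    while (start := stream.find(b"\xff\xd8\xff", pos)) != -1:
        end = jpeg_end(stream, start)
        if end == -1:
            pos = start + 2                         # incomplete image; keep looking
        else:
            images.append(stream[start:end])
            pos = end
    return images

def fake_jpeg(tag):
    """Constructed, undecodable test frame with valid JPEG marker structure."""
    app0 = b"\xff\xd9" + tag                        # metadata containing an EOI byte pair
    seg = b"\xff\xe0" + (len(app0) + 2).to_bytes(2, "big") + app0
    scan = b"\x12\xff\x00\x34\xff\xd0\x56"          # stuffed byte and restart marker
    return b"\xff\xd8" + seg + b"\xff\xda\x00\x03\x00" + scan + b"\xff\xd9"

# Constructed stream: two complete frames and one cut off mid-scan.
STREAM = (b"hdr\r\n\r\n" + fake_jpeg(b"AAAA") + b"--next--"
          + fake_jpeg(b"BBBB") + fake_jpeg(b"CCCC")[:-5])

if __name__ == "__main__":
    for n, img in enumerate(carve_jpegs(STREAM)):
        print(n, len(img), "bytes")
```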
Experimenting
THIS IS BAD: ‘Plug and Play’? Automatically streams live feed to remote server.
Resources
http://iot.ieee.org/
http://standards.ieee.org/innovate/iot/
Final Points
1. IoT Security is a Safety/Privacy Issue
2. …
3. Consider the devices you bring into your home and to work
IEEE Computer Society New Orleans Chapter
Meeting Ideas
Meeting Locations
Take our Survey What are your Interests and Ideas?
Interested in Volunteering?
The scope of the Computer Society shall encompass all aspects of theory, design, practice, and application relating to computer and information processing science and technology.
http://sites.ieee.org/neworleans/cs-survey/