Unveiling Vulnerabilities in IoT Firmware · 2017-07-24


Session ID: CMI-R01

#RSAC

Unveiling Vulnerabilities in IoT Firmware

Florian Lukavsky
Director, SEC Consult Singapore Pte. Ltd.


Internet of Things... what is it exactly?


The Internet of Things (IoT) is the network of dedicated physical objects (things) that contain embedded technology to sense or interact with their internal state or external environment.

The IoT comprises an ecosystem that includes things, communications, applications and data analysis.

Source: Gartner, The Internet of Things and Related Definitions, 23.10.2014


Example Enterprise vs. Consumer IoT

Source: Gartner, The Internet of Things and Related Definitions, 23.10.2014

Layer: Applications & Analytics
  Enterprise: back-end IT systems, predictive maintenance analytics
  Consumer:   mobile apps, elderly person monitoring service

Layer: Connectivity
  Enterprise: M2M connectivity
  Consumer:   home broadband, standard mobile data

Layer: Gateway / Controller
  Enterprise: processor for monitoring & control of things
  Consumer:   smartphone gateway, wireless router

Layer: Things
  Enterprise: jet engine, ATM, robot
  Consumer:   baby monitor, health & fitness wearable

Groupings shown in the figure: Internet of Things; M2M Communication Services; Operational Technology (can include stand-alone machines outside of the IoT).


Asymmetric Encryption Basics

Server generates key pair (e.g. RSA public and private key)
Server keeps private key private!
Server provides public key to clients
Clients can encrypt information with the public key for the server
Server can decrypt information with the private key
Client and server establish a secure channel

(Diagram: after the public key exchange, the client encrypts "Hello!" with the public key, the ciphertext "y6uW$I" crosses the network, and the server decrypts it with the private key back to "Hello!".)

Note that in SSH and HTTPS the server key pair is used first of all to prove the server's identity to the client. Only TLS with RSA key exchange additionally has the client encrypt the session secret to the server's public key, which is why a leaked private key also allows passive decryption of recorded traffic there.


SSH and HTTPS

SSH – Secure Shell: cryptographic network protocol for operating network services securely over an unsecured network

HTTPS – Hypertext Transfer Protocol Secure: protocol for secure communication over a computer network


Security for the Internet of Things

"The Internet of Things is an increasingly attractive early link in attack chains. IoT vendors remain likely to repeat the security mistakes of the past and not embrace modern security, vulnerability management and disclosure practices. […]"

Source: Gartner, Predicts 2016: Security for the Internet of Things, 9.12.2015


How risky is the key handling in firmware of IoT (embedded) devices in general?


We did a large-scale security analysis to find out.

Device classes: internet gateways, routers, modems, IP cameras, VoIP phones, M2M, etc.

Sample: 4,000 devices from 70 vendors


Our Approach

1. Establishing a large firmware sample set (Internet of Things, M2M, CPE, etc.)

2. Extraction of firmware

3. Efficient analysis of data using plugins and data mining, searching for:
   - all kinds of certificates and private keys (e.g. for HTTPS, SSH, etc.; the focus of this talk)
   - version information
   - hardcoded passwords
   - known & unknown vulnerabilities, etc.

4. Correlation of results and reporting
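The following script is an added example of steps 3 and 4 of the approach above; it is not SEC Consult's tooling. It mines raw firmware blobs for PEM-encoded certificates and private keys, fingerprints each object (SHA-256 over the decoded DER), reports key material that more than one product ships (the non-unique-key finding), and then measures how many hosts in an internet-scan result present a certificate whose private key was found in firmware. The firmware images, product names, scan rows and the "SDK" key material are all constructed inline (they are not real keys or certificates), so the script runs offline. A real run would additionally derive the public key from each private key with a crypto library to match SSH host keys; here the correlation relies on the certificate that firmware normally ships next to its key.

```python
"""Mine firmware images for certificates and private keys, correlate them
across products and against internet-scan data.

Added example, not SEC Consult's tooling. Every blob, product name, host and
fingerprint below is constructed so the script runs offline."""
import base64
import hashlib
import re
from collections import defaultdict

# PEM objects as found inside an unpacked firmware image. The regex is
# byte-oriented: the image is scanned as an opaque blob, no FS parsing needed.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<label>[A-Z ]+)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END (?P=label)-----"
)
PRIVATE_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
                  "DSA PRIVATE KEY", "OPENSSH PRIVATE KEY"}


def mine_pem(image: bytes) -> list[tuple[str, str, int]]:
    """Return (label, sha256-of-DER fingerprint, byte offset) per PEM object."""
    hits = []
    for m in PEM_RE.finditer(image):
        label = m.group("label").decode()
        try:
            der = base64.b64decode(b"".join(m.group("body").split()), validate=True)
        except ValueError:          # marker text that is not valid base64: skip
            continue
        hits.append((label, hashlib.sha256(der).hexdigest(), m.start()))
    return hits


def correlate(images: dict[str, bytes]) -> dict[str, set[str]]:
    """Fingerprint -> set of products (firmware images) shipping that object."""
    by_fp: dict[str, set[str]] = defaultdict(set)
    for product, blob in images.items():
        for label, fp, _ in mine_pem(blob):
            if label == "CERTIFICATE" or label in PRIVATE_LABELS:
                by_fp[fp].add(product)
    return dict(by_fp)


def non_unique(by_fp: dict[str, set[str]]) -> dict[str, set[str]]:
    """The finding: identical key material shipped by more than one product."""
    return {fp: products for fp, products in by_fp.items() if len(products) > 1}


def exposure(scan_rows, known_fps):
    """Per service: (hosts presenting a known certificate, hosts scanned, %).
    scan_rows are (host, service, fingerprint of the presented certificate)."""
    per_service = defaultdict(lambda: [0, 0])       # service -> [known, total]
    for _host, service, fp in scan_rows:
        per_service[service][1] += 1
        if fp in known_fps:
            per_service[service][0] += 1
    return {s: (k, t, round(100 * k / t, 1)) for s, (k, t) in per_service.items()}


# ---- constructed sample data (NOT real keys or certificates) ----
def _pem(label: str, payload: bytes) -> bytes:
    body = base64.encodebytes(payload)              # 76-char lines like real PEM
    return (b"-----BEGIN " + label.encode() + b"-----\n" + body
            + b"-----END " + label.encode() + b"-----\n")

SDK_KEY = _pem("RSA PRIVATE KEY", b"constructed SDK private key shared by licensees")
SDK_CERT = _pem("CERTIFICATE", b"constructed SDK certificate, CN=Daniel")
OWN_KEY = _pem("RSA PRIVATE KEY", b"constructed per-product key")
FILLER = b"\x00\x7fELF\x01\x01" + b"\xff" * 64       # binary noise around the PEM
BOGUS = b"-----BEGIN DEBUG BLOB-----\nab\n-----END DEBUG BLOB-----\n"  # false positive

FIRMWARE = {
    "vendorA-router-1.2": FILLER + SDK_KEY + SDK_CERT + FILLER,
    "vendorB-camera-3.0": FILLER + BOGUS + SDK_KEY + SDK_CERT,   # same SDK key
    "vendorC-voip-0.9": FILLER + OWN_KEY,
}
SDK_CERT_FP = mine_pem(SDK_CERT)[0][1]
SCAN = [   # constructed internet-scan rows: (host, service, certificate fp)
    ("198.51.100.10", "https", SDK_CERT_FP),
    ("198.51.100.11", "https", SDK_CERT_FP),
    ("198.51.100.12", "https", "0" * 64),
    ("198.51.100.13", "https", "1" * 64),
    ("198.51.100.14", "https", "2" * 64),
]


def report(images=FIRMWARE, scan_rows=SCAN):
    shared = non_unique(correlate(images))
    return {"non_unique": shared, "exposure": exposure(scan_rows, set(shared))}


if __name__ == "__main__":
    print(report())
```

Fingerprinting the decoded DER rather than the PEM text means re-wrapped or re-commented copies of the same key still collapse to one fingerprint, which is what the cross-vendor correlation depends on.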


Our Approach (continued)

SEC Consult conducted a long-term study to determine the progress of fixing the initial findings:

2015: House of Keys, initial study
2016: House of Keys, reality check
now?


Censys

IoT search engine used to correlate results.

Source: www.technologyreview.com/s/544191/a-search-engine-for-the-internets-dirty-secrets/


Key Findings


Finding #1 – Incorrect Asymmetric Encryption Basics

(The slide strikes out the correct step and shows what actually happens.)

Developer (not the server) generates the key pair (e.g. RSA public and private key)
Instead of keeping the private key private, the developer embeds it in the firmware image
Server provides public key to clients
Clients can encrypt information with the public key for the server
Everybody (not only the server) can decrypt the information with the private key found in the firmware image
Client and server establish an insecure channel


Finding #2 – Wrong Configuration & Exposure to the Internet

9% of all HTTPS hosts on the web use hardcoded certificates:
3.2 million HTTPS hosts on the web use ~150 unique key pairs

6% of all SSH hosts on the web use hardcoded host keys:
0.9 million SSH hosts on the web use ~80 unique key pairs


What is the impact of those vulnerabilities?

The private keys are known, so the following attacks are possible:
- impersonation of servers
- man-in-the-middle attacks
- passive decryption attacks

Attack vectors:
- from the local network: easily feasible
- "global adversary" scanning internet traffic


Where do static keys originate from?

The curious case of "Daniel": the Software Development Kit of a US semiconductor company contains a hardcoded certificate issued to a "Daniel", email kiding@broadcom.com.

This certificate was used for an embedded webserver.

8 other companies licensed the webserver code and failed to replace the static certificate.

As a result, more than 480,000 devices are affected.

A similar case involving another semiconductor company was found as well.

Read the full story on blog.sec-consult.com.


Why are so many devices exposed to the web?

Insecure default configuration by vendor:
- services exposed on the WAN interface
- automatic port forwarding using UPnP

Insecure configuration by purchaser

ISP configuration of CPE devices

(Chart: Top 10 countries, % of all affected hosts based on IP addresses, HTTPS / SSH; figures not reproduced in this text.)


Why are so many devices exposed to the web? (continued)

ISPs with a particularly bad track record:
- A Mexican telco exposes HTTPS remote administration on more than 1,000,000 of its subscribers' devices
- A US-based ISP exposes HTTPS remote administration on more than 500,000 devices
- A telco in Spain exposes SSH remote administration on more than 170,000 devices
- A Chinese telco exposes SSH remote administration on more than 100,000 devices

Read the full story on blog.sec-consult.com.


More than 900 products from 50 vendors are affected.

Informing all vendors is a mammoth task…


Affected Products – Coordination

SEC Consult teamed up with CERT/CC (Carnegie Mellon University) to contact all affected vendors (CERT Vulnerability Note VU#566724).

Outcome: a few vendors responded, fewer made fixes available, and even fewer devices actually get the fixes.

More detailed information on www.sec-consult.com and blog.sec-consult.com

Official CERT Vulnerability Note & Affected Vendors

https://www.kb.cert.org/vuls/id/566724

Vendor Information for VU#566724: Embedded devices use non-unique X.509 certificates and SSH host keys


All vendors are informed,public advisories are released.

The internet is saved…


…not so much

We revisited our findings in 2016. Key observations:
- The number of devices on the web using known private keys for HTTPS server certificates has gone up by 40%
- Our beloved Broadcom SDK "Daniel" certificate is used by more than 500,000 devices
- Botnets are beginning to attack insecure IoT devices at large scale


And now?


3,000,000 fewer devices: the number of devices on the web using known private keys for HTTPS server certificates dropped by 66%.

1,500,000 devices still use known private keys.


But why?


Insecure IoT devices are attacked at large scale

BASHLITE: 1 million infected IoT devices in mid-2016

BrickerBot: causes denial of service of IoT devices

Hajime: 300,000 infected IoT devices (no rogue activity)


Mirai (malware) is a Linux-based worm that attempts to log in to vulnerable IoT devices using a list of default credentials and infects the device, turning it into a remotely controlled bot.


How Mirai works

1. Scan for new potential targets
2. Try to log in with a list of default credentials
3. Once logged in, infect the device with Mirai
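The three steps above leave a recognisable trace on the defending side: one source tries several well-known default credential pairs against several telnet listeners, and a success after a run of failures marks a probable infection. The detector below is an added example, not part of the talk and not derived from Mirai's code. The log line format is a constructed one for a telnet honeypot or gateway (src, dst, dport, user, pass, result); the credential pairs are a small excerpt of the default list in the publicly released Mirai scanner source, and the thresholds (three default pairs, two targets) are assumptions to tune for your environment.

```python
"""Detect Mirai-style default-credential scanning in telnet login logs.

Added example, not from the original talk or the Mirai source. Log format is
constructed; MIRAI_DEFAULTS is a small excerpt of Mirai's public credential
list; the thresholds are assumptions."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"),
    ("root", "root"), ("user", "user"), ("admin", "password"),
}
TELNET_PORTS = {"23", "2323"}        # Mirai's scanner targets both

LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)


@dataclass
class SourceStats:
    targets: set = field(default_factory=set)       # distinct dst hosts
    attempts: set = field(default_factory=set)      # distinct (user, pw) tried
    failures: int = 0
    compromised: set = field(default_factory=set)   # dst with success after failures


def parse(line: str):
    """One constructed log line -> dict of fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def analyse(lines, min_defaults=3, min_targets=2):
    """Return (verdict per source, stats per source).
    'scanner'    = tried >= min_defaults Mirai pairs on >= min_targets hosts
    'compromise' = scanner that then logged in successfully somewhere."""
    stats = defaultdict(SourceStats)
    for line in lines:
        ev = parse(line)
        if ev is None or ev["dport"] not in TELNET_PORTS:
            continue
        s = stats[ev["src"]]
        s.targets.add(ev["dst"])
        s.attempts.add((ev["user"], ev["pw"]))
        if ev["result"] == "fail":
            s.failures += 1
        elif s.failures:            # step 3: success after a stuffing run
            s.compromised.add(ev["dst"])
    verdicts = {}
    for src, s in stats.items():
        if len(s.attempts & MIRAI_DEFAULTS) >= min_defaults and len(s.targets) >= min_targets:
            verdicts[src] = "compromise" if s.compromised else "scanner"
    return verdicts, dict(stats)


# Constructed sample log: one scanner that gets in, one legitimate user with a
# typo, one scanner on port 2323 that is still probing.
SAMPLE_LOG = """\
2016-09-20T10:00:01Z src=203.0.113.9 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=fail
2016-09-20T10:00:01Z src=203.0.113.9 dst=192.0.2.10 dport=23 user=root pass=vizxv result=fail
2016-09-20T10:00:02Z src=203.0.113.9 dst=192.0.2.11 dport=23 user=admin pass=admin result=fail
2016-09-20T10:00:02Z src=203.0.113.9 dst=192.0.2.11 dport=23 user=root pass=888888 result=ok
2016-09-20T10:00:05Z src=198.51.100.4 dst=192.0.2.10 dport=23 user=alice pass=s3cret-typo result=fail
2016-09-20T10:00:09Z src=198.51.100.4 dst=192.0.2.10 dport=23 user=alice pass=s3cret result=ok
2016-09-20T10:00:12Z src=203.0.113.77 dst=192.0.2.12 dport=2323 user=root pass=admin result=fail
2016-09-20T10:00:12Z src=203.0.113.77 dst=192.0.2.13 dport=2323 user=support pass=support result=fail
2016-09-20T10:00:13Z src=203.0.113.77 dst=192.0.2.14 dport=2323 user=root pass=default result=fail
2016-09-20T10:00:20Z src=203.0.113.77 dst=192.0.2.15 dport=22 user=root pass=root result=fail
"""

if __name__ == "__main__":
    verdicts, _ = analyse(SAMPLE_LOG.splitlines())
    for src, verdict in sorted(verdicts.items()):
        print(f"{src}: {verdict}")
```

Counting distinct credential pairs from the default list, rather than raw failures, keeps a single user who mistypes a real password out of the alert, while a source that walks the Mirai list across two or more hosts is flagged after a handful of lines.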


Mirai's victims

Krebs on Security, Sept 20th 2016: 620 Gbps, 24,000 bots


Mirai's victims

OVH, Sept 21st 2016: 1.1 Tbps, 145,607 bots


Mirai's victims

Dyn, Oct 26th 2016: 1.2 Tbps, 100,000 bots

Major internet sites not reachable (Twitter, Amazon, Netflix, Visa, CNN, BBC, etc.)


Mirai's victims

Deutsche Telekom, Nov 27th 2016: TR-069 vulnerability added to Mirai's arsenal; 900,000 devices (unintentionally) DoSed


What can be done?


What can be done

Case study, high-tech manufacturing: IoT Security Strategy

Challenge: new IoT-oriented product portfolio with unclear cyber-threats and new demands on product design, engineering and the software development (!) process.

IoT security strategy:
- Busting of the "features > performance > security" imbalance
- Security architecture vs. security firefighting
- Not repeating old security mistakes
- Integration in engineering and software development

Result: security features and requirements integrated in product management.


What can be done

Case study, ISP: IoT Security Analysis for all CPEs

Challenge: wanted to understand the security of CPE product firmware but had more than 100 firmware versions.

Automated IoT security analysis:
- Extraction of firmware
- Efficient analysis of data using plugins & data mining, searching for: all kinds of certificates and private keys, version information, hardcoded passwords, known & unknown vulnerabilities…
- Correlation of results and reporting

Result: vulnerability management integrated in vendor management for CPE vendors.


And what happens if vendors wait too long?


2036: The FTC has already taken action against a Taiwanese computer hardware company, requiring a substantial security program for 20 years.

Source: FTC 23.2.2016, www.ftc.gov


For any further questions contact your SEC Consult expert.

Florian Lukavsky
f.lukavsky@sec-consult.com
+65 8261 6403

SEC Consult Singapore Pte. Ltd.
51 Changi Business Park Central 2, #08-05 The Signature, Singapore 486066
www.sec-consult.com
