RSA ASIA 2014 - Internet of Things
1 like416 views
The document details a presentation on IoT security, highlighting vulnerabilities in smart devices and the potential for exploitation, particularly in building automation systems. It discusses past incidents, including a notable attack involving over 750,000 malicious emails and compromised medical devices. Key recommendations emphasize the importance of assessing remote management practices, engaging security teams early in device acquisition, and monitoring network traffic to mitigate risks.
RSA ASIA 2014 - Internet of Things
- 1. #RSAC #RSAC Is Your Fridge Conspiring Against You? IoT Attacks and Embedded Defenses Billy Rios Director of Threat Intelligence Qualys @XSSniper SESSION ID: SEC-T08 Wolfgang Kandek CTO Qualys @wkandek
- 2. #RSAC About:Me - Qualys Director of Vulnerability Research and Threat Intelligence SpearPoint Security (Acquired in early 2013) Founder Google Technical Lead and Security for Google Plus 2
- 3. #RSAC About:Me Microsoft Technical Lead and Security for Google Plus Books: Hacking: The Next Generation – O’Reilly Inside Cyber Warfare – O’Reilly The Virtual Battlefield – IOS Press ICS Vulnerability Research: 30 publically credited in ICS-CERT advisories Vendor Assistance Over 1000 individual issues reported to DHS
- 4. #RSAC Let’s Review 2013 and IoT Security
- 5. #RSAC 5
- 6. #RSAC “The large-scale attack, which occurred between Dec. 23, 2013, and Jan. 6, 2014, involved more than 750,000 malicious email communications”
- 7. #RSAC 7
- 8. #RSAC “they woke up at midnight to the sounds of a man yelling at their daughter, Emma, and were surprised to find their Internet-enabled baby monitor moving -- even though they were not the ones moving it.”
- 9. #RSAC 9
- 10. #RSAC 10
- 11. #RSAC 11
- 12. #RSAC 12
- 13. #RSAC 13
- 14. #RSAC “hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors”
- 15. #RSAC 15
- 16. #RSAC
- 17. #RSAC
- 18. #RSAC
- 19. #RSAC
- 23. #RSAC RS485 has three pin and four pin interfaces
- 25. #RSAC
- 26. #RSAC Understanding what processor architecture is important
- 27. #RSAC Common Embedded Architectures Processors X86 ARM Motorola PowerPC Operating Systems Windows CE/Embedded VxWorks BusyBox QNX
- 28. #RSAC
- 29. #RSAC These identifying marks are really important
- 30. #RSAC
- 31. #RSAC
- 32. #RSAC 32
- 33. #RSAC 33
- 34. #RSAC 34
- 35. #RSAC The Enumeration Effort Internet Facing Initially based on Shodan, now running in EC2 50,000+ buildings Stadiums, Hospitals, Police Stations, Prisons, Corporations, Military Installations…etc Costs EC2 time Hardware and software for research All total ~$500
- 36. #RSAC Our Target Based in Silicon Valley Explicitly requested a full scope “Red Team” style assessment No previous knowledge of the organization or the infrastructure Network security teams monitoring and full corporate security assets in play
- 37. #RSAC Our Approach Identify the target in our Building Automation System (BAS) database (no port scanning required against the target) Internet facing BAS is typically found OUTSIDE of the corporate IP space! Setup our exploitation infrastructure and exploited a 0day vulnerability to gain access to the Building Automation System
- 38. #RSAC A Lesson on Integrators Typically, the end organization doesn’t install IoT Typically, a third party (Integrator) is hired to install the HVAC/Conference room/Nest thermostat/sensors When an issue arises, the Integrator is usually called in to assist Traveling to the client site can be expensive and time consuming for Integrators, so they enable remote access
- 39. #RSAC
- 40. #RSAC
- 44. #RSAC Access? Pivot from Automation network to Corporate Network VLAN separates Automation network from CorpNET No AV on any automation systems Cable Modem line allows for bypassing of perimeter ingress and egress monitoring Access to Corpnet with Domain Credentials At this point, the assessment becomes a traditional penetration test Escalation to Domain Admin Access to all workstations (including corporate IP and financial data) Access to CEO’s email
- 45. #RSAC Requested Proof of Concepts Unlock the front door of the Corporate HQ Shut off all IP based surveillance systems Modify the Access Control database (add a badge) Wipe an executives mobile device
- 46. #RSAC Things to Consider BEFORE you accept a device Have a policy! Understand the exposures Insist on understanding how remote management is implemented Know whether the device will be facing the Internet Evaluate the proposed configuration and deployment Get your acquisition folks involved Engage with your facilities and property team so they understand the risks of default acceptance of systems Large capital investments (ex. Buying a building) require security involvement from the beginning!
- 47. #RSAC Things to Consider Dealing with Devices on Your Network Know who your integrators are Ask for spare devices for testing Do assessments against the devices Clear text credentials (if the device talks to your exchange server for calendar updates… it has domain credentials) Backdoor passwords Liability Monitor traffic to and from the devices Consider restricting who can talk to the device Establish a baseline for device operation Known good firmware, files, and processes
- 48. #RSAC Great Resources /Dev/TTYS0 - http://www.devttys0.com/blog/ Travis Goodspeed - http://travisgoodspeed.blogspot.com/ Mikeselectricstuff - http://www.youtube.com/user/mikeselectricstuff?f eature=watch STBUYN - http://dontstuffbeansupyournose.com/ Cyber Pacifists - http://www.cyberpacifists.net/ Reversemode – http://www.reversemode.com/ W00tsec - http://w00tsec.blogspot.com/
- 49. #RSAC Kit Screwdriver set with nut driver, torx and square http://www.amazon.com/s/ref=nb_sb_ss_c_0_14?url=sea rch-alias%3Dindustrial&field-keywords=screwdriver+set Soldering iron with desoldering kit http://www.amazon.com/s/ref=nb_sb_noss_2?url=search -alias%3Daps&field-keywords=soldering Solderless breadboard http://www.adafruit.com/products/758?gclid=CMPMiO- y5bwCFZRsfgodHG0ACw Jumper wires http://www.amazon.com/s/ref=nb_sb_noss_1?url=search -alias%3Dindustrial&field- keywords=jumper+wires+male+to+male
- 50. #RSAC Kit Console Cables http://www.amazon.com/s/ref=nb_sb_noss?url=search- alias%3Daps&field-keywords=console+cable TTL Reader http://www.amazon.com/s/ref=nb_sb_noss?url=search- alias%3Daps&field-keywords=TTL+to+USB JTAG Reader http://blackcatusbjtag.com/ ROM Reader http://www.amazon.com/s/ref=nb_sb_ss_c_0_14?url=sea rch-alias%3Dindustrial&field-keywords=screwdriver+set Logic Analyzer http://www.saleae.com/logic
- 51. #RSAC Kit Disassembler (with appropriate chipset support) https://www.hex-rays.com/products/ida/ Debugger https://www.immunityinc.com/products-immdbg.shtml Terminal Software http://www.hilgraeve.com/hyperterminal/ Virtualization Software http://www.vmware.com/