Date post: | 01-Jul-2015 |
Category: |
Technology |
Upload: | security-weekly |
View: | 959 times |
Download: | 0 times |
The Internet Of Insecure Things: 10 Most Wanted List
Paul Asadoorian Founder & CEO
http://securityweekly.com !
June 2014 Ver 3.0 !
(Formerly “PaulDotCom”)
http://securityweekly.com Copyright 2014
Embedded Hacking 2-Day Course
Read more and sign up for this course here:
!
http://securityweekly.com/iot
!
Instructor: Paul Asadoorian
Hosted By: The SANS Institute
Next class: Oct. 26-27 in Las Vegas
http://securityweekly.com Copyright 2014
Why We [Should] Care
• Who cares if someone hacks my TV, fridge, lights, scale or treadmill or wireless router?
• You will care once attackers put malware on these devices
• Ads will be displayed on your devices without your permission
• AV will be useless
• Privacy concerns:
• I can see you watching TV
• I know what you eat and drink, how often you do laundry, and when you turn your lights/TV on
• I know how long you spend on the toilet
http://securityweekly.com Copyright 2014
Why We [Should] Care
• Attackers will find ways to monetize
• They will use any system to build botnets:
• Mine Bitcoins (as silly as that sounds, essentially printing currency)
• Send SPAM
• Launch DDoS attacks
• Ransomeware schemes
http://securityweekly.com Copyright 2014
Already Happening
• http://www.proofpoint.com/about-us/press-releases/01162014.php
• “More than 750,000 Phishing and SPAM emails Launched from "Thingbots" Including Televisions, Fridge”
• Okay, well one fridge, on purpose? By accident?
• http://thehackernews.com/2014/03/linux-worm-targets-internet-enabled.html
• “A Linux worm named Linux.Darlloz, earlier used to target Internet of Things (IoT) devices, i.e. Home Routers, Set-top boxes, Security Cameras, printers and Industrial control systems; now have been upgraded to mine Crypto Currencies like Bitcoin.”
http://securityweekly.com Copyright 2014
More Already Happening
• https://blog.kaspersky.com/gaming-console-hacks/
• “I also have a bad feeling that the time for gaming malware is now, and I am not totally sure what it will take to protect ourselves.”
• http://www.wired.com/2014/04/hikvision/
• “Hackers Turn Security Camera DVRs Into Worst Bitcoin Miners Ever”
• “The low-powered ARM chip is one of the worst possible processors you could pick for the crypto-heavy calculations that make up bitcoin mining.”
• “The malicious software seems to spread using the default usernames and passwords for the Hikvision devices”
Exploring Embedded Systems: What Are The
Targets?
Briefly look at some major categories...
http://securityweekly.com Copyright 2014
The Wifi Toilet
• “A Japanese company has built a “smart toilet” that uses WiFi, and of course hackers have figured out how to remotely take over the toilet and make it spray you in the butt or flush repeatedly. Who would want a WiFi toilet?”
http://securityweekly.com Copyright 2014
Industrial Control Systems
TextTurck BL67 Tridium Niagara AX
Siemens SCALANCE X-200
Clorius Controls ISC
Magnum MNS-6K
http://www.tenable.com/plugins/index.php?view=all&family=SCADA
http://securityweekly.com Copyright 2014
Corporate
• Building Entry
• Environmental
• Lighting
• Security Cameras
• Hotel Key Cards
• Timeclocks
• Headsets & Phones
• Printers & Multi-Function
http://securityweekly.com Copyright 2014
Medical
• IV Pumps / Drug infusion pumps
• Insulin Pumps (Wearable)
• Surgical and anesthesia devices
• Ventilators
• External defibrillators
• Patient monitors
• Laboratory and analysis equipment
Researchers Billy Rios and Terry McCorkle of Cylance have reported a hard-coded password vulnerability affecting roughly 300 medical devices across approximately 40 vendors. According to their report, the vulnerability could be exploited to potentially change critical settings and/or modify device firmware.
http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
It’s Nice To Have Goals
I came up with this list...
http://securityweekly.com Copyright 2014
10 Most Wanted List
1. Backdoors inside of firmware
2. Default credentials
3. Insecure Remote management (Defaults & Clear-Text Transmissions)
4. Open-source software and drivers, NOT binary blobs
5. Functions prone to overflow conditions
6. Firmware and configuration encryption
7. Easy-to-use firmware updates (auto-updates)
8. Secure web management interfaces
9. Maintain a CIRT and provide a program for security researchers
10. Implement Protocols Security / Implement Secure Protocols
We’re going to explore one of the most horrific, insecure embedded systems on the planet
But still… Who Cares?
“Inside Joel’s Backdoor”
D-LINK DIR-100
http://securityweekly.com Copyright 2014
Background
• I want to show how an attacker would exploit vulnerabilities on embedded systems for profit
• I found some excellent research published by Craig Heffner, author of binwalk and one of the most talented embedded device security researchers on the planet
- Hak.5 Interview with Craig Heffner on the issues: http://hak5.org/episodes/hak5-1513
http://wiki.securityweekly.com/wiki/index.php/Episode320#Interview:_Craig_Heffner
http://securityweekly.com Copyright 2014
Background
• The other rock star is Zach Cutlip, both work for Tactical Network Solutions and deserve A LOT of praise for their research
• Joel’s Backdoor is one of the most interesting embedded device vulnerabilities I’ve seen in some time
• Combined with several other flaws on the D-Link DIR-100
http://wiki.securityweekly.com/wiki/index.php/Episode342#Tech_Segment:_Zach_Cutlip
For those just reading the slides…
root@embeddedcourse:/home/firmware/TM-G5240# file TM-G5240-4.0.0b28.bix TM-G5240-4.0.0b28.bix: data !root@embeddedcourse:/home/firmware/TM-G5240# binwalk -e TM-G5240-4.0.0b28.bix !DECIMAL HEX DESCRIPTION -------------------------------------------------------------------------------4 0x4 Realtek firmware header (ROME bootloader) image type: RUN, header version: 1, created: 3/7/2007, image size: 2845036 bytes, body checksum: 0xF, header checksum: 0xE0 13014 0x32D6 mcrypt 2.2 encrypted data, algorithm: blowfish-256, mode: CBC, keymode: 8bit 26664 0x6828 7-zip archive data, version 48.107 WARNING: Extractor.execute failed to run '/opt/firmware-mod-kit/trunk/unsquashfs_all.sh 'C0988.squashfs'': [Errno 2] No such file or directory 788872 0xC0988 Squashfs filesystem, big endian, version 2.0, size: 2056186 bytes, 510 inodes, blocksize: 65536 bytes, created: Mon Mar 26 19:33:56 2007 !!
Mini-Demo: Firmware Basics (1)
root@embeddedcourse:/home/firmware/TM-G5240# unsquashfs C0988.squashfs Reading a different endian SQUASHFS filesystem on C0988.squashfs Parallel unsquashfs: Using 2 processors 484 inodes (544 blocks) to write ![=======================================================================|] 544/544 100% created 348 files created 26 directories created 49 symlinks created 87 devices created 0 fifos !!root@embeddedcourse:/home/firmware/TM-G5240# cd squashfs-root/sbin !root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/sbin# file webs webs: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), dynamically linked (uses shared libs), stripped !root@embeddedcourse:/home/firmware/TM-G5240/squashfs-root/sbin# strings webs | grep strcpy strcpy !
For those just reading the slides…
Mini-Demo: Firmware Basics (2)
http://securityweekly.com Copyright 2014
Exemplify Problem Areas
1.Backdoors inside of firmware
2.Default credentials
3.Functions prone to overflow conditions
4.Secure web management interfaces
http://securityweekly.com Copyright 2014
Joel’s Backdoor
• October 2013 Craig Heffner released details on a backdoor affecting D-Link routers
• Reverse engineering the authentication process, Craig finds a special compare
• Turns out if you set your User-Agent to “xmlset_roodkcableoj28840ybtide” you can access web management
• No password required!
• Who is Joel anyway?
• http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/
edit by 04882 joel backdoor
http://securityweekly.com Copyright 2014
Why Joel Did This?
The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several
binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change
these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a
username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, “Don’t worry, for I have a cunning plan!”.
http://pastebin.com/aMz8eYGa
http://securityweekly.com Copyright 2014
Russians Found It First
• Looking to root an ISPs router
• They found the string, and tried it as the TELNET login
• They could have found it and never posted it
• Or they never figured out its the User-Agent string
http://forum.codenet.ru/q58748/%D0%BF%D0%B5%D1%80%D0%B5%D0%B1%D0%BE%D1%80+%D0%BB%D0%BE%D0%B3%D0%B8%D0%BD%D0%BE%D0%B2+-+%D0%B4%D0%B0%D0%B9%D1%82%D0%B5+%D1%81%D0%BE%D0%B2%D0%B5%D1%82
January 24, 2010
http://securityweekly.com Copyright 2014
Exploit Is Simple
DIR-100: !
wget -U ‘xmlset_roodkcableoj28840ybtide’ http://192.168.1.85/Status/Device_Info.shtml
TM-G5240 (Firmware Version:v4.0.0b28) !
wget -U 'xmlset_roodkcableoj28840ybtide' http://192.168.1.87/Status/st_devic.htm
But, No One Exposes Web Management Interfaces To The Internet?
Because no presentation is complete without a Shodan screenshot
http://securityweekly.com Copyright 2014
Canadians & Chinese
thttpd-alphanetworks is a fork of thttpd by a spin-off of
Dlink
http://securityweekly.com Copyright 2014
Remote Exploitation Via Browser
• But wait, what if you could get someone to click on a link?
• Could you send authentication + exploit to the router?
• You need a few things to happen:
• The victim must load a web page with your exploit code
• Your exploit code must be able to modify the User-Agent
• Your have to know the IP address (192.168.0.1) of the device
• Your must run a command through the web interface to do something evil
• Your must bypass the Same Origin policy
http://securityweekly.com Copyright 2014
But, wait...
• In AJAX, you can do this:
!
!
• And then send this request:
xmlhttp.setRequestHeader('User-Agent','xmlset_roodkcableoj28840ybtide');
http://192.168.0.1/cli.cgi?cmd=$sys_remote_enable=1%25;$sys_remote_ip=0.0.0.0%25;$sys
_remote_port=80%25;commit
But Same Origin Policy will trump you (unless you can get around it in Java/Flash, stay tuned..)
http://securityweekly.com Copyright 2014
DIR-100 Buffer Overflow
• But wait, there’s more! Craig also released a buffer overflow vulnerability and exploit code:
• http://pastebin.com/vbiG42VD
• Limited to 200 bytes of shellcode
• Requires admin
• Works on DIR-100
Benefit: Now we can upload and execute code on the device, allowing us to execute commands and/or install software.
!Such as a network sniffer...
http://securityweekly.com Copyright 2014
Multi-Stage Dropper MIPS Shellcode
• Zach Cutlip is awesome, and his shellcode is damn sexy:
• https://github.com/tacnetsol/exploit-tools/tree/master/shellcode/mips/trojan-dropper
• Or callback in 184 bytes:
• https://github.com/tacnetsol/exploit-tools/blob/master/shellcode/mips/connect-back/callback_payload.py
It’s not dead yet...
But wait, there’s even more!
http://securityweekly.com Copyright 2014
Dir-100 XSS & So Much More
• December 2013 researcher Felix Richter exposes several more vulnerabilities affecting DIR-100 routers
• http://packetstormsecurity.com/files/125041/D-Link-DIR-100-CSRF-XSS-Disclosure-Authentication.html
• Retrieve the Administrator password without authentication leading to authentication bypass [CWE-255]
• Retrieve sensitive configuration parameters like the pppoe username and password without authentication [CWE-200]
• Execute privileged Commands without authentication through a race condition leading to weak authentication enforcement [CWE-287]
• Sending formatted request to a victim which then will execute arbitrary commands on the device (CSRF) [CWE-352]
• Store arbitrary javascript code which will be executed when a victim accesses the administrator interface [CWE-79]
http://securityweekly.com Copyright 2014
Let’s Recap
• For your enjoyment, DIR-100 has:
• At least 2 different authentication bypass vulnerabilities
• Information disclosure, leading to PPPOE passwords
• A CSRF vulnerability
• A remote buffer overflow
• A stored XSS vulnerability
http://securityweekly.com Copyright 2014
0wning D-Link Brazil?
• http://suporte.dlink.com.br/suporte/emuladores/DIR/DIR_100/Status/st_device.htm
http://securityweekly.com Copyright 2014
These Conditions Can’t Exist On Other Devices?
• Medical: http://arstechnica.com/security/2013/06/vast-array-of-medical-devices-vulnerable-to-serious-hacks-feds-warn/
• SCADA: http://seclists.org/fulldisclosure/2012/Apr/277
• Industrial Automation: http://www.ioactive.com/news-events/ioactive_discovers_backdoor_vulnerabilities_in_turck_industrial_automation_devices.html
• Building Automation: https://www.youtube.com/watch?v=c4LMrKEO_t0 (BACNet)
• Home Automation: http://www.ioactive.com/news-events/IOActive_advisory_belkinwemo_2014.html
What Do We Do About It?
10 Most Wanted List: A Guide For Embedded Device Manufacturer and Software Developers
http://securityweekly.com Copyright 2014
1. Firmware Backdoors
• A “secret” account (or access) created by the vendor that allows remote management
• Excuse is this is done for support reasons (password resets)
• The problem is: its not so secret
Backdoor password was...
Derived from the MAC address....
http://securityweekly.com Copyright 2014
2. Default Credentials
• A known set of credentials used out-of-the-box
• Typically found via Google or in documentation
• The problems: Anyone can discover this value and users/administrators don’t change it
• Also: Firmware updates sometimes reset it to the default value
http://securityweekly.com Copyright 2014
3. Insecure Remote Management
• HTTP & TELNET - Its 2014, why are we still using these protocols to manage systems?
• HTTPS - Yes, there is a cost for a certificate. And yes, sometimes vendors will use the same one for every device
• SSH - Same thing here, but easier to enable by default
• Oh, and weak passwords
http://securityweekly.com Copyright 2014
4. Open-Source drivers
• Interoperability is nice, but also begs the security question
• How do I keep my software and hardware up-to-date if you don’t provide me with a new driver!
• Open-source drivers allow for more eyes, and typically are patched more quickly
http://securityweekly.com Copyright 2014
5. Functions prone to overflow
• Wait, we know strcpy() is bad, right?
• Why do we still use it?
• And yes, programmers still use it
• In fact, if you take it out, they will just put it back
!
• https://community.rapid7.com/community/metasploit/blog/2013/11/06/supermicro-ipmi-firmware-vulnerabilities
http://securityweekly.com Copyright 2014
6. Firmware Encryption
• Signing firmware updates makes it harder to backdoor existing firmware
• Encrypting firmware makes it tougher to reverse engineer (though don’t let that replace real security)
• Also, XOR is NOT encryption
!
• http://www.darkreading.com/vulnerabilities---threats/hacking-firmware-and-detecting-backdoors/d/d-id/1139859?
http://securityweekly.com Copyright 2014
7. User Friendly Firmware Updates
• Take a page right from Microsoft’s playbook (I can’t believe I just wrote that, but...)
• Step back, most are unaware devices need to be updated for security, amazed that it actually works
• Even the term “update firmware” is too geeky, we need to change this
• Smartphones are a great example
http://securityweekly.com Copyright 2014
8. Secure Web Frameworks
• The code behind the web management interface is typically poorly implemented
• Java, Ruby, Python, .NET - all too “heavy” to implement on small systems
• Developers typically write their own, similar results to “Well, I’ll just implement my own encryption algorithm”
http://securityweekly.com Copyright 2014
9. Maintain a CIRT
• Look, this FREE help!
• D-Link has fixed the problems we covered earlier
• Some vulnerabilities never get fixed
• Researchers get frustrated and just post the exploits to pastebin
• Prezi got hacked, paid the researcher money, and wrote a nice blog post about it and linked to the researcher’s presentation (not in Prezi)
• It pays to work and collaborate with security researchers
http://securityweekly.com Copyright 2014
10. Secure Protocols
• UPnP, IPMI, HNLP, DLNA are common protocols on consumer devices
• Modbus is popular on SCADA devices
• The problem is they offer great functionality
• But security is often left out entirely
• IPMI and HNLP have had huge problems, leading to major issues and even the “Linksys Router Worm”
• The protocols desperately need security...
http://securityweekly.com Copyright 2014
Embedded Hacking 2-Day Course
Read more and sign up for this course here:
!
http://securityweekly.com/iot
!
Instructor: Paul Asadoorian
Hosted By: The SANS Institute
Next class: Oct. 26-27 in Las Vegas