class: title, smokescreen, shelf, bottom, no-footer
background-image: url(images/Ring_video_doorbell.jpg)

# 181U Spring 2020
## Security Issues

<style>
h1 {
  border-bottom: 8px solid rgb(32,67,143);
  border-radius: 2px;
  width: 90%;
}
.smokescreen h1 { border-bottom: none; }
.small {font-size: 80%}
.smaller {font-size: 70%}
.small-code.remark-slide-content.compact code {font-size:1.0rem}
.very-small-code.remark-slide-content.compact code {font-size:0.9rem}
.line-numbers {
  /* Set "line-numbers-counter" to 0 */
  counter-reset: line-numbers-counter;
}
.line-numbers .remark-code-line::before {
  /* Increment "line-numbers-counter" by 1 */
  counter-increment: line-numbers-counter;
  content: counter(line-numbers-counter);
  text-align: right;
  width: 20px;
  border-right: 1px solid #aaa;
  display: inline-block;
  margin-right: 10px;
  padding: 0 5px;
}
</style>

---
layout: true
.footer[
- 181U
- See acknowledgements
]

---
class: compact
# Agenda

* The issues
* Attack examples
* Attack vectors

---
class: compact
# What's different from current Internet issues

* Conventional devices involve humans in the control loop.
  In IoT, devices are interacting
* The lifetime of IoT devices is far longer than that of simple computers
  -- the devices are starting to outlive the companies and enterprises responsible for maintaining them
  -- unreachable or forgotten devices will disrupt the current "penetrate and patch" model
* Devices may have "baked-in" cryptography/security protocols persisting for decades beyond their security lifetimes

---
class: compact
# Zero-days and Forever-days

* Zero-days -- holes that adversaries know about but defenders do not
* In 2016 the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team announced 11 critical zero-days
  - In a wireless networking device used in "commercial facilities, energy, financial services, and transport systems" internationally
  - In an embedded computer used in "Chemical, commercial facilities, critical manufacturing, emergency services, energy, food..."
  - In building and automation systems from two vendors
  - In power grid components from three vendors used internationally
  - and others
* Zero-days become forever-days if they aren't patched.

---
class: compact
# Application Areas

* Cars
  - random failures
    - Thailand's finance minister was trapped in his car due to a computer failure
    - In France and Texas people died when they couldn't open their cars
  - malfeasance
    - attacks on wireless keys, electronic transmissions, etc.
    - remote attacks
* Traffic
  - Apps like Waze dramatically shift driving patterns
* Airplanes
  - Commercial planes expose their networks to passengers (e.g. through Ethernet)
* Trains
  - In the Netherlands a train left the station with passengers but no driver
* Medicine
  - Insulin pumps and pacemakers are vulnerable to attack

---
class: compact
# The Internet of Tattletale Devices

* Privacy spills (accidental leaks)
  - with IoT there's no reason to believe backend servers will be more secure
  - Personal information of 5 million parents and 200,000 children was exposed through the hacking of a company selling kids' toys and gadgets
* Vizio had sold more than 15 million "smart TVs" by 2015. The internal software allowed attackers to track everything you watch
* Samsung Smart TVs send captured voice data to a remote server unencrypted
* Hello Barbie records children's conversations and sends them by email to parents

---
class: compact
# The Internet of Tattletale Devices (cont.)

* Your devices might be used against you
  - data from Fitbits used in criminal trials
  - data from car GPS systems
* Your devices may talk to the wrong people
  - GM OnStar captures usage data -- they provide an insecure data site that allows others to see your data
* Devices for health monitoring expose data to the wrong people (do you want your employer tracking your activity?)

---
class: compact
# Hacks

* [How a fish tank helped hack a casino](https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?noredirect=on)
  - In 2017 hackers attempted to acquire data from a casino
  - The fish tank sensors were connected to a PC
  - By attacking the sensors, the hackers stole 10GB of data
* [Dark Web Hackers are Targeting Internet-connected Gas Pumps](https://www.zdnet.com/article/iot-security-now-dark-web-hackers-are-targeting-internet-connected-gas-pumps/)

---
class: compact
# Other Hacks

* [Baby Monitor Hacking](https://nordvpn.com/blog/baby-monitor-iot-hacking/)
  - a young family from Texas was awakened by a hacker's voice coming from their 4-month-old child's bedroom and threats that their child would be kidnapped.
* [Web-connected sex toys](https://metro.co.uk/2018/02/01/panty-buster-sex-toys-can-hacked-remotely-pleasure-people-without-consent-researchers-claim-7279177/)
  - "The database containing all the customer data (explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc.) was basically readable for everyone on the internet."
* [FDA Confirms that St. Jude's Cardiac Devices Can Be Hacked](https://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/)
* [Germany Banned Cayla Doll that can spy](https://www.washingtonpost.com/news/worldviews/wp/2017/02/23/this-pretty-blond-doll-could-be-spying-on-your-family/)
  - According to German officials, Cayla is a prime target for hackers, who can use the toy's technology to spy on families and collect private information. That's because the doll collects and transmits everything it hears to a voice recognition company in the United States.
* [The full story of how the Jeep was hacked](https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-explained/9493/)
  - the multimedia system of the Jeep was hacked through its WiFi.

---
class: compact
# Fly-by attack on ZigBee smart lightbulbs

![](images/hue-system.png# w-40pct fr)

<iframe width="560" height="315" src="https://www.youtube.com/embed/Ed1OjAuRARU" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

https://eprint.iacr.org/2016/1047.pdf

* Creates a self-spreading ZigBee worm targeting the Philips Hue light system

---
class: compact
# Overview of Hue Attack

* Exploits a bug in Atmel's implementation of the ZigBee Light Link (ZLL) protocol as used in Hue bulbs
* This allows two separate attacks
  1. An attack against the AES-CCM encryption mode used to encrypt and verify firmware updates, allowing an attacker to encrypt, sign, and upload malicious over-the-air (OTA) updates to infect lamps.
  2. A takeover attack allowing full control over lamps from 70-400 meters.
---
class: compact
# Overview of Hue Attack (cont.)

* The attack does not require prior knowledge about the attacked lamps
* The attack does not require knowledge of the ZLL secret key
* All lamps of the same type use the same global key, so side-channel attacks were used to deduce the key
* By flying a drone in a zig-zag pattern over a city, an attacker can disable all the Philips smart bulbs in a city center in a few minutes

---
class: compact
# Stuxnet

![](images/Iran.jpg# w-40pct fr)

* World's first digital weapon
* In 2010 Iranians noticed that their uranium enrichment centrifuges were failing at a high rate
* Stuxnet attacked Siemens PLCs (programmable logic controllers)

https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

---
class: compact
# Mirai Botnet

* In 2016 it infected numerous IoT devices (routers and IP cameras) and used them to flood a DNS provider with a DDoS attack
* Took down Etsy, GitHub, Netflix, Twitter, and others
* Crashed 900,000 routers from Deutsche Telekom
* Root cause was embedded Linux
  - many devices don't have enough space to perform an update
  - old kernels have known vulnerabilities

---
class: compact
# BrickerBot

* Brute-force attack on telnet
* Targets Linux-based IoT devices running the BusyBox toolkit
* Deletes internal memory and disables TCP timestamps
* Updates firewall and NAT rules

---
class: compact
# Major Vulnerabilities

* Lack of updates -- with 30 billion devices, this is a huge issue
* Unencrypted communication
* Default passwords
* Compromised devices sending spam emails
* Compromised devices used as botnets

---
class: compact
# Growth of Insecure CoAP and MQTT Devices

![](images/space.png# w-20pct)
![](images/insecure-deployments.png# w-60pct)

---
class: compact
# Vulnerabilities in MQTT Protocol

* Payload Remaining Length (think buffer overrun)

![](images/payloadremaininglength.png)

---
class: compact
# Vulnerabilities in MQTT

* Unicode handling in topic strings -- the standard does specify how illegal strings are handled

![](images/space.png# w-20pct)
![](images/unicode.png# w-60pct)

---
class: compact
# Malicious Client Uses Message Retain

![](images/space.png# w-20pct)
![](images/maliciousclient.png# w-50pct fr)

---
class: compact
# Vulnerabilities in MQTT (URI with Wildcard)

![](images/illegaltopics.png# w-50pct fr)

Parsing a URI is only apparently simple, and the most straightforward way is to use regular expressions when developing a broker. This creates a perfect stage to score another renowned attack technique, regular expression denial of service (ReDoS), which was first spotted in web applications, due to their URL-based nature. MQTT topics are nothing but strings separated by slashes, pretty much like URLs. More recently, the most popular JavaScript libraries have been systematically scrutinized for ReDoS vulnerabilities, with alarming findings that could impact virtually any software based on such libraries.

---
class: compact
# MQTT Payload Remaining Length Bug in Implementation

* Nick O'Leary's pubsubclient library is the most popular open-source MQTT client library for embedded systems such as Arduino-compatible boards (e.g., ESP8266) or the Intel Galileo. This library is used extensively by commercial platforms such as Losant and other IoT platforms.
* The bug can be exploited by sending two packets in a row to a client, enabling the execution of arbitrary code.
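---
class: compact, small-code
# Remaining Length: Bounds-Checked Decoding

An added example (not code from pubsubclient, Mosquitto, or the white paper the figures come from) of the check an embedded client needs around the Remaining Length field discussed on the previous slides: decode the variable-length field, then compare the declared size with the fixed receive buffer and with what has actually arrived before copying a single byte. `RX_BUF_SIZE`, the function names and the status codes are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Fixed receive buffer of the kind an embedded client uses (size assumed here). */
#define RX_BUF_SIZE 128u

enum rl_status { RL_OK, RL_NEED_MORE, RL_MALFORMED, RL_TOO_BIG };

/* Decode the variable-length "Remaining Length" field that follows the first
 * byte of every MQTT control packet: up to 4 bytes, 7 value bits each,
 * least-significant group first, bit 7 set means another byte follows.
 * `buf` points at the first length byte; `avail` is how many bytes after the
 * fixed-header byte have actually been received so far. */
enum rl_status mqtt_decode_remaining_length(const uint8_t *buf, size_t avail,
                                            uint32_t *out, size_t *consumed)
{
    uint32_t value = 0, multiplier = 1;
    size_t i = 0;
    do {
        if (i == 4) return RL_MALFORMED;     /* spec allows at most 4 bytes */
        if (i >= avail) return RL_NEED_MORE; /* length field not complete yet */
        value += (uint32_t)(buf[i] & 0x7F) * multiplier;
        multiplier *= 128;
    } while (buf[i++] & 0x80);
    *out = value;
    *consumed = i;
    return RL_OK;
}

/* Hardened framing: accept a packet only when the declared length fits the
 * receive buffer and the whole packet has arrived; nothing is copied before
 * that check, so a bogus length cannot overrun the buffer. */
enum rl_status mqtt_frame_packet(const uint8_t *pkt, size_t avail, size_t *pkt_len)
{
    uint32_t remaining;
    size_t hdr;
    enum rl_status st;
    if (avail < 1) return RL_NEED_MORE;
    st = mqtt_decode_remaining_length(pkt + 1, avail - 1, &remaining, &hdr);
    if (st != RL_OK) return st;
    if (remaining > RX_BUF_SIZE - 1 - hdr) return RL_TOO_BIG;  /* bounds first */
    if (1 + hdr + remaining > avail) return RL_NEED_MORE;     /* wait for the rest */
    *pkt_len = 1 + hdr + remaining;
    return RL_OK;
}
```

A client that drops the connection on `RL_TOO_BIG` or `RL_MALFORMED` never has to trust the peer's length field.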
---
class: compact
# MQTT Unicode Handling Bug in the Field

* Mosquitto versions up to 1.4.15 have this bug:

![](images/space.png# w-3-12th)
![](images/mosquittobug.png# w-50pct)

---
class: compact
# CoAP Amplification

* IP address spoofing on UDP -- CoAP is inherently susceptible
* Use the target as a reflector -- send a request and the response is reflected to the spoofed target address

---
class: compact
# References

* [IoT Security Foundation](https://www.iotsecurityfoundation.org/)
  - [Best Practices](https://www.iotsecurityfoundation.org/wp-content/uploads/2019/11/Best-Practice-Guides-Release-2.pdf)
* [Hacking Lightbulbs, Nitesh Dhanjani](https://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dhanjani%202013.pdf)
* Cover photo by Ring - <a rel="nofollow" class="external free" href="https://ring.com/press">https://ring.com/press</a>, <a href="https://creativecommons.org/licenses/by-sa/4.0" title="Creative Commons Attribution-Share Alike 4.0">CC BY-SA 4.0</a>, <a href="https://commons.wikimedia.org/w/index.php?curid=58940160">Link</a>
* Several figures from https://documents.trendmicro.com/assets/white_papers/wp-the-fragility-of-industrial-IoTs-data-backbone.pdf
* Material drawn from "The Internet of Risky Things: Trusting the devices that surround us", Sean Smith
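---
class: compact, small-code
# Topic Validation Without Regular Expressions

An added example (not Mosquitto's or any broker's code) that covers both the Unicode-handling slides and the wildcard/ReDoS slide: it rejects topic strings with malformed UTF-8, U+0000 or surrogates as MQTT 3.1.1 requires, enforces the `+`/`#` placement rules, and matches topics against filters in one linear pass, so there is no regular expression for ReDoS to target. The function names are assumptions; the 65535-byte limit and the wildcard rules are those of the MQTT 3.1.1 specification.

```c
#include <stdbool.h>
#include <string.h>

/* UTF-8 as MQTT 3.1.1 requires: no U+0000, no overlong forms, no surrogates, nothing above U+10FFFF. */
static bool utf8_valid(const unsigned char *p, size_t n)
{
    for (size_t i = 0, len; i < n; i += len) {
        unsigned char c = p[i];
        len = (c & 0xE0) == 0xC0 ? 2 : (c & 0xF0) == 0xE0 ? 3 :
              (c & 0xF8) == 0xF0 ? 4 : 0;
        if (c < 0x80) { if (c == 0) return false; len = 1; continue; } /* ASCII; U+0000 is forbidden */
        if (len == 0 || i + len > n) return false;   /* stray continuation byte or cut-off sequence */
        unsigned long cp = c & (0xFF >> (len + 1));  /* payload bits of the lead byte */
        for (size_t k = 1; k < len; k++) {
            if ((p[i + k] & 0xC0) != 0x80) return false;
            cp = (cp << 6) | (p[i + k] & 0x3F);
        }
        if (cp < (len == 2 ? 0x80UL : len == 3 ? 0x800UL : 0x10000UL) ||
            cp > 0x10FFFF || (cp >= 0xD800 && cp <= 0xDFFF)) return false;
    }
    return true;
}

/* Topic name (is_filter false: no wildcards) or filter ('+' fills a whole level, '#' only last).
 * One pass, no regex, no ReDoS. Wire strings are length-prefixed; strlen() stands in for that here. */
bool mqtt_topic_valid(const char *t, bool is_filter)
{
    size_t n = strlen(t);
    if (n == 0 || n > 65535 || !utf8_valid((const unsigned char *)t, n)) return false;
    for (size_t i = 0; i < n; i++) {
        if (t[i] != '+' && t[i] != '#') continue;
        bool whole = (i == 0 || t[i - 1] == '/') && (i + 1 == n || t[i + 1] == '/');
        if (!is_filter || !whole || (t[i] == '#' && i + 1 != n)) return false;
    }
    return true;
}

/* Linear-time match of a valid topic name against a valid filter. */
bool mqtt_topic_matches(const char *f, const char *t)
{
    if ((*f == '+' || *f == '#') && *t == '$') return false; /* wildcards never match $SYS topics */
    for (;; f++, t++) {
        if (*f == '#') return true;                          /* matches any remaining depth */
        if (*f == '/' && f[1] == '#' && !*t) return true;    /* "a/#" also matches "a" */
        if (*f == '+') { while (*t && *t != '/') t++; f++; } /* skip exactly one level */
        if (*f != *t) return false;                          /* also catches one side ending early */
        if (!*f) return true;
    }
}
```

A broker that validates every SUBSCRIBE filter and PUBLISH topic this way can close the connection on the first bad string, which is what the specification asks for, instead of letting a malformed topic reach the rest of the code.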