IRL: Live Hacking Demos!

Transcription

1 SESSION ID: SBX2-R3 IRL: Live Hacking Demos! Omer Farooq Senior Software Engineer Independent Security Evaluators Rick Ramgattie Security Analyst Independent Security Evaluators

2 What is the Internet of Things (IoT)? Non-conventional, network-connected devices Higher computational power than previous generations Examples: smart phones, routers, appliances (refrigerators, washing machines, etc.), surveillance cameras, watches, home automation systems, jet engines, vending machines, self-driving vehicles 25 billion connected devices by

3 IoT and the Enterprise Environment Potential to improve efficiency and productivity Industries: utilities, industrial, health care, manufacturing, transportation, agriculture Potential to increase attack surface of corporate networks [B]y the end of 2017, over 20 per cent of organizations will have digital security services devoted to protecting business initiatives using devices and services in IoT 1 67% of executives will adopt IoT despite potential risks 2 25% of remote workers have at least one IoT device connected to a corporate network

4 What are the Dangers? Corporate bring-your-own-device (BYOD) policies undetected breaches Similarly, IoT introduces unaudited devices with poor security to the network Often exempt from compliance with security policies Hard to install updates/patches Lack built-in security (encryption, authentication, hardening, etc.) Default credentials (major infection vector for botnets) 4

5 What are the Dangers? (cont.) 70% of IoT devices were vulnerable to some sort of attack; 60% of IoT devices with a user interface were vulnerable to issues like cross-site scripting and weak credentials; and 70% of IoT devices used encrypted network services 1 Potential for mass exploitation 2 Examples: Mirai (1 Tbps DDoS, took down Internet DNS), BASHLITE (1 million IoT bots), Linux.Darlloz, Remaiten

6 What are the Dangers? (cont.) 6

7 Demo Devices Netgear ReadyNAS RN10400 Network Attached Storage (NAS) ASUS RT-N56U Router Motorola Focus73 Camera Belkin N900 Router 7

8 Netgear ReadyNAS RN10400

9 Netgear ReadyNAS RN10400 Network Attached Storage Web Interface which connects back to Netgear Running Linux Has Busybox installed Open ports tcp/22, tcp/80 9

10 Netgear ReadyNAS RN Vulnerabilities Lack of CSRF Protection Arbitrary Command Injection 10

11 Netgear ReadyNAS RN

12 Netgear ReadyNAS RN10400 TODO: screenshot of reverse shell 12

13 Belkin N900

14 Belkin N900 Wireless Router Web Interface which connects back to Belkin Running Linux (TODO) Has Busybox installed (TODO) Open ports tcp/53, tcp/80 14

15 Belkin N900 2 Vulnerabilities Client-side authentication Missing authorization checks 15

16 Belkin N900 16

17 Belkin N900 17

18 Belkin N900 18

19 Belkin N900 19

20 Motorola Focus73

21 Motorola Focus73 3 vulnerabilities Lack of Authentication and Authorization Mechanisms in Nuvoton Web Server Command Injection Remote File Inclusion 21

22 Motorola Focus73 22

23 Motorola Focus73 Uploaded file does not need to be a real firmware file /fwupgrade.html calls a CGI script This script is vulnerable to both command injection and remote file upload 23

24 Motorola Focus73 24

25 Motorola Focus73 25

26 Motorola Focus73 TODO: screenshot of Burp request with actual exploit payload in filename field 26

27 ASUS RT-N56U

28 ASUS RT-N56U Wireless Router Running Linux (TODO) Has Busybox installed (TODO) Open ports tcp/53, tcp/80, tcp/515, tcp/

29 ASUS RT-N56U 2 vulnerabilities Client-side credential disclosure Web server stack-based buffer overflow 29

30 ASUS RT-N56U 30

31 What Can Be Done? Revamped IT infrastructure Scaling up ability to monitor and analyze greater volume of data increased bandwidth and storage requirements Distributed network architecture 1 Netflow analysis, watch for anomalous traffic patterns from similar classes of devices Updated security and IT policies Mandated patching of IoT/embedded devices Credential management and commissioning process Inventory process IPv6 Start planning and be aware of security implications Supply chain of trust: vetting your device vendors 1 Internet-of-Things-architecture-in-the-data-center 31