THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS

Size: px

Start display at page:

Download "THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS"

Rolf Townsend
5 years ago
Views:

1 SESSION ID: MBS-W04 THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS Nadir Izrael CTO & Co-Founder Armis, Inc. Ben Seri Head of Research Armis, Inc.

2 Placeholder Slide: Image of spread of infection

3 Placeholder Slide: Image of spread of infection

4 THE NEW ATTACK LANDSCAPE The Airborne Attack

5 The Airborne Attack (protocol) (software) (hardware) (hardware) 5

6 No User Interaction Required Internet URL Link Download Pair Device 6

7 Bluetooth s Stagefright Moment 5.5B+ Devices At Risk 2B+ Unpatchable 9 Zero-Day Vulnerabilities (4 critical) Android, Windows, Linux, and ios Most serious Bluetooth vulnerability to date Enables RCE, MiTM, and Info Leaks 7

8 BlueBorne Can Spread From Device To Device

What Systems Are Impacted 1 Info Leak 2 RCE 1 MiTM 1 Info Leak 1 RCE 1 RCE Pre-iOS 10 Pre- tvos 9 1 Info Leak 1 RCE 1 MiTM Google Pixel Samsung Galaxy Samsung Galaxy Tab LG Watch

10 What Systems Are Impacted 1 Info Leak 2 RCE 1 MiTM 1 Info Leak 1 RCE 1 RCE Pre-iOS 10 Pre- tvos 9 1 Info Leak 1 RCE 1 MiTM Google Pixel Samsung Galaxy Samsung Galaxy Tab LG Watch Sport Google Home Windows Desktops Windows Laptops Samsung Gear S3 (Smartwatch) Samsung Smart TVs Samsung Family Hub (Smart refrigerator) iphone ipad ipod Apple TV Amazon Echo 10

11 82% of companies have an Amazon Echo in their environment Located executive offices Brought in by employees 11

12 How BlueBorne Works High Privileges 12

Devices exchange keys, and auto connect without discoverable mode

13 How BlueTooth Pairs Bluetooth is on and discoverable User must find and proactively pair to the device Some authentication or PIN to connect Devices exchange keys, and auto connect without discoverable mode Bluetooth Speakers Connected Device 1 (Smart Phone) Device 2 (Bluetooth Speakers) 13

14 How BlueBorne Works Bluetooth is on Attacker gets the MAC address Bluetooth 00:2b:09:6f:2b:01 Bluetooth Attacker initiates Bluetooth and attacks via using a BlueBorne vulnerability RCE MiTM No user interaction required No pairing No approval Attacker can take over, create MiTM, get encryption keys, etc. Attacker (Laptop) 14 Target (Smart Phone)

15 A BlueBorne Worm Attacker Worm-like potential Deliver ransomware Spread botnet Steal credentials More 15

16 Info Leak 16

17 Info Leak (To Desktop) Attacker (Laptop) Linux PC Target (Keyboard) User connected to Linux desktop Attacker uses info leak to get encryption keys of the keyboard Attacker intercepts keystrokes without running code or doing MiTM Attacker can also inject keystrokes to the targeted device 17

headset Attacker intercepts headset audio

18 Info Leak (Headset) Attacker (Laptop) Android (Smartphone) User connected to Android smartphone Attacker uses info leak to get encryption keys of the headset Attacker intercepts headset audio (eavesdropping on calls for instance) Target (Headset) 18

19 Man in the Middle Attack 19

20 MiTM WiFi Pineapple Corporate Network Internet IMPORTANT User Interaction Required Users Select The Network 20 WiFi Pineapple

21 MiTM Bluetooth Pineapple Corporate Network Internet IMPORTANT No User Interaction Required Bluetooth Pineapple 21

22 A Broken Security Architecture Architecture broken 22

23 The New Attack Landscape C&C Perimeter Firewall Network Core Core Switch Aggregation Layer WLC Controller Aggregation Switches Access Layer Access Point Access Switches Managed & Unmanaged Devices 23

24 Segmentation Will Not Protect Us 24

25 The True RCE Vulnerability Ratio Traditional Desktop Mobile Network Infrastructure IoT 1 per year 2-3 per year 100 per year every year True Remote Code Execution Vulnerabilities 25

26 The Infrastructure: A wide Range of Unmanaged Devices CVE

27 Infrastructure Is Becoming an Easy Target Lack mitigation techniques that are standard in endpoints These are similar to all IoT devices Updates to these systems are almost never automated Public exploits for devices are easy to develop and use 27

28 28

29 DEMONSTRATION BlueBorne Attack

BlueBorne Attack 1 IoT device attacked Amazon Echo taken over via BlueBorne 5 2 Echo controlled via Internet Attacker moves control of Echo to the Internet

the Network Infrastructure Attack breaks segmentation Guest and Corporate are irrelevant 1 4 Confidential data accessed Attacker accesses confidential

30 BlueBorne Attack 1 IoT device attacked Amazon Echo taken over via BlueBorne 5 2 Echo controlled via Internet Attacker moves control of Echo to the Internet Bluetooth no longer used Amazon Echo is used as a relay 3 Network Infrastructure is compromised Internet Infrastructure Via the Echo, attacker compromises the Network Infrastructure Attack breaks segmentation Guest and Corporate are irrelevant 1 4 Confidential data accessed Attacker accesses confidential information Can actively interact with other devices Attacker Laptop Amazon Echo Corporate Server 5 Data passed via Internet Data exfiltrated over the internet connection 30

31 Meet the New Endpoint Designed To Connect No Security Billions of Devices Hard to Update Many Manufacturers Hard to Discover 31

32 IMPLICATIONS AND NEXT STEPS

33 The Implications Item Airborne Attacks IoT Devices Network Infrastructure Implication Devices being attack over the air Out of the traditional kill chain Moving device-to-device Needs to be seen as an endpoint Gateway to your critical data and systems Need to view as unmanaged devices Segmentation is exposed and can be broken 33

34 Recommendations Device and network discovery and visibility are critical. 34

35 Next Steps Immediately Month 1 Month 3 Month 6+ Discovery Discovery Report Cross Team Meeting Cross Functional Meeting (Security, Networking, Operations, Facilities) Identify Program Policies Employee Education Rapid Response Identify Solution Implement Program Implement 35

36 QUESTIONS

PROTECTING THE ENTERPRISE FROM BLUEBORNE

PROTECTING THE ENTERPRISE FROM BLUEBORNE WHITE PAPER 2017 ARMIS OVERVIEW The newly discovered BlueBorne attack vector presents a new set of challenges for enterprises and their security teams. BlueBorne