SESSION ID: MBS-W04
THE NEW LANDSCAPE OF AIRBORNE CYBERATTACKS
Nadir Izrael, CTO & Co-Founder, Armis, Inc.
Ben Seri, Head of Research, Armis, Inc.
Placeholder Slide: Image of spread of infection
THE NEW ATTACK LANDSCAPE The Airborne Attack
The Airborne Attack (protocol) (software) (hardware) (hardware)
No User Interaction Required Internet URL Link Download Pair Device
Bluetooth's Stagefright Moment
- 5.5B+ Devices At Risk
- 2B+ Unpatchable
- 9 Zero-Day Vulnerabilities (4 critical)
- Android, Windows, Linux, and iOS
- Most serious Bluetooth vulnerability to date
- Enables RCE, MiTM, and Info Leaks
BlueBorne Can Spread From Device To Device
What Systems Are Impacted
- Vulnerability counts (as shown on the slide): 1 Info Leak 2 RCE 1 MiTM 1 Info Leak 1 RCE 1 RCE Pre-iOS 10 Pre-tvOS 9 1 Info Leak 1 RCE 1 MiTM
- Devices: Google Pixel, Samsung Galaxy, Samsung Galaxy Tab, LG Watch Sport, Google Home, Windows Desktops, Windows Laptops, Samsung Gear S3 (Smartwatch), Samsung Smart TVs, Samsung Family Hub (Smart refrigerator), iPhone, iPad, iPod, Apple TV, Amazon Echo
82% of companies have an Amazon Echo in their environment
- Located in executive offices
- Brought in by employees
How BlueBorne Works High Privileges
How Bluetooth Pairs
- Bluetooth is on and discoverable
- User must find and proactively pair to the device
- Some authentication or PIN to connect
- Devices exchange keys, and auto connect without discoverable mode
(Diagram labels: Bluetooth Speakers Connected; Device 1 (Smart Phone); Device 2 (Bluetooth Speakers))
How BlueBorne Works
- Bluetooth is on
- Attacker gets the MAC address
- Attacker initiates Bluetooth and attacks using a BlueBorne vulnerability (RCE, MiTM)
- No user interaction required: no pairing, no approval
- Attacker can take over, create MiTM, get encryption keys, etc.
(Diagram labels: Bluetooth 00:2b:09:6f:2b:01; Attacker (Laptop); Target (Smart Phone))
A BlueBorne Worm
Worm-like potential:
- Deliver ransomware
- Spread botnet
- Steal credentials
- More
(Diagram label: Attacker)
Info Leak
Info Leak (To Desktop)
- User connected to Linux desktop
- Attacker uses info leak to get encryption keys of the keyboard
- Attacker intercepts keystrokes without running code or doing MiTM
- Attacker can also inject keystrokes to the targeted device
(Diagram labels: Attacker (Laptop); Linux PC; Target (Keyboard))
Info Leak (Headset)
- User connected to Android smartphone
- Attacker uses info leak to get encryption keys of the headset
- Attacker intercepts headset audio (eavesdropping on calls, for instance)
(Diagram labels: Attacker (Laptop); Android (Smartphone); Target (Headset))
Man in the Middle Attack
MiTM: WiFi Pineapple
- IMPORTANT: User Interaction Required
- Users Select The Network
(Diagram labels: Corporate Network; Internet; WiFi Pineapple)
MiTM: Bluetooth Pineapple
- IMPORTANT: No User Interaction Required
(Diagram labels: Corporate Network; Internet; Bluetooth Pineapple)
A Broken Security Architecture Architecture broken
The New Attack Landscape (diagram labels)
- C&C
- Perimeter: Firewall
- Network Core: Core Switch
- Aggregation Layer: WLC Controller, Aggregation Switches
- Access Layer: Access Point, Access Switches
- Managed & Unmanaged Devices
Segmentation Will Not Protect Us
The True RCE Vulnerability Ratio Traditional Desktop Mobile Network Infrastructure IoT 1 per year 2-3 per year 100 per year every year True Remote Code Execution Vulnerabilities
The Infrastructure: A Wide Range of Unmanaged Devices CVE-2018-0171
Infrastructure Is Becoming an Easy Target
- Lack mitigation techniques that are standard in endpoints
- These are similar to all IoT devices
- Updates to these systems are almost never automated
- Public exploits for devices are easy to develop and use
DEMONSTRATION BlueBorne Attack
BlueBorne Attack
1. IoT device attacked: Amazon Echo taken over via BlueBorne.
2. Echo controlled via Internet: Attacker moves control of Echo to the Internet. Bluetooth no longer used. Amazon Echo is used as a relay.
3. Network Infrastructure is compromised: Via the Echo, attacker compromises the Network Infrastructure. Attack breaks segmentation. Guest and Corporate are irrelevant.
4. Confidential data accessed: Attacker accesses confidential information. Can actively interact with other devices.
5. Data passed via Internet: Data exfiltrated over the internet connection.
(Diagram labels: Attacker Laptop; Amazon Echo; Infrastructure; Corporate Server; Internet)
Meet the New Endpoint
- Designed To Connect
- No Security
- Billions of Devices
- Hard to Update
- Many Manufacturers
- Hard to Discover
IMPLICATIONS AND NEXT STEPS
The Implications
Item: Implication
- Airborne Attacks: Devices being attacked over the air. Out of the traditional kill chain. Moving device-to-device.
- IoT Devices: Needs to be seen as an endpoint. Gateway to your critical data and systems.
- Network Infrastructure: Need to view as unmanaged devices. Segmentation is exposed and can be broken.
Recommendations: Device and network discovery and visibility are critical.
Next Steps Immediately Month 1 Month 3 Month 6+ Discovery Discovery Report Cross Team Meeting Cross Functional Meeting (Security, Networking, Operations, Facilities) Identify Program Policies Employee Education Rapid Response Identify Solution Implement Program Implement
QUESTIONS