A Quantitative Analysis of the Insecurity of Embedded Network Devices: Results of a Wide-Area Scan
Ang Cui and Salvatore J. Stolfo
Department of Computer Science, Columbia University
{ang,sal}@cs.columbia.edu
Motivation
Embedded network devices have become a ubiquitous fixture in the modern home and office, as well as in the global communication infrastructure
Widely deployed and often misconfigured, embedded network devices constitute highly attractive targets for exploitation
Questions
How have embedded devices been exploited in the past?
How feasible is large scale exploitation of embedded devices?
How can we quantitatively measure the level of embedded device insecurity on a global scale?
How can compromised embedded devices be used to benefit malicious attackers?
How many vulnerable embedded devices are there in the world?
What are they?
Where are they?
What are the most efficient methods of securing vulnerable embedded devices?
Technique
Scan the entire internet
First, nmap is used to scan large portions of the internet for open TCP ports 23 and 80. The scan results are stored in a SQL database.
Identify device type.
Use default passwords to try to log into embedded devices by verification profile
Gain root access
Each scan takes approximately four weeks and involves two or three sweeps of the entire monitored IP space
Increase likelihood of getting connection
Allow for comparison over time
Ethical Concerns
Make sure we are not overloading networks
Make it easy to opt out of research
Have secondary checks (Columbia University NOC)
Rigid security policies for protecting data
Sensitive experimental data is purged from the production database regularly
Transferred to an IronKey [4] USB stick for encrypted offline storage
Results
Identified approximately 1.1 million vulnerable devices. (as of now the paper cites 540,000)
Over 96% of such accessible devices remain vulnerable after a 4-month period
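A persistence figure like the one above depends on which devices form the denominator. As an added example (not code from the paper or the presenter), the sketch below computes a per-device-type persistence rate between two stored scans using SQLite; the table layout, column names and sample rows are assumptions constructed for illustration.

```python
import sqlite3

# Hypothetical schema (an assumption, not the paper's): one row per host per scan.
SCHEMA = """CREATE TABLE scan_results (
    scan_id INTEGER, ip TEXT, device_type TEXT,
    reachable INTEGER,   -- 1 if the host answered in this scan
    vulnerable INTEGER,  -- 1 if default credentials were still accepted
    PRIMARY KEY (scan_id, ip))"""

# Constructed sample rows (documentation-range addresses).
ROWS = [
    (1, "192.0.2.10", "router", 1, 1), (2, "192.0.2.10", "router", 1, 1),
    (1, "192.0.2.11", "router", 1, 1), (2, "192.0.2.11", "router", 1, 0),
    (1, "192.0.2.12", "printer", 1, 1), (2, "192.0.2.12", "printer", 0, 0),
    (1, "192.0.2.13", "printer", 1, 1), (2, "192.0.2.13", "printer", 1, 1),
    (1, "192.0.2.14", "camera", 1, 0), (2, "192.0.2.14", "camera", 1, 0),
    (1, "192.0.2.15", "camera", 1, 1),  # never seen again in scan 2
]

# LEFT JOIN keeps hosts that are missing from the later scan.
QUERY = """
SELECT a.device_type,
       COUNT(*)                                       AS vulnerable_before,
       COALESCE(SUM(b.reachable), 0)                  AS still_reachable,
       COALESCE(SUM(b.reachable AND b.vulnerable), 0) AS still_vulnerable
FROM scan_results a
LEFT JOIN scan_results b ON b.ip = a.ip AND b.scan_id = ?
WHERE a.scan_id = ? AND a.vulnerable = 1
GROUP BY a.device_type ORDER BY a.device_type"""

def load_sample():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.executemany("INSERT INTO scan_results VALUES (?,?,?,?,?)", ROWS)
    return conn

def persistence(conn, first_scan, later_scan):
    """Map device_type -> (vulnerable_before, still_reachable, still_vulnerable, pct)."""
    out = {}
    for dev, before, reach, vuln in conn.execute(QUERY, (later_scan, first_scan)):
        # The rate is taken over hosts that answered again, so devices that
        # merely went offline are not counted as remediated.
        pct = round(100.0 * vuln / reach, 1) if reach else None
        out[dev] = (before, reach, vuln, pct)
    return out

if __name__ == "__main__":
    for dev, stats in persistence(load_sample(), 1, 2).items():
        print(dev, stats)
```
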
300,000 vulnerable embedded devices within two ISP networks in Asia.
Residential ISPs constitute over 68% of the entire vulnerable population.
DDoS
Three device types account for 55% of vulnerable devices
This could be used for a massive DDoS attack
Office Espionage
HP JetDirect Printer Servers represent 44,000 of the vulnerable devices
Located in 2505 unique organizations
This allows hackers to see data and dataflow
END
They Can Hear Your Heartbeats: Non-Invasive Security for Implantable Medical Devices
Shyamnath Gollakota, Haitham Hassanieh, Benjamin Ransford, Dina Katabi, and Kevin Fu
ACM SIGCOMM 2011
Implantable Medical Devices (IMD)
Cardiac Defibrillators
Neurostimulators
Cochlear Implants
Wireless Interaction in IMD
Pro: Safety and Cost
Easier communication with implant
Remote monitoring
Reduces hospital visits by 40% and cost per visit by $1800 [Journal of the American College of Cardiology, 2011]
Con: Security and Privacy
Passive attack: Eavesdrop on private data
Active attack: Send unauthorized commands
Possible Security Measures
Cryptography?
Problems
1) In emergencies, patient may be taken to a foreign hospital where doctors do not have the secret key
2) Millions of patients already have implants with no crypto; would require surgery to replace
Ideal Solution
Cryptography? => The “Shield”
Problems
1) In emergencies, patient may be taken to a foreign hospital where doctors do not have the secret key => can be non-intrusively disabled
2) Millions of patients already have implants with no crypto; would require surgery to replace => external security module
Traditional System
Shield: Secure Legal Communication
Doctor configures the shield with a secret key
Shield acts as proxy
Use encryption
Shield encrypts the implant data and forwards it to doctor
Shield: Jam Illegal Communication
• Shield listens on medium
• Shield jams unauthorized commands
Implants can’t decode or react to illegal commands
[Figure labels: Implant ID, Turn off therapy]
Technical Issue
Needs to be able to Tx (jam) and Rx at the same time.
Needs to be small enough to be portable.
wavelength / 2 ≈ 40 cm
Solution
The “Antidote”
w/o antidote: 50% BER
w/ antidote: 0.2% packet loss
Implementation
USRP2 (Universal Software Radio Peripheral)
Antenna *2
FPGA
Ethernet interface
SD card reader
Evaluation
• IMD: Medtronic™ cardiac implants
• Legal user: Medtronic™ IMD programmer
• Attacker: USRP2
• Shield: USRP2
• Human body: bacon & beef
Test Bed
IMD & Shield fixed in one place
20 locations for attacker to test
[Figure: test bed layout; labelled distances 30 m and 20 cm]
Phase1: Passive Eavesdrop
Worst case scenario
Attacker is only 20cm away from IMD
[Figure: Attacker, CDF of BER; labels: Random, Jammed]
[Figure: Shield, CDF of PLR]
Average loss rate 0.2%
Phase2: Active Attack
Simulating two kinds of attackers
1) Off-the-shelf IMD programmer
2) Self-modified programmer with x100 transmission power
Phase2-1: Off-the-shelf Attacker
[Figure: Rate of success attack by Location ID; series: w/o Shield, w/ Shield; annotation: Less than 14 meters]
Without the Shield
[Figure: attacker locations; legend: Any attack successful, No attack successful; labelled distance 14 m]
With the Shield
[Figure: attacker locations; legend: Any attack successful, No attack successful; labelled distance 20 cm]
Phase2-2: x100 Power Attacker
Too powerful, cannot jam it due to limited battery power of Shield
However, can warn the wearer by beeping and/or vibration to leave the location
Without the Shield
[Figure: attacker locations; legend: Any attack successful, No attack successful; labelled distance 27 m]
With the Shield
[Figure: attacker locations; legend: Any attack successful, No attack successful]
Cannot totally eliminate the hazard
But,
Raise the bar of active attack
Provide detection of hazard
Conclusion
First to secure medical implants without modifying them
Other applications in RFIDs, small low-power sensors, legacy devices
Convergence of wireless and medical devices opens up new research problems
Few Comments (kcir)
Meticulous footnotes
Kind of verbose/repetitive
DoS -> wears out the battery
Technical invention in disguise of an application work, incurs more attention