IoT Security: How Your TV and Thermostat Are Attacking the Internet

IoT Security: How Your TV and Thermostat are Attacking the Internet. Nathan Wallace, PhD, CSSA, Dir. of Cyber Operations, Cybirical, LLC. Dec. 05 2016. Computer Science


Post on 08-Feb-2017


Page 1: IoT Security: How Your TV and Thermostat are Attacking the Internet

IoT Security: How Your TV and Thermostat are Attacking the Internet

Nathan Wallace, PhD, CSSA, Dir. of Cyber Operations, Cybirical, LLC

Dec. 05 2016

Computer Science

Page 2: IoT Security: How Your TV and Thermostat are Attacking the Internet

Outline

•  The Internet of Things (Everything)
   - Examples of IoT Devices
   - Power Grid (‘Grid of Things’)

•  Security Challenges
   - End-Point Security, Global Issues, 0-Days, No Motivation

•  The Mirai Botnet
   - Background (DNS)
   - Oct. 21st Summary

•  Tinkering Around
   - Experimenting with an IP Cam
   - What is this ‘thing’ really doing

Page 3: IoT Security: How Your TV and Thermostat are Attacking the Internet

Source: http://www.comsoc.org/blog/infographic-internet-things-iot

By the numbers

Page 4: IoT Security: How Your TV and Thermostat are Attacking the Internet

By the numbers

Source: http://www.comsoc.org/blog/infographic-internet-things-iot

Page 5: IoT Security: How Your TV and Thermostat are Attacking the Internet

By the numbers

Source: http://www.comsoc.org/blog/infographic-internet-things-iot

Page 6: IoT Security: How Your TV and Thermostat are Attacking the Internet

Internet of Things Examples

Video

Video

Page 7: IoT Security: How Your TV and Thermostat are Attacking the Internet

FEATURES Integrated cleansing. Adjustable spray shape, position, water pressure, temperature, pulsate. Self-cleaning Warm-air drying system with adjustable temperature settings. Automatic deodorization system. Heated seat with adjustable temperature settings. Motion-activated LED lighting illuminates the bowl to serve as a night-light. Touchscreen LCD remote control. Plays Music

Internet of Things Examples

Video

Page 8: IoT Security: How Your TV and Thermostat are Attacking the Internet

Grid of Things State of Affairs Power Grid

“Our expectation is that the modernized electricity grid will be 100 to 1000 times larger than the Internet” – Cisco VP

Advanced Metering

Electric Vehicles

Distributed Generation

Grid Modernization

Distribution Automation

Page 9: IoT Security: How Your TV and Thermostat are Attacking the Internet

IoT Security => Safety

ICS-CERT

Page 10: IoT Security: How Your TV and Thermostat are Attacking the Internet

Wait, so what exactly is IoT?

Page 11: IoT Security: How Your TV and Thermostat are Attacking the Internet

Wait, so what exactly is IoT?

Source: IoT European Research Cluster, IERC, 2014

Page 12: IoT Security: How Your TV and Thermostat are Attacking the Internet

IoT Defined... Now Security...

Implementing security with:

•  No Incentives (or Consequences)

•  Do vendors and consumers even care

•  World economy, markets, and conflicts

•  Engineering silos

•  Engineering ethical barriers

•  Limited understanding of complexity and emergent issues

Page 13: IoT Security: How Your TV and Thermostat are Attacking the Internet

Mirai Botnet

Source: Level 3 Communications

Outage Map October 21 2016

Page 14: IoT Security: How Your TV and Thermostat are Attacking the Internet

Background

Source: Simon Liu, "Surviving Distributed Denial-of-Service Attacks", IT Professional vol. 11, p. 51-53, September/October, 2009

Page 15: IoT Security: How Your TV and Thermostat are Attacking the Internet

Background How Domain Name Service Works

‘The Phone Book of the Internet’

(1) Where is Google?

DNS Server

Google

(2) Google is at 108.177.8.113

(3) Searching the Web 108.177.8.113/search?q=IEEE

Page 16: IoT Security: How Your TV and Thermostat are Attacking the Internet

Summary

Source: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/

Dyn’s Key Findings:

•  ‘The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.’

•  Dyn confirms Mirai botnet as primary source of malicious attack traffic.

•  Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.

DNS Server

Page 17: IoT Security: How Your TV and Thermostat are Attacking the Internet

DYN Attack cont. and IoT Security Hearing

‘Level 3 detected approximately 150,000 IoT devices were used to … generate significant amount of bandwidth use that threatens the fabric of the global internet.’

Source: U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks” November 16, 2016

‘We believe that in the case of Dyn, the relatively unsophisticated’

Summary

‘The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology’

Witness Testimonies

Page 18: IoT Security: How Your TV and Thermostat are Attacking the Internet

Recon...

the Internet of Things Power Plants, Refrigerators, …, Buildings, Webcams, …

Source: Shodan

Page 19: IoT Security: How Your TV and Thermostat are Attacking the Internet

Recon...

Source: Shodan

Page 20: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting IP Camera 3.6mm 4MP Full HD IR Mini Dome PoE Network Camera Built-in Mic

What is this ‘thing’ really doing…?

Page 21: IoT Security: How Your TV and Thermostat are Attacking the Internet

Inspiration

Source: http://securityaffairs.co/wordpress/53588/malware/mirai-infection-test.html

Page 22: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design

1.  No Router Connection
    - Network Monitoring
    - Port Scan

2.  Internet Connectivity
    - Network Monitoring
    - Port Scan

3.  Port Forwarding (Future)
    - Network Monitoring
    - Port Scan

Page 23: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 1.  No Router Connection

Page 24: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 1.  No Router Connection

Default Open Ports Web

Real Time Streaming

Print Services Interface

Universal Plug and Play

Well Known Ports: 0 through 1023. Registered Ports: 1024 through 49151. Dynamic/Private : 49152 through 65535.

Page 25: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 1.  No Router Connection

Multicasting Who has 192.168.1.1? Tell 192.168.1.108

Simple Service Discovery Protocol 192.168.1.108 239.255.255.250 NOTIFY

192.168.1.108 224.0.0.22 IGMPv3 60 Report / Join group 239.255.255.250 for any sources

Page 26: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design

2. Internet Connectivity

-ROUTER_12:6d:81 e0:50:8b:0a:06:d3 192.168.1.254 is at … target 192.168.1.66

-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x016f A www.dahuap2pcloud.com

-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195

DHGET /online/p2psrv/2J03977PAA00347 HTTP/1.1
CSeq: 1927610396
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="2J03977PAA00347", PasswordDigest="NanYJZWK4bKmrYW7ngt2EK50AY80", Nonce="-691305717", Created="2000-01-01T02:52:12Z"

-192.168.1.66 121.199.3.195 UDP 303 58124 → 8800 Len=261

Page 27: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 2. Internet Connectivity

-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240

-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x0173 A www.dahuap2pcloud.com

-192.168.1.66 120.26.104.240 UDP 310 46071 → 8800

Page 28: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design

2. Internet Connectivity

- 192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231

-192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A www.dahuap2p.com

- 192.168.1.66 223.6.252.231 TCP 60 41776 → 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0

What are you sending?

Page 29: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design

2. Internet Connectivity

What are you sending?

192.168.1.66 -> 223.6.252.231

Page 30: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design

2. Internet Connectivity

-192.168.1.66 192.168.1.254 DNS 74 Standard query 0x0171 A rs.lechange.cn

-192.168.1.254 192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165

-192.168.1.66 114.55.152.165 TCP 74 46241 → 9084

What are you sending?

Page 31: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 2. Internet Connectivity

What are you sending? 192.168.1.66 -> 114.55.152.165

Why would it need to send the local IP address?

Page 32: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 2. Internet Connectivity

What are you sending? 192.168.1.66 -> 114.55.152.165

Page 33: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Design 2. Internet Connectivity

Same story…

Summary:

Time Elapsed: 00:03:50
Packets: 3647
Total External IPs: 7
Total UDP: 3 IPs
Total TCP: 4 IPs
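The tally above can be reproduced from exported packet summary lines. The following is an added example, not code from the presentation: it pairs each DNS answer the camera received with the outbound flow that followed. The input is the subset of lines shown on slides 26-30 (leading dashes dropped, the port arrow restored), so it yields four of the seven external IPs; the function and variable names are assumptions.

```python
import ipaddress
import re

CAMERA = "192.168.1.66"  # camera address as shown on the slides

# Packet summary lines from slides 26-30: source, destination, protocol, length, info.
CAPTURE = """\
192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195
192.168.1.66 121.199.3.195 UDP 303 58124 → 8800 Len=261
192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240
192.168.1.66 120.26.104.240 UDP 310 46071 → 8800
192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231
192.168.1.66 223.6.252.231 TCP 60 41776 → 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0
192.168.1.66 114.55.152.165 TCP 74 46241 → 9084
192.168.1.254 192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165
"""

DNS_ANSWER = re.compile(r"Standard query response \S+ A (\S+) A (\S+)")
PORTS = re.compile(r"(\d+) → (\d+)")

def outbound_summary(text, device=CAMERA):
    """Return {external_ip: {"proto", "port", "name"}} for flows the device opened."""
    names, flows = {}, {}   # names: IP -> hostname learned from DNS answers
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue
        src, dst, proto, _length, info = parts
        if proto == "DNS" and dst == device:
            m = DNS_ANSWER.search(info)
            if m:
                names[m.group(2)] = m.group(1)
        elif proto in ("TCP", "UDP") and src == device:
            m = PORTS.search(info)
            if m and not ipaddress.ip_address(dst).is_private:
                flows[dst] = {"proto": proto, "port": int(m.group(2))}
    # Attach names last so the result does not depend on line order.
    for ip, flow in flows.items():
        flow["name"] = names.get(ip, "<no DNS answer seen>")
    return flows

if __name__ == "__main__":
    for ip, f in outbound_summary(CAPTURE).items():
        print(f"{ip:16} {f['proto']}/{f['port']:<6} {f['name']}")
```

A destination that never appears in a DNS answer is reported as such, which is worth a closer look because the device reached it without a visible lookup.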

Page 34: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Wireshark I/O Graph

Interesting looking spike…

Page 35: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting

Page 36: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting Trying to determine exactly what ‘jpeg’ images are being sent…

Python Snippet

Network Capture File
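The presenter's Python snippet is not reproduced in this transcript. As an added example (not the original code), here is one way to pull complete JPEG images out of payload bytes already reassembled from a capture file. It walks the JPEG marker segments instead of searching for the first end-of-image bytes, so an embedded thumbnail does not cut the image short. The sample bytes are constructed and structurally valid only.

```python
SOI = b"\xff\xd8"          # start-of-image marker
EOI, SOS = 0xD9, 0xDA      # end-of-image and start-of-scan marker codes

def _end_of_jpeg(buf: bytes, i: int):
    """Walk marker segments starting just after SOI; return index past EOI, or None."""
    while i + 2 <= len(buf):
        if buf[i] != 0xFF:
            return None                      # not a marker: false positive
        marker = buf[i + 1]
        if marker == EOI:
            return i + 2
        if i + 4 > len(buf):
            return None
        seg_len = int.from_bytes(buf[i + 2:i + 4], "big")  # counts its own 2 bytes
        if seg_len < 2:
            return None
        i += 2 + seg_len                     # skip the segment, thumbnails included
        if marker == SOS:
            # Entropy-coded data: FF00 is a stuffed byte, FFD0-FFD7 are restart
            # markers, FFFF is fill. Anything else after FF is a real marker.
            while i + 1 < len(buf):
                nxt = buf[i + 1]
                if buf[i] == 0xFF and nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                    break
                i += 1
            else:
                return None                  # stream ended mid-scan (truncated image)
    return None

def carve_jpegs(stream: bytes):
    """Return [(offset, jpeg_bytes)] for every complete JPEG found in stream."""
    found, pos = [], 0
    while (start := stream.find(SOI, pos)) != -1:
        end = _end_of_jpeg(stream, start + 2)
        if end is None:
            pos = start + 2                  # keep scanning after a bad candidate
        else:
            found.append((start, stream[start:end]))
            pos = end
    return found

# Constructed sample: two complete frames, then one truncated frame.
APP1 = b"\xff\xe1\x00\x0a" + SOI + b"\xff\xd9" + b"cam1"  # embeds a thumbnail's SOI/EOI
FRAME = SOI + APP1 + b"\xff\xda\x00\x02" + b"\x12\xff\x00\x34\xff\xd0\x56" + b"\xff\xd9"
SAMPLE = b"HDR" + FRAME + b"\x00\x00" + FRAME + SOI + b"\xff\xda\x00\x02\x12\x34"
```

Writing each carved byte string to a `.jpg` file and opening it shows what the device actually transmitted.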

Page 37: IoT Security: How Your TV and Thermostat are Attacking the Internet

Experimenting

THIS IS BAD

‘Plug and Play’? Automatically streams live feed to remote server.

Page 38: IoT Security: How Your TV and Thermostat are Attacking the Internet

Resources

http://iot.ieee.org/

http://standards.ieee.org/innovate/iot/

Final Points

1. IoT Security is a Safety/Privacy Issue
2. …
3. Consider the devices you bring into your home and to work

Page 39: IoT Security: How Your TV and Thermostat are Attacking the Internet

Questions?

Nathan Wallace, PhD, CSSA

@NathanSWallace

Thoughts?