Cybersecurity and the Internet of Things, Week 9, Frank Chen (PowerPoint PPT presentation)


SLIDE 1

Frank Chen | Spring 2017

CS 88S

Cybersecurity and the Internet of Things

Week 9

Many of the appliances that we use today are connected to the Internet

SLIDE 2

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 3

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 4

Tech Companies or Ad Companies?

"Mobile now makes up 84% of ad revenue"

Source: http://tcrn.ch/2ktzjFU

"Alphabet's revenue hit $21.5 billion, a 21 percent year-over-year increase. Of that revenue, $19.1 billion came from Google's advertising business"

Source: http://bit.ly/2rf5Boe

SLIDE 5

Amazon Go's 3 Steps

  • 1. Make a video
  • 2. Get the patents
  • 3. Prove, then wait

Source: http://bit.ly/2iBsBxh

SLIDE 6

The Invisibility Cloak

Image Source: http://bit.ly/2qZpIKA

SLIDE 7

A Cool Demo from CTF

SLIDE 8

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 9

Source: jeep.com

Jeep Cherokee

SLIDE 10

Remote Jeep Hack

For detailed explanation of the hack: http://bit.ly/2rdUL2Q

  • Zero-day exploit on Jeep Cherokees
  • Attackers obtain wireless control, via the Internet, over any Jeep Cherokee

SLIDE 11

UConnect

Source: http://bit.ly/1ZcoZgH

SLIDE 12

Hack Outline

Source: http://bit.ly/1ZcoZgH

  • Exploit UConnect's vulnerability to gain access
  • Send commands through the CAN bus to the car's physical components (engine, wheel)
  • Rewrite the entertainment hardware chip firmware

SLIDE 13

Steer Fast!

Source: http://bit.ly/2aIa3ae

SLIDE 14

Remote Jeep Hack

Source: http://bit.ly/1ZcoZgH

Chrysler has issued a recall for 1.4 million vehicles as a result of Miller and Valasek’s research.

The Message: Automakers need to be held accountable for their vehicles’ digital security.

SLIDE 15

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 16

Source: viastara.com

SLIDE 17

Fitbit Data Dump

Source: http://bit.ly/1nd7QGu

"Cybercrime takes many forms, but one of the more insidious and perhaps less obvious manifestations is warranty fraud"
  - Brian Krebs

SLIDE 18

Fitbit Hacked

Source: http://bit.ly/2r5xfqq

  • 1. Infect Fitbit with malware
  • 2. Discover device & sync
  • 3. Inject payload into host

Diagram labels: Malicious Computer, Host Computer

SLIDE 19

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 20

Source: qz.com

SLIDE 21

How many are there?

  • Amazon Alexa
  • Google Home
  • Siri

SLIDE 22

Source: qz.com

Alexa Demo

SLIDE 23

Incidents

  • Dollhouse Incident (http://bit.ly/2iUuaWW)
  • Connectivity Issues (http://bit.ly/2fwb2L7)
  • Amazon Alexa Murder Case (http://bit.ly/2luUdlK)

SLIDE 24

Preview for next week...

Source: http://bit.ly/2luUdlK

"Do you have to give informed consent to be recorded each time you enter my Alexa-outfitted home?"

SLIDE 25

Preview for next week...

Source: http://bit.ly/2luUdlK

"Google will share your information with companies, organizations, and individuals outside of Google if Google has a good-faith belief that access, use, preservation, or disclosure of the information is reasonably necessary to meet applicable law, regulation, legal process, or enforceable government request."

SLIDE 26

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 27

Source: nest.com

SLIDE 28

Appliances

  • Nest Thermostat
  • Lorex Home Security
  • Wink, TCP connected lighting system
  • Samsung Smart Fridge
  • Blossom, smart water sprinkler
  • August, smart door lock

SLIDE 29

Source: http://bit.ly/2mkgTtn

Secure? Or nah

SLIDE 30

Source: wired.com

Security Issues

  • Confidential Information
  • Monetary Damage
  • Physical Danger

SLIDE 31

Agenda

  • Review week 7's material
  • Smart Transportation
  • Healthcare Devices
  • Smart Assistants
  • Home Appliances
  • MIRAI DDoS Attack

SLIDE 32

Source: wired.com

SLIDE 33

Source: wired.com

Review: DDoS Attack

SLIDE 34

Accessibility

C I A

http://tcrn.ch/2dt8sHy

SLIDE 35

Source: bleepingcomputers.com

SLIDE 36

Timeline of Events: October 21, 2016

  • First attack began at 7:00am (EDT); resolved by 9:20am
  • A second attack was reported at 11:52am, and Internet users began reporting difficulties accessing websites
  • A third attack began in the afternoon, after 4:00pm
  • At 6:11pm, Dyn reported that they had resolved the issue

Source: krebsonsecurity.com

SLIDE 37

Source: wired.com

Affected Websites

SLIDE 38

Source: http://bit.ly/2dLMyev

The MIRAI Virus

  • Call-Home System
    ○ connects to a command-and-control server (which could be another insecure IoT device) to download details of whom to attack, and how.
  • Set of Attack Routines
    ○ generate a range of legitimate-looking streams of network traffic to eat away at the victim's network capacity.
  • Network Scanner
    ○ searches the Internet and tries to log in in various ways, to build and report a list of insecure IoT devices for the next wave of attacks.

SLIDE 39

Source: http://bit.ly/2dLMyev

The MIRAI Virus

Open Source: https://github.com/jgamblin/Mirai-Source-Code

SLIDE 40

Source: http://bit.ly/2dLMyev

The MIRAI Virus

Written in Go for Cross-Platform Support

SLIDE 41

Source: http://bit.ly/2dLMyev

The MIRAI Virus

Uses built-in default passwords...
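The slides describe Mirai's network scanner (slide 38) and its reliance on built-in default passwords (this slide) but do not show what that activity looks like from the device owner's side. The following is an added detection example, not code from the slides or from the Mirai source: it parses constructed, BusyBox-style telnetd login records (the log format, timestamps, process id and addresses are all made up for the example) and flags a source that cycles through many usernames in a short window, which is the signature of a default-credential scanner rather than a person mistyping a password. It also reports any successful login from such a source after its burst, which is the moment a device is likely being enrolled into the botnet.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not captured from any real device): a BusyBox-style
# telnetd on a home router. The first source cycles through several
# usernames within a few seconds and then gets in as root; the second is one
# user who fails once and succeeds later.
SAMPLE_LOG = """\
2016-10-21T07:00:01 telnetd[412]: login failed user=root from=203.0.113.5
2016-10-21T07:00:02 telnetd[412]: login failed user=admin from=203.0.113.5
2016-10-21T07:00:02 telnetd[412]: login failed user=support from=203.0.113.5
2016-10-21T07:00:03 telnetd[412]: login failed user=user from=203.0.113.5
2016-10-21T07:00:03 telnetd[412]: login failed user=root from=203.0.113.5
2016-10-21T07:00:04 telnetd[412]: login failed user=service from=203.0.113.5
2016-10-21T07:00:05 telnetd[412]: login ok user=root from=203.0.113.5
2016-10-21T07:05:00 telnetd[412]: login failed user=alice from=192.0.2.10
2016-10-21T07:20:00 telnetd[412]: login ok user=alice from=192.0.2.10
this line is not an auth event and is skipped
"""

# Hypothetical log layout for the constructed sample above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd\[\d+\]: login (?P<result>ok|failed) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_events(log_text):
    """Turn matching log lines into dicts; lines that do not match are ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "result": m["result"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def find_scanners(events, window=timedelta(seconds=60),
                  min_failures=5, min_users=3):
    """Flag sources that, inside some sliding time window, produce at least
    min_failures failed logins spread over at least min_users usernames.
    One person fumbling a password trips neither threshold."""
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "failed":
            failures[e["src"]].append(e)

    flagged = {}
    for src, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(fails)):
            # shrink the window from the left until fails[lo..hi] fits in it
            while fails[hi]["ts"] - fails[lo]["ts"] > window:
                lo += 1
            span = fails[lo:hi + 1]
            users = {e["user"] for e in span}
            if len(span) >= min_failures and len(users) >= min_users:
                flagged[src] = {
                    "failures": len(fails),
                    "users": sorted({e["user"] for e in fails}),
                    "last_failure": fails[-1]["ts"],
                }
                break
    return flagged


def logins_after_burst(events, flagged):
    """Successful logins from a flagged source after its last failure:
    the credential guessing most likely worked."""
    hits = defaultdict(list)
    for e in events:
        info = flagged.get(e["src"])
        if info and e["result"] == "ok" and e["ts"] >= info["last_failure"]:
            hits[e["src"]].append(e["user"])
    return dict(hits)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    scanners = find_scanners(evs)
    for src, info in scanners.items():
        print(f"scanner {src}: {info['failures']} failures, users {info['users']}")
    for src, users in logins_after_burst(evs, scanners).items():
        print(f"compromise suspected: {src} logged in as {users}")
```

The thresholds are deliberately two-dimensional: a burst of failures alone catches a forgetful user, and many usernames alone catches nothing unless they arrive quickly, so a source has to do both before it is flagged. On a real device the same logic would be fed from the syslog the device already produces.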

SLIDE 42

Source: http://bit.ly/2dLMyev

Recommendations

  • Don't use hardwired passwords
  • Don't set default passwords
  • Don't allow unauthenticated or unencrypted protocols for inbound connections
  • Don't open administrative connections on the outside interface by default.
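The four recommendations above can be turned into a mechanical check that a firmware build or a device's running configuration either passes or fails. The code below is an added example and not code from the slides or any vendor: it models a device configuration as a small Python dict (the field names, the factory defaults "admin"/"admin", and the two sample configurations are constructed for the example), audits it against the four rules, and shows a weak configuration beside the hardened one that results from applying the rules.

```python
import copy

# Constructed factory defaults for the hypothetical device (example only).
FACTORY_DEFAULTS = {"admin_user": "admin", "admin_password": "admin"}

# A configuration that breaks every recommendation (constructed example).
# 'interface' is "lan" or "wan"; "wan" means reachable from the outside.
WEAK_CONFIG = {
    "admin_user": "admin",
    "admin_password": "admin",      # never changed after unboxing
    "password_changeable": False,   # baked into the firmware image
    "services": [
        {"name": "telnet", "port": 23, "interface": "wan",
         "authenticated": True, "encrypted": False, "admin": True},
        {"name": "http-admin", "port": 80, "interface": "wan",
         "authenticated": True, "encrypted": False, "admin": True},
        {"name": "upnp", "port": 1900, "interface": "wan",
         "authenticated": False, "encrypted": False, "admin": False},
    ],
}

# The same device configured the way the slide recommends (constructed).
HARDENED_CONFIG = {
    "admin_user": "owner",
    "admin_password": "correct-horse-battery-staple-2017",
    "password_changeable": True,
    "services": [
        {"name": "ssh", "port": 22, "interface": "lan",
         "authenticated": True, "encrypted": True, "admin": True},
        {"name": "https-admin", "port": 443, "interface": "lan",
         "authenticated": True, "encrypted": True, "admin": True},
    ],
}


def audit(config, defaults=FACTORY_DEFAULTS):
    """Return a list of (rule, detail) findings; an empty list means the
    configuration satisfies all four recommendations."""
    findings = []
    # Rule 1: no hardwired passwords
    if not config.get("password_changeable", True):
        findings.append(("hardwired-password", "admin password cannot be changed"))
    # Rule 2: no default passwords still in use
    if config["admin_password"] == defaults["admin_password"]:
        findings.append(("default-password",
                         f"{config['admin_user']} still uses the factory password"))
    for svc in config["services"]:
        exposed = svc["interface"] == "wan"
        ident = f"{svc['name']}/{svc['port']}"
        # Rule 3: inbound services must be authenticated and encrypted
        if exposed and not svc["authenticated"]:
            findings.append(("unauthenticated-inbound", f"{ident} on wan without authentication"))
        if exposed and not svc["encrypted"]:
            findings.append(("unencrypted-inbound", f"{ident} on wan in cleartext"))
        # Rule 4: no administrative connections on the outside interface
        if exposed and svc["admin"]:
            findings.append(("admin-on-wan", f"{ident} exposes administration on wan"))
    return findings


def harden(config, new_user, new_password):
    """Apply the recommendations mechanically and return a new config:
    credentials become changeable and are replaced, admin services move
    to the LAN side, and anything left on the WAN that is unauthenticated
    or unencrypted is disabled rather than left open."""
    fixed = copy.deepcopy(config)
    fixed["password_changeable"] = True
    fixed["admin_user"] = new_user
    fixed["admin_password"] = new_password
    kept = []
    for svc in fixed["services"]:
        if svc["admin"]:
            svc["interface"] = "lan"
        if svc["interface"] == "wan" and not (svc["authenticated"] and svc["encrypted"]):
            continue
        kept.append(svc)
    fixed["services"] = kept
    return fixed


if __name__ == "__main__":
    for rule, detail in audit(WEAK_CONFIG):
        print(f"FAIL {rule}: {detail}")
    print("hardened findings:", audit(HARDENED_CONFIG))
    print("auto-hardened findings:", audit(harden(WEAK_CONFIG, "owner", "a-new-passphrase")))
```

Telnet and the plain-HTTP admin page survive `harden()` only because it moves them to the LAN interface, which is what rule 4 asks for; rule 3 as written on the slide concerns inbound connections from the outside, so the audit does not flag cleartext services that are reachable only from the LAN. A stricter build policy could extend rule 3 to every interface.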

SLIDE 43


Do not use default password and username in IoT devices.

SLIDE 44

Image Source: http://bit.ly/2pIoWQW

Next Week...

Project DUE!

SLIDE 45

Next Week...