IRL: Live Hacking Demos! (PowerPoint PPT Presentation)

#RSAC Session ID: SBX2-R3

Rick Ramgattie, Security Analyst, Independent Security Evaluators (ISE), @rramgatie
Omer Farooq, Senior Security Analyst, Independent Security Evaluators (ISE), @omerfar23

About ISE

  • Analysts – White box
  • Perspective – Hackers; Cryptographers; RE
  • Research – Routers; NAS; Healthcare
  • Customers – Companies with high value assets
  • Exploits – iPhone; Android; Ford; Exxon; Diebold
What is the Internet of Things (IoT)?

  • Non-conventional, network-connected devices
    – Refrigerators
    – Washing Machines
    – Surveillance Cameras
    – Thermostats
    – Lightbulbs
    – Door Locks

IoT and the Enterprise Environment

  • Potential to improve efficiency and productivity
    – Utilities
    – Industrial
    – Health care
    – Transportation
    – Agriculture

IoT and the Enterprise Environment

  • Potential to increase attack surface of corporate networks
  • 67% of executives will adopt IoT despite potential risks [1]
  • 25% of remote workers have at least one IoT device connected to a corporate network [1]
  • “[B]y the end of 2017, over 20 per cent of organizations will have digital security services devoted to protecting business initiatives using devices and services in IoT” [2]

1 https://www.gartner.com/newsroom/id/2905717
2 https://www.tripwire.com/register/enterprise-of-things-report/

What are the Dangers?

  • Corporate bring-your-own-device (BYOD) policies → undetected breaches
  • Similarly, IoT introduces unaudited devices with poor security to the network
    – Often exempt from compliance with security policies
    – Hard to install updates/patches
    – Lack built-in security (encryption, authentication, hardening, etc.)
    – Default credentials (major infection vector for botnets)

What are the Dangers? (cont.)

  • “70% of IoT devices were vulnerable to some sort of attack; 60% of IoT devices with a user interface were vulnerable to issues like cross-site scripting and weak credentials; and 70% of IoT devices used encrypted network services” [1]
  • Potential for mass exploitation [2]
    – Examples: Mirai (1 Tbps DDoS, took down Internet DNS), BASHLITE (1 million IoT bots), Linux.Darlloz, Remaiten

1 http://fortifyprotect.com/HP_IoT_Research_Study.pdf
2 https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/sshowdown-exploitation-of-iot-devices-for-launching-mass-scale-attack-campaigns.pdf

Types of Vulnerabilities

  • Bypassing Authentication and Authorization Checks
  • Remote Command Injection
  • Stack-Based Buffer Overflows
  • Remote File Inclusion
  • Cross-Site Request Forgery
  • Information Leaks

Demo Devices

  • Belkin Router
  • Motorola Focus73 Camera
  • Netgear ReadyNAS RN10400 Network Attached Storage (NAS)
  • ASUS RT-N56U Router

Belkin N+ Wireless Router

Belkin N+

  • Wireless Router
  • Web Interface which connects back to Belkin
  • Running Linux
  • Has Busybox installed
  • Open ports – tcp/53, tcp/80

1 Vulnerability

  • Client-side authentication

(Slides 13 to 17: Belkin N+ demo screenshots, no text.)

Belkin N+: Countermeasures

  • Perform server-side authentication and authorization checks.
  • Don’t rely on security through obscurity.

Belkin N+: Recap

  • Client-side authentication
  • Leads to admin access
  • Countermeasures

Motorola Focus73

  • IP Camera
  • Connects to your network either via Ethernet or WiFi
  • Intended to be controlled via Motorola’s mobile applications (iOS and Android)
  • Running Linux
  • Has nc installed
  • Open Ports – tcp/80, tcp/8080

3 Vulnerabilities

  • Lack of Authentication and Authorization Mechanisms in Nuvoton Web Server
  • Command Injection
  • Remote File Inclusion

(Slide 23: Motorola Focus73 demo screenshot, no text.)

  • Uploaded file does not need to be a real firmware file
  • /fwupgrade.html calls a CGI script
  • This script is vulnerable to both command injection and remote file upload

(Slides 25 and 26: Motorola Focus73 demo screenshots, no text.)

Motorola Focus73: Countermeasures

Missing Function Level Access Controls:
  • Perform server-side authentication and authorization checks.

Remote File Inclusion:
  • Try not to use user input in file system calls
  • Perform path canonicalization (symlinks, . & .. are resolved)
  • Properly configure services

Command Injection:
  • Avoid calling shell commands when possible
  • If an API does not exist, sanitize user input before passing it to a function that executes system commands.
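The "Remote File Inclusion" countermeasure above (canonicalize the path, then check it) in working form. This is an added example, not code from the ISE deck or from the camera's firmware: a CGI-style helper that resolves a user-supplied file name under a fixed root with realpath(3), rejects anything that escapes the root through "..", a symlink or a URL, and a self-contained demo that builds a throwaway directory tree to exercise it. The root directory, file names and the symlink target are constructed for the demo.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* Resolve root + user_path with realpath(3), which follows symlinks and
 * collapses "." and "..", then accept the result only if it is still inside
 * root. Returns 1 and fills out[] when the path is safe to open, else 0. */
int resolve_under_root(const char *root, const char *user_path,
                       char *out, size_t outlen)
{
    char joined[PATH_MAX], real_root[PATH_MAX], real_target[PATH_MAX];

    /* A remote include ("http://...") is never a local file; reject early. */
    if (user_path == NULL || strstr(user_path, "://") != NULL) return 0;
    if (snprintf(joined, sizeof joined, "%s/%s", root, user_path)
            >= (int)sizeof joined) return 0;

    /* Canonicalize both sides so a symlinked root still compares equal. */
    if (realpath(root, real_root) == NULL) return 0;
    if (realpath(joined, real_target) == NULL) return 0;   /* target must exist */

    /* Prefix check with a boundary test so "/srv/www2" is not accepted as "/srv/www". */
    size_t n = strlen(real_root);
    if (strncmp(real_target, real_root, n) != 0) return 0;
    if (real_target[n] != '/' && real_target[n] != '\0') return 0;

    if (strlen(real_target) >= outlen) return 0;
    strcpy(out, real_target);
    return 1;
}

/* Self-contained demonstration: builds root/firmware/image.bin plus a symlink
 * root/firmware/escape -> /etc (all constructed), runs four requests through
 * the check and cleans up. Returns how many requests were decided wrongly. */
int run_path_demo(void)
{
    char tmpl[] = "/tmp/ise_path_demo_XXXXXX";
    char *root = mkdtemp(tmpl);
    if (root == NULL) return 99;

    char fw[PATH_MAX], img[PATH_MAX], lnk[PATH_MAX], out[PATH_MAX];
    snprintf(fw, sizeof fw, "%s/firmware", root);
    snprintf(img, sizeof img, "%s/image.bin", fw);
    snprintf(lnk, sizeof lnk, "%s/escape", fw);
    (void)mkdir(fw, 0700);
    (void)close(open(img, O_WRONLY | O_CREAT, 0600));
    (void)symlink("/etc", lnk);

    int wrong = 0;
    /* legitimate upload name inside the tree: accepted */
    wrong += resolve_under_root(root, "firmware/image.bin", out, sizeof out) != 1;
    /* ".." traversal out of the tree: rejected */
    wrong += resolve_under_root(root, "firmware/../../../etc/passwd", out, sizeof out) != 0;
    /* symlink that points outside the tree: rejected after resolution */
    wrong += resolve_under_root(root, "firmware/escape/passwd", out, sizeof out) != 0;
    /* remote file inclusion attempt: rejected */
    wrong += resolve_under_root(root, "http://example.invalid/x.cgi", out, sizeof out) != 0;

    (void)unlink(lnk); (void)unlink(img); (void)rmdir(fw); (void)rmdir(root);
    return wrong;
}
```

The order matters: realpath is applied before the prefix comparison, so a symlink planted inside the upload directory is judged by where it points, not by where it sits. Requiring the target to exist also means the check cannot be used to probe for files outside the root.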

Motorola Focus73: Recap

  • IP Camera vulnerable to lack of auth checks and command injection
  • Missing Function Level Access Control and Directory Traversal Countermeasures
  • Command Injection Countermeasures
  • Quick look at the fix for command injection

Netgear ReadyNAS RN10400

  • Network Attached Storage
  • Web Interface which connects back to Netgear
  • Running Linux
  • Has Busybox installed
  • Open ports – tcp/22, tcp/80

2 Vulnerabilities

  • Lack of CSRF Protection
  • Arbitrary Command Injection

(Slide 32: Netgear ReadyNAS RN10400 demo screenshot, no text.)
Netgear ReadyNAS RN10400: Countermeasures

Cross Site Request Forgery:
  • Implement Anti-CSRF tokens AND HTTP referrer checking
  • Feeling ambitious? Require the user to authenticate before performing a state change
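The server-side session logic that the Belkin countermeasure ("perform server-side authentication and authorization checks"), the Motorola "Missing Function Level Access Controls" item and the CSRF item above all depend on, in one place. This is an added example, not code from the ISE deck or from any of the devices' firmware: a small in-memory session table whose role is consulted by the handler (rather than by client-side JavaScript), a per-session anti-CSRF token drawn from /dev/urandom, and a state-change check that requires both the token and a Referer from the device's own origin. The session identifiers, roles and the origin http://192.168.1.1 are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define TOKEN_BYTES 32
#define TOKEN_HEX (2 * TOKEN_BYTES + 1)

/* Server-side session: the role lives here, never in a cookie or in page JS.
 * Session ids below are constructed for the demo; real ones come from login. */
struct session { const char *id; const char *role; char csrf[TOKEN_HEX]; };
static struct session SESSIONS[] = {
    { "9f1c0c1d4a3b4e7f8a9b0c1d2e3f4a5b", "admin", "" },
    { "0a1b2c3d4e5f60718293a4b5c6d7e8f9", "guest", "" },
};
#define NSESSIONS (sizeof SESSIONS / sizeof SESSIONS[0])

/* Constant-time comparison: no early exit, so timing does not reveal how many
 * leading bytes of a guessed token were right. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

static struct session *lookup(const char *id) {
    struct session *found = NULL;
    if (id == NULL) return NULL;
    for (size_t i = 0; i < NSESSIONS; i++)       /* scan the whole table every time */
        if (ct_equal(id, SESSIONS[i].id)) found = &SESSIONS[i];
    return found;
}

/* Missing function level access control, fixed: the handler decides from the
 * server-side role whether an /admin/ page may be served. Returns 1 if allowed. */
int authorize(const char *session_id, const char *path) {
    const struct session *s = lookup(session_id);
    if (s == NULL) return 0;
    if (strncmp(path, "/admin/", 7) == 0) return strcmp(s->role, "admin") == 0;
    return 1;
}

/* Issue a fresh anti-CSRF token from the OS CSPRNG, hex encoded into the session. */
int csrf_issue(const char *session_id) {
    struct session *s = lookup(session_id);
    unsigned char raw[TOKEN_BYTES];
    FILE *f = fopen("/dev/urandom", "rb");
    if (s == NULL || f == NULL) { if (f) fclose(f); return 0; }
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw) return 0;
    for (size_t i = 0; i < sizeof raw; i++) sprintf(s->csrf + 2 * i, "%02x", raw[i]);
    return 1;
}

/* Referer must be the expected origin exactly, or the origin followed by '/',
 * so "http://192.168.1.1.evil.example" does not match "http://192.168.1.1". */
int referer_matches(const char *referer, const char *origin) {
    size_t n = strlen(origin);
    if (referer == NULL || strncmp(referer, origin, n) != 0) return 0;
    return referer[n] == '\0' || referer[n] == '/';
}

/* A state-changing request passes only when the session exists, the submitted
 * token equals that session's token, and the Referer is our own origin. */
int csrf_request_ok(const char *session_id, const char *form_token,
                    const char *referer, const char *origin) {
    const struct session *s = lookup(session_id);
    if (s == NULL || form_token == NULL || s->csrf[0] == '\0') return 0;
    return ct_equal(s->csrf, form_token) && referer_matches(referer, origin);
}

/* Walk one admin session through the checks; returns how many decisions were wrong. */
int run_session_demo(void) {
    const char *admin = SESSIONS[0].id, *guest = SESSIONS[1].id;
    const char *origin = "http://192.168.1.1";
    char tok[TOKEN_HEX];
    int wrong = 0;
    wrong += csrf_issue(admin) != 1;
    strcpy(tok, SESSIONS[0].csrf);                                               /* what the form carries */
    wrong += csrf_request_ok(admin, tok, "http://192.168.1.1/admin/users.cgi", origin) != 1;
    wrong += csrf_request_ok(admin, tok, "http://evil.example/", origin) != 0;    /* cross-site page */
    wrong += csrf_request_ok(admin, tok, "http://192.168.1.1.evil.example/", origin) != 0;
    wrong += csrf_request_ok(admin, tok, NULL, origin) != 0;                      /* Referer stripped */
    wrong += csrf_request_ok(guest, tok, "http://192.168.1.1/", origin) != 0;    /* token is not theirs */
    wrong += csrf_issue(admin) != 1 || strcmp(tok, SESSIONS[0].csrf) == 0;        /* re-issue rotates it */
    return wrong;
}
```

Both CSRF checks are kept, as the slide says, because each covers the other's gap: the Referer is sometimes stripped by proxies and privacy settings (a missing header is rejected here rather than allowed), while the token check cannot be satisfied by a forged cross-site form because that form never sees the victim's session.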

Command Injection:
  • Avoid calling shell commands when possible
  • If an API does not exist, sanitize user input before passing it to a function that executes system commands.
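The command-injection countermeasure listed for both the Motorola camera and the Netgear NAS, shown side by side with the pattern it replaces. This is an added example, not code from the ISE deck or from either device: run_tool_unsafe() is the classic embedded-CGI anti-pattern of concatenating a request parameter into a string for /bin/sh, and run_tool_safe() is the fix, an allowlist check on the parameter followed by fork/execvp with an argv array so no shell ever parses it. The "host" parameter and the tool name passed in by the caller are assumptions for the demo.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allowlist for a hostname/IP parameter: letters, digits, '.', '-', at most
 * 253 chars, and no leading '-' so the value cannot be read as an option. */
int is_valid_host(const char *host) {
    size_t n = host ? strlen(host) : 0;
    if (n == 0 || n > 253 || host[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-') return 0;
    }
    return 1;
}

/* The pattern behind most embedded command-injection bugs: request input is
 * pasted into a command line that system(3) hands to /bin/sh, so any shell
 * metacharacter in `host` is interpreted. Kept for comparison only. */
int run_tool_unsafe(const char *tool, const char *host) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s %s", tool, host);
    return system(cmd);
}

/* Hardened form: validate, then fork and exec the program directly with an
 * argv array. No shell is involved, so metacharacters are just bytes in one
 * argument. Returns the child's exit status, -1 if the input was rejected,
 * the child could not be started, or the program was not found. */
int run_tool_safe(const char *tool, const char *host) {
    if (!is_valid_host(host)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)tool, (char *)host, NULL };
        execvp(tool, argv);
        _exit(127);                                   /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127) return -1;
    return WEXITSTATUS(status);
}
```

The allowlist is the "sanitize user input" half of the slide's advice; execvp with argv is the "use an API instead of the shell" half. Even with the exec form, input validation stays: a value beginning with '-' would otherwise reach the tool as a command-line option.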

Netgear ReadyNAS RN10400: Recap

  • NAS device vulnerable to both CSRF and Command Injection
  • Leads to full device control (shell access)
  • CSRF Countermeasures
  • Command Injection Countermeasures

ASUS RT-N56U

  • Wireless Router
  • Running Linux
  • Has Busybox installed
  • Open ports – tcp/53, tcp/80, tcp/515, tcp/18017

2 Vulnerabilities

  • Client-side credential disclosure
  • Web server stack-based buffer overflow

(Slide 38: ASUS RT-N56U demo screenshot, no text.)
ASUS RT-N56U: Countermeasures

  • Don’t use unsafe functions
  • Perform bounds checking
  • Compile/Link with overflow prevention techniques
    – Canary/Stack Cookie: gcc -fstack-protector
    – ASLR: gcc -fPIE || ld -pie
    – DEP/NX: gcc marks the stack non-executable by default
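The first two countermeasures above ("don’t use unsafe functions", "perform bounds checking") as a before/after pair, with the compile and link flags from the third spelled out. This is an added example, not code from the ISE deck or from the router's web server: copy_header_unsafe() is the fixed-buffer strcpy pattern that produces a stack-based overflow when a request header is longer than the buffer, and copy_header_safe() measures with a bounded strnlen, rejects over-long input and always terminates the string. The 64-byte header size and the test values are constructed; the flags in the trailing comment are standard gcc/ld options, not something the slide lists beyond -fstack-protector, -fPIE and -pie.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define MAX_HEADER 64   /* fixed-size stack buffer, as in many embedded web servers */

/* Vulnerable form: strcpy stops only at the NUL byte, so a header value longer
 * than MAX_HEADER-1 runs past dst and over whatever the compiler placed next on
 * the stack (other locals, saved registers, the return address). This is the
 * bug class behind the router's web server overflow. Kept for comparison only. */
void copy_header_unsafe(char dst[MAX_HEADER], const char *value) {
    strcpy(dst, value);
}

/* Hardened form: measure with a bounded strnlen, refuse anything that does not
 * fit (rejecting is safer than silently truncating, which can itself confuse
 * later parsing), and always NUL-terminate. Returns 0 on success, -1 if rejected. */
int copy_header_safe(char dst[MAX_HEADER], const char *value) {
    size_t n = strnlen(value, MAX_HEADER);
    if (n >= MAX_HEADER) return -1;
    memcpy(dst, value, n);
    dst[n] = '\0';
    return 0;
}

/* Demo helper: returns 1 if a constructed value of `len` repeated bytes is
 * accepted by the safe copy, 0 if it is rejected. */
int repeated_value_fits(size_t len) {
    char value[1024], dst[MAX_HEADER];
    if (len >= sizeof value) len = sizeof value - 1;
    memset(value, 'A', len);
    value[len] = '\0';
    return copy_header_safe(dst, value) == 0;
}

/* Build flags that make any remaining overflow harder to exploit (the slide's
 * compile/link countermeasures, spelled out):
 *   -fstack-protector-strong     stack canary in every function with a local array
 *   -fPIE -pie                   position-independent executable, so ASLR applies
 *   -Wl,-z,noexecstack           keep the stack non-executable (DEP/NX)
 *   -D_FORTIFY_SOURCE=2 -O2      checked strcpy/memcpy variants where sizes are known
 * e.g. gcc -O2 -fstack-protector-strong -fPIE -pie -Wl,-z,noexecstack \
 *          -D_FORTIFY_SOURCE=2 httpd.c -o httpd */
```

The boundary is at 63 bytes: a 63-byte value fits with its terminator, a 64-byte value does not. The flags are a second line of defence only; the length check is what removes the bug.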

ASUS RT-N56U: Recap

  • SOHO Router vulnerable to stack-based buffer overflow
  • Review of MIPS Shellcode
  • Execution of exploit
  • Buffer Overflow Countermeasures

What Can Be Done?

  • Revamped IT infrastructure
    – Scaling up ability to monitor and analyze greater volume of data – increased bandwidth and storage requirements
    – Distributed network architecture [1]
    – Netflow analysis, watch for anomalous traffic patterns from similar classes of devices
  • Updated security and IT policies
    – Mandated patching of IoT/embedded devices
    – Credential management and commissioning process
    – Inventory process
  • IPv6 – Start planning and be aware of security implications
  • Supply chain of trust: vetting your device vendors

1 http://internetofthingsagenda.techtarget.com/feature/Plan-an-Internet-of-Things-architecture-in-the-data-center
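The "Netflow analysis, watch for anomalous traffic patterns from similar classes of devices" item, implemented as a peer-baseline detector. This is an added example, not code from the ISE deck or from any NetFlow product: flow records are rolled up per device (bytes sent, distinct destination ports), each device is compared against the median of the other devices in its inventory class, and a device that sends several times its class median or talks to far more ports than its peers is flagged. The device names, classes and flow records are constructed; in them one camera behaves like a bot (large volume to tcp/23, tcp/2323 and tcp/7547) while the rest of its class streams to tcp/443 only.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEVICES 16
#define MAX_PORTS   32

/* One record as a NetFlow/IPFIX collector would summarise it for an interval.
 * The class comes from the device inventory; all records are constructed. */
struct flow { const char *device; const char *cls; int dst_port; unsigned long bytes; };

static const struct flow FLOWS[] = {
    { "cam-01", "camera", 443, 48000000UL },   { "cam-01", "camera", 123, 1200UL },
    { "cam-02", "camera", 443, 51000000UL },   { "cam-02", "camera", 123, 1100UL },
    { "cam-03", "camera", 443, 47000000UL },   { "cam-03", "camera", 123, 1300UL },
    { "cam-04", "camera", 443, 52000000UL },   { "cam-04", "camera", 23, 900000000UL },
    { "cam-04", "camera", 2323, 300000000UL }, { "cam-04", "camera", 7547, 250000000UL },
    { "therm-01", "thermostat", 443, 2000000UL },
    { "therm-02", "thermostat", 443, 2100000UL },
    { "therm-03", "thermostat", 443, 1900000UL },
};
#define NFLOWS (sizeof FLOWS / sizeof FLOWS[0])

struct dev_stats { const char *device; const char *cls; unsigned long bytes; int ports[MAX_PORTS]; int nports; };

/* Roll the flows up per device: total bytes and number of distinct destination ports. */
static int aggregate(const struct flow *f, size_t n, struct dev_stats *d) {
    int nd = 0;
    for (size_t i = 0; i < n; i++) {
        int k;
        for (k = 0; k < nd; k++) if (strcmp(d[k].device, f[i].device) == 0) break;
        if (k == nd) {
            if (nd == MAX_DEVICES) break;
            d[nd].device = f[i].device; d[nd].cls = f[i].cls;
            d[nd].bytes = 0; d[nd].nports = 0; nd++;
        }
        d[k].bytes += f[i].bytes;
        int seen = 0;
        for (int p = 0; p < d[k].nports; p++) if (d[k].ports[p] == f[i].dst_port) seen = 1;
        if (!seen && d[k].nports < MAX_PORTS) d[k].ports[d[k].nports++] = f[i].dst_port;
    }
    return nd;
}

static int cmp_ul(const void *a, const void *b) {
    unsigned long x = *(const unsigned long *)a, y = *(const unsigned long *)b;
    return (x > y) - (x < y);
}

/* Baseline for a device: the median of the metric over every device in the same
 * class. Peers define "normal", so a class with a single device is never flagged. */
static unsigned long class_median(const struct dev_stats *d, int nd, const char *cls, int use_ports) {
    unsigned long v[MAX_DEVICES]; int n = 0;
    for (int i = 0; i < nd; i++)
        if (strcmp(d[i].cls, cls) == 0) v[n++] = use_ports ? (unsigned long)d[i].nports : d[i].bytes;
    qsort(v, n, sizeof v[0], cmp_ul);
    return n ? v[n / 2] : 0;
}

/* Flag a device when it sent more than `factor` times its class median, or talks
 * to more than twice the median number of distinct ports. Names of flagged devices
 * go into flagged[] (up to max); returns how many were flagged. */
int find_anomalies(const struct flow *f, size_t n, unsigned long factor, const char **flagged, int max) {
    struct dev_stats d[MAX_DEVICES];
    int nd = aggregate(f, n, d), nf = 0;
    for (int i = 0; i < nd && nf < max; i++) {
        unsigned long median_bytes = class_median(d, nd, d[i].cls, 0);
        unsigned long median_ports = class_median(d, nd, d[i].cls, 1);
        if (d[i].bytes > factor * median_bytes || (unsigned long)d[i].nports > 2 * median_ports)
            flagged[nf++] = d[i].device;
    }
    return nf;
}

/* Run the detector over the constructed records with a 4x byte threshold. */
int demo_anomaly_count(void) {
    const char *flagged[MAX_DEVICES];
    return find_anomalies(FLOWS, NFLOWS, 4, flagged, MAX_DEVICES);
}

const char *demo_first_anomaly(void) {
    const char *flagged[MAX_DEVICES];
    return find_anomalies(FLOWS, NFLOWS, 4, flagged, MAX_DEVICES) > 0 ? flagged[0] : NULL;
}
```

Comparing against the class median rather than a global threshold is what makes this work across device types: a thermostat sending 2 MB and a camera sending 50 MB are both normal for their class, while the camera that sends 1.5 GB to telnet and TR-069 ports stands out against its three peers. The inventory process listed on the slide is a prerequisite, since the class label has to come from somewhere.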

Questions
