web based attacks on local iot devices
play

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang - PowerPoint PPT Presentation

Apr 09, 2023 •377 likes •894 views

Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster 1 2 3 How to reach local IoT devices? Public devices (e.g., port forwarding) Local malware Web attacks ( this paper ) 4 How to

  1. Web-based Attacks on Local IoT Devices Gunes Acar Danny Huang Frank Li Arvind Narayanan Nick Feamster 1

  2. 2

  3. 3

  4. How to reach local IoT devices? Public devices (e.g., port forwarding) Local malware Web attacks ( this paper ) 4

  5. How to reach local IoT devices? Public devices (e.g., port forwarding) Local Network Local malware Web attacks ( this paper ) 5

  6. How to reach local IoT devices? Public devices (e.g., port forwarding) Local Network Local malware Web attacks ( this paper ) 1. Discover certain IoT devices 2. Access & control IoT devices 6

  7. Preparing the Attacks 7

  8. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, connecting 15 IoT devices and an Android phone. 8

  9. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, IoT Devices connecting 15 IoT devices and an Android phone. Amcrest IP Camera D-Link WiFi Camera 2. Interact with devices, taking pcaps at Google Home the RPi. Observed HTTP endpoints Google Chromecast on 7 devices. Samsung SmartCam Samsung Smart TV Belkin Wemo Switch 9

  10. Targeting HTTP Servers 1. Set up a Raspberry Pi as a WiFi AP, IoT Devices connecting 15 IoT devices and an Android phone. Amcrest IP Camera D-Link WiFi Camera 2. Interact with devices, taking pcaps at Google Home the RPi. Observed HTTP endpoints Google Chromecast on 7 devices. Samsung SmartCam Samsung Smart TV 3. Searched for further documentation on HTTP APIs Belkin Wemo Switch a. Total: 35 GET, 8 POST 10

  11. Attack 1: Identify Local IoT Devices 11

  12. Attack Steps 12

  13. Attack Steps 1. Get local IP (via WebRTC SDP) 192.168.6.6 13

  14. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 192.168.6.6 14

  15. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 TCP SYN to port 81 192.168.6.6 TCP RST 15

  16. Attack Steps 2. Find active local devices. a. Scan local subnet on port 81, sending GET request (via Fetch API) b. Measure response times (TCP RST vs TCP timeout) 192.168.6.88 192.168.6.6 TCP SYN to port 81 192.168.6.89 16 ?

  17. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). 192.168.6.88 192.168.6.6 17

  18. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). 192.168.6.88 192.168.6.6 GET /setup.xml 18

  19. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). If Exists: MEDIA_ERR_SRC_NOT_SUPPORTED “DEMUXER_ERROR_COULD_NOT_OPEN: FFmpegDemuxer: open context failed” Else: MEDIA_ELEMENT_ERROR “Format error” 19

  20. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). If Exists: MEDIA_ERR_SRC_NOT_SUPPORTED “Failed to init decoder” Else: MEDIA_ELEMENT_ERROR “Message 404: Not Found” 20

  21. Attack Steps 3. Identify IoT devices. a. Send request for our GET endpoints to active IP addresses, using HTML5 <audio> element. b. Use resulting MediaError message to infer resource availability ( new side channel). Safari: Fetches timed out Edge: No MediaError error messages (Attack 1 does not work) 21

  22. Implications Side-channel sidestepping SOP (Chrome bug bounty) Attack stepping stone Privacy leaks (e.g., network fingerprinting) 22

  23. Attack 2: Access & Control Local Devices 23

  24. DNS Rebinding Attack fully bypassing SOP (D. Dean, E. Felten, and D. Wallach, IEEE S&P 1996) Requires a web attacker (controls malicious domain + webserver) also controlling domain’s authoritative DNS nameserver 24

  25. Attack Steps 25

  26. Attack Steps 192.168.6.88 26

  27. Attack Steps 1. Victim visits attacker.com , queries malicious nameserver for attacker.com . Return web server IP w/ short TTL. Authoritative Attacker.com DNS Server Web Server GET / HTTP/1.1 6.6.6.6 ANSWER SECTION: 192.168.6.88 Attacker.com 1 IN A 6.6.6.6 HTTP 200 27

  28. Attack Steps 2. Attacker website loads another resource test . Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 28

  29. Attack Steps 3. If attacker.com ’s DNS record is cached, test is directly retrieved. If so, wait and retry... Authoritative Attacker.com DNS Server Web Server 6.6.6.6 GET /test HTTP/1.1 192.168.6.88 HTTP 200 29

  30. Attack Steps 4. If attacker.com ’s DNS record is not cached, browser queries malicious nameserver again. Now return target IP w/ large TTL. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 ANSWER SECTION: 192.168.6.88 Attacker.com 300 IN A 192.168.6.88 30

  31. Attack Steps 5. This time, retrieving test fails. But attacker.com is now rebound to the target IP, and can make direct requests. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 GET /test HTTP/1.1 HTTP 404 31

  32. Attack Steps 5. This time, retrieving test fails. But attacker.com is now rebound to the target IP, and can make direct requests. Authoritative Attacker.com DNS Server Web Server 6.6.6.6 192.168.6.88 GET /setup.xml HTTP/1.1 HTTP 200 32

  33. Attack on Devices 33

  34. Attack on Devices Google Home/Chromecast Potential attacks: ● Play arbitrary Youtube videos on Chromecast ● Reboot Chromecast/Home ● Scan for WiFi networks and return information 34

  35. Attack Demo 35

  36. Implications Attacker control of IoT device actions Exploiting IoT device vulnerabilities for full compromise Privacy leaks (e.g., extensive device fingerprinting or user profiling) 36

  37. ● Low barrier to attacks on local IoT devices via Moving malicious websites. Forward... ● Need defenses that protect against lateral attacks. 37

  38. Thank you https://iot-inspector.princeton.edu/ frankli@cs.berkeley.edu @frankli714 38

  39. Attack 1 Countermeasures Home Users: - Disable getting local IP via WebRTC SDP - Configure DHCP to allocate for a larger subnet (e.g., /16) Browsers: - Limit private IP access for web pages with public domains IoT Vendors: - Respond to all GET request with 200 OK code 39

  40. Attack on Devices 40

  41. Attack on Devices Google Home/Chromecast 41

  42. Attack on Devices Google Home/Chromecast Access: ● Unique device ID ● Build/firmware version ● SSID of connected WiFi network ● Device schedules/alarms (Home) 42

  43. Attack on Devices Google Home/Chromecast Control: ● Reboot device ● Play any video (Chromecast) ● Scan for WiFi networks and return SSIDs detected 43

  44. Attack 2 Countermeasures Home Users: - Enable DNS forwarding with rebind protection Browsers: - Unclear? IoT Vendors: - Filter/validate based on HTTP headers DNS providers: - Filter private IPs from DNS responses 44

  45. HTTP endpoints - examples - DlinkCamera - GET http://IP-ADDRESS:80/common/info.cgi - Response : netmask=255.255.255.0 model=DCS-5020L brand=D-Link gateway=172.24.1.1 wireless=yes version=1.14 build=9 ptz=P,T inputs=0 hw_version=A name=DCS-5020L outputs=0 speaker=no location= macaddr=B0:C5:54:0C:D2:74 videoout=no ipaddr=172.24.1.99

  46. HTTP endpoints - examples Get all WiFi networks on WeMo switch: http://IP-ADDRESS:49154/upnp/control/WiFiSetup1 {"method": "POST", "body": "<?xml version='1.0'?><SOAP-ENV:Envelope xmlns:SOAP-ENV='http://schemas.xmlsoap.org/soap/envelope/' SOAP-ENV:encodingStyle='http://schemas.xmlsoap.org/soap/encoding/'><SOAP-ENV:Body> <m:GetNetworkList xmlns:m='urn:Belkin:service:WiFiSetup:1'> </m:GetNetworkList></SOAP-ENV:Body></SOAP-ENV:Envelope>", "headers": {"Content-Type": "text/xml", "SOAPAction": "\"urn:Belkin:service:WiFiSetup:1#GetNetworkList\""}} Returns all nearby Wifi networks

  47. HTTP endpoints - examples - Play arbitrary videos on Google Chromecast - POST http://IP-ADDRESS:8008/apps/YouTube {"method": "POST", "body": "v=oHg5SJYRHA0", "headers": {"User-Agent": "blah"}} - Reboot Google Home and Chromecast - http://172.24.1.51:8008/setup/reboot {"method": "POST", "body": "{\"params\": \"now\"}", "headers": {"User-Agent": "blah", "Content-Type": "application/json"}}

  48. Results

  49. Attack 2

  50. Attack 2: Which OSes and browsers are vulnerable

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc

Poisoning Attacks on Federated Le Learning-based In Intrusion Detection System Thien Duc Nguyen, Phillip Rieger, Markus Miettinen, Ahmad-Reza Sadeghi Typical IoT Devices 2 IoT The S stands for Security 3 Mirai: Largest Disruptive

508 views • 33 slides
Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr.

Dealing with cache based attacks in cryptography Speculating on cache attacks Simo Sorce Sr. Principal Software Engineer 2019/02/19 What are cache based attacks ? In cryptography In cryptographic operations, leaking the internal state of a

338 views • 8 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

599 views • 46 slides
Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard

Sponge-Based Control-Flow Protection for IoT Devices Werner, Unterluggauer, Schaffenrath, Mangard 25th April 2018, London Graz University of Technology Motivation and Context Logical Attacks www.tugraz.at Exploit software and design bugs

616 views • 59 slides
New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs

Introduction New generic attacks HMAC-GOST key-recovery Conclusion New Generic Attacks on Hash-based MACs G. Leurent (Inria) New Generic Attacks on Hash-based MACs Asiacrypt 2013 1 / 22 . . . . . . . . . . . . . . . . . Gatan Leurent,

759 views • 52 slides
Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices to appear in IEEE/ACM International Conference Cyber-Physical Systems (ICCPS 2019) Nicola Paoletti Royal Holloway, University of London Joint work with: Scott A Smolka, Shan Lin,

406 views • 36 slides
Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr

Relay Attacks in EMV Contactless Cards with Android OTS Devices e Vila , Ricardo J. Rodr guez Jos pvtolkien@gmail.com, rj.rodriguez@unileon.es All wrongs reversed Computer Science and Research Institute of Systems

1.23k views • 57 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices

A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices

A Formal Study of Power Variability Issues and Side-Channel Attacks for Nanoscale Devices Mathieu Renauld, Fran cois-Xavier Standaert, Nicolas Veyrat-Charvillon, Dina Kamel, Denis Flandre. May 2011 UCL Crypto Group Cryptopuces - May 2011

579 views • 32 slides
Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet

CS 134 Winter 2018 Lecture 16 Network Threats &amp; Attacks 1 Internet Structure backbone ISP local network Internet service Autonomous system (AS) is a provider (ISP) collection of IP networks under control local network of a single

769 views • 54 slides
Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits,

Power to peep-all: Inference Attacks by Malicious Batteries on Mobile Devices Pavel Lifshits, Roni Forte , Yedid Hoshen, Matt Halpern, Manuel Philipose, Mohit Tiwari, and Mark Silberstein Speaker: Pavel Lifshits SMART BATTERY

739 views • 39 slides
A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha

A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha

A new categorization system for side-channel attacks on mobile devices &amp; more Veelasha Moonsamy Radboud University, The Netherlands 06 February 2017 University of Adelaide, Australia Radboud University, Nijmegen, NL 2 Digital Security

759 views • 55 slides
Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel

VLSI Institute for Applied Information Processing and Communications (IAIK) VLSI &amp; Security Fresh Re-Keying: Security against Side-Channel and Fault Attacks for Low-Cost Devices Marcel Medwed Franois-Xavier Standaert Johann

814 views • 28 slides
Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti

Synthesizing Stealthy Reprogramming Attacks on Cardiac Devices Zachary Gruber Nicola Paoletti Paul D. Schreiber High School Stony Brook University Joint work with: Scott A Smolka, Shan Lin (Stony Brook) Ariful Islam (CMU) Rahul Mangharam,

539 views • 20 slides
Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N

A Dynamic Syntax Interpretation for Java based Smart Card to Mitigate Logical Attacks Tiana Razafindralambo, Guillaume Bouffard, Bhagyalekshmy N Thampi , and Jean-Louis Lanet Smart Secure Devices (SSD) Team, XLIM/ Universit de Limoges, France

466 views • 17 slides
More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL http://www.almaden.ibm.com/cs/people/chamberlin/sequel-1974.pdf More Than a Query Language: SQL in the 21 st Century @MarkusWinand @ModernSQL

1.46k views • 145 slides
Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie

Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie

Unsupervised Discovery of Object Landmarks as Structural Representations Yuting Zhang 1 , Yijie Guo 1 , Yixin Jin 1 , Yijun Luo 1 , Zhiyuan He 1 , Honglak Lee 1,2 1 University of Michigan, Ann Arbor 2 Google Brain Structural representations of

1k views • 71 slides
19 Auto Lecture encoders : Ankur Bambhanoliya Scribes : Donald Hamnett Motivation

19 Auto Lecture encoders : Ankur Bambhanoliya Scribes : Donald Hamnett Motivation

I Variational 19 Auto Lecture encoders : Ankur Bambhanoliya Scribes : Donald Hamnett Motivation Inferring from Images Latent Variables : Dataset MNIST Goh images ; hand of digits written - Goal two variables Infer

673 views • 21 slides
A Tutorial on Deep Probabilistic Generative Models Ryan P. Adams Princeton University Machine

A Tutorial on Deep Probabilistic Generative Models Ryan P. Adams Princeton University Machine

A Tutorial on Deep Probabilistic Generative Models Ryan P. Adams Princeton University Machine Learning Summer School Buenos Aires, Argentina June 2018 lips.cs.princeton.edu @ryan_p_adams Tutorial Outline What is generative modeling?

2.33k views • 156 slides
ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019

ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019

Lect ure # 16 ADVANCED DATABASE SYSTEMS Server-side Logic Execution @ Andy_Pavlo // 15- 721 // Spring 2019 CMU 15-721 (Spring 2019) 2 Background UDF In-lining Working on Large Software Projects CMU 15-721 (Spring 2019) 3 O BSERVATIO N

936 views • 60 slides
A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders

A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders

Assu Assumed med Br Breac each: h: A B A Bett etter Mod er Model f el for or Pen T en Test esting ing Mike Saunders mike@redsiege.com @hardwaterhacker slides: redsiege.com/abm ABOUT ABOUT Mik Mike Principal Consultant - Red

395 views • 28 slides
List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal

List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal

List Decoding of Universal Polar Codes Boaz Shuval and Ido Tal 1/15 Overview Universal polarization: memoryless setting: o S as glu &amp; Wang, ISIT 2011 settings with memory: Shuval &amp; Tal, ISIT 2019 Error

689 views • 53 slides
Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019

Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019

Assessments Streets Reconstruction Unit Assessment 50% of the Actual Project Cost or 2019 Typical Lot Fee Schedule $5,350.00 per unit Curb and Gutter Replace Unit Assessment 50% of Actual Project Cost or 2019 Typical Lot Fee

294 views • 14 slides

More recommend