Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations aren’t the most heavy-duty defenses, but they are five ways to slow down attackers.
The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.
For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):
There are other security conferences, but there is only one Blackhat. Not everybody loves it, but trying to make our way through the sea of humanity that flooded the halls of the Mandalay Bay, it’s hard not to think that everyone was there. The Senrio team did its best to represent during both training and the Con itself.
School is Cool
For the sixth year in a row we delivered our perennially sold-out training courses Practical Android Exploitation and Software Exploitation via Hardware Exploitation. At the risk of tooting our own horn, people seemed to like us:
To see the exploit in action, check out our video on Vimeo. For the full technical teardown, click here.
Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users.
Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.
After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.
THE IMPACT GOES FAR BEYOND AXIS
The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server.
The Internet of Things has enjoyed a huge surge in growth in recent years, with businesses and consumers alike flocking to get the world around them smarter and more connected. However, it is becoming quickly apparent that as well as offering a number of useful benefits, the Internet of Things could pose a lucrative opportunity for cyber-criminals able to exploit some potentially major flaws. (Beta News)
IoT is not new; it just hasn’t been marketed as well as it has been in the last few years. Every elevator you ride in, the traffic lights you have to deal with on the way to work, the machines that go ‘ping’ in your hospital room: IoT has been a part of our lives for decades. We demand efficiency and utility in IoT - like commodity IT before it - and don’t consider the security implications until it is too late. Yet unlike commodity IT, there is a dearth of resources available to help secure networked embedded devices, so the idea that we can “secure” IoT is probably a pipe dream. Improving awareness of IoT in the enterprise and insight into what those devices are doing is achievable. Knowing - as they say - is half the battle.
Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us - from home users to corporations and government organizations - are trying to protect ourselves from encryption viruses. But we are ignoring the beginning of the next wave of ransomware attacks - aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things. (Information Management)
One of the rare cases where blending buzzwords makes for an actually more dangerous situation. In this case the danger is not in losing data, but in losing control of devices that are essential for critical infrastructure to operate safely. This is a problem that only gets worse as IoT becomes pervasive, particularly on a personal level (e.g. implantables). Not every individual victim of ransomware is willing to pony up bitcoin; basically everyone will demand power companies and water utilities pay up should they become victims. Installing protections in firmware that detect and prevent abnormal behavior is one way to reduce the likelihood of someone holding a utility for ransom. Ensuring that device operators know when to implement security and safety protocols (awareness and insight) is another.
If you’re wondering why ATMs, shipping companies, hospitals, and point of sale systems are being infected by Petya* ransomware along with PCs, it’s because a lot of the devices you think are purpose-built, limited-function devices - including IoT devices - are really PCs inside.
It is true that devices like a programmable logic controller don’t have a lot of memory, or an operating system, but the IoT is massive in scope and scale, and devices vary widely. That “simple” device might only look simple on the outside; on the inside it may very well be running Windows XP (or CE), and as a consequence just as vulnerable to exploits as any outdated PC would be.
We recently discovered two vulnerabilities in TP-Link’s WR841N V8 router that we exploited to obtain custom code execution on the router. After working closely with the vendor to patch the router’s firmware, we are disclosing the details of our work.
Our team conducts research into networked embedded devices in order to improve our product and spread security knowledge among the embedded device manufacturing and security communities. The WR841N is the same router model we use to teach students about hardware hacking in our classes, and the focus of our JTAG Explained blog post. During the process of our research into this router, we found a logic flaw in a configuration service which allowed us to circumvent its access controls and reset the router’s credentials (CVE-2017-9466). We then used our increased access to gain code execution by exploiting a stack overflow vulnerability available through the configuration service.
In this proximity-based attack, we used a smartphone’s hotspot capability to reset the router’s credentials by taking advantage of a protocol that had been removed from the firmware for newer hardware models. Unfortunately, although older models may no longer be supported, they often remain in critical positions. Fortunately, TP-Link agreed to remove the configuration service from this model once we brought the issue to their attention.
We are sharing the details, step by step, in case our work sparks any ideas or discussion regarding proximity-based attacks, unsupported versions, logic flaws in encryption, or vulnerable configuration services.
Click here to skip to the full technical details, or read on for a high-level summary of our work.
Our release notes for Senrio Insight for the month of June 2017 include a number of powerful new features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additionally important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.
You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in a state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.
Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.
Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Because these logs are valuable for monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access.
Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?
Watch a hardware prep video preview below!
Our trainings sell out pretty quickly (they are popular and unfortunately, there are limited seats) so if you're interested in participating, sign up below to get details before we make them available publicly!
In Case You Missed It (ICYMI)!
History is a funny thing. It tends to repeat itself.
Unique Snowflakes Or Ubiquitous Tech? The Truth Behind The Industrial Internet of Things (IIoT and ICS)
During last week's ICS Cyber Security Conference in Atlanta (the world's oldest Industrial Control security conference), we made an announcement that sounded obvious to us but was surprising to many attendees:
“We are just before the curve on embedded security. There are sparse product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” Stephen Ridley, briefing US government and intelligence agencies in early 2015
Friday's Internet outages and the DDoS attack on security journalist Brian Krebs are just the tip of the iceberg of the types of damage IoT vulnerabilities could cause.
Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin? (If you just want to see the router get rooted, jump down to "Mounting an Attack: Rooting a Home Router" ;-)
Our target: A VERY common/popular consumer Access Point.
Since you have the device in your hands, you might try directly attacking the hardware. However, if you've never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We'll also go over a quick example to illustrate the power of direct hardware access.
Why Do Manufacturers Use JTAG?
JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint (European) Test Action Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs). JTAG has been in widespread use ever since it was included in the Intel 80486 processor in 1990 and codified as IEEE 1491 that same year. Today JTAG is used for debugging, programming and testing on virtually ALL embedded devices.
In this new world of "Internet of Things" and billions of networked embedded devices, it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.
Explosive growth of networked embedded devices and a shifting threat landscape require a new approach to IoT Security. Here is why.
Why is Everything Connected Now?
Not a day goes by without a story of a new “smart” device being launched. A perfect storm of new enabling technologies is driving the adoption of Internet-connected devices: the rise of inexpensive systems-on-a-chip (SoCs) running full operating systems has effectively eradicated many industry use cases for expensive, custom application-specific integrated circuits (ASICs). Any product developer, hobbyist or high-schooler can use an off-the-shelf low-cost computing device like the Raspberry Pi and launch a functioning product in under three months of development. The commoditization of hardware, coupled with the rapidly decreasing cost of bandwidth and processing, has led to an explosion of Internet-connected devices. Most of the buzz has been focused in the consumer space with smart toasters, kettles, and diapers?! The proliferation of useless novelty devices has led to a fatigue with the term “Internet of Things”, causing Goldman Sachs to quip in 2014 “you cannot spell idiot without IoT”.
In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.
In today’s age of constant connectivity the allure of remotely checking on your home and loved ones is appealing, and manufacturers of Wi-Fi cameras promise a “second set of eyes around the home or office.” However, you may not be the only one peeping in. The dangers of unsecured webcams and baby monitors were reported in 2014, with cautionary tales warning consumers to change their default passwords. So that’s the end of the story, right? Adding a password will protect me from creepy strangers looking into my home. Not so fast. Researchers at Senrio discovered a vulnerability in a popular Wi-Fi camera that lets attackers overwrite the administrator password.
Upcoming Trainings by our Team!
Practical Android Exploitation
Blackhat, Las Vegas 2017
Software Exploitation Via Hardware Exploitation
Blackhat, Las Vegas 2017
Practical ARM Exploitation