Simple, Fast, Accurate IT & IoT Asset Identification
As security people we’ve always got an eye out for solutions that address very pressing, substantial, dare we say ‘sexy’ problems. But if we’re being honest, you get a greater return on investment by focusing on fundamentals - blocking and tackling - than on fancy stuff that addresses edge cases. Not that you don’t need the latter, but absent the former you’re wasting time, energy, and money.
Case in point: IT Asset Management. Basically, keeping track of all the things. Easy, right? Well, there is what you bought (because procurement has the invoice to prove it), there is what you see (because some script or scan says so), there is what you don’t know (because Alice in Logistics has purchase authority up to $10,000 and sometimes she buys IT without telling you)...and so on. What you think you have and what you actually have can be two entirely different things. That’s a problem on several levels.
We all know by now that IoT is vulnerable, and after our survey of vulnerable remote configuration services last year, we began to pursue the actual repercussions of those vulnerabilities. After we published Devil’s Ivy and CVE-2017-9466 last summer, we decided to tackle the problem of “then what?” After an attacker compromises a camera or gains control of a router, what happens next? If a company’s valuable data is in a secure location, does it matter if an attacker compromises its Nest thermostat?
As previously noted, attacks that take over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions. So we have tended to think about lateral attacks as being solely within the realm of sophisticated attackers, but as we explored this project in more depth, we came to realize that this kind of attack requires very little technical knowledge.
While we are not aware of publicly available exploits for the vulnerabilities we discovered, products like Metasploit allow those with a basic knowledge of networking and the Linux command line to do some damage without writing a single line of code. After exploiting a first device, an attacker can use the additional access to take over the rest of the network, exploiting device after device.
At the annual RSA conference this year, on April 19th, our CTO, Stephen Ridley, and our VP of Research, M Carlton, will take the stage to demonstrate the first ever purely IoT-based lateral attack. We intend to show how it’s possible to daisy chain several compromised IoT devices together -- without touching a traditional computer -- to ultimately get to a company’s “crown jewels”. (Click here to read Wired's coverage of this attack)
Lateral attacks between different types of IoT devices have been referenced but never before publicly demonstrated. Worms that spread from one programmable logic controller (PLC) to another are a threat to manufacturing, and botnets that spread from camera to camera have had a huge impact in the last few years. However, attacks taking over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions.
Lateral attacks are known to take place in traditional IT environments, which include employee workstations, networks, servers, etc., and are typically well secured. In these attacks computers and networks are compromised, which then allows a hacker to gain access elsewhere, like a server. Unlike those attacks, we hop from IoT device to IoT device -- no workstations touched -- to gain access to a Network Attached Storage (NAS) device (yet more IoT) that contains sensitive information.
Our research is an integral part of Senrio culture that informs our approach to addressing IoT security problems. Demonstrating the ability to hopscotch across IoT devices without touching an IT end-point helps us illustrate the very real and persistent risks associated with IoT devices that are in use in a wide range of industries and enterprises today.
Related Post: Medical Device Integrity
“Breaches of private information in hospital records are serious and expensive security events but remediating them can be deadly. That's the conclusion of a study presented last week at the 4A Security and Compliance Conference.”
Breaches at hospitals are not new. Whether it is a hunt for monetizable patient data, or holding medical systems for ransom, hospitals are a target-rich environment. A hacked hospital brings to mind all sorts of worst-case scenarios, because you’re never more vulnerable than when you’re undergoing medical treatment. The more automated medicine becomes, the more likely flaws in medical devices and supporting computer systems pose a threat to life and limb.
Hospitals are unique environments. Security policy for medical devices and systems is often in the hands of doctors, not necessarily (or at least exclusively) the CISO. This is in large part because traditional security protocols (e.g. detect, disconnect, clean, restore) might kill someone if applied to, say, a heart monitor in the middle of surgery. The data processing tasks that take place in a hospital range from the mundane to the highly technical, which means there is no “one policy to rule them all,” nor is there a single model that works for every hospital, clinic, or specialty practice.
Which brings us back to the findings of the study. It turns out that a breach, no matter how bad, has very little if any impact on patients directly or immediately. What brings about negative results is what happens in the aftermath of the breach, when all sorts of new policies and procedures get put into place. It is all done with the best of intentions, but the impact leads to a significant increase in patient mortality:
“When hospitals respond to a breach, the response tends to have a major impact on their legitimate users...new access and authentication procedures, new protocols, new software after any breach incident is likely to disrupt clinicians…[leading to] an additional 34 to 45 deaths per 1,000 heart attack discharges every year.”
Like the list of side-effects in a drug ad on TV, it seems like you’re better off not taking the cure. All jokes aside, better patient outcomes in the wake of cybersecurity threats start with establishing a sound, resilient security policy in the context of the institution. Hospitals are not in the cyber security business, so dogmatic adherence to <insert your favorite standards body recommendations here> makes little sense when the primary mission is saving lives.
An ideal approach will balance the competing factors of patient health, privacy, and system and device security. These factors are not equal. Medicine will always place a priority on care, which means increased risks when it comes to the other factors. We don’t know many people who would complain if in the course of saving their life an emergency room team committed a HIPAA violation; if doctors let people die because they were afraid of committing a HIPAA violation, the response would not be the same.
One of the most effective, long-term ways to address this imbalance involves medical device manufacturers. We all know ‘baking in’ security is superior to any after-the-fact approach, though the demand for secure devices is still outpaced by the demand for functional and reliable ones. Actions that help ensure medical device integrity are arguably the most fundamental the industry can take to reduce risks and improve patient outcomes across the board.
Since a ground-up approach to better cyber security isn’t likely in the near term, institutions must make a concerted effort to improve their ability to detect and monitor the devices they deploy in support of patient care. A hospital of modest size can have IoT devices that number in the tens of thousands, yet have no meaningful way of keeping track of them, understanding their behavior, or knowing when they might be compromised. Traditional asset discovery solutions are often ill-suited for IoT-rich environments, which is an argument for passive, network-based solutions that can baseline device behavior and provide system owners with a comprehensive inventory of what they are trying to protect, and when those devices need attention.
Here are four take-aways from the infographic:
1. 2017 IoT Malware activity more than doubled 2016 numbers!
Does your team use Slack to collaborate? If so, we've released a thing that you might like ;-) A few days ago, we announced a new feature of our web interface that allows you to chat directly with Senrio support engineers.
But today, we are announcing that in addition to existing integrations with Splunk, RSA, SIEMs, all major firewalls, and familiar dashboards, now you can ask Senrio Insight questions about your network directly from Slack! Any question. Don't know what an asset is, and only have a piece of the story? Ask Senrio with the piece you have, and get back the whole story. It's like the asset "search engine" for your network.
Check out the video below to see what we mean.
Related: "Senrio Integrates with Slack!"
If you follow our blog here, you've periodically seen our "Product Release Notes" blogpost category, but instead of burying this latest update in a list of the other awesome features we've added, we wanted to share this one on its own...
You can now get support for Senrio live (in real-time) via the chat client. To date, only integration partners and OEM customers have been given dedicated chat channels to communicate, fileshare, and collaborate with our team, but now we can offer this to all Senrio users!
Watch below to see how a Senrio user gets support directly from the web UI...
And of course, if you aren't a current Senrio customer and you want to try it out, drop us a line: http://iot.security/signup
Submitted for your approval, our effort to encapsulate a brief history of IoT, the scope of its impact, and the myriad problems facing those who are adopting it.
Where are IoT devices used? When was the first programmable logic controller created? When did IoT and IT first interact? You’ll find it all here along with facts and figures that document:
Is the growth rate of IoT vulnerabilities and threats to devices keeping pace with the overall growth of IoT devices globally? Sadly, yes, as we illustrate here.
You’re welcome to use this in your own efforts to communicate the security issues associated with the Internet of Things, and if there is anything we can do to help, please don’t hesitate to ask.
The ingenuity and audacity of attackers should never be underestimated. In the summer of 2016, hackers used tweets to control malware. This past summer, after Twitter worked to eliminate this capability, hackers switched to posting Instagram comments to send commands to victim systems.
We decided to see if Senrio Insight could detect this “hiding in plain sight” tactic. Without proper context, it can be difficult to separate malicious traffic from ordinary operations. IoT devices may connect to the Internet, but they shouldn’t browse social media.
The number of industrial control system (ICS) components – which run factories, transport, power plants and other facilities – left open to Internet access, is increasing every year. In Germany, for example, researchers from Positive Technologies found 13,242 IP addresses for ICS components, up from 12,542 in 2016. (HelpNet Security)
January 30th – Portland, OR – Senrio, Inc., provider of the leading IoT visibility and security solution has announced an interoperability with the RSA NetWitness® Suite to enable users to detect and respond to threats to IoT devices.
The RSA NetWitness and Senrio Insight interoperability helps ensure that critical data about the status and operation of both IoT devices as well as traditional endpoints and assets is sent to the RSA NetWitness Suite from the Senrio platform, which uses predictive analytics and expert input to determine normal behavior, and trigger alerts when abnormal behavior is detected.
Senrio Founder Stephen Ridley said, “IoT is a blind spot in most enterprises. Most aren’t sure what devices they have, much less if they’re compromised or otherwise pose a risk to people or operations. By integrating Senrio Insight data in the RSA NetWitness Suite, organizations will gain unprecedented visibility into the IoT devices in their enterprise and more effectively deal with safety or security concerns.”
This interoperability allows organizations to quickly identify all connected devices in their enterprise, and build profiles of device behavior. This knowledge enables IT administration and security teams to build trust with devices by understanding typical device behavior, and to rapidly respond when atypical patterns of behavior are detected by Senrio’s self-learning technology.
Senrio Insight was designed specifically for the challenges of an IoT-rich enterprise. Designed to be lightweight, it puts no burden on your network, does not impact data privacy, and is up and running in minutes.
Senrio is an IoT security company that was founded on the belief that, with the right mindset and proper tools, we can bridge the gap between legacy security approaches and the new reality of the IoT. Our mission is to provide the visibility and actionable insights essential to ensuring the security and safety of all connected devices. We envision a world where our trust in the IoT matches the benefits it brings to our lives. Senrio is a trusted partner of global technology companies and government agencies. To see Senrio Insight in action visit: http://iot.security/.
The rate at which the Internet of Things (IoT) is growing speaks to the utility of connecting the previously unconnected, and making things ‘smart.’ But the insecurity of such devices means that we’re racing towards potentially epic self-inflicted wounds.
It's been estimated that by 2020, business-to-business spending on IoT technology and tools will reach $267B, half of IoT-related spending will be driven by needs in manufacturing, logistics, and critical infrastructure, and 34 billion devices will be connected and in use across all sectors and classes of devices.
Keeping pace with the growth of IoT in general is the rate at which IoT devices are shown to be vulnerable, often to trivial efforts. From cars to household appliances to surveillance cameras and now airplanes, it is clear that we might be making dumb things smart, but we’re not being smart about how we do it.
The response to this situation is calls to ‘bake in’ security and new laws. But examples like this, from a DHS effort to hack an airliner, show why any action we take now will not have an impact for years to come:
The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s ... legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have [cybersecurity] protections.
First: don’t panic.
KRACK requires a skilled attacker to be in close proximity, targeting you specifically. If you’re concerned about an auxiliary corporate WiFi network, it may be wise to take it off-line and rely on Ethernet until patches for affected devices become available. And if you are running a hospital WiFi network, you should ensure that the data you send over that network is end-to-end encrypted, because WPA2 will not prevent a skilled attacker from gaining access to a person’s most sensitive data. Yes, this is a hassle but it’s a good precautionary step to take, since getting within WiFi range (~105ft or 32m) may not be difficult for an intruder unless you have strict access controls in place. Beyond this, it will be important to update every device as soon as patches are available.
The Internet of Things may be a proliferation of computers, but the approaches to computer security we are all familiar with are insufficient, indeed incompatible, with the requirements of IoT system operators. Absent an approach to security that takes these differences into account, IoT devices are a double-edged sword against which enterprises have no serious defense.
The preceding decades of hype about all the horrible things that could happen if computers became too ingrained in our lives and were attacked or went haywire is finally, if regrettably, coming to fruition. These are not abstract problems, or readily recoverable ones like the loss of banking credentials or personal information: they are becoming matters of life and death.
This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact both IoT and commodity or ‘ordinary’ computer technology. This doesn’t apply in all cases, but as more research is done, it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought.
We've had quite a summer thus far. Here are seven quick updates:
(cue the Bananarama "Cruel Summer" instrumental)
1. We Released "Devil's Ivy"
2. Senrio Was the Exclusive Monitoring Tool of Defcon's IoT Hacking Village!
Be sure to check out our photo gallery of the IoT Hacking Village event!
Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations don’t consist of the most heavy duty defenses, but they are five ways to slow down attackers.
Our release notes for Senrio Insight for the month of August 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
This last week a debate flared up between a security company, Kryptowire, and a cell phone manufacturer, BLU, over the possible inclusion of spyware (ADUPS) in BLU phones. Kryptowire initially made their claim in November, then reiterated it last week with more detailed findings. At one point last week, Amazon halted sales of the BLU phones, then re-listed them after BLU issued a statement saying the ADUPS software was normal and wasn’t capturing any sensitive data.
We here at Senrio didn’t reverse engineer any of the firmware, so I can’t say for sure whether the ADUPS software is sending private information to its servers. But we wanted to show you how you can leverage Senrio Insight to determine if any of the phones in question connected to your network, and if they were communicating with one of the published domains listed in the Kryptowire report.
You can ask Senrio questions, and it will give you answers. You can ask it: "Are there any jailbroken phones on my network?" and in seconds, you'll know!
Imagine for a moment you have a BYOD enterprise, where you allow your employees to bring any device into the office and use that device for corporate emails, texts, etc. How would you know if an employee had a BLU phone? Senrio Insight can help.
The first step is to see what Android devices you have on your network. With Senrio, this is easy. Senrio is a "Device Intelligence" platform that you can ask questions. You can ask it if there are any Android phones on your network or even if there are any jailbroken phones on your network... For our case, we can simply log in and search for “Android” to view our identification and behavior tags to see all Android devices.
The Senrio tag system uses many heuristics and other techniques to identify devices, and as you can see we have several devices on the network that match our search term. But in this case, we are looking for a BLU phone, and we have a very easy way to track that down. We can search for the manufacturer “BLU”. It turns out we have one matching phone. The Senrio engine detected this automatically and tagged it accordingly; there was no user input required.
Ok - so we do have a BLU phone on the network. I wonder if it’s making connections out to any of the domains in question. The Kryptowire report claims several domains are used for both C&C and data exfiltration. One of the first domains in question is adups.com. Let's see if we can find it.
The first thing we do is select the phone and look at the device details. One of the best features in the device details is the “Flow” view. This provides a net-flow like view of all the connections both inbound and outbound for the selected device.
While I could scroll through the list, it’s much easier to look at the “Summaries” which provide an aggregated view of all the connections. I can pull that up and search for adups.com.
Yes, we have a match! That phone is connecting out to one of the domains listed by Kryptowire. Now, you might be a little worried that maybe more devices on our network are affected. Let's see if we have any other phones connecting to that domain. Senrio Insight has a search capability that allows us to search for all outbound connections. Let's enter that DNS name and see what we find.
PHEW! Thankfully, in our case this phone is the only one connecting to this host. And as you can see from the first line, a decent amount of data was exchanged during one of the initial connections. It appears that this application is programmed to connect out to the "adups" server every day at around 12:15 pm.
Senrio Insight makes it very easy to gain visibility into what’s on your network and what it’s doing. In just a few minutes we can see the devices Senrio automatically identified as Android devices, and even pick out individual manufacturers. From there we can quickly search through traffic history and identify the network connections in question. With Senrio as our device intelligence platform, in seconds we have complete device visibility and awareness, which alleviates our anxieties.
So how can YOU answer questions about devices on your network? Is it this easy? If not, reach out to learn how we can help.
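The two hunts described on this page (an IoT device that has no business browsing social media, and a phone whose outbound flows hit a domain from the Kryptowire report and beacon at the same time every day) reduce to the same few steps over a device inventory and a flow log: search devices by tag, match destinations against a watchlist, check whether any other device talks to the same domains, and test the hits for a daily beacon. The script below is an added example, not Senrio Insight's code or API; the inventory, flow records and tag names are constructed for the illustration, and only adups.com comes from the page.

```python
"""Flow-log triage helpers illustrating the hunts described on this page.
Everything here is constructed for the example: the inventory, flows, tag
names and the social-media watchlist are assumptions, not Senrio data."""
from datetime import datetime

# Constructed inventory: device id -> tags an identification engine might assign.
INVENTORY = {
    "dev-01": {"Android", "Phone", "Manufacturer:BLU"},
    "dev-02": {"Android", "Phone", "Manufacturer:Samsung"},
    "dev-03": {"IoT", "Camera", "Manufacturer:Axis"},
    "dev-04": {"Windows", "Workstation"},
}

# Constructed outbound flow records: (device id, destination name, UTC timestamp, bytes out).
FLOWS = [
    ("dev-01", "bigdata.adups.com", "2017-08-01 12:14:10", 48211),
    ("dev-01", "bigdata.adups.com", "2017-08-02 12:16:42", 1120),
    ("dev-01", "bigdata.adups.com", "2017-08-03 12:15:05", 1090),
    ("dev-01", "www.google.com", "2017-08-01 09:00:00", 900),
    ("dev-02", "www.google.com", "2017-08-01 10:00:00", 1400),
    ("dev-03", "www.instagram.com", "2017-08-01 03:00:00", 650),
    ("dev-03", "ntp.example.org", "2017-08-01 03:01:00", 76),
    ("dev-04", "www.instagram.com", "2017-08-01 13:30:00", 20000),
]

# adups.com is the domain the page names from the Kryptowire report; the social-media
# list and the IoT tag set are constructed stand-ins.
ADUPS_WATCHLIST = {"adups.com"}
SOCIAL_MEDIA = {"twitter.com", "instagram.com"}
IOT_TAGS = {"IoT", "Camera", "PLC", "Thermostat"}


def find_devices_by_tag(inventory, term):
    """Case-insensitive tag search, like typing 'Android' or 'BLU' into an inventory search box."""
    term = term.lower()
    return sorted(dev for dev, tags in inventory.items() if any(term in t.lower() for t in tags))


def domain_matches(name, watchlist):
    """True if name equals a watchlisted domain or is a subdomain of one."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in watchlist)


def connections_to(flows, watchlist, devices=None):
    """Flows whose destination is on the watchlist, optionally limited to a set of device ids."""
    return [f for f in flows
            if domain_matches(f[1], watchlist) and (devices is None or f[0] in devices)]


def iot_devices_on_social_media(inventory, flows, social=SOCIAL_MEDIA):
    """Devices tagged as IoT that contact social-media domains: the 'hiding in plain sight' pattern.
    A workstation doing the same is ordinary browsing and is deliberately not flagged."""
    iot = {dev for dev, tags in inventory.items() if tags & IOT_TAGS}
    return sorted({f[0] for f in connections_to(flows, social, iot)})


def daily_beacon(flows, tolerance_min=10):
    """Return (True, 'HH:MM') if the flows occur once per day at roughly the same
    minute of the day (within tolerance of the first hit), else (False, None)."""
    stamps = sorted(datetime.strptime(f[2], "%Y-%m-%d %H:%M:%S") for f in flows)
    if len(stamps) < 2:
        return False, None
    first = stamps[0].hour * 60 + stamps[0].minute
    for s in stamps[1:]:
        if abs(s.hour * 60 + s.minute - first) > tolerance_min:
            return False, None
    if len({s.date() for s in stamps}) != len(stamps):  # more than one hit on a day
        return False, None
    return True, "%02d:%02d" % divmod(first, 60)


def hunt(inventory, flows, manufacturer, watchlist):
    """The page's walkthrough as one function: find the manufacturer's devices, pull their
    watchlisted connections, check whether any other device also talks to those domains,
    and test the suspect traffic for a daily beacon."""
    suspects = find_devices_by_tag(inventory, manufacturer)
    suspect_flows = connections_to(flows, watchlist, set(suspects))
    others = sorted({f[0] for f in connections_to(flows, watchlist)} - set(suspects))
    periodic, at = daily_beacon(suspect_flows)
    return {"suspects": suspects, "hits": len(suspect_flows), "other_devices": others,
            "bytes_first": suspect_flows[0][3] if suspect_flows else 0,
            "daily_beacon": periodic, "beacon_time": at}


if __name__ == "__main__":
    print("IoT on social media:", iot_devices_on_social_media(INVENTORY, FLOWS))
    print("BLU/adups hunt:", hunt(INVENTORY, FLOWS, "BLU", ADUPS_WATCHLIST))
```

The subdomain match in `domain_matches` matters in practice: a watchlist entry of `adups.com` has to catch `bigdata.adups.com`, but must not catch a look-alike such as `notadups.com`, which is why the check is on the `.` boundary rather than a plain substring. The beacon test compares minute-of-day against the first hit with a tolerance, so a job scheduled at "around 12:15" still registers when individual connections drift by a minute or two.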
The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.
For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):
There are other security conferences, but there is only one Blackhat. Not everybody loves it, but trying to make our way through the sea of humanity that flooded the halls of the Mandalay Bay, it’s hard not to think that everyone was there. The Senrio team did its best to represent during both training and the Con itself.
School is Cool
For the sixth year in a row we delivered our perennially sold-out training courses Practical Android Exploitation and Software Exploitation via Hardware Exploitation. At the risk of tooting our own horn, people seemed to like us:
To see the exploit in action, check out our video on Vimeo. For full technical teardown, click here.
Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users.
Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.
After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.
THE IMPACT GOES FAR BEYOND AXIS
The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server.
The Internet of Things has enjoyed a huge surge in growth in recent years, with businesses and consumers alike flocking to get the world around them smarter and more connected. However, it is becoming quickly apparent that as well as offering a number of useful benefits, the Internet of Things could pose a lucrative opportunity for cyber-criminals able to exploit some potentially major flaws. (Beta News)
IoT is not new, it just hasn’t been marketed as well as it has been in the last few years. Every elevator you ride in, the traffic lights you have to deal with on the way to work, the machines that go ‘ping’ in your hospital room; IoT has been a part of our lives for decades. We demand efficiency and utility in IoT - like commodity IT before it - and don’t consider the security implications until it is too late. Yet unlike commodity IT, there is a dearth of resources available to help secure networked embedded devices, so the idea that we can “secure” IoT is probably a pipe dream. Improving awareness of IoT in the enterprise and insight into what those devices are doing is achievable. Knowing - as they say - is half the battle.
Our release notes for Senrio Insight for the month of July 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
Senrio in the press!
IoT Hacking comic book!
Watch some of our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Blackhat, Las Vegas 2017
Software Exploitation Via Hardware Exploitation
Blackhat, Las Vegas 2017
Practical ARM Exploitation