In our device security series, we introduce common concepts in security. The last item in our series was a look at the effectiveness of firewalls. In this segment, we discuss DNS: What it is, how secure it is, and what you can do to protect yourself.
DNS is the subject of over a dozen known, common attacks. Many are straightforward and easy to carry out. Others require prior access to a server or machine. Some prevent a DNS server from doing its job (denial of service); others turn DNS servers into weapons against specific machines (reflection and amplification).
In our security series, we introduce common concepts in device security. The last item in our series was an introduction to SSH. In this segment, we discuss firewall security, setup, and maintenance.
Firewalls are a critical component of keeping machines and networks safe. You’ll find them on everything from your laptop to your router. They require maintenance, like any software program, and unfortunately there are problems that interfere with their ability to keep attackers out.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks. The first item in our series was an introduction to how devices keep time, and which best practices ensure the security of this process. In this segment, we focus on why network audits are an essential element of securing a network.
Computers and devices need to be kept updated and maintained throughout their lifecycle. Neglecting software updates and leaving default passwords in place make them easy targets for intruders who can disable, or take over, vulnerable machines.
We’re drawing on our security knowledge to provide a series on the fundamentals of securing devices and networks.
First up is an introduction to how devices keep time, and what best practices ensure the security of this process.
Devices are built with clocks that help them keep time, but those clocks drift and do not remain accurate over long periods. Since the timing of tasks (and of checks such as certificate expiry) can be crucial, manufacturers design devices to query time servers, typically over NTP, to correct their internal clocks.
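The exchange described above, as an added example that is not part of the original post: a minimal NTPv4 client in Python that builds a request, validates a server reply and computes the clock offset and round-trip delay. The reply here is constructed in-process rather than received from a real server, so it runs offline. The checks are the ones a practitioner wants before trusting a time source: correct mode, leap indicator not "unsynchronized", a sane stratum, the reply's origin timestamp matching the request we sent (which rejects blind, off-path spoofed replies), a non-negative delay, and a maximum step (the 1000 s value is an assumption borrowed from ntpd's default panic threshold). Plain NTP is unauthenticated, so these checks do not stop an on-path attacker; that requires authenticated NTP (e.g. NTS), which this example does not implement.

```python
import struct
import time

NTP_DELTA = 2208988800             # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET = struct.Struct("!BBbb11I")  # LI/VN/Mode, stratum, poll, precision, then eleven 32-bit words
MAX_STEP = 1000.0                   # assumption: refuse offsets larger than this (ntpd's default panic threshold)


def to_ntp(t):
    """Unix float seconds -> (seconds, fraction) NTP timestamp words."""
    whole = int(t)
    frac = int((t - whole) * (1 << 32))
    return (whole + NTP_DELTA) & 0xFFFFFFFF, frac & 0xFFFFFFFF


def from_ntp(sec, frac):
    """NTP timestamp words -> Unix float seconds."""
    return sec - NTP_DELTA + frac / (1 << 32)


def build_request(t1):
    """Mode-3 (client) packet: header plus our transmit timestamp, everything else zero."""
    header = (0 << 6) | (4 << 3) | 3            # LI=0, version 4, mode 3
    s, f = to_ntp(t1)
    return PACKET.pack(header, *([0] * 12), s, f)


def build_response(request, t2, t3, stratum=2, origin=None):
    """Constructed mode-4 (server) reply used for the demo; a real client would recv() this.
    `origin` defaults to the request's transmit stamp; pass another value to simulate a spoofed reply."""
    req = PACKET.unpack(request)
    header = (0 << 6) | (4 << 3) | 4            # LI=0, version 4, mode 4
    if origin is None:
        origin = (req[13], req[14])
    ref = recv = to_ntp(t2)
    xmit = to_ntp(t3)
    # poll=6, precision=-20, root delay/dispersion=0, reference id "GPS\0"
    return PACKET.pack(header, stratum, 6, -20, 0, 0, 0x47505300, *ref, *origin, *recv, *xmit)


def process_response(request, response, t4):
    """Validate a reply against the request we sent and return (offset, delay) in seconds.
    Raises ValueError for anything that should not be allowed to move the clock."""
    if len(response) != PACKET.size:
        raise ValueError("bad packet length %d" % len(response))
    req = PACKET.unpack(request)
    rsp = PACKET.unpack(response)
    if rsp[0] & 0x7 != 4:
        raise ValueError("not a server reply (mode %d)" % (rsp[0] & 0x7))
    if rsp[0] >> 6 == 3:
        raise ValueError("server clock not synchronized (LI=3)")
    if not 1 <= rsp[1] <= 15:
        raise ValueError("stratum %d: kiss-o'-death or unsynchronized server" % rsp[1])
    if (rsp[9], rsp[10]) != (req[13], req[14]):
        raise ValueError("origin timestamp does not match our request (spoofed or stale reply)")
    t1 = from_ntp(req[13], req[14])     # our transmit time
    t2 = from_ntp(rsp[11], rsp[12])     # server receive time
    t3 = from_ntp(rsp[13], rsp[14])     # server transmit time
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    if delay < 0:
        raise ValueError("negative round-trip delay; timestamps are inconsistent")
    if abs(offset) > MAX_STEP:
        raise ValueError("offset %.1f s exceeds MAX_STEP; refusing to step the clock" % offset)
    return offset, delay


if __name__ == "__main__":
    t1 = time.time()
    req = build_request(t1)
    rsp = build_response(req, t1 + 0.010, t1 + 0.011)   # constructed: server 10 ms away, 1 ms processing
    print("offset=%.6f s delay=%.6f s" % process_response(req, rsp, t1 + 0.020))
```

A real client sends `build_request()` over UDP/123 with a randomized source port, records its own receive time as `t4`, and applies `offset` gradually (slewing) rather than jumping; a device that simply sets its clock to whatever a reply says can be driven to accept expired certificates or to mis-stamp its own logs.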
“You’re giving us more things to look at. We’re already ignoring all but the most critical alerts. This is great information, but we can’t handle it.”
A disturbingly high percentage of the organizations we demonstrate our capabilities to respond with these or similar words. Defending your enterprise has been likened to trying to find a needle in a haystack. Apparently there is a worse situation: needing to find the worst needle in a stack of very bad needles.
The single software component that contained the camera's vulnerability was used by the manufacturer not only in the firmware of the one camera model that we exploited, but also throughout the manufacturer's product line, affecting more than just cameras. Furthermore, that same "design" (including the vulnerable component) was repeated by other manufacturers to make devices of all kinds (even desktop software), all potentially vulnerable to the same bug.
We found a vulnerability in millions of devices....
You’ve managed to get a handle on the connected devices in your environment: congratulations! Now that you know what you’re defending, you need to get a handle on the conversations those devices are having. Who are they talking to? Over what protocols? What is that protocol anyway?
There are connections you want the systems in your enterprise to make, and there are others you’d rather they not. Your ability to distinguish between good, bad, or merely unusual connections becomes more difficult the larger and more complex your environment is. This is particularly true in situations where the connected devices you’re responsible for protecting aren’t exclusively PCs.
There is an old proverb (are there any other kind?) that goes something along the lines of:
If you wait by the river long enough, you’ll see the bodies of your enemies float by.
The accuracy of the translation may be questionable, but the general idea that you’ll see all sorts of things if you stick around holds true. This is particularly true when it comes to the discussion on which cyber defense methodology should have primacy over the other: network-based defense or endpoint-based defense.
With the spread of the Internet of Things, and the increasing dangers associated with same, the likelihood that we’re going to be faced with a deluge of new “solutions” is high. It will not be long before someone comes out with an “IoT firewall” or “IoT IDS” because the projected IoT security spend is $1.5 Billion this year alone and, well, that money isn’t going to spend itself.
The problem is that you already spend a lot on IT security. At least that’s what the C-suite thinks. You take their money, you complain it's not enough, and then bad things still happen (requiring you to ask for more money). And now you’ve got to go asking for funds to secure the IoT in your enterprise? That’s not going to go over very well.
You have a pretty good idea of what your major personal possessions are. Your house, your car(s), your TV(s), your furniture.
You know what your wardrobe consists of, both the things you wear regularly, as well as your old uniform or letter jacket, and that Christmas sweater you wear as a courtesy to Aunt Mabel who spent all summer in ‘92 knitting it.
Contrast this with your situation at work, in which you know what you bought - servers, PCs, VOIP phones, printers - because you have invoices to prove it. What you don’t have is a comprehensive picture of what’s actually hanging off of your network. Why is that?
But look, you know what you’re responsible for and you’ve taken steps to protect those devices and the data they process. You’ve got endpoint protection, and a network monitoring solution, and all the usual mechanisms in place. Why worry?
According to media reports Amazon.com:
“has contemplated offering home insurance as an offshoot of its development work on robots and other connected devices for the home...The idea is that robots and other smart devices can be used to monitor for threats.”
This is great news in that it would get real, unfiltered, unbiased data, from a large data set, that can be used to build actuarial tables to help quantify risk with more granularity and accuracy than is possible today.
If you are a managed service provider, how do you grow?
There is always another company to sign up, but there are only so many potential customers. No, the real issue around growth is not clients, it’s devices. The footprint of commodity IT devices that will need protection is shrinking over time, while IoT devices are on track for hockey-stick-like growth.
We all know by now that IoT is vulnerable, and after our survey of vulnerable remote configuration services last year, we began to pursue the actual repercussions of those vulnerabilities. After we published Devil’s Ivy and CVE-2017-9466 last summer, we decided to tackle the problem of “then what?” After an attacker compromises a camera or gains control of a router, what happens next? If a company’s valuable data is in a secure location, does it matter if an attacker compromises its Nest thermostat?
As previously noted, attacks that take over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions. So we have tended to think about lateral attacks as being solely within the realm of sophisticated attackers, but as we explored this project in more depth, we came to realize that this kind of attack requires very little technical knowledge.
While we are not aware of publicly available exploits for the vulnerabilities we discovered, tools like Metasploit allow those with a basic knowledge of networking and the Linux command line to do some damage without writing a single line of code. After exploiting a first device, an attacker can use the additional access to take over the rest of the network, exploiting device after device.
At the annual RSA conference this year, on April 19th, our CTO, Stephen Ridley, and our VP of Research, M Carlton, will take the stage to demonstrate the first ever purely IoT-based lateral attack. We intend to show how it’s possible to daisy chain several compromised IoT devices together -- without touching a traditional computer -- to ultimately get to a company’s “crown jewels”. (Click here to read Wired's coverage of this attack)
Lateral attacks between different types of IoT devices have been referenced but never before publicly demonstrated. Worms that spread from PLC to PLC (programmable logic controller) are a threat to manufacturing, and botnets that spread from camera to camera have had a huge impact in the last few years. However, attacks taking over a network, device by device, have remained largely within the sphere of pundits and hypothetical discussions.
Lateral attacks are known to take place in traditional IT environments, which include employee workstations, networks, servers, etc., and which are typically well secured. In these attacks computers and networks are compromised, which then allows a hacker to gain access elsewhere, like a server. Unlike those attacks, we hop from IoT device to IoT device -- no workstations touched -- to gain access to a Network Attached Storage (NAS) device (yet more IoT) that contains sensitive information.
Our research is an integral part of Senrio culture that informs our approach to addressing IoT security problems. Demonstrating the ability to hopscotch across IoT devices without touching an IT end-point helps us illustrate the very real and persistent risks associated with IoT devices that are in use in a wide range of industries and enterprises today.
“Breaches of private information in hospital records are serious and expensive security events but remediating them can be deadly. That's the conclusion of a study presented last week at the 4A Security and Compliance Conference.”
Breaches at hospitals are not new. Whether it is a hunt for monetizable patient data, or holding medical systems for ransom, hospitals are a target-rich environment. A hacked hospital brings to mind all sorts of worst-case scenarios, because you’re never more vulnerable than when you’re undergoing medical treatment. The more automated medicine becomes, the more likely flaws in medical devices and supporting computer systems pose a threat to life and limb.
Here are four take-aways from the infographic:
1. 2017 IoT Malware activity more than doubled 2016 numbers!
Submitted for your approval, our effort to encapsulate a brief history of IoT, the scope of its impact, and the myriad problems facing those who are adopting it.
Where are IoT devices used? When was the first programmable logic controller created? When did IoT and IT first interact? You’ll find it all here along with facts and figures that document:
Is the growth rate of IoT vulnerabilities and threats to devices keeping pace with the overall growth of IoT devices globally? Sadly, yes, as we illustrate here.
You’re welcome to use this in your own efforts to communicate the security issues associated with the Internet of Things, and if there is anything we can do to help, please don’t hesitate to ask.
The ingenuity and audacity of attackers should never be underestimated. In the summer of 2016, hackers used tweets to control malware. This past summer, after Twitter worked to eliminate this capability, hackers switched to posting Instagram comments to send commands to victim systems.
We decided to see if Senrio Insight could detect this “hiding in plain sight” tactic. Without proper context, it can be difficult to separate malicious traffic from ordinary operations. IoT devices may connect to the Internet, but they shouldn’t browse social media.
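An added example, not Senrio Insight's logic or code, of the two ideas in the passages above (knowing what each device normally talks to, and treating social-media traffic from a camera as a red flag): a per-device destination baseline learned from one window of constructed connection logs, then applied to a second window. A device absent from the inventory, or a non-browsing device contacting a social-media domain, is rated high; any other destination not in that device's baseline is rated medium. The log format, the inventory, the `NON_BROWSING` classes and the `SOCIAL_MEDIA` list are all assumptions of the example, and `base_domain` uses a naive two-label rule rather than a public-suffix list.

```python
import ipaddress
from collections import defaultdict

# Domains an IoT device has no business contacting; attackers have used them as C2 channels.
SOCIAL_MEDIA = {"twitter.com", "instagram.com", "facebook.com"}
# Device classes that should never browse (assumption; tune to your own inventory).
NON_BROWSING = {"camera", "printer", "plc", "thermostat", "nas"}

# Constructed inventory: source IP -> device class (an unknown IP is itself a finding).
INVENTORY = {"10.0.5.21": "camera", "10.0.5.40": "workstation"}

# Constructed connection logs: "<timestamp> <src ip> <dst host> <dst port> <proto>".
BASELINE_LOG = [
    "2018-03-01T10:00:01Z 10.0.5.21 ntp.example.net 123 udp",
    "2018-03-01T10:00:05Z 10.0.5.21 fw-update.cameravendor.example 443 tcp",
    "2018-03-01T10:01:00Z 10.0.5.40 mail.example.net 993 tcp",
    "2018-03-01T10:01:30Z 10.0.5.40 www.instagram.com 443 tcp",
]
LIVE_LOG = [
    "2018-03-02T09:12:44Z 10.0.5.21 ntp.example.net 123 udp",
    "2018-03-02T09:13:02Z 10.0.5.21 api.instagram.com 443 tcp",
    "2018-03-02T09:14:10Z 10.0.5.40 api.instagram.com 443 tcp",
    "2018-03-02T09:15:00Z 10.0.5.77 pastebin.example 443 tcp",
    "2018-03-02T09:16:00Z 10.0.5.21 203.0.113.9 8080 tcp",
]


def base_domain(host):
    """Collapse a hostname to its registrable domain (naive: last two labels). IP literals pass through."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        labels = host.lower().rstrip(".").split(".")
        return ".".join(labels[-2:])


def parse_line(line):
    """One log line -> record with a (domain, port, proto) key used for baselining."""
    ts, src, host, port, proto = line.split()
    return {"ts": ts, "src": src, "host": host, "key": (base_domain(host), int(port), proto.lower())}


def learn_baseline(lines):
    """Per-device set of destinations observed during the learning window."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        seen[rec["src"]].add(rec["key"])
    return dict(seen)


def detect(lines, baseline, inventory):
    """Return (src, class, host, severity, reason) for every connection that deserves attention."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        src, (domain, _port, _proto) = rec["src"], rec["key"]
        cls = inventory.get(src)
        if cls is None:
            findings.append((src, "unknown", rec["host"], "high", "device not in inventory"))
            continue
        if domain in SOCIAL_MEDIA and cls in NON_BROWSING:
            findings.append((src, cls, rec["host"], "high", "social media contact from a %s" % cls))
            continue
        if rec["key"] not in baseline.get(src, set()):
            findings.append((src, cls, rec["host"], "medium", "destination not seen in baseline"))
    return findings


if __name__ == "__main__":
    for finding in detect(LIVE_LOG, learn_baseline(BASELINE_LOG), INVENTORY):
        print("%-10s %-12s %-28s %-6s %s" % finding)
```

The workstation's `api.instagram.com` connection produces nothing, because browsing classes are allowed social media and `instagram.com:443/tcp` is already in its baseline; the same destination from the camera is rated high regardless of baseline, which is the "hiding in plain sight" case. A baseline learned from a window in which a device was already compromised will launder the attacker's traffic as normal, so learn it from a window you trust and re-examine anything rated high before folding it in.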
The number of industrial control system (ICS) components – which run factories, transport, power plants and other facilities – left open to Internet access is increasing every year. In Germany, for example, researchers from Positive Technologies found 13,242 IP addresses for ICS components, up from 12,542 in 2016. (HelpNet Security)
January 30th – Portland, OR – Senrio, Inc., provider of the leading IoT visibility and security solution, has announced interoperability with the RSA NetWitness® Suite to enable users to detect and respond to threats to IoT devices.
The RSA NetWitness and Senrio Insight interoperability helps ensure that critical data about the status and operation of both IoT devices and traditional endpoints and assets is sent to the RSA NetWitness Suite from the Senrio platform, which uses predictive analytics and expert input to determine normal behavior and trigger alerts when abnormal behavior is detected.
Senrio Founder Stephen Ridley said, “IoT is a blind spot in most enterprises. Most aren’t sure what devices they have, much less if they’re compromised or otherwise pose a risk to people or operations. By integrating Senrio Insight data in the RSA NetWitness Suite, organizations will gain unprecedented visibility into the IoT devices in their enterprise and more effectively deal with safety or security concerns.”
This interoperability allows organizations to quickly identify all connected devices in their enterprise and build profiles of device behavior. This knowledge gives IT administration and security teams the ability to build trust with devices by understanding typical device behavior, and to rapidly respond when atypical patterns of behavior are detected by Senrio’s self-learning technology.
Senrio Insight was designed specifically for the challenges of an IoT-rich enterprise. Designed to be lightweight, it puts no burden on your network, does not impact data privacy, and is up and running in minutes.
Senrio is an IoT security company that was founded on the belief that, with the right mindset and proper tools, we can bridge the gap between legacy security approaches and the new reality of the IoT. Our mission is to provide the visibility and actionable insights essential to ensuring the security and safety of all connected devices. We envision a world where our trust in the IoT matches the benefits it brings to our lives. Senrio is a trusted partner of global technology companies and government agencies. To see Senrio Insight in action visit: http://iot.security/.
The rate at which the Internet of Things (IoT) is growing speaks to the utility of connecting the previously unconnected, and making things ‘smart.’ But the insecurity of such devices means that we’re racing towards potentially epic self-inflicted wounds.
It's been estimated that by 2020, business-to-business spending on IoT technology and tools will reach $267B, half of IoT-related spending will be driven by needs in manufacturing, logistics, and critical infrastructure, and 34 billion devices will be connected and in use across all sectors and classes of devices.
Keeping pace with the growth of IoT in general is the rate at which IoT devices are shown to be vulnerable, often to trivial efforts. From cars to household appliances to surveillance cameras and now airplanes, it is clear that we might be making dumb things smart, but we’re not being smart about how we do it.
The responses to this situation are calls to ‘bake in’ security and new laws. But examples like this, from a DHS effort to hack an airliner, show why any action we take now will not have an impact for years to come:
The cost to change one line of code on a piece of avionics equipment is $1 million, and it takes a year to implement. For Southwest Airlines, whose fleet is based on Boeing’s 737, it would “bankrupt” them if a cyber vulnerability was specific to systems on board 737s ... legacy aircraft, which make up more than 90% of the commercial planes in the sky, don’t have [cybersecurity] protections.
First: don’t panic.
KRACK requires a skilled attacker to be in close proximity, targeting you specifically. If you’re concerned about an auxiliary corporate WiFi network, it may be wise to take it off-line and rely on Ethernet until patches for affected devices become available. And if you are running a hospital WiFi network, you should ensure that the data you send over that network is end-to-end encrypted, because WPA2 will not prevent a skilled attacker from gaining access to a person’s most sensitive data. Yes, this is a hassle, but it’s a good precautionary step to take, since getting within WiFi range (~105ft or 32m) may not be difficult for an intruder unless you have strict access controls in place. Beyond this, it will be important to update every device as soon as patches are available, clients above all, since the key-reinstallation flaw lies in how the client side handles the WPA2 handshake.
The Internet of Things may be a proliferation of computers, but the approaches to computer security we are all familiar with are insufficient, indeed incompatible, with the requirements of IoT system operators. Absent an approach to security that takes these differences into account, IoT devices are a double-edged sword against which enterprises have no serious defense.
The preceding decades of hype about all the horrible things that could happen if computers became too ingrained in our lives and were attacked or went haywire is finally, if regrettably, coming to fruition. These are not abstract problems, or readily recoverable ones like the loss of banking credentials or personal information: they are becoming matters of life and death.
This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the Bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact both IoT and commodity or ‘ordinary’ computer technology. This doesn’t apply in all cases, but as more research is done, it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought.
We've had quite a summer thus far. Here are seven quick updates:
(cue the Bananarama "Cruel Summer" instrumental)
1. We Released "Devil's Ivy"
2. Senrio Was the Exclusive Monitoring Tool of Defcon's IoT Hacking Village!
Be sure to check out our photo gallery of the IoT Hacking Village event!
Senrio in the press!
IoT Hacking comic book!
Watch some of our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018