The Internet of Things may be a proliferation of computers, but the approaches to computer security we are all familiar with are insufficient, indeed incompatible, with the requirements of IoT system operators. Absent an approach to security that takes these differences into account, IoT devices are a double-edged sword against which enterprises have no serious defense.
The preceding decades of hype about all the horrible things that could happen if computers became too ingrained in our lives and were attacked or went haywire is finally, if regrettably, coming to fruition. These are not abstract problems, or readily recoverable ones like the loss of banking credentials or personal information: they are becoming matters of life and death.
This summer we released our findings on a vulnerability we called Devil’s Ivy: a flaw in the gSOAP library that was found while researching a surveillance camera, but whose impact extended far beyond any one device, or any one platform.
This week IoT security company Armis revealed BlueBorne: a set of eight vulnerabilities found in the bluetooth stacks used by a variety of OS vendors. The vulnerabilities impact several billion devices across the Windows, Linux, iOS and Android platforms. Along with a variety of commodity IT devices, any IoT or “smart” devices running any of these OSes are vulnerable.
In both cases the flaws impact, both IoT as well as commodity or ‘ordinary’ computer technology. This doesn’t apply in all cases, but as more research is done, it is highly likely that we’re going to hear more about how the line between problems in IoT and just plain IT is a lot fainter than previously thought
We've had quite a summer thus far. Here seven quick updates:
(cue the Bananarama "Cruel Summer" instrumental)
1. We Released "Devil's Ivy"
2. Senrio Was the Exclusive Monitoring Tool of Defcon's IoT Hacking Village!
Be sure to check out our photo gallery of the IoT Hacking Village event!
Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations don’t consist of the most heavy duty defenses, but they are five ways to slow down attackers.
This last week a debate flared up between a security company Kryptowire, and a cell phone manufacturer BLU, over the possible inclusion of spyware (ADUPS) in BLU phones. Kryptowire initially made their claim in November, then reiterated it last week with more detailed findings. At one point last week, Amazon halted sales of the BLU phones, then re-listed them after BLU issued a statement saying the ADUPS software was normal and wasn’t capturing any sensitive data.
We here at Senrio, didn’t reverse engineer any of the firmware, so I can’t say for sure whether the ADUPS software is sending private information to it’s servers. But, we wanted to show you how you can leverage Senrio Insight to determine if any of the phones in question connected to your network, and if it was communicating to one of the published domains listed in the Kryptowire report.
You can ask Senrio questions, and it will give you answers. You can ask it: "Are there any jailbroken phones on my network?" and in seconds, you'll know!
Imagine for a moment you have a BYOD enterprise, where you allow your employees to bring any device into the office and use that device for corporate emails, texts, etc. How would you know if an employee had a BLU phone? Senrio Insight can help.
The first step is to see what android devices you have on you network. With Senrio, this is easy. Senrio is a "Device Intelligence" platform that you can ask questions. You can ask it if there are any Android phones on your network or even if there are any Jailbroken phones on your network.... For our case, we can simply log in and search for “Android” to view our identification and behavior tags to see all Android devices
The Senrio tag system uses many heuristics and other techniques to identify devices, and as you can see we have several devices on the network that match our search term. But in this case, we are looking for a BLU phone, and we have a very easy way to track that down. We can search for the manufacture “BLU”. It turns out we have one matching phone. The Senrio engine detected this automatically and tagged it accordingly, there was no user-input required.
Ok - so we do have a BLU phone on the network. I wonder if it’s making connections out to any of the domains in question. The Kryptowire report claims several domains are used for both C&C and data exfiltration. One of the first domains in question is adups.com. Let's see if we can find it.
The first thing we do is select the phone and look at the device details. One of the best features in the device details is the “Flow” view. This provides a net-flow like view of all the connections both inbound and outbound for the selected device.
While I could scroll through the list, it’s much easier to look at the “Summaries” which provide an aggregated view of all the connections. I can pull that up and search for adups.com
Yes, we have a match! That phone is connecting out to one of the domains listed by Kryptowire. Now, you might be a little worried that maybe more devices on our network are inflicted. Let's see if we have any other phones connecting to that domain. Senrio Insight has a search capability that allows us to search for all outbound connections. Lets enter that dns name and see what we find.
PHEW! Thankfully, in our case this phone is the only one connecting to this host. And as you can see from the first line, a decent amount of data was exchanged during one of the initial connections. It appears that this application is programmed to connect out to the "adups" server everyday at around 12:15 pm.
Senrio Insight makes it very easy to gain visibility into what’s on your network and what it’s doing. In just a few minutes time we can see the devices Senrio automatically identified as Android devices, and even pick out individual manufacturers. From there we can quickly search through traffic history and identify the network connections in question. With Senrio as our device intelligence platform, in seconds, we have complete device visibility and awareness! Thus alleviating our anxieties.
So how can YOU answer questions about devices on your network? Is it this easy? If not, reach out to learn how we can help.
The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.
For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):
There are other security conferences, but there is only one Blackhat. Not everybody loves it, but trying to make our way through the sea of humanity that flooded the halls of the Mandalay Bay, it’s hard not to think that everyone was there. The Senrio team did its best to represent during both training and the Con itself.
School is Cool
For the sixth year in a row we delivered our perennially sold-out training courses Practical Android Exploitation and Software Exploitation via Hardware Exploitation. At the risk of tooting our own horn, people seemed to like us:
To see the exploit in action, check out our video on Vimeo. For full technical teardown, click here.
Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users.
Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport.
After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded.
Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade.
THE IMPACT GOES FAR BEYOND AXIS
The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server.
The Internet of Things has enjoyed a huge surge in growth in recent years, with businesses and consumers alike flocking to get the world around them smarter and more connected. However, it is becoming quickly apparent that as well as offering a number of useful benefits, the Internet of Things could pose a lucrative opportunity for cyber-criminals able to exploit some potentially major flaws. (Beta News)
IoT is not new, it just hasn’t been marketed as well as it has been in the last few years. Every elevator you ride in, the traffic lights you have to deal with on the way to work, the machines that go ‘ping’ in your hospital room; IoT has been a part of our lives for decades. We demand efficiency and utility in IoT - like commodity IT before it - and don’t consider the security implications until it is too late. Yet unlike commodity IT, there is a dearth of resources available to help secure networked embedded devices, so the idea that we can “secure” IoT is probably a pipe dream. Improving awareness of IoT in the enterprise and insight into what those devices are doing is achievable. Knowing - as they say - is half the battle.
Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us - from home users to corporations and government organizations - are trying to protect ourselves from encryption viruses. But we are ignoring the beginning of the next wave of ransomware attacks - aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things. (Information Management)
One of the rare cases where blending buzzwords makes for an actually more dangerous situation. In this case the danger is not in losing data, but in losing control of devices that are essential for critical infrastructure to operate safely. This is a problem that only gets worse as IoT becomes pervasive, particularly on a personal level (e.g. implantables). Not every individual victim of ransomware is willing to pony up bitcoin; basically everyone will demand power companies and water utilities pay up should they become victims. Installing protections in firmware that detect and prevent abnormal behavior is one way to reduce the likelihood of someone holding a utility for ransom. Ensuring that device operators know when to implement security and safety protocols (awareness and insight) is another.
If you’re wondering why ATMs, shipping companies, hospitals, and point of sale systems are being infected by Petya* ransomware along with PCs, it’s because a lot of the devices you think are purpose-built, limited-function devices - including IoT devices - are really PCs inside.
It is true that devices like a programmable logic controller don’t have a lot of memory, or an operating system, but the IoT is massive in scope and scale, and devices vary widely. That “simple” device might only look simple on the outside; on the inside it may very well be running Windows XP (or CE), and as a consequence just as vulnerable to exploits as any outdated PC would be.
We recently discovered two vulnerabilities in TP-Link’s WR841N V8 router that we exploited to obtain custom code execution on the router. After working closely with the vendor to patch the router’s firmware, we are disclosing the details of our work.
Our team conducts research into networked embedded devices in order to improve our product and spread security knowledge among the embedded device manufacturing and security communities. The WR841N is the same router model we use to teach students about hardware hacking in our classes, and the focus of our JTAG Explained blog post. During the process of our research into this router, we found a logic flaw in a configuration service which allowed us to circumvent its access controls and reset the router’s credentials (CVE-2017-9466). We then used our increased access to gain code execution by exploiting a stack overflow vulnerability available through the configuration service.
In this proximity-based attack, we used a smartphone’s hotspot capability to reset the router’s credentials by taking advantage of a protocol that had been removed from the firmware for newer hardware models. Unfortunately, although older models may no longer be supported, they often remain in critical positions. Fortunately, TP-Link agreed to remove the configuration service from this model once we brought the issue to their attention.
We are sharing the details, step by step, in case our work sparks any ideas or discussion regarding proximity-based attacks, unsupported versions, logic flaws in encryption, or vulnerable configuration services.
Click here to skip to the full technical details, or read on for a high level summary of our work.
Our release notes for Senrio Insight for the month of June 2017 include a number of powerful new features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.
Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additionally important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.
You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in a state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud.
Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.
Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Due to these logs value in monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access.
Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?
Watch a hardware prep video preview below!
Our trainings sell out pretty quickly (they are popular and unfortunately, there are limited seats) so if you're interested in participating, sign up below to get details before we make them available publicly!
In Case You Missed It (ICYMI)!
History is a funny thing. It tends to repeat itself.
Unique Snowflakes Or Ubiquitous Tech? The Truth Behind The Industrial Internet of Things (IIoT and ICS)
During last week's ICS Cyber Security Conference in Atlanta (the world's oldest Industrial Control security conference), we made an announcement that sounded obvious to us but was surprising to many attendees:
“We are just before the curve on embedded security. There are sparce product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” Stephen Ridley briefing US government and Intelligence Agencies in early 2015
Friday's Internet outages and the DDOS attack on security journalist Brian Krebs are just the tip of the iceberg of the types of damage IoT vulnerabilities could cause.
Imagine you are handed this device and asked to get root on it as quickly as possible. No further information is given. Where would you begin? (If you just want to see the router get rooted, jump down to "Mounting an Attack: Rooting a Home Router" ;-)
Our target: A VERY common/popular consumer Access Point.
Since you have the device in your hands, you might try directly attacking the hardware. However, if you've never done any kind of hardware hacking, getting started can be intimidating. In this post, we are going to talk about the fundamental information you need to know to use JTAG for hacking hardware. We'll also go over a quick example to illustrate the power of direct hardware access.
Why Do Manufacturers Use JTAG?
JTAG is a common hardware interface that provides your computer with a way to communicate directly with the chips on a board. It was originally developed by a consortium, the Joint (European) Test Access Group, in the mid-80s to address the increasing difficulty of testing printed circuit boards (PCBs). JTAG has been in widespread use ever since it was included in the Intel 80486 processor in 1990 and codified as IEEE 1491 that same year. Today JTAG is used for debugging, programming and testing on virtually ALL embedded devices.
In this new world of "Internet of Things" and billions of networked embedded devices, it is crucial for device manufacturers to bake security into their new designs before they leave the factory. Here are five tips from a team of security researchers who make a living reverse engineering (hacking) into IoT devices on behalf of industry clients.
Explosive growth of networked embedded devices and a shifting threat landscape require a new approach to IoT Security. Here is why.
Why is Everything Connected Now?
Not a day goes by without a story of a new “smart” device being launched. A perfect storm of new enabling technologies is driving the adoption of Internet-connected devices: The rise of inexpensive Systems-on-a-chip (SOCs) running full operating systems has effectively eradicated many industry use cases for expensive, custom application-specific integrated circuits (ASICs). Any product developer, hobbyist or high-schooler can use an off-the-shelf low-cost computing device like the Raspberry Pi and launch a functioning product in under three months of development. The commoditization of hardware, coupled with rapidly decreasing cost of bandwidth and processing has lead to an explosion of Internet-connected devices. Most of the buzz has been focused in the consumer space with smart toasters, kettles, and diapers?! The proliferation of useless novelty devices has led to a fatigue with the term “Internet of Things” causing Goldman Sachs to quip in 2014 “you cannot spell idiot without IoT”.
In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.
In today’s age of constant connectivity the allure of remotely checking on your home and loved ones is appealing and manufacturers of Wifi Cameras promise a “second set of eyes around the home or office.” However, you may not be the only one peeping in. The dangers of unsecured webcams and baby monitors have been reported in 2014 with cautionary tales warning consumers to change their default passwords. So that’s the end of the story, right? Adding a password will protect me from creepy strangers looking into my home. Not so fast. Researchers at Senrio discovered a vulnerability in a popular Wifi camera that lets attackers overwrite the administrator password.
Senrio in the press!
IoT Hacking comic book!
Watch some our IoT security research
Live On Twitch.tv
Upcoming Trainings by our Team!
Practical Android Exploitation
Black Hat 2018
Las Vegas, NV
13-16 November 2018
Software Exploitation Via Hardware Exploitation
Black Hat 2018
Las Vegas, NV
6-9 November 2018