|
We've had quite a summer thus far. Here seven quick updates: (cue the Bananarama "Cruel Summer" instrumental) 1. We Released "Devil's Ivy" Click the image above to see some of the coverage. 2. Senrio Was the Exclusive Monitoring Tool of Defcon's IoT Hacking Village! Be sure to check out our photo gallery of the IoT Hacking Village event!
Since we issued our last set of security recommendations for IoT device makers, we went back into the lab and generated a few more we’d like to share with you. We understand that vendors are primarily focused on creating functional devices, but making a device more secure does not need to take that much effort, and the benefits can be dramatic. Every layer of security puts one more roadblock between an attacker and exploiting a device. These recommendations don’t consist of the most heavy duty defenses, but they are five ways to slow down attackers.
Our release notes for Senrio Insight for the month of August 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you.  This last week a debate flared up between a security company Kryptowire, and a cell phone manufacturer BLU, over the possible inclusion of spyware (ADUPS) in BLU phones. Kryptowire initially made their claim in November, then reiterated it last week with more detailed findings. At one point last week, Amazon halted sales of the BLU phones, then re-listed them after BLU issued a statement saying the ADUPS software was normal and wasn’t capturing any sensitive data. We here at Senrio, didn’t reverse engineer any of the firmware, so I can’t say for sure whether the ADUPS software is sending private information to it’s servers. But, we wanted to show you how you can leverage Senrio Insight to determine if any of the phones in question connected to your network, and if it was communicating to one of the published domains listed in the Kryptowire report. You can ask Senrio questions, and it will give you answers. You can ask it: "Are there any jailbroken phones on my network?" and in seconds, you'll know! Imagine for a moment you have a BYOD enterprise, where you allow your employees to bring any device into the office and use that device for corporate emails, texts, etc. How would you know if an employee had a BLU phone? Senrio Insight can help. The first step is to see what android devices you have on you network. With Senrio, this is easy. Senrio is a "Device Intelligence" platform that you can ask questions. You can ask it if there are any Android phones on your network or even if there are any Jailbroken phones on your network.... For our case, we can simply log in and search for “Android” to view our identification and behavior tags to see all Android devices  Powerful search/filtering based on Senrio proprietary identification "tagging". The Senrio tag system uses many heuristics and other techniques to identify devices, and as you can see we have several devices on the network that match our search term. But in this case, we are looking for a BLU phone, and we have a very easy way to track that down. We can search for the manufacture “BLU”. It turns out we have one matching phone. The Senrio engine detected this automatically and tagged it accordingly, there was no user-input required.  Senrio Tagging at work, identifies our target device. No more searching through logs or actively port scanning your network! Ok - so we do have a BLU phone on the network. I wonder if it’s making connections out to any of the domains in question. The Kryptowire report claims several domains are used for both C&C and data exfiltration. One of the first domains in question is adups.com. Let's see if we can find it. The first thing we do is select the phone and look at the device details. One of the best features in the device details is the “Flow” view. This provides a net-flow like view of all the connections both inbound and outbound for the selected device.  See everything! Complete device behavior visibility! While I could scroll through the list, it’s much easier to look at the “Summaries” which provide an aggregated view of all the connections. I can pull that up and search for adups.com  Want to know if a device on your network has ever communicated with a malware C&C or malicious domain? Search in seconds. Yes, we have a match! That phone is connecting out to one of the domains listed by Kryptowire. Now, you might be a little worried that maybe more devices on our network are inflicted. Let's see if we have any other phones connecting to that domain. Senrio Insight has a search capability that allows us to search for all outbound connections. Lets enter that dns name and see what we find.  Search for more context in seconds! Complete device visibility. Complete device intelligence. PHEW! Thankfully, in our case this phone is the only one connecting to this host. And as you can see from the first line, a decent amount of data was exchanged during one of the initial connections. It appears that this application is programmed to connect out to the "adups" server everyday at around 12:15 pm. Conclusions...Senrio Insight makes it very easy to gain visibility into what’s on your network and what it’s doing. In just a few minutes time we can see the devices Senrio automatically identified as Android devices, and even pick out individual manufacturers. From there we can quickly search through traffic history and identify the network connections in question. With Senrio as our device intelligence platform, in seconds, we have complete device visibility and awareness! Thus alleviating our anxieties.
So how can YOU answer questions about devices on your network? Is it this easy? If not, reach out to learn how we can help. The Internet of Things Cybersecurity Improvement Act of 2017 was introduced in Congress this week. Like all “cyber” legislation of the past few decades it means well. Unlike many bills that have come before it, it actually has a number of good, practical ideas. Will it actually improve IoT security? We’ll get to that in a minute.
For the sake of brevity, we’re going to summarize key elements of the bill, which deals with government contracts that involve the procurement and use of “Internet-Connected Devices” (henceforth “IoT”):
There are other security conferences, but there is only one Blackhat. Not everybody loves it, but trying to make our way through the sea of humanity that flooded the halls of the Mandalay Bay, it’s hard not to think that everyone was there. The Senrio team did its best to represent during both training and the Con itself.
School is Cool For the sixth year in a row we delivered our perennially sold-out training courses Practical Android Exploitation and Software Exploitation via Hardware Exploitation. At the risk of tooting our own horn, people seemed to like us:
 Axis camera deployed at the Los Angeles airport
To see the exploit in action, check out our video on Vimeo. For full technical teardown, click here.
Summary Given the increasingly vital role IoT plays in modern life, we strive to improve the state of IoT security and share the knowledge we gain through our research with IoT manufacturers and users. Our latest discovery was found in an Axis Communications security camera — the M3004 model. Axis Communications is one of the largest manufacturers of security web cameras globally. In fact, while passing through LAX last week, we saw one of the vulnerable models in use at the airport. After about a day of analysis, we discovered a stack buffer overflow vulnerability (CVE-2017-9765), which we’re calling Devil’s Ivy*. Devil’s Ivy results in remote code execution, and was found in an open source third-party code library, from gSOAP (more on that later). When exploited, it allows an attacker to remotely access a video feed or deny the owner access to the feed. Since these cameras are meant to secure something, like a bank lobby, this could lead to collection of sensitive information or prevent a crime from being observed or recorded. Axis informed us that Devil’s Ivy is present in 249 distinct camera models, the exception being three of their older cameras. Once we verified Axis’s fix prevented our exploit from working, Axis quickly began releasing patched firmware and prompting partners and customers to upgrade. THE IMPACT GOES FAR BEYOND AXIS The impact of Devil’s Ivy goes far beyond Axis. It lies deep in the communication layer, in an open source third-party toolkit called gSOAP (Simple Object Access Protocol). gSOAP is a widely used web services toolkit, and developers around the world use gSOAP as part of a software stack to enable devices of all kinds to talk to the internet. Software or device manufacturers who rely on gSOAP to support their services are affected by Devil’s Ivy, though the extent to which such devices may be exploited cannot be determined at this time. Based on our research, servers are more likely to be exploited. But clients can be vulnerable as well, if they receive a SOAP message from a malicious server. The Internet of Things has enjoyed a huge surge in growth in recent years, with businesses and consumers alike flocking to get the world around them smarter and more connected. However, it is becoming quickly apparent that as well as offering a number of useful benefits, the Internet of Things could pose a lucrative opportunity for cyber-criminals able to exploit some potentially major flaws. (Beta News)
IoT is not new, it just hasn’t been marketed as well as it has been in the last few years. Every elevator you ride in, the traffic lights you have to deal with on the way to work, the machines that go ‘ping’ in your hospital room; IoT has been a part of our lives for decades. We demand efficiency and utility in IoT - like commodity IT before it - and don’t consider the security implications until it is too late. Yet unlike commodity IT, there is a dearth of resources available to help secure networked embedded devices, so the idea that we can “secure” IoT is probably a pipe dream. Improving awareness of IoT in the enterprise and insight into what those devices are doing is achievable. Knowing - as they say - is half the battle. Our release notes for Senrio Insight for the month of July 2017 include numerous new and powerful features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you. Ransomware has become one of the most serious cyber threats plaguing organizations. Today, all of us - from home users to corporations and government organizations - are trying to protect ourselves from encryption viruses. But we are ignoring the beginning of the next wave of ransomware attacks - aimed at encrypting IoT devices. These attacks can be much more dangerous given the omnipresent and extremely diverse nature of the Internet of Things. (Information Management)
One of the rare cases where blending buzzwords makes for an actually more dangerous situation. In this case the danger is not in losing data, but in losing control of devices that are essential for critical infrastructure to operate safely. This is a problem that only gets worse as IoT becomes pervasive, particularly on a personal level (e.g. implantables). Not every individual victim of ransomware is willing to pony up bitcoin; basically everyone will demand power companies and water utilities pay up should they become victims. Installing protections in firmware that detect and prevent abnormal behavior is one way to reduce the likelihood of someone holding a utility for ransom. Ensuring that device operators know when to implement security and safety protocols (awareness and insight) is another.  If you’re wondering why ATMs, shipping companies, hospitals, and point of sale systems are being infected by Petya* ransomware along with PCs, it’s because a lot of the devices you think are purpose-built, limited-function devices - including IoT devices - are really PCs inside.
It is true that devices like a programmable logic controller don’t have a lot of memory, or an operating system, but the IoT is massive in scope and scale, and devices vary widely. That “simple” device might only look simple on the outside; on the inside it may very well be running Windows XP (or CE), and as a consequence just as vulnerable to exploits as any outdated PC would be. The adoption of smart power meters in the UK faces a hurdle:
"Concerns over cybersecurity are undermining the nationwide introduction of smart meters, with more than one in five people saying they do not want one. Almost six million homes would reject the devices despite government promises that they would cut energy bills. More than half of those who oppose smart meters said that their principal concern was data protection." A perfectly legitimate concern, given recent events and revelations about what metadata can reveal. Spikes in consumption on certain days or times could not only be used to help regulate supply, but suggest when you’re home, away, or have guests over. Over time this sort of information helps establish a pattern of life, which is useful to multiple entities in myriad ways. Knowing when people are away from home could be useful for the police in crime prevention efforts; or data could be sold to advertisers who would push you ads for home security systems if you’re away a lot, or sales at the grocery store if you host a lot of guests. While it is refreshing to see the general populace expressing concerns about the security of such devices, it does beg the question: do these same people have any idea how prevalent such devices have been in their lives? In a domestic context they are smart devices, but in a factory they’re industrial control and in a power plant, SCADA. This Internet of Things has become a buzz-phrase, but the fact of the matter is that network enabled devices have been a part of our lives years before we started giving them clever names.  TP-Link WR841N We recently discovered two vulnerabilities in TP-Link’s WR841N V8 router that we exploited to obtain custom code execution on the router. After working closely with the vendor to patch the router’s firmware, we are disclosing the details of our work.
Our team conducts research into networked embedded devices in order to improve our product and spread security knowledge among the embedded device manufacturing and security communities. The WR841N is the same router model we use to teach students about hardware hacking in our classes, and the focus of our JTAG Explained blog post. During the process of our research into this router, we found a logic flaw in a configuration service which allowed us to circumvent its access controls and reset the router’s credentials (CVE-2017-9466). We then used our increased access to gain code execution by exploiting a stack overflow vulnerability available through the configuration service. In this proximity-based attack, we used a smartphone’s hotspot capability to reset the router’s credentials by taking advantage of a protocol that had been removed from the firmware for newer hardware models. Unfortunately, although older models may no longer be supported, they often remain in critical positions. Fortunately, TP-Link agreed to remove the configuration service from this model once we brought the issue to their attention. We are sharing the details, step by step, in case our work sparks any ideas or discussion regarding proximity-based attacks, unsupported versions, logic flaws in encryption, or vulnerable configuration services. Click here to skip to the full technical details, or read on for a high level summary of our work. Our release notes for Senrio Insight for the month of June 2017 include a number of powerful new features:
We are always looking for your feedback and welcome all suggestions for how we can make Insight more valuable to you. 
Medical device security has largely been concerned with attacks that might compromise device safety and effectiveness. An additionally important but under-appreciated issue is device integrity. In situations where devices are expected to provide objective testimony, the integrity of the device and the data it generates is paramount.
You probably don’t know Ross Compton, but last fall the 59-year-old claimed that when he noticed his house was on fire, he hurriedly packed some personal belongings, broke a window with his cane, and rushed out of the house. Police, suspicious of his claims, got a warrant for Compton’s pacemaker data. The data showed that he had not been in a state of activity he described at the time of the fire. That data, plus physical evidence collected by fire investigators, was more than enough to charge Compton with arson and insurance fraud. Cases like this bring to light the importance of issues related to integrity verification. The value of device logs as an objective record of facts only exists if we can be assured that the ability to generate records, and the records themselves, have not been compromised.
Overview
Medical devices like pacemakers and drug infusion pumps keep detailed logs of all activity. Due to these logs value in monitoring patient care, device operation, and incident investigation, there is a risk of data modification attacks through physical or remote access. Consider a generic infusion pump that primarily dispenses pain medication and writes logs to battery-backed RAM. These logs record the dose of drugs as requested and delivered, any program changes, and when infusion starts and stops. If a patient suffered a medical emergency that could be linked to the pump, or anything went awry, investigators would depend on the device logs to tell them the story. But what if those logs didn’t have the whole story, or an accurate one?
Not many people actually realize how much the IoT truly affects them. We are surrounded by devices that we don’t realize are actually driven by tiny computers connected to networks. IoT makes life extremely convenient, but it is a very fragile system. Recognizing just how fragile things are, Michael wanted to be apart of a company that was addressing the problem in a meaningful way. He and Senrio CEO and founder, Stephen Ridley both come from the same special group at a large defense contractor that supported U.S Law Enforcement and Intelligence communities on offensive and defensive cybersecurity. Recognizing that Stephen and his team were addressing IoT security problems in a truly meaningful way, when the opportunity to join Senrio came up, joining the team was an easy decision. --Rachel Michel, Senrio Marketing Associate 
Watch a hardware prep video preview below!
IoT Webcam Serial Prep from Senrio Labs on Vimeo.
Our trainings sell out pretty quickly (they are popular and unfortunately, there are limited seats) so if you're interested in participating, sign up below to get details before we make them available publicly!
In Case You Missed It (ICYMI)!
History is a funny thing. It tends to repeat itself.
Investing in a company, whether that investment is time, money, or reputation, starts with people. You invest in people that inspire, and Stephen Ridley, Founder of Senrio, is one of those people. He blends incredible enthusiasm with world-class expertise. I saw this first hand when we worked together on bleeding-edge projects for the Intelligence Community 10 years ago. But the team is more than Stephen. The Senrio family he is assembling (and has already assembled), has that ideal mix of hunger and experience. That passion and capacity continues to scale as the employee count grows, and success for Senrio has not hurt their humility. This group will continue to attract like-minded individuals.
During last week's ICS Cyber Security Conference in Atlanta (the world's oldest Industrial Control security conference), we made an announcement that sounded obvious to us but was surprising to many attendees: 
“We are just before the curve on embedded security. There are sparce product and service offerings in this area now simply because of the uncanny valley. We also haven’t yet experienced the big watershed event that will cause the reactionary security industry to shift focus - but that appears imminent.” Stephen Ridley briefing US government and Intelligence Agencies in early 2015
Friday's Internet outages and the DDOS attack on security journalist Brian Krebs are just the tip of the iceberg of the types of damage IoT vulnerabilities could cause.
Jamison's "big picture" approach to understanding Infosec solutions comes from years spent learning (and presenting) the details beyond the technicalities of a hack. Instead he delves into the workings of the criminal industry; how and why malware is written, how criminals monetize attacks, and how understanding attacker motivations helps protect networks against malicious forces. Armed with this knowledge, Jamison has built teams to help deploy custom solutions to meet customer need. Jamison is a contributor to ITSP magazine and has blogged on various cyber security topics.
|
Read about
Senrio in the press! Trending:Recent Posts:
IoT Hacking comic book!
Read a Free "Hardware Hacking" Online Comic!
Watch!Watch some our IoT security research
Live On Twitch.tv 
Upcoming Trainings by our Team!Practical Android Exploitation
Black Hat 2018 Las Vegas, NV SOLD OUT 13-16 November 2018 Manhattan, NY SIGN UP! Software Exploitation Via Hardware Exploitation Black Hat 2018 Las Vegas, NV SOLD OUT 6-9 November 2018 Manhattan, NY SIGN UP! Blog Subjects
All
|
RSS Feed