Post on 16-Jan-2017
$HOME Sweet $HOME
SANSFIRE 2016 - Xavier Mertens
$ cat ~/whoami.xml
<profile>
  <real_name>Xavier Mertens</real_name>
  <day_job>Freelance Security Guy</day_job>
  <night_job>Hacker, Blogger</night_job>
  <![CDATA[
    www.truesec.be
    blog.rootshell.be
    isc.sans.edu
    www.brucon.org
  ]]>
</profile>
$ cat ~/.profile
• I like (your) data
• Playing “Active Defense”
• I prefer t-shirts to ties
• Geek and gadget lover!
$ cat ~/disclaimer.txt
“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”
Agenda
• A Revolution Entered Our Homes
• Internet of Nightmares
• Mitigations
• Conclusions
Fidonet: 2:291/715.9
Aminet: 39:120/201.9
Timeline: BBS → Fidonet → UUCP → IP (SLIP) → "Broadband" → Mobile
What’s next?
Today?
• More bandwidth at home than when I started working for ISPs (1996)
• SLA @ home (the kids complain when we are offline)
$DATA
• Family pictures
• Administrative docs (taxes, insurances, invoices)
• Media (MP3, movies, books)
• $YOU
Before: Internet → Firewall → LAN
The firewall's job was to filter ingress traffic.
Today: Internet ← Firewall ← LAN
The traffic to worry about is egress: the devices on the LAN are the ones calling out.
IoT Botnet (figure)
Source: https://www.emaze.com/@AIFFFTIO/IoT-Health-ppt
Google Too!
More info: https://developers.google.com/brillo/
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
Resistance is Futile!
Growing Attack Surface
“Smart”?
“having or showing a quick-witted intelligence”
TrueSec 30
Smart Devices? Really?
Smart-ization…
Adding a communication module to an object doesn't make it "smart"…
What is the difference between…
Components: sensors, software, connectivity, big data
Threats: vulnerability, exploit, MitM, privacy abuse
OWASP Internet of Things Top 10 (2014)
• Insecure Web Interface
• Insufficient Authentication/Authorization
• Insecure Network Services
• Lack of Transport Encryption
• Privacy Concerns
• Insecure Cloud Interface
• Insecure Mobile Interface
• Insufficient Security Configurability
• Insecure Software/Firmware
• Poor Physical Security
Developers…
We already fail to patch regular computers…
… what about IoT devices?
Security features vs. ease of use (the usual trade-off)
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
<warning> This section focuses on devices connected to your IP home network </warning>
Rule #0
• Think twice: "Do you really need this device?"
• Agreed… very difficult for most of us!
Rule #1
• Know your device before it joins the network:
• What is the MAC address of the device?
• What are the network requirements? (DNS, NTP, SNMP, Syslog)
• Which open ports are required? To which IP address(es)?
• Can the device be upgraded?
• Are firmware images signed?
• Can we backup/restore the config?
Rule #2
• Assign a fixed DHCP lease to known devices
host myflattv {
  hardware ethernet aa:bb:cc:dd:ee:ff;
  fixed-address 192.168.1.100;
  option routers 192.168.1.1;
  default-lease-time 3600;
}
Rule #3
• Implement an egress filter
• Any:Any to Any:Any, Drop & Log
• Allow only required traffic (see rule #1)
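Rules #1 to #3 chain together: the inventory answers from Rule #1 become the DHCP reservation of Rule #2 and the allow-list of the egress filter of Rule #3. The following is an added example (not code from the talk) that turns a small constructed inventory into an ISC dhcpd host block and an nftables forward chain with "drop and log" as the default policy, then applies the same policy to constructed flow records to show which ones would be dropped and logged. The device names, MAC addresses, the 192.168.1.0/24 LAN, the resolver on the router and the vendor ranges in 203.0.113.0/24 and 198.51.100.0/24 are all assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed addresses for the example (RFC 1918 / RFC 5737); not from the talk.
RESOLVER = "192.168.1.1"            # local resolver of Rule #5, assumed to live on the router
VENDOR_CLOUD = "203.0.113.0/24"     # the TV vendor's update/telemetry range (constructed)

Flow = Tuple[str, str, str, int]    # (src_ip, proto, dst_ip, dport)


@dataclass
class Device:
    name: str
    mac: str
    ip: str
    # Answers to Rule #1: which (proto, destination, port) the device really needs.
    allowed: List[Tuple[str, str, int]] = field(default_factory=list)


INVENTORY = [
    Device("myflattv", "aa:bb:cc:dd:ee:ff", "192.168.1.100", [
        ("udp", RESOLVER, 53),          # DNS, only through the local resolver
        ("udp", RESOLVER, 123),         # NTP from the router
        ("tcp", VENDOR_CLOUD, 443),     # firmware updates
    ]),
    Device("thermostat", "11:22:33:44:55:66", "192.168.1.101", [
        ("udp", RESOLVER, 53),
        ("tcp", "198.51.100.7", 8883),  # MQTT over TLS to the vendor broker (constructed)
    ]),
]


def dhcp_host(dev: Device, router: str = RESOLVER) -> str:
    """Rule #2: ISC dhcpd reservation, so the IP used in the firewall rule stays bound to the MAC."""
    return (f"host {dev.name} {{ hardware ethernet {dev.mac}; fixed-address {dev.ip}; "
            f"option routers {router}; default-lease-time 3600; }}")


def nft_ruleset(inventory: List[Device]) -> str:
    """Rule #3: nftables forward chain, default drop + log, accept only inventoried flows."""
    lines = ["table inet egress {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for dev in inventory:
        for proto, dst, port in dev.allowed:
            lines.append(f"    ip saddr {dev.ip} ip daddr {dst} {proto} dport {port} "
                         f"accept comment \"{dev.name}\"")
    lines += ['    log prefix "egress-drop: " drop', "  }", "}"]
    return "\n".join(lines)


def _dst_matches(rule_dst: str, dst_ip: str) -> bool:
    return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule_dst, strict=False)


def verdict(inventory: List[Device], flow: Flow) -> str:
    """Apply the same policy to one flow record: 'accept', or 'drop' (which the ruleset also logs)."""
    src, proto, dst, dport = flow
    for dev in inventory:
        if dev.ip != src:
            continue
        for r_proto, r_dst, r_port in dev.allowed:
            if r_proto == proto and r_port == dport and _dst_matches(r_dst, dst):
                return "accept"
        return "drop"
    return "drop"   # unknown station: nothing is allowed until it is inventoried (see Rule #7)


def evaluate(inventory: List[Device], flows: List[Flow]) -> List[Tuple[Flow, str]]:
    return [(f, verdict(inventory, f)) for f in flows]


# Constructed flow records, as the firewall's connection log would show them.
SAMPLE_FLOWS: List[Flow] = [
    ("192.168.1.100", "udp", "192.168.1.1", 53),     # TV asks the local resolver: ok
    ("192.168.1.100", "udp", "8.8.8.8", 53),         # TV bypasses the resolver: drop + log
    ("192.168.1.100", "tcp", "203.0.113.25", 443),   # TV update server: ok
    ("192.168.1.101", "tcp", "198.51.100.7", 8883),  # thermostat MQTT: ok
    ("192.168.1.101", "tcp", "198.51.100.7", 23),    # thermostat telnet out: drop + log
    ("192.168.1.250", "tcp", "203.0.113.25", 443),   # unknown station: drop + log
]

if __name__ == "__main__":
    print(dhcp_host(INVENTORY[0]))
    print(nft_ruleset(INVENTORY))
    for flow, v in evaluate(INVENTORY, SAMPLE_FLOWS):
        print(f"{v:6} {flow}")
```

The dropped flows are the interesting ones: a TV that talks to 8.8.8.8 instead of the local resolver is exactly the traffic Rule #5 wants logged, and the unknown station is the one Rule #7 says to capture. Destinations are IP ranges on purpose: nftables does not resolve hostnames at match time, so "the vendor's cloud" has to be pinned to addresses you observed during Rule #1.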
Rule #4
• Segmentation
Rule #5
• Use a local resolver for DNS queries and log them
Rule #6
• Disable unsafe protocols like SSDP/UPnP
• Risk of DDoS (reflection/amplification attacks when SSDP is reachable from the Internet)
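Why SSDP is an amplification vector: one small M-SEARCH datagram makes a device answer with one larger response per device or service type it exposes, and because it is UDP the request can carry a spoofed source address. The block below is an added example (not from the talk) that builds the standard M-SEARCH request, parses SSDP responses (HTTP-style headers over UDP), and computes the bandwidth amplification factor from three constructed responses of the kind a home gateway returns. The `discover()` function does real multicast I/O on your LAN; the router address, the UUID and the SERVER string in the sample responses are constructed.

```python
import socket

SSDP_GROUP = ("239.255.255.250", 1900)


def build_msearch(st: str = "ssdp:all", mx: int = 1) -> bytes:
    """The standard SSDP discovery request: what any client, or any attacker, sends."""
    return ("M-SEARCH * HTTP/1.1\r\n"
            f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}\r\n"
            'MAN: "ssdp:discover"\r\n'
            f"MX: {mx}\r\n"
            f"ST: {st}\r\n\r\n").encode()


def parse_ssdp_response(data: bytes) -> dict:
    """Parse the HTTP-over-UDP reply; header names are case-insensitive, so they are upper-cased."""
    text = data.decode("utf-8", errors="replace")
    head, _, _ = text.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for hl in header_lines:
        name, sep, value = hl.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"status": status, **headers}


def amplification(request: bytes, responses: list) -> float:
    """Bandwidth amplification factor: bytes the (spoofed) victim receives per byte sent."""
    return sum(len(r) for r in responses) / len(request)


def discover(timeout: float = 2.0) -> list:
    """Send one M-SEARCH on the LAN and collect every answer (network call, not run by the test).
    Run it after 'disabling UPnP' on a device: any answer means the setting did not take."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_GROUP)
    answers = []
    try:
        while True:
            data, (ip, _) = sock.recvfrom(65535)
            answers.append((ip, parse_ssdp_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return answers


def _resp(st: str, usn: str) -> bytes:
    # Constructed response of a MiniUPnPd-style Internet gateway (addresses and UUID made up).
    return ("HTTP/1.1 200 OK\r\n"
            "CACHE-CONTROL: max-age=1800\r\n"
            "EXT:\r\n"
            "LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
            "SERVER: Linux/3.10 UPnP/1.0 MiniUPnPd/1.9\r\n"
            f"ST: {st}\r\n"
            f"USN: {usn}\r\n\r\n").encode()


ROOT = "uuid:00000000-0000-0000-0000-000000000001"   # constructed device UUID
# An IGD answering "ssdp:all" replies once per root device, device type and service type.
SAMPLE_RESPONSES = [
    _resp("upnp:rootdevice", f"{ROOT}::upnp:rootdevice"),
    _resp("urn:schemas-upnp-org:device:InternetGatewayDevice:1",
          f"{ROOT}::urn:schemas-upnp-org:device:InternetGatewayDevice:1"),
    _resp("urn:schemas-upnp-org:service:WANIPConnection:1",
          f"{ROOT}::urn:schemas-upnp-org:service:WANIPConnection:1"),
]

if __name__ == "__main__":
    req = build_msearch()
    print(f"request: {len(req)} bytes, amplification x{amplification(req, SAMPLE_RESPONSES):.1f}")
    for r in SAMPLE_RESPONSES:
        print(parse_ssdp_response(r)["ST"])
```

The LOCATION header is worth a look too: it points at the device description XML, which is the first thing an attacker fetches to learn what the box is and which UPnP actions it offers. On the WAN side, the fix is simply not to answer on 1900/udp at all.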
Rule #7
• Capture the traffic from unknown devices (http://blog.rootshell.be/2015/03/17/the-lack-of-network-documentation/)
Rule #8
• Be offensive!
• Know your enemy
Hardware
Topology (diagram): Router, Firewall, Ethernet Switch, Server, Device1, Device2
Software Shopping
Commercial $olution$
PA200, Sophos UTM Home Edition, <insert your preferred $VENDOR>
Virtualize!
KVM ("Kernel-based Virtual Machine"), VirtualBox, ESX, XenServer, …
Security Onion
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. Core components are: Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools.
pfSense
The pfSense project is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third party free software packages for additional functionality.
pfSense software, with the help of the package system, is able to provide the same functionality or more of common commercial firewalls.
Keep an Eye on ARP
• arpwatch is a nice tool to track new/changing MAC addresses
Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0
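A "new station" line only helps if someone compares it with the inventory from Rule #1. The block below is an added example (not from the talk) of that comparison: it parses the three arpwatch syslog events that matter ("new station", "changed ethernet address", "flip flop"), normalises the MACs (arpwatch prints octets without leading zeros), raises an alert for stations that are not inventoried and for inventoried IPs that suddenly answer from another MAC (a reimaged device, or ARP spoofing), and emits the tcpdump command Rule #7 asks for. The inventory, the host name "shiva" and the log lines after the first one are constructed; the first log line is the one from the slide.

```python
import re
from typing import Dict, List, Optional

# Known devices from Rule #1, keyed by normalised MAC (constructed inventory).
INVENTORY: Dict[str, str] = {
    "34:a3:95:c5:d2:e5": "myflattv",
    "00:11:22:33:44:55": "gateway",
}

# arpwatch syslog events: "new station <ip> <mac> <iface>",
# "changed ethernet address <ip> <new mac> (<old mac>) <iface>",
# "flip flop <ip> <new mac> (<old mac>) <iface>".
EVENT_RE = re.compile(
    r"arpwatch: (?P<event>new station|changed ethernet address|flip flop) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mac>[0-9a-f:]+)(?: \((?P<old>[0-9a-f:]+)\))? (?P<iface>\S+)",
    re.IGNORECASE)


def norm_mac(mac: str) -> str:
    """arpwatch writes octets without leading zeros (0:1:2:a:b:c); pad to the usual form."""
    return ":".join(f"{int(o, 16):02x}" for o in mac.split(":"))


def triage(line: str) -> Optional[dict]:
    """Classify one syslog line; None when it is not an arpwatch event we care about."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    mac = norm_mac(m["mac"])
    old = norm_mac(m["old"]) if m["old"] else None
    ev = m["event"].lower()
    if ev == "new station":
        if mac in INVENTORY:
            sev, why = "info", f"known device {INVENTORY[mac]} came up"
        else:
            sev, why = "alert", "unknown station, capture its traffic (Rule #7)"
    else:
        # An IP that moves to another MAC: a replaced device, a cloned address,
        # or ARP spoofing, the classic LAN MitM technique.
        sev, why = "alert", f"{ev}: {m['ip']} moved from {old} to {mac}"
    capture = None
    if sev == "alert":
        capture = f"tcpdump -ni {m['iface']} -w {mac.replace(':', '')}.pcap ether host {mac}"
    return {"severity": sev, "event": ev, "ip": m["ip"], "mac": mac, "old": old,
            "iface": m["iface"], "why": why, "capture": capture}


def alerts(log: str) -> List[dict]:
    """Everything in the log that needs a human: unknown stations and MAC changes."""
    return [r for r in map(triage, log.splitlines()) if r and r["severity"] == "alert"]


# Constructed sample: a known TV, then an unknown box (Raspberry Pi OUI) that shortly
# afterwards takes over the gateway's IP address. The first line is the one from the slide.
SAMPLE_LOG = """\
Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0
Apr 17 11:40:12 shiva arpwatch: new station 10.90.14.99 b8:27:eb:1:2:3 eth0
Apr 17 11:41:50 shiva arpwatch: changed ethernet address 10.90.14.1 b8:27:eb:1:2:3 (0:11:22:33:44:55) eth0
Apr 17 11:42:00 shiva sshd[123]: Accepted publickey for xavier from 10.90.14.85
"""

if __name__ == "__main__":
    for a in alerts(SAMPLE_LOG):
        print(f"[{a['severity']}] {a['event']} {a['ip']} {a['mac']}: {a['why']}")
        print(f"   {a['capture']}")
```

Feed it from syslog (or arpwatch's mail reports) and the "changed ethernet address" case is the one to act on immediately: the gateway IP answering from a MAC you have never inventoried means every device on the segment may now be routing through that box.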
Next Level…
• Detecting Suspicious Devices On-The-Fly! (https://isc.sans.edu/forums/diary/Guest+diary+Detecting+Suspicious+Devices+OnTheFly/18993)
• Inspect HTTP(S) traffic for suspicious data, vulnerabilities (who said “hacking”?)
• MitM, ettercap, sslstrip, BurpSuite
Agenda
• A Revolution Entered Our Homes
• Internet of Terrors
• Mitigations
• Conclusions
5 Tips to Keep in Mind
• IoT is here and is invading our homes
• Think “IoT” == “Computers” (same issues)
• Smart != Safe
• Tools exist to control them
• Ask yourself: “Do I need it?”
Thank you!
@xme
xavier@rootshell.be
xmertens@isc.sans.edu