Does Your IoT Expose You? - OWASP · Does Your IoT Expose You? Honeypots, Attacks and Decryption in...
Does Your IoT Expose You?
Honeypots, Attacks and Decryption in an Edimax Camera
Simona Musilova
@siimi_m_
Sebastian Garcia
@eldracote
Yes. Questions?
Aposemat: IoT Research Lab
ML Detection
Device Vulnerabilities
Malicious Community Research
Lab Infrastructure
- Only opened port 80/TCP
- 12 months
- ~ 2.7 GB of captured data
Edimax Camera IC-7113W
Attacks on the Edimax Camera
- Login.cgi (RCE for D-Link)
- GPON
Exploiting Vulnerabilities in Edimax Camera
- phpMyAdmin
- WebDAV service in IIS Windows Server 2003 [CVE-2017-7269]
The “Normal” Traffic of Edimax
- DNS requests
- Number of DNS requests per 24 hours:
  - ~ 4,000 www.myedimax.com
  - ~ 1,000 www.google.com
  - ~ 20 ns.cloud.edimax.com.tw
  - ~ 15 www.yahoo.com
  - ~ 10 www.ibm.com
The “Normal” Traffic of Edimax
- Encoded UDP Packets
- TLS connections to port 55443/TCP
9765
Traffic Analysis
[1] http://blog.guntram.de/?p=37
[2] http://jin.ece.ufl.edu/papers/GlobeCom17-CR.pdf
‘<’ = 0x3c
Traffic Analysis
- Registration process
- Keep-alive
Traffic Analysis
660 Bytes
Payload: 01 40 00 00 30 31 37 31 34 35 33 31 42 41 41 30 45 35 32 32 42 39 44 34 39 30 43 39 41 42 41 36 33 43 45 30 32 39 30 44 35 41 34 46 31 44 30 36 31 33 ...
228 Bytes
Payload: 01 40 00 00 9c 44 00 5b 00 00 00 00 00 00 00 00 00 00 00 00 42 39 44 34 39 30 43 39 41 42 41 36 33 43 45 30 32 39 30 44 35 41 34 46 31 44 30 36 31 33 ...
Edimax camera
- New packets
Registration server
Firmware Analysis
- HTTP credentials
- AES algorithm
New packets
Conclusions
Attacks
- Well-known vulnerabilities
- A lot of scanning
Camera behavior
- Simple encoding method in payload
- Base64 for HTTP credentials
- AES-256-CBC