IoT Security: How Your TV and Thermostat are Attacking the Internet
Nathan Wallace, PhD, CSSA
Dir. of Cyber Operations, Cybirical, LLC
Dec. 05 2016
Computer Science
Outline
• The Internet of Things (Everything)
  - Examples of IoT Devices
  - Power Grid (‘Grid of Things’)
• Security Challenges
  - End-Point Security, Global Issues, 0-Days, No Motivation
• The Mirai Botnet
  - Background (DNS)
  - Oct. 21st Summary
• Tinkering Around
  - Experimenting with an IP Cam
  - What is this ‘thing’ really doing
Source: http://www.comsoc.org/blog/infographic-internet-things-iot
By the numbers
Internet of Things Examples
Video
Internet of Things Examples
FEATURES
• Integrated cleansing. Adjustable spray shape, position, water pressure, temperature, pulsate.
• Self-cleaning
• Warm-air drying system with adjustable temperature settings.
• Automatic deodorization system.
• Heated seat with adjustable temperature settings.
• Motion-activated LED lighting illuminates the bowl to serve as a night-light.
• Touchscreen LCD remote control.
• Plays Music
Video
Grid of Things State of Affairs Power Grid
“Our expectations is that the modernized electricity grid will be 100 to 1000 times larger than the Internet” – CISCO VP
Advanced Metering
Electric Vehicles
Distributed Generation
Grid Modernization
Distribution Automation
IoT Security => Safety
ICS-CERT
Wait, so what exactly is IoT?
Source: IoT European Research Cluster, IERC, 2014
IoT Defined... Now Security...
Implementing security with:
• No Incentives (or Consequences)
• Do vendors and consumers even care
• World economy, markets, and conflicts
• Engineering silos
• Engineering ethical barriers
• Limited understanding of complexity and emergent issues
Mirai Botnet
Source: Level 3 Communications
Outage Map October 21 2016
Background
Source: Simon Liu, "Surviving Distributed Denial-of-Service Attacks", IT Professional vol. 11, p. 51-53, September/October, 2009
Background How Domain Name Service Works
‘The Phone Book of the Internet’
(1) Where is Google?
DNS Server
(2) Google is at 108.177.8.113
(3) Searching the Web 108.177.8.113/search?q=IEEE
Summary
Source: http://dyn.com/blog/dyn-analysis-summary-of-friday-october-21-attack/
Dyn’s Key Findings:
• ‘The Friday October 21, 2016 attack has been analyzed as a complex & sophisticated attack, using maliciously targeted, masked TCP and UDP traffic over port 53.’
• Dyn confirms Mirai botnet as primary source of malicious attack traffic.
• Attack generated compounding recursive DNS retry traffic, further exacerbating its impact.
DNS Server
DYN Attack cont. and IoT Security Hearing
‘Level 3 detected approximately 150,000 IoT devices were used to … generate significant amount of bandwidth use that threatens the fabric of the global internet.’
Source: U.S. House of Representatives Joint Hearing “Understanding the Role of Connected Devices in Recent Cyber Attacks” November 16, 2016
‘We believe that in the case of Dyn, the relatively unsophisticated’
Summary
‘The distributed denial-of-service attack that caused the outages, and the vulnerabilities that made the attack possible, was as much a failure of market and policy as it was of technology’
Witness Testimonies
Recon...
the Internet of Things Power Plants, Refrigerators, …, Buildings, Webcams, …
Source: Shodan
Experimenting IP Camera 3.6mm 4MP Full HD IR Mini Dome PoE Network Camera Built-in Mic
What is this ‘thing’ really doing…?
Inspiration
Source: http://securityaffairs.co/wordpress/53588/malware/mirai-infection-test.html
Experimenting Design
1. No Router Connection
   - Network Monitoring
   - Port Scan
2. Internet Connectivity
   - Network Monitoring
   - Port Scan
3. Port Forwarding (Future)
   - Network Monitoring
   - Port Scan
Experimenting Design 1. No Router Connection
Default Open Ports
- Web
- Real Time Streaming
- Print Services Interface
- Universal Plug and Play
Well Known Ports: 0 through 1023.
Registered Ports: 1024 through 49151.
Dynamic/Private: 49152 through 65535.
Experimenting Design 1. No Router Connection
Multicasting Who has 192.168.1.1? Tell 192.168.1.108
Simple Service Discovery Protocol 192.168.1.108 239.255.255.250 NOTIFY
192.168.1.108 224.0.0.22 IGMPv3 60 Report / Join group 239.255.255.250 for any sources
Experimenting Design
2. Internet Connectivity
-ROUTER_12:6d:81 e0:50:8b:0a:06:d3 192.168.1.254 is at … target 192.168.1.66
-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x016f A www.dahuap2pcloud.com
-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x016f A www.dahuap2pcloud.com A 121.199.3.195
DHGET /online/p2psrv/2J03977PAA00347 HTTP/1.1
CSeq: 1927610396
Authorization: WSSE profile="UsernameToken"
X-WSSE: UsernameToken Username="2J03977PAA00347", PasswordDigest="NanYJZWK4bKmrYW7ngt2EK50AY80", Nonce="-691305717", Created="2000-01-01T02:52:12Z"
-192.168.1.66 121.199.3.195 UDP 303 58124 → 8800 Len=261
Experimenting Design 2. Internet Connectivity
-192.168.1.66 192.168.1.254 DNS 81 Standard query 0x0173 A www.dahuap2pcloud.com
-192.168.1.254 192.168.1.66 DNS 97 Standard query response 0x0173 A www.dahuap2pcloud.com A 120.26.104.240
-192.168.1.66 120.26.104.240 UDP 310 46071 → 8800
Experimenting Design
2. Internet Connectivity
-192.168.1.66 192.168.1.254 DNS 76 Standard query 0x0170 A www.dahuap2p.com
-192.168.1.254 192.168.1.66 DNS 92 Standard query response 0x0170 A www.dahuap2p.com A 223.6.252.231
-192.168.1.66 223.6.252.231 TCP 60 41776 → 12366 [ACK] Seq=1 Ack=1 Win=14608 Len=0
What are you sending?
Experimenting Design
2. Internet Connectivity
What are you sending?
192.168.1.66 -> 223.6.252.231
Experimenting Design
2. Internet Connectivity
-192.168.1.66 192.168.1.254 DNS 74 Standard query 0x0171 A rs.lechange.cn
-192.168.1.254 192.168.1.66 DNS 90 Standard query response 0x0171 A rs.lechange.cn A 114.55.152.165
-192.168.1.66 114.55.152.165 TCP 74 46241 → 9084
What are you sending?
Experimenting Design 2. Internet Connectivity
What are you sending? 192.168.1.66 -> 114.55.152.165
Why would it need to send the local IP address?
Experimenting Design 2. Internet Connectivity
Same story…
Summary:
Time Elapsed: 00:03:50
Packets: 3647
Total External IPs: 7
Total UDP: 3 IPs
Total TCP: 4 IPs
Experimenting Wireshark I/O Graph
Interesting looking spike…
Experimenting Trying to determine exactly what ‘jpeg’ images are being sent…
Python Snippet
Network Capture File
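The Python snippet shown on this slide is not in the transcript. As an added example (not the presenter's code), one way to find out which JPEG images a payload carries is to carve complete frames from the reassembled stream bytes by walking the JPEG segment structure, which avoids cutting at an embedded thumbnail's end marker, and to report each frame's dimensions. It assumes the stream payload has already been saved as raw bytes; `sample_frame` builds constructed test data.

```python
import struct

EOI, SOS = 0xD9, 0xDA
SOF_MARKERS = {0xC0, 0xC1, 0xC2}        # baseline, extended, progressive

def parse_jpeg(buf, start):
    """Walk segments from the SOI at `start`; return (end, width, height) or None."""
    pos, size = start + 2, None
    while pos + 4 <= len(buf):                       # header segments up to SOS
        if buf[pos] != 0xFF:
            return None                              # lost marker sync
        marker = buf[pos + 1]
        seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
        if marker in SOF_MARKERS and pos + 9 <= len(buf):
            size = struct.unpack(">HH", buf[pos + 5:pos + 9])[::-1]
        pos += 2 + seglen
        if marker == SOS:
            break
    else:
        return None                                  # truncated before scan data
    while True:                                      # entropy-coded scan data
        pos = buf.find(b"\xff", pos)
        if pos < 0 or pos + 1 >= len(buf):
            return None                              # capture ends mid-image
        nxt = buf[pos + 1]
        if nxt == EOI:
            return (pos + 2, *size) if size else None
        if nxt in (0x00, 0xFF) or 0xD0 <= nxt <= 0xD7:
            pos += 1                                 # stuffed, fill or restart byte
        else:                                        # tables / next scan header
            pos += 2 + int.from_bytes(buf[pos + 2:pos + 4], "big")

def carve_jpegs(stream):
    """Return [(offset, length, width, height)] for each complete JPEG in stream."""
    found, pos = [], stream.find(b"\xff\xd8\xff")
    while pos >= 0:
        end, width, height = parse_jpeg(stream, pos) or (pos + 2, 0, 0)
        if width:
            found.append((pos, end - pos, width, height))
        pos = stream.find(b"\xff\xd8\xff", end)
    return found

def sample_frame(width, height, scan=b"\x12\xff\x00\x34\xff\xd0\x56"):
    """Constructed JPEG-shaped frame (valid structure, not decodable)."""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + sof + sos + scan + b"\xff\xd9"
```

Each returned offset and length can be sliced out of the stream and written to a `.jpg` file for viewing; a frame cut off by the end of the capture is skipped rather than emitted as a corrupt image.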
Experimenting
THIS IS BAD
‘Plug and Play’? Automatically streams live feed to remote server.
Resources
http://iot.ieee.org/
http://standards.ieee.org/innovate/iot/
Final Points
1. IoT Security is a Safety/Privacy Issue
2. …
3. Consider the devices you bring into your home and to work