MOBILE AND THE CONNECTED WORLD

Kevin Mahaffey, CTO, Lookout

Session ID: STU-T17A
Session Classification: Intermediate


HOW MANY DEVICES DO YOU MANAGE?

Image: getButterfly, http://www.flickr.com/photos/59770877@N05/6317955134/

THAT'S IT, RIGHT?

Nmap scan report for 192.168.XXX.XXX
Host is up (0.014s latency).
Not shown: 65510 closed ports
PORT      STATE SERVICE
80/tcp    open  http
135/tcp   open  msrpc
139/tcp   open  netbios-ssn
445/tcp   open  microsoft-ds
2000/tcp  open  cisco-sccp
5060/tcp  open  sip
7504/tcp  open  unknown
7533/tcp  open  unknown
49152/tcp open  unknown
49153/tcp open  unknown
49154/tcp open  unknown
49159/tcp open  unknown
49160/tcp open  unknown
49163/tcp open  unknown

Nmap scan report for 192.168.XXX.XXXX
Host is up (0.0019s latency).
PORT     STATE SERVICE
80/tcp   open  http
5060/tcp open  sip

Nmap scan report for 192.168.XXX.XXX
Host is up (0.017s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
5358/tcp open  unknown
9090/tcp open  zeus-admin
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Nmap scan report for 192.168.XXX.XXX
Host is up (0.024s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
515/tcp  open  printer
5358/tcp open  unknown
9090/tcp open  zeus-admin
9091/tcp open  xmltec-xmlmail
9100/tcp open  jetdirect
9101/tcp open  jetdirect
9102/tcp open  jetdirect
9103/tcp open  jetdirect

Nmap scan report for 192.168.XXX.XXX
Host is up (0.019s latency).
PORT      STATE SERVICE
80/tcp    open  http
443/tcp   open  https
4352/tcp  open  unknown
5120/tcp  open  unknown
5357/tcp  open  wsdapi
7142/tcp  open  unknown
7145/tcp  open  unknown
7146/tcp  open  unknown
7200/tcp  open  fodms
7201/tcp  open  dlip
41794/tcp open  crestron-cip
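The scans above are plain Nmap normal-format output, and the first step toward answering the slide's question is turning that text into an inventory. The Go program below is an added example, not code from the talk or from Lookout: it parses that format into hosts and ports and flags every open service that offers management or file access without encryption or authentication. The sample input re-types the printer host above (abridged to six of its ports) plus a constructed host with nothing open, and the service-to-risk table is the example's own assumption.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// sampleScan is constructed input: the printer host from the slides (abridged
// to six of its ports) followed by a made-up host with nothing open.
const sampleScan = `
Nmap scan report for 192.168.XXX.XXX
Host is up (0.017s latency).
PORT     STATE SERVICE
21/tcp   open  ftp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
515/tcp  open  printer
9100/tcp open  jetdirect

Nmap scan report for 192.168.XXX.YYY
All 65535 scanned ports on 192.168.XXX.YYY are closed
MAC Address: 00:00:00:XX:XX:XX (Example Vendor)
`

// Port is one row of the PORT/STATE/SERVICE table; a trailing "?" on the
// service name (Nmap's unconfirmed guess) is stripped so policy lookups match.
type Port struct {
	Number         int
	State, Service string
}

// Host is one "Nmap scan report for ..." block.
type Host struct {
	Addr, Vendor string
	Ports        []Port
}

var (
	reportRe = regexp.MustCompile(`^Nmap scan report for (\S+)`)
	portRe   = regexp.MustCompile(`^(\d+)/(?:tcp|udp)\s+(\S+)\s+(\S+)`)
	macRe    = regexp.MustCompile(`^MAC Address: \S+ \((.+)\)$`)
)

// ParseNmap turns normal-format Nmap output into a list of hosts.
func ParseNmap(out string) []Host {
	var hosts []Host
	sc := bufio.NewScanner(strings.NewReader(out))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if m := reportRe.FindStringSubmatch(line); m != nil {
			hosts = append(hosts, Host{Addr: m[1]})
			continue
		}
		if len(hosts) == 0 {
			continue // text before the first host block
		}
		h := &hosts[len(hosts)-1]
		if m := portRe.FindStringSubmatch(line); m != nil {
			n, _ := strconv.Atoi(m[1])
			h.Ports = append(h.Ports, Port{n, m[2], strings.TrimSuffix(m[3], "?")})
		} else if m := macRe.FindStringSubmatch(line); m != nil {
			h.Vendor = m[1]
		}
	}
	return hosts
}

// riskyServices is this example's own (assumed) policy: services that give
// management or file access without encryption or authentication.
var riskyServices = map[string]string{
	"telnet": "cleartext remote shell", "ftp": "cleartext file transfer",
	"snmp": "cleartext management, often a default community string",
	"http": "unencrypted web admin interface", "printer": "LPD spooler, no auth",
	"netbios-ssn": "SMB reachable from the LAN", "microsoft-ds": "SMB reachable from the LAN",
	"jetdirect": "raw port-9100 printing, no auth",
}

// Findings lists every open port whose service is in riskyServices as
// "addr:port service: reason", in scan order.
func Findings(hosts []Host) []string {
	var out []string
	for _, h := range hosts {
		for _, p := range h.Ports {
			if why, ok := riskyServices[p.Service]; ok && p.State == "open" {
				out = append(out, fmt.Sprintf("%s:%d %s: %s", h.Addr, p.Number, p.Service, why))
			}
		}
	}
	return out
}

func main() {
	hosts := ParseNmap(sampleScan)
	fmt.Printf("%d hosts inventoried\n", len(hosts))
	for _, f := range Findings(hosts) {
		fmt.Println(f)
	}
}
```

Feed it the output of a scan of your own ranges and the findings list becomes the starting point for the patch, segmentation and monitoring work the later slides ask for.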

HOW ABOUT AT HOME?

Nmap scan report for 192.168.1.XXX
Host is up (0.0057s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE     VERSION
80/tcp    open  http        Linksys E4200 WAP http config
139/tcp   open  netbios-ssn Samba smbd 3.X
445/tcp   open  netbios-ssn Samba smbd 3.X
51000/tcp open  unknown
MAC Address: C0:C1:C0:XX:XX:XX (Cisco-Linksys)

Nmap scan report for 192.168.1.XXX
Host is up (0.0028s latency).
Not shown: 65527 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 5.8p1-hpn13v11 (protocol 2.0)
80/tcp   open  http       Apache httpd 2.2.22 ((Unix))
161/tcp  open  snmp?
515/tcp  open  printer?
548/tcp  open  afp?
631/tcp  open  ipp        CUPS 1.4
5000/tcp open  http       Apache httpd 2.2.22 ((Unix))
5432/tcp open  postgresql PostgreSQL DB 8.3.9 - 8.3.11
MAC Address: 00:11:32:XX:XX:XX (Synology Incorporated)

Nmap scan report for 192.168.1.XX
Host is up (0.13s latency).
All 65535 scanned ports on 192.168.1.XX are closed
MAC Address: 18:B4:30:XX:XX:XX (Nest Labs)

SSL Certificate

Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Nest Labs, Inc., CN=Nest Private Server Certificate Authority
Validity
    Not Before: Aug 14 00:46:40 2012 GMT
    Not After : Aug 14 00:46:40 2013 GMT
Subject: C=US, O=Nest Labs, Inc., CN=devices.nest.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

Nest correctly validates certificate chain :)

SSL Certificate

Signature Algorithm: md5WithRSAEncryption
Issuer: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
Validity
    Not Before: Dec 5 22:06:37 2007 GMT
    Not After : Dec 2 22:06:37 2017 GMT
Subject: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (512 bit)

Ecobee uses a self-signed certificate and a 512-bit RSA key :(
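The two certificate dumps above are the output of openssl x509 -text, and the verdicts under them (chain to a private CA, modern hash and key size, versus self-signed, MD5 and 512-bit RSA) can be mechanised. The Go program below is an added example, not code from the talk: it parses the relevant fields out of the openssl text (the Nest and Ecobee fragments are re-typed from the slides, one field per line as openssl prints them) and applies a small policy whose thresholds are the example's own. The audit date of 25 Feb 2013 is taken from the HTTP capture later in the deck; Nest passes and Ecobee fails on three counts.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Two openssl x509 -text fragments re-typed from the slides, one field per
// line as openssl prints them (constructed input for this example).
const nestCert = `
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Nest Labs, Inc., CN=Nest Private Server Certificate Authority
    Validity
        Not Before: Aug 14 00:46:40 2012 GMT
        Not After : Aug 14 00:46:40 2013 GMT
    Subject: C=US, O=Nest Labs, Inc., CN=devices.nest.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
`

const ecobeeCert = `
    Signature Algorithm: md5WithRSAEncryption
    Issuer: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
    Validity
        Not Before: Dec  5 22:06:37 2007 GMT
        Not After : Dec  2 22:06:37 2017 GMT
    Subject: C=CA, ST=Ontario, L=Toronto, O=Ecobee Inc, OU=Development, CN=ecobee.com
    Subject Public Key Info:
        Public Key Algorithm: rsaEncryption
            RSA Public Key: (512 bit)
`

// CertInfo holds just the fields the audit looks at.
type CertInfo struct {
	SigAlg, Issuer, Subject string
	NotBefore, NotAfter     time.Time
	KeyBits                 int
}

// One regexp per field; (?m) makes ^ and $ work per line.
var fieldRes = map[string]*regexp.Regexp{
	"sig":     regexp.MustCompile(`Signature Algorithm:\s*(\S+)`),
	"issuer":  regexp.MustCompile(`(?m)^\s*Issuer:\s*(.+?)\s*$`),
	"subject": regexp.MustCompile(`(?m)^\s*Subject:\s*(.+?)\s*$`),
	"before":  regexp.MustCompile(`(?m)Not Before:\s*(.+?)\s*$`),
	"after":   regexp.MustCompile(`(?m)Not After\s*:\s*(.+?)\s*$`),
	"bits":    regexp.MustCompile(`Public[ -]Key: \((\d+) bit\)`), // old and new openssl spellings
}

const opensslTime = "Jan _2 15:04:05 2006 MST" // _2 accepts the space-padded day in "Dec  5"

// ParseCertText extracts CertInfo from openssl's text dump.
func ParseCertText(text string) (CertInfo, error) {
	got := map[string]string{}
	for name, re := range fieldRes {
		m := re.FindStringSubmatch(text)
		if m == nil {
			return CertInfo{}, fmt.Errorf("field %s not found", name)
		}
		got[name] = m[1]
	}
	nb, err1 := time.Parse(opensslTime, got["before"])
	na, err2 := time.Parse(opensslTime, got["after"])
	if err1 != nil || err2 != nil {
		return CertInfo{}, fmt.Errorf("bad validity dates: %v %v", err1, err2)
	}
	bits, _ := strconv.Atoi(got["bits"])
	return CertInfo{got["sig"], got["issuer"], got["subject"], nb, na, bits}, nil
}

// Audit returns the reasons a careful client should refuse this certificate as of
// asOf. The thresholds (no MD2/MD5/SHA-1, RSA >= 2048, issuer != subject) are this example's own.
func Audit(c CertInfo, asOf time.Time) []string {
	var issues []string
	alg := strings.ToLower(c.SigAlg)
	if strings.HasPrefix(alg, "md2") || strings.HasPrefix(alg, "md5") || strings.HasPrefix(alg, "sha1") {
		issues = append(issues, "weak signature hash: "+c.SigAlg)
	}
	if c.KeyBits < 2048 {
		issues = append(issues, fmt.Sprintf("RSA key too short: %d bits", c.KeyBits))
	}
	if c.Issuer == c.Subject {
		issues = append(issues, "self-signed: issuer equals subject, no chain to a trusted root")
	}
	if asOf.Before(c.NotBefore) || asOf.After(c.NotAfter) {
		issues = append(issues, "outside validity period")
	}
	return issues
}

func main() {
	asOf := time.Date(2013, 2, 25, 0, 0, 0, 0, time.UTC) // date of the captures in this deck
	n, _ := ParseCertText(nestCert)
	e, _ := ParseCertText(ecobeeCert)
	fmt.Println("Nest:", Audit(n, asOf), "\nEcobee:", Audit(e, asOf))
}
```

Pipe `openssl s_client -connect host:443 | openssl x509 -text` into ParseCertText and the same checks apply to any device endpoint on the list.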

Nmap scan report for 192.168.1.XXX
Host is up (0.027s latency).
All 65535 scanned ports on 192.168.1.XXX are closed
MAC Address: 00:1C:BE:XX:XX:XX (Nintendo Co.)

SSL Certificate

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, ST=Washington, O=Nintendo of America Inc, OU=NOA, CN=Nintendo CA/[email protected]
Validity
    Not Before: Mar 28 19:07:13 2008 GMT
    Not After : Mar 26 19:07:13 2018 GMT
Subject: C=US, ST=Washington, L=Redmond, O=Nintendo, CN=*.shop.wii.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (1024 bit)

Nintendo Wii correctly validates certificate chain :)

Nmap scan report for 192.168.1.XXX
Host is up (0.0065s latency).
Not shown: 65530 closed ports
PORT      STATE SERVICE    VERSION
3689/tcp  open  daap       Apple iTunes DAAP 11.0.1d1
5000/tcp  open  rtsp       Apple AirTunes rtspd 160.10
7000/tcp  open  http       Apple AirPlay httpd
7100/tcp  open  http       Apple AirPlay httpd
62078/tcp open  tcpwrapped
MAC Address: 70:56:81:XX:XX:XX (Unknown)

SSL Certificate

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=Terms of use at https://www.verisign.com/rpa (c)06, CN=VeriSign Class 3 Extended Validation SSL SGC CA
Validity
    Not Before: Oct 2 00:00:00 2012 GMT
    Not After : Oct 2 23:59:59 2013 GMT
Subject: 1.3.6.1.4.1.311.60.2.1.3=US/1.3.6.1.4.1.311.60.2.1.2=California/businessCategory=Private Organization/serialNumber=C0806592, C=US/postalCode=95014, ST=California, L=Cupertino/street=1 Infinite Loop, O=Apple Inc., OU=iTMS Engineering, CN=p2-buy.itunes.apple.com
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

AppleTV correctly validates certificate chain :)

Nmap scan report for 192.168.1.XXX
Host is up (0.0031s latency).
Not shown: 65525 closed ports
PORT      STATE SERVICE       VERSION
23/tcp    open  telnet?
80/tcp    open  http          GoAhead-Webs embedded httpd
443/tcp   open  ssl/http      GoAhead-Webs httpd
1024/tcp  open  rtsp          Apple AirTunes rtspd 103.2
5000/tcp  open  upnp?
5001/tcp  open  commplex-link?
6666/tcp  open  tcpwrapped
8080/tcp  open  http-proxy?
10100/tcp open  unknown
15555/tcp open  unknown
MAC Address: 00:05:CD:XX:XX:XX (Denon)

SSL Certificate

Signature Algorithm: sha1WithRSAEncryption
Issuer: C=JP, ST=Kanagawa, L=Kawasaki-ku,Kawasaki-shi, O=D&M Holding Inc., OU=Denon Brand Company, CN=firmware.denon.jp/[email protected]
Validity
    Not Before: Jan 14 07:37:43 2009 GMT
    Not After : Jan 9 07:37:43 2029 GMT
Subject: C=JP, ST=Kanagawa, L=Kawasaki-ku,Kawasaki-shi, O=D&M Holding Inc., OU=Denon Brand Company, CN=firmware.denon.jp/[email protected]
Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    RSA Public Key: (2048 bit)

Denon AVR-2312CI does not validate certificate chain :(

POST /firminfo.php HTTP/1.1
Host: firmware.denon.jp:443
Content-Type: multipart/form-data; boundary=---------------------------16068598951
Authorization: Basic XXXXXXXXXXXXXXXXX

-----------------------------16068598951
Content-Disposition: form-data; name="FILE"; filename="RequestFirmInfo.xml"
Content-Type: text/xml

<firminfo_request><req_option>1</req_option><device_id>0005CD25XXXX</device_id><id>0</id><divisionnum>0</divisionnum><req_pkgver></req_pkgver><req_item></req_item></firminfo_request>
-----------------------------16068598951
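The receiver above fetches firmware information over TLS but never checks who it is talking to, which leaves the TLS decorative. The Go program below is an added example, not the receiver's or Denon's code: it stands up an in-process update server on loopback with a certificate issued by a constructed vendor-private CA, then dials it three ways: with validation disabled (the receiver's behaviour), with the system trust store (which rejects, because the CA is private), and with the vendor CA pinned as the only trusted root (which accepts). The CA name, host name and one-day validity are the example's assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Outcome records whether each of three client configurations accepted the
// same update server, whose certificate is issued by a vendor-private CA.
type Outcome struct {
	NoValidation error // Denon-style: chain validation switched off
	SystemRoots  error // default validation against the OS trust store
	VendorRoot   error // validation against the vendor CA baked into firmware
}

// newCert signs tmpl with signer under parent (self-signed when parent == tmpl).
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) ([]byte, *x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return der, cert, err
}

// dial performs one TLS handshake with cfg and returns the verification result.
func dial(addr string, cfg *tls.Config) error {
	c, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return err
	}
	return c.Close()
}

// RunDemo stands up an in-process "firmware server" on loopback and dials it
// three ways. The CA name, host name and one-day validity are assumptions.
func RunDemo() (Outcome, error) {
	now := time.Now()
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:   pkix.Name{Organization: []string{"Example Vendor Device CA"}},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	_, caCert, err := newCert(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return Outcome{}, err
	}
	srvKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	srvTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "firmware.example.invalid"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)}, // clients dial by IP
	}
	srvDER, _, err := newCert(srvTmpl, caCert, &srvKey.PublicKey, caKey)
	if err != nil {
		return Outcome{}, err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}},
	})
	if err != nil {
		return Outcome{}, err
	}
	defer ln.Close()
	go func() { // server side: finish each handshake, then hang up
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	vendorPool := x509.NewCertPool()
	vendorPool.AddCert(caCert)
	addr := ln.Addr().String()
	return Outcome{
		NoValidation: dial(addr, &tls.Config{InsecureSkipVerify: true}),
		SystemRoots:  dial(addr, &tls.Config{}),
		VendorRoot:   dial(addr, &tls.Config{RootCAs: vendorPool}),
	}, nil
}

func main() {
	o, err := RunDemo()
	fmt.Printf("setup error: %v\nvalidation off: %v\nsystem roots: %v\nvendor root pinned: %v\n",
		err, o.NoValidation, o.SystemRoots, o.VendorRoot)
}
```

The third configuration is the one a device should ship with: a private CA is fine, as the Nest example earlier shows, provided the client trusts that root and nothing else, and the InsecureSkipVerify-style switch never reaches production firmware.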

Nmap scan report for 192.168.1.XXX
Host is up (0.0024s latency).
All 65535 scanned ports on 192.168.1.XXX are closed
MAC Address: 00:1D:BA:XX:XX:XX (Sony)

Sony BDP-S350 does not use SSL :(

GET /support/blu-ray/BDP-S300_USA/BDP-S300_USA.frf HTTP/1.1
User-Agent: ORION_FRF_UA_START(00:1d:ba:XX:XX:XX BDP-S300_USA 07.0.010 M)END_ORION_FRF_UA
Host: blu-ray.update.sony.net
Accept: */*
Connection: Close

HTTP/1.1 200 OK
Server: Apache
Last-Modified: Thu, 21 Jun 2012 06:43:16 GMT
Accept-Ranges: bytes
Content-Length: 368
Content-Type: text/plain
Date: Mon, 25 Feb 2013 00:03:00 GMT
Connection: close

<BINARY DATA>

ANYTHING ELSE?


http://xtra.simplexnet.com/a_e/FA/4100-0055.pdf


WHAT CAN YOU DO?

BIG PROBLEMS WITH CONNECTED DEVICES

Lots of exposed services
Pwnable firmware update mechanisms
Low end-user visibility that something is fishy

How will you know if a device gets hacked?

Manufacturer abandonment
How long will the manufacturer keep the device current?

MOVE TO ALASKA?

Into the Wild, 2007

ADMINISTRATORS

Apply patches to all connected devices
Some devices need a manual <click>

Segment your network
SIP phones don’t need to talk to your source code management server

Monitor internal netflows
Perimeter defenses are helpful
Make sure you trust your Internet connection

DEVELOPERS

Use SSL
Validate certificate chaining to a trusted root
Use modern crypto

Digitally sign firmware
Penetration-test your devices
Harden your update servers
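For the "digitally sign firmware" point, the Go program below is an added example (not any vendor's updater) of what the device side must do before writing an image: verify an Ed25519 signature over the version and payload with a public key baked into the device, and only then honour the version field, which it also uses to refuse a rollback to an older signed image. The image layout and key handling are the example's assumptions, and the anti-rollback check goes one step beyond the slide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Image is what the update server hands to the device: a version number, the
// firmware payload, and a signature covering both (layout is this example's).
type Image struct {
	Version uint32
	Payload []byte
	Sig     []byte
}

// signingInput binds the version to the payload so a genuine old image cannot
// be relabelled as a newer one.
func signingInput(version uint32, payload []byte) []byte {
	buf := make([]byte, 4, 4+len(payload))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, payload...)
}

// Sign runs on the vendor's build system; the private key never leaves it.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Image {
	return Image{version, payload, ed25519.Sign(priv, signingInput(version, payload))}
}

var (
	ErrBadSignature = errors.New("firmware signature invalid")
	ErrRollback     = errors.New("firmware version not newer than installed")
)

// Device models the updater: the vendor public key baked into ROM and the
// version currently running.
type Device struct {
	VendorPub ed25519.PublicKey
	Installed uint32
}

// Verify is what the device does before touching flash. The signature is
// checked first, so the version field is only trusted once it is authenticated.
func (d *Device) Verify(img Image) error {
	if !ed25519.Verify(d.VendorPub, signingInput(img.Version, img.Payload), img.Sig) {
		return ErrBadSignature
	}
	if img.Version <= d.Installed {
		return ErrRollback
	}
	return nil
}

// Install applies img if Verify accepts it.
func (d *Device) Install(img Image) error {
	if err := d.Verify(img); err != nil {
		return err
	}
	d.Installed = img.Version
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := &Device{VendorPub: pub, Installed: 1}
	good := Sign(priv, 2, []byte("firmware v2 (constructed payload)"))
	fmt.Println("genuine v2:", dev.Install(good))

	tampered := good
	tampered.Payload = append([]byte{}, good.Payload...)
	tampered.Payload[0] ^= 0xff // one flipped byte, e.g. altered in transit
	fmt.Println("tampered:  ", dev.Install(tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	forged := Sign(otherPriv, 3, []byte("firmware v3 from someone else"))
	fmt.Println("wrong key: ", dev.Install(forged))

	old := Sign(priv, 1, []byte("firmware v1, genuine but old"))
	fmt.Println("rollback:  ", dev.Install(old))
}
```

Because the signature, not the transport, is what authenticates the image, this check still holds when the download happens over plain HTTP as in the Sony case, and it is what a hardened update server protects: the signing key should live on the build system, not on the web host that serves the files.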

Apache/2.2.3 (Red Hat) DAV/2 mod_auth_pgsql/2.0.3 mod_python/3.2.8 Python/2.4.3 mod_ssl/2.2.3 OpenSSL/0.9.8e-fips-rhel5 SVN/1.6.11 mod_perl/2.0.4 Perl/v5.8.8

HOW MANY DEVICES DO YOU MANAGE?

SECURITY IS EVERYWHERE.

Thank you.