Symposium on The Future Networked Car
(Geneva, Switzerland, 3 March 2016) IoT Security issues related to the future Networked Car
Koji Nakao Distinguished Researcher, Network Security Research Institute, NICT (Yokohama National University with Prof. Yoshioka) Contents 1) IoT problems – in relation to the networked car • Observing current IoT Attacks • Analyzing IoT Attacks • Understanding Infected IoT devices
2) Key findings and Conclusion Scanning observation by nicter-Atlas Recently, “scanning to Port 23 (telenet)” is getting larger!! •Capturing packets through dark-net in real time basis. •Color indicates the protocol types. ■UDP ■TCP SYN ■TCP SYN/ACK ■TCP Other ■ICMP
Atlas Atlas All view 23 view
3 Telnet (23) attacks on Darknet have rocketed 400,000 70,000,000
# of Unique Hosts 350,000 60,000,000 # of Packets 300,000 50,000,000 250,000 40,000,000 200,000
30,000,000 Host Count Host 150,000 Count Packet 20,000,000 100,000
50,000 10,000,000
0 0
Time Darknet Size -> 270,000 IP Addresses (2015/May) 4 Attacking hosts are IoT devices 150,000 attacking IPs
361 models observed
Devices are inferred fromin their web4 interface months and telnet banners. 5 In the case of Connected Car, More Attack Surfaces can be recognized and many IoT devices will be located in the car!
http://gigaom.com/2013/08/06/ciscos-remedy-for-connected-car-security-treat-the-car-like-an-enterprise/ 6 Why IoT devices?
•24/7 online •No AV •Weak/Default login passwords •with global IP address and open to Internet
7 We would like to know..
Monetization Malware Targets
• What kind of malware? • What IoT devices are targeted? • What the attackers • How many different kinds? do after compromising these devices?
We propose the first honeypot for IoT 8 Our Challenges Honeypot Sandbox: IoTBOX IoT devices listening on Telnet IoT malware of different CPU Architecture
ARM MIPSEL
SUPERH
PPC X86
MIPS
• Emulating diverse IoT devices • Handle to run malware of • Handling to capture malware of different CPU architectures different CPU architectures
9 • Different Banner Emulating different devices (IoTPOT) • Scanning Internet on port 23 to get different NAWS (Negotiate About Window Size) banners • Different User ID/Pass 3-way Device Profile Different • Obtain weak/default handshake Banner Banner Interaction ID/Pass by web search (Options) Interactions Do Echo, Do NAWS, Will Echo • Always accept/reject incoming challenges Welcome message ADSL Router • Accept after several & Login prompt login: challenges ARM Authentication id/pass Different • Different Interactions Authentication root User ID/Pass • Learn from actual 12345 cat /bin/sh devices MIPS Response 2 • System with general Command Interaction Command configuration for cat /bin/sh Different embedded devices Response Responses ...... corresponding responses (E.g., OpenWRT or Debian PPC based embedded OS) 10 IoTPOT results • During 122 days of operations [ April 01 to July 31 - 2015]
250,000 Honeypot is setup with 148 IP addresses 200,000
150,000
100,000
Unique Host Count Unique Host 50,000
0 Visit Login Download Malware 900,394 Malware Download Attempts Malware of 11 different CPU architectures 93% of downloaded binaries are new to Virus Total (2015/09) 11 Analyzing attacks
• Intrusion
• Pattern of User ID/Password challenges
• Infection
• Telnet Command Sequences from Attacker
• Monetization
• Behaviors of second stage malware (i.e. binaries and shell scripts)
12 Example1: DDoS (DNS Water Torture attacks)
No resource 9a3jk.cc.zmr666.com? Delayed reply elirjk.cc.zmr666.com? Cache DNS pujare.cc.zmr666.com? server at ISP oiu4an.cc.zmr666.com? 9a3jk.cc.zmr666.com? elirjk.cc.zmr666.com? Authoritative DNS pujare.cc.zmr666.com? for“zmr666.com” oiu4an.cc.zmr666.com?
Infected devices Example 2: Click fraud
Infected devices imitates user clicks to advertising web sites
Infected Devices Example 3: Stealing credential from PPV (Pay Per View)
crede Particular set top boxes are being ntial targeted (such as dreambox) For Understanding Infected IoT devices, looking back on devices visiting IoTPOT 12000 10734 10000 More than 60 different types (361 models) of 8000 devices visit IoTPOT 6000 4856 4000
1391 Number of IP Addresses IP of Number 2000 787 430 411 337 206 206 174 60 20 19 15 11 10 10 9 6 6 0
Figure shows only top-20 devices Device Types • We scan back on port 23/TCP and 80/TCP • More than 60 type of devices visit us 16 Web interfaces of devices attacking us
17 AS with more than 1,000 infected Devices
France Colombia Germany Libya Ukraine Britain Spain Thailand Italy Israel Phillipine Argen na Malaysia Mexico Taiwan China Vietnum Hong Kong
Brasil
USA
India Turkey Korea
Russia
18 Categorizing device types • Surveillance Group • Industrial Control System • IP Camera – Solid State Recorder • DVR (Digital Video Recorder) – Internet Communication Module – Data Acquisition Server • Networking Related Devices – BACnet I/O Module • Router • Personal • Gateway – Web Camera • Modem – Personal Video Recorder • Bridge – Home Automation Gateway • Security Appliance • Broadcasting Facility • Telephone System – Digital Video Broadcaster • VoIP Gateway – Digital Video Scaler • IP Phone – Video Encoder/Decoder • GSM Router – Set Top Box • Analog Phone Adapter • Other – Heat Pump • Infrastructure – Fire Alarm System • Parking Management System – Disk Recording System • LED display control system – Optical Imaging Facility – Fingerprint Scanner 19 Devices are inferred from their web interface and telnet banners. Attacks observed in IoTPOT from the following data source last year (2015).
Time Stamp visiting IoTPOT: 2015-03-09 and 2015-03-14 Country (IP) from Italy HTTP Title : Web2Park -Amministrazione Web2Park® I believe this Web2Park has already been patched and no more scan attacks were observed in our IoT POT since last year. Smart+Connected City Infrastructure Management: IoT Use Cases
Smart+Connected City Smart+Connected City Smart+Connected City Smart+Connected City Smart+Connected City Parking Traffic Safety & Security Location Services Lighting
Give citizens live Monitor and Automatically Provide view of Manage street parking availability manage traffic detect security people flow data to lighting to reduce information to incidents to incidents, shorten aid planning and energy and reduce circling and reduce congestion response time, leverage location maintenance costs congestion and improve and analyze data data for contextual livability to reduce crime content and advertising
Presentation in ITU-T by Mr. Mikhail Kader For Example
City Parking Improve Traffic and Reduce Congestion
Presentation in ITU-T by Mr. Mikhail Kader Smart+Connected City Parking: How It Works
Solution Components Data Flow 1 Sensors on parking spots 1 Sensors detect parking events City 2 New generation of parking Foundational meters 2 Correlation of sensor and Network 3 Video camera with analytics meter events to generate meter violations Video Camera 3 Cameras detect no-parking Sensor and loading zone violation Gateway events STREET CABINET
Parking Ruggedized Switch POWER Sensor No Parking Zone Parking Sensor Parking Sensor
Street Smart+Connected Parking: High-level Architecture 1 Streetline sensor gateway 2 Cisco IP Camera Sensor and video-enabled parking management for cities 3 Cisco Wireless Mesh Network for connectivity 4 Streetline parking data and analytics 4 ParkSight™ parking data and 7 Guided Enforcement™ application 5 Video analytics analytics application application 5 Video analytics for violation detection 6 Parker™ by Streetline app 6 Streetline citizen application to find real-time parking 3 City Wi-Fi availability and payments 7 Streetline enforcement 1 Sensor gateway Streetline vehicle sensors 2 Cisco IP Camera application for parking enforcement officer © 2014. Portions Cisco and portions Streetline. Parker™, ParkSight™, and Guided Enforcement™ are registered trademarks of Streetline. All rights reserved Key findings and Conclusion
Functionality of Head Unit ! Status check of ECUs ! Log collection ! In-car diagnosis function
Functionality of Server Communication protocol Diagnosis of on-board devices ! Stored Data Definition ! Between Car and ! Status check of ECUs Auth info Manufacturer / Garage ! Log collection Log Audit ! Encryption ! Verification of update module ! Authentication With considerations of privacy concerns
Aftermarket Communication Device
Update Server and Log Repository Embedded Information Device at Car Manufacturer / Garage center Power Management Control ECU ...... Seat Belt Control ECU . Secure Communication Driving Support ECU
Parking Assist ECU
Communication Head Unit Skid Control ECU
etc., 27 Example: data flow of remote update
...... Communication Head Unit ECU . Update Server and Log Repository at Car Manufacturer / Garage center
digest 1. ECU generates a digest of its SW with its own secret key and sends it to the head unit 2. Head unit verifies the digest
3. Head unit merges collected digest and resigns it with its digest / own secret key, then sends it to the manufacturer center update 4. The center determines an update program, signs it with own secret key, sends it to the head unit. update 5. Head unit verifies the update program and transmits it to ECU 6. ECU applies the update program by itself digest 7. Again, ECU generates a digest, sign it and sends it to the head unit for verification 8. Head unit verifies the digest digest 9. Head unit resigns the digest with own secret key, and sends it to the center 10. The center determines whether SW update process is successful or not. After the process has done successfully, the center stores the update log into own 28 DB. Contact: Koji Nakao ([email protected])