Nadir Izrael CTO & Founder
©2017 Armis Inc. - All Rights Reserved
It’s 4 AM…
Who is your device talking to?
Today’s Workplace
Health Care
Manufacturing
Today’s Reality
• 40%: Businesses can’t see 40% of the devices in their environment (June 2017, Armis Labs)
• 46%: 46% of US companies had a breach or security issue via IoT devices (June 2017, IDC)
• 280%: IoT attacks exploded by 280% in the first half of 2017 (Aug 2017, TechRepublic/F5)
THE NEW ATTACK LANDSCAPE
A New Type of Threat
A New Class of Threats – Airborne
Internet URL Link Download Pair Device
New Attack Vector Identified
• 5.3B Devices At Risk
• Android, Windows, Linux, and iOS
• 8 Vulnerabilities (4 critical)
• Most serious Bluetooth vulnerability to date
• Enables RCE and MiTM
Can Spread From Device To Device
What Systems Are Impacted
Android: 1 Info Leak, 2 RCE, 1 MiTM
• Google Pixel
• Samsung Galaxy
• Samsung Galaxy Tab
• LG Watch Sport
• Pumpkin Car Audio System
Windows: 1 MiTM
• Windows Desktops
• Windows Laptops
Linux: 1 Info Leak, 1 RCE
• Samsung Gear S3 (Smartwatch)
• Samsung Smart TVs
• Samsung Family Hub (Smart refrigerator)
iOS: 1 RCE (Pre-iOS 10, Pre-tvOS 9)
• iPhone
• iPad
• iPod
• Apple TV
How Many Devices At Risk?
• 8.2B Devices
• 2B Monthly Active Devices: 2 Billion
• 2B Devices Globally: 2 Billion
• 1B Active Devices (iOS, tvOS, watch OS); 1B iOS Devices; 130M pre-iOS 10: 130 Million
• Linux Is Unknown: 1.2 Billion
• 8B “Things” In Use Today (Gartner)
Armis Estimate
• 5.3B Devices At Risk (largest ever): 5.3 Billion
How Many Devices Unpatchable?
Android
• Patchable (900M): 45% (Nougat, Marshmallow)
• Unpatchable (1.1B): 55% (Gingerbread, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop)
Linux
• Patchable (240M): 20%
• Unpatchable (960M): 80%
How BlueBorne Works
High Privileges
How Bluetooth Pairs
Diagram: Device 1 (Smart Phone), Device 2 (Bluetooth Speakers), Connect / Connected
• Bluetooth is “on” and discoverable
• User must find and proactively “pair” to the device
• Some authentication or PIN to connect
• Devices exchange keys, and auto connect without discoverable mode
How BlueBorne Works
Diagram: Attacker (Laptop), Target (Smart Phone), Bluetooth 00:2b:09:6f:2b:01
• Bluetooth is “on”
• Attacker gets the MAC address
• Attacker initiates RCE and attacks via MiTM using a BlueBorne vulnerability
• No user interaction required
• No pairing
• No approval
• Attacker can take over, create MiTM, get encryption keys, etc.
A BlueBorne Worm
Attacker
• Worm-like potential
• Deliver ransomware
• Spread botnet
• Steal credentials
• More…
Info Leak
Info Leak (To Desktop)
Diagram: Attacker (Laptop), Linux PC, Target (Keyboard)
• User connected to Linux desktop
• Attacker uses info leak to get encryption keys of the keyboard
• Attacker intercepts keystrokes without running code or doing MiTM
• Attacker can also inject keystrokes to the targeted device
Info Leak (Headset)
Diagram: Android (Smartphone), Attacker (Laptop), Target (Headset)
• User connected to Android smartphone
• Attacker uses info leak to get encryption keys of the headset
• Attacker intercepts headset audio (eavesdropping on calls for instance)
Man in the Middle Attack
MiTM – WiFi Pineapple
Corporate Network Internet
IMPORTANT User Interaction Required – Users Select The Network
WiFi Pineapple
MiTM – Bluetooth Pineapple
Corporate Network Internet
IMPORTANT No User Interaction Required
Bluetooth Pineapple
Patches Update
A BROKEN SECURITY ARCHITECTURE
Traditional Approaches Are Insufficient
Network NAC Endpoint Security Agent
Traditional Approaches Are Insufficient
Visibility and control are lowest where unmanaged device density is greatest.
Air Gap Will Not Protect Us
A Device-Centric Approach
Device Tracking Device Type Behavior Connections Reputation Version Data-at-Rest History
A Modern Architecture
• Modernize, not rip & replace
• Monitor from access layer up
• Wired and wireless
• See device behavior
• Detect suspicious or malicious behavior
• Must correlate higher in the network
• Integration with existing packet capture or perimeter solutions
Key Elements of New Architecture
• No Agent
• Device Centric
• Behavioral Insights
• Integrated Solution