Iot Threats, Challenges and Secured Integration
Total Page:16
File Type:pdf, Size:1020Kb
IoT Threats, Challenges and Secured Integration Christian Shink, p. eng., CSSLP System Engineer • Why IoT Devices? • Bot Attacks • 3 Botnets fighting over IoT Firepower • Secure IoT integration Why IoT Devices Internet of Things Internet working of physical devices, vehicles, buildings, … Devices embedded with electronics, software, sensors, actuators Network connectivity Any Path Any Service Any Network Anytime Any Business Any context Anyone Machinery Anybody Building energy Anything Management Any Device Healthcare Retail A Rapidly Growing Number of Connected Devices Copyright © 2017 Radware. All rights reserved. IoT is Highly Susceptible to Cyber Attacks IoT devices run an embedded or stripped-down version of the familiar Linux operating system. 1 Malware can easily be compiled for the target architecture, mostly ARM, MIPS, x86 internet-accessible, lots of (I)IoT and ICS/SCADA are deployed without any form of 2 firewall protection Stripped-down operating system and processing power leaves less room for security 3 features, including auditing, and most compromises go unnoticed by the owners To save engineering time, manufacturers re-use portions of hardware and software in different 4 classes of devices resulting in default passwords and vulnerabilities being shared across device classes and manufacturers Internet Security Trend report 2015 by Nexus guard: IoT is becoming a soft target for cyber-attack Copyright © 2017 Radware. All rights reserved. From the News “D-Link failed to take reasonable steps to secure its routers and IP cameras, potentially compromising sensitive consumer information” “The cameras aren’t designed to receive software updates so the zero-day exploits can’t be patched.” “We believe that this backdoor was introduced by Sony developers on purpose” Sources: 1. Cybereason blog 2. Networkworld 3. SEC Consult Botnets – the ultimate weaponry Not directly associated with the attacker 900,000 Automated Geographically distributed 400,000 Ultimately disposable Flexible 25,000 100,000 Wide range of nefarious activities CCTV Dyn attack Jabber Failed DT Growing fire power Botnet campaign: takeover attack DDoS-for-hire attempt Larger botnets and smarter devices = offer more sophisticated attacks Copyright © 2017 Radware. All rights reserved. Bot Attacks The Internet of Bots More than half internet traffic is bots 27% are good bots, help to make internet better 29% of internet traffic are bad bots Bad Bots: Hacker Bot Maleware/ Download Bot Spam Bot Virus Bot What do bots do? Brute Force Web Scraping DDoS Data Exfiltration * https://areyouahuman.com/downloads/GoodBotsvBadBots_FINAL.pdf Copyright © 2017 Radware. All rights reserved. ** http://www.gartner.com/newsroom/id/3165317 Brute Force Mirai, Hajime, BrickerBot all have code for Telnet brute force attack 61 factory default credentials Copyright © 2017 Radware. All rights reserved. Webscraping Attack Bad bots programmed to: • Scrape flights information. • Act as faux buyers—continuously creating but never completing reservations on those tickets • Airline unable to sell the seats to real customer • Pricing information is exposed. Dynamic source IP attacks so security protection Major US Airline could not track cross session activity Chose Radware’s WAF with fingerprinting technology to block dynamic IP attack 12 Copyright © 2017 Radware. All rights reserved. 3 Botnets fighting over IoT firepower Shared Modus Operandi Taking advantage Identify Upload the Remove Scan for Drop the of factory flaws the matching payload other more device binary malware devices to infect Infection vectors: 1. SSH/Telnet brute force 2. TR-069 protocol 3. Manufacturer backdoors Copyright © 2017 Radware. All rights reserved. Mirai Milestones Sept 20, 2016 Sept 21, 2016 Sept 30, 2016 620Gbps attack GRE in ~ 1 Tbps in volume SYN Mirai Source Code Released payload, No amplification, and ACK floods Over Hackforums.com No reflection 140,000 unique IPs Anna-Senpai Oct 21, 2016 Nov 27, 2016 Feb 8, 2017 DNS Water Torture attack DT Router Takeover Attempt Mirai Gets a Windows with other vectors. Some Mirai w/ TR-064 Exploit Trojan to Boost comprised of Mirai 100k 900,000 consumer’s internet Harvesting end-points reported connection affected Copyright © 2017 Radware. All rights reserved. Mirai botnet architecture $$$ Create account Exists? + Assign bots Loader and Bot C2 API ScanListen CnC written in C New vic! 110 ScanListen and CnC service in Go 61 48101 23 factory default passwords Up to Load Svc 500 brute attempts CnC Connect per second Report IP + credentials Load bot Telnet port scans Bot Bot Telnet port scans (infected device) Brute force login (infectednew vicdevice) Telnet port scans Copyright © 2017 Radware. All rights reserved. Original Mirai Attack Vectors Copyright © 2017 Radware. All rights reserved. DNS Water Torture – Architecture 19 Hajime: Friend or foe ? Discovered Oct 16, 2016 by Rapidity Networks • 5 days before the Dyn attacks • 2 weeks after Mirai source code was published Say it comes with the best of intentions Sophisticated, flexible and extensible Its true purpose remains a mystery Copyright © 2017 Radware. All rights reserved. Hajime Modules Extension module (atk) Main (.i) Secures the device by Scans for new victims filtering infection ports (port TCP/23 and TCP/5358:WSDAPI) Opens up for BitTorent Launches exploit using Telnet brute force P2P control network Creates dynamic port forwarding rules in UPnP enabled gateways Communication is encrypted using RC4 and private/public keys Loader stubs are handcrafted assembly programs optimized for each device Downloads updates for Loads service ‘.i’ on random high port itself using uTP (UDP and TCP) Copyright © 2017 Radware. All rights reserved. Estimated at 300,000 compromised devices 18,623 data points from Radware Honeypots Copyright © 2017 Radware. All rights reserved. Introducing BrickerBot First Internet of Things PDOS Botnet Discovered by Radware March 2017 Prevents devices to take part in DDoS botnets Destroys infected IoT Devices Remote execution of destructive sequence No malware binary downloaded or executed on the victim Copyright © 2017 Radware. All rights reserved. Permanent Denial-of-Service A DoS attack that damages a system so badly that it requires replacement or reinstallation of hardware or software (D)DoS – Victim resumes normal service after attack finishes PDoS – leaves victim in an unoperational state after attack, requiring intervention to restore operations Service Available PDoS Attack Service Available End of DDoS Attack Service Available Service unavailable Copyright © 2017 Radware. All rights reserved. BrickerBot Characteristics 1000+ attempts per day SSH and Telnet are brute forced using factory default credentials Runs from the Dark Web, concealed by TOR exit nodes Only attacks devices infected with IoT bots Requires full TCP connect on port 23, 7547, others Attacks the source IP of the poking device Has a “Plan B” in case something goes wrong How BrickerBot Works Attacks infected devices using passive detection Requires full TCP connect on port 23, 7547, others Attacks the source IP of the poking device SSH and Telnet are brute forced using default credentials closes SSH and invokes a brick sequence on the open Telnet session Copyright © 2017 Radware. All rights reserved. Brick Test: BrickerBot.1 vs Sricam AP003 After BrickerBot.1 sequence: cam unreachable from WAN, can still ping on LAN After reboot: unreachable, also from LAN + Factory reset button useless No serial/usb/removable media to restore firmware back to manufacturer Copyright © 2017 Radware. All rights reserved. Sierra Tel DSL internet service provider Eastern Madera and Mariposa, US. Copyright © 2017 Radware. All rights reserved. IoT Summary - Battle of the Bots Mirai – the Bad Hajime – the Good BrickerBot – the Vigilante (at least for now) • Most powerful to date • Holding insecure IoT • Destroys insecure IoT • New level of DDoS devices hostage so devices to prevent a attacks - Potential for • Aggressively scans and malicious takeover multiple Tbps attacks infects • Unsophisticated, easy • Keeps C2 channel open • Only targets devices to expand • Its true purpose is that are compromised unknown by other Bots Fighting for Control of the Internet of Things Copyright © 2017 Radware. All rights reserved. Secure IoT Integration Bottom-line: IoT is Changing Attack Economics High High Volume High PreIn the IoT: IoT as era: high Mobile complexity Volume Attacks Complex Attacks Complexity Attacks attacksphones areand more IoT devices are expensive,not impervious their to volume is DNS ReflectionEncryption WebEncryption Low & Slow lowermalware, (less forming available huge Amplification LowNTP & Slow DNS HTTPHeadless2 Browsers infectedbotnets runningend points high ) Web HTTP2 complexity attacks SSDP Headless Browsers 32 What should I do to protect myself ? Protecting against Radware known IoT botnets When you are infected 1. Upgrade firmware often 1. Cloud DDoS Protection multi- 1. R E B O O T vector attacks in high volumes 2. Block Telnet access 2. Left Column 3. Whitelist access to TR-069 2. DefensePro signatures update 4. Change Factory default credentials for CLI access Copyright © 2017 Radware. All rights reserved. Effective DDoS Protection Essentials Hybrid DDoS Behavioral-Based Detection Real-Time Signature A cyber-security emergency response plan Copyright © 2017 Radware. All rights reserved. Effective Web Application Security Essentials Full OWASP Top-10 application vulnerabilities Low false positive rate Auto Adaptive policy generation Bot protection and device Securing APIs Flexible deployment options Copyright © 2017 Radware. All rights reserved. Copyright © 2017 Radware. All rights reserved. Additional Information Alerts https://security.radware.com/ddos-threats-attacks/hajime-iot-botnet/ https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-permanent-denial-of-service/ https://security.radware.com/ddos-threats-attacks/brickerbot-pdos-back-with-vengeance/ Blogs https://blog.radware.com/security/attack-types-and-vectors/ US Government Warning About BrickerBot for Industrial Controls https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01 Copyright © 2017 Radware. All rights reserved..