Nadir Izrael CTO & Founder

©2017 Armis Inc. - All Rights Reserved

It’s 4 AM… Who is your device talking to?

Today’s Workplace

Health Care

Manufacturing

Today’s Reality

  • Businesses can’t see 40% of the devices in their environment (June 2017, Armis Labs)
  • 46% of US companies had a breach or security issue via IoT devices (June 2017, IDC)
  • IoT attacks exploded by 280% in the first half of 2017 (Aug 2017, TechRepublic/F5)

THE NEW ATTACK LANDSCAPE

A New Type of Threat

A New Class of Threats – Airborne

(Diagram labels: Internet, URL Link, Download, Pair Device)

New Attack Vector Identified

  • 5.3B Devices At Risk
  • Android, Windows, Linux, and iOS
  • 8 Vulnerabilities (4 critical)
  • Most serious Bluetooth vulnerability to date
  • Enables RCE and MiTM

Can Spread From Device To Device

What Systems Are Impacted

  • Android: 1 Info Leak, 2 RCE, 1 MiTM. Google Pixel, Samsung Galaxy, Samsung Galaxy Tab, LG Watch Sport, Pumpkin Car Audio System
  • Windows: 1 MiTM. Windows Desktops, Windows Laptops
  • Linux: 1 Info Leak, 1 RCE. Samsung Gear S3 (Smartwatch), Samsung Smart TVs, Samsung Family Hub (Smart refrigerator)
  • iOS: 1 RCE (Pre-iOS 10, Pre-tvOS 9). iPhone, iPad, iPod, Apple TV

How Many Devices At Risk?

  • 8.2B Devices
  • 2B Monthly Active Devices: 2 Billion
  • 2B Devices Globally: 2 Billion
  • 1B Active Devices (iOS, tvOS, watch OS); 1B iOS Devices; 130M pre-iOS 10: 130 Million
  • Linux Is Unknown; 8B “Things” In Use Today (Gartner): 1.2 Billion (Armis Estimate)
  • 5.3B Devices At Risk (largest ever): 5.3 Billion

How Many Devices Unpatchable?

  • Android: Patchable (900M) 45%, Unpatchable (1.1B) 55%
  • Linux: Patchable (240M) 20%, Unpatchable (960M) 80%
  • Android versions shown in the chart: Gingerbread, Ice Cream Sandwich, Jelly Bean, KitKat, Lollipop, Marshmallow, Nougat

How BlueBorne Works

  • High Privileges

How BlueTooth Pairs

  • Bluetooth is “on” and discoverable
  • User must find and proactively “pair” to the device
  • Some authentication or PIN to connect
  • Devices exchange keys, and auto connect without discoverable mode

(Diagram: Device 1 (Smart Phone) connects to Device 2 (Bluetooth Speakers))

How BlueBorne Works

  • Bluetooth is “on”
  • Attacker gets the Bluetooth MAC address (shown in the diagram as 00:2b:09:6f:2b:01)
  • Attacker initiates Bluetooth attacks (RCE and MiTM) using a BlueBorne vulnerability
  • No user interaction required
  • No pairing
  • No approval
  • Attacker can take over, create MiTM, get encryption keys, etc.

(Diagram: Attacker (Laptop) and Target (Smart Phone))

A BlueBorne Worm

  • Worm-like potential
  • Deliver ransomware
  • Spread botnet
  • Steal credentials
  • More…

Info Leak

Info Leak (To Desktop)

(Diagram: Attacker (Laptop), Linux PC, Target (Keyboard))

  • User connected to Linux desktop
  • Attacker uses info leak to get encryption keys of the keyboard
  • Attacker intercepts keystrokes without running code or doing MiTM
  • Attacker can also inject keystrokes to the targeted device

Info Leak (Headset)

(Diagram: Attacker (Laptop), Android (Smartphone), Target (Headset))

  • User connected to Android smartphone
  • Attacker uses info leak to get encryption keys of the headset
  • Attacker intercepts headset audio (eavesdropping on calls for instance)

Man in the Middle Attack

MiTM – WiFi Pineapple

(Diagram labels: Corporate Network, Internet, WiFi Pineapple)

  • IMPORTANT: User Interaction Required – Users Select The Network

MiTM – Bluetooth Pineapple

(Diagram labels: Corporate Network, Internet, Bluetooth Pineapple)

  • IMPORTANT: No User Interaction Required

Patches Update

A BROKEN SECURITY ARCHITECTURE

Traditional Approaches Are Insufficient

(Diagram labels: Network, NAC, Endpoint Security Agent)

Traditional Approaches Are Insufficient

  • Visibility and control is the least where unmanaged device density is the greatest.

Air Gap Will Not Protect Us

A Device-Centric Approach

  • Device Tracking
  • Device Type
  • Behavior
  • Connections
  • Reputation
  • Version
  • Data-at-Rest
  • History

A Modern Architecture

  • Modernize, not rip & replace
  • Monitor from access layer up
  • Wired and wirelessly
  • See device behavior
  • Detect suspicious or malicious behavior
  • Must correlate higher in the network
  • Integration with existing packet capture or perimeter solutions

Key Elements of New Architecture

  • No Agent
  • Device Centric
  • Behavioral Insights
  • Integrated Solution
