class: title, smokescreen, shelf, bottom, no-footer
background-image: url(images/Ring_video_doorbell.jpg)

# 181U Spring 2020
## Security Issues

<style>
h1 { border-bottom: 8px solid rgb(32,67,143); border-radius: 2px; width: 90%; }
.smokescreen h1 { border-bottom: none; }
.small.remark-slide-content.compact { font-size: 1.4rem }
.smaller.remark-slide-content.compact { font-size: 1.1rem }
.small-code.remark-slide-content.compact code { font-size: 1.0rem }
.very-small-code.remark-slide-content.compact code { font-size: 0.9rem }
.line-numbers {
  /* Set "line-numbers-counter" to 0 */
  counter-reset: line-numbers-counter;
}
.line-numbers .remark-code-line::before {
  /* Increment "line-numbers-counter" by 1 */
  counter-increment: line-numbers-counter;
  content: counter(line-numbers-counter);
  text-align: right;
  width: 20px;
  border-right: 1px solid #aaa;
  display: inline-block;
  margin-right: 10px;
  padding: 0 5px;
}
</style>

---
layout: true

.footer[
- 181U
- See acknowledgements
]

---
class: compact

# Agenda

<audio controls>
  <source src="audio/attacks_2.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* The issues
* Attack Examples
* Attack Vectors

---
class: compact

# What's different from current Internet issues

<audio controls>
  <source src="audio/attacks_3.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Conventional devices involve humans in the control loop. In IoT, devices are interacting with other devices.
* The lifetime of IoT devices is far longer than that of ordinary computers -- the devices are starting to outlive the companies and enterprises responsible for maintaining them -- unreachable or forgotten devices will disrupt the current "penetrate and patch" model
* Devices may have "baked-in" cryptography/security protocols persisting for decades beyond their security lifetimes

---
class: compact

# Zero-days and Forever-days

<audio controls>
  <source src="audio/attacks_4.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Zero-days -- holes that adversaries know about but defenders do not
* In 2016 the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team announced 11 critical zero-days
  - In a wireless networking device used in "commercial facilities, energy, financial services, and transport systems" internationally
  - In an embedded computer used in "Chemical, commercial facilities, critical manufacturing, emergency services, energy, food..."
  - In building and automation systems from two vendors
  - In power grid components from three vendors used internationally
  - and others
* Zero-days become forever-days if they aren't patched.

---
class: compact,small

# Application Areas

<audio controls>
  <source src="audio/attacks_5.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Cars
  - random failures
    - Thailand's finance minister was trapped in his car due to a computer failure
    - In France and Texas people died when they couldn't open their cars
  - malfeasance
    - attacks on wireless keys, electronic transmissions, etc.
    - remote attacks
* Traffic
  - Apps like Waze dramatically shift driving patterns
* Airplanes
  - Commercial planes expose their networks to passengers (e.g. through ethernet)
* Trains
  - In the Netherlands a train left the station with passengers but no driver
* Medicine
  - Insulin pumps and pacemakers are vulnerable to attack

---
class: compact

# The Internet of Tattletale devices

<audio controls>
  <source src="audio/attacks_6.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Privacy spills (accidental leaks)
  - With IoT there's no reason to believe backend servers will be more secure
  - Personal information of 5 million parents and 200,000 children exposed through the hacking of a company selling kids' toys and gadgets
* Vizio sold more than 15 million "smart TVs" by 2015. The internal software allowed attackers to track everything you watch
* Samsung Smart TV sends captured voice data to a remote server unencrypted
* Hello Barbie records children's conversations and sends them by email to parents

---
class: compact

# The Internet of Tattletale devices (cont.)

<audio controls>
  <source src="audio/attacks_7.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Your devices might be used against you
  - data from Fitbits used in criminal trials
  - data from car GPS systems
* Your devices may talk to the wrong people
  - GM OnStar captures usage data -- they provide an insecure data site that allows others to see your data
* Devices for health monitoring expose data to the wrong people (do you want your employer tracking your activity?)

---
class: compact

# Hacks

<audio controls>
  <source src="audio/attacks_8.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* [How a fish tank helped hack a casino](https://www.washingtonpost.com/news/innovations/wp/2017/07/21/how-a-fish-tank-helped-hack-a-casino/?noredirect=on)
  - In 2017 hackers attempted to acquire data from a casino
  - The fish tank sensors were connected to a PC
  - By attacking the sensors, the hackers stole 10GB of data
* [Dark Web Hackers are Targeting Internet-connected Gas Pumps](https://www.zdnet.com/article/iot-security-now-dark-web-hackers-are-targeting-internet-connected-gas-pumps/)

---
class: compact,small

# Other Hacks

<audio controls>
  <source src="audio/attacks_9.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* [Baby Monitor Hacking](https://nordvpn.com/blog/baby-monitor-iot-hacking/)
  - A young family from Texas was awakened by a hacker's voice coming from their 4-month-old child's bedroom and threats that their child would be kidnapped.
* [Web connected sex toys](https://metro.co.uk/2018/02/01/panty-buster-sex-toys-can-hacked-remotely-pleasure-people-without-consent-researchers-claim-7279177/)
  - "The database containing all the customer data (explicit images, chat logs, sexual orientation, email addresses, passwords in clear text, etc.) was basically readable for everyone on the internet."
* [FDA Confirms that St. Jude's Cardiac Devices Can Be Hacked](https://money.cnn.com/2017/01/09/technology/fda-st-jude-cardiac-hack/)
* [Germany Banned Cayla Doll that can spy](https://www.washingtonpost.com/news/worldviews/wp/2017/02/23/this-pretty-blond-doll-could-be-spying-on-your-family/)
  - According to German officials, Cayla is a prime target for hackers, who can use the toy's technology to spy on families and collect private information. That's because the doll collects and transmits everything it hears to a voice recognition company in the United States.
* [The full story of how the Jeep was hacked](https://www.kaspersky.com/blog/blackhat-jeep-cherokee-hack-explained/9493/)
  - The multimedia system of the Jeep was hacked through its Wi-Fi.

---
class: compact,small

# Fly-by attack on ZigBee smart lightbulbs

<audio controls>
  <source src="audio/attacks_10.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

![](images/hue-system.png# w-40pct fr)

<iframe width="560" height="315" src="https://www.youtube.com/embed/Ed1OjAuRARU" frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

https://eprint.iacr.org/2016/1047.pdf

* Creates a self-spreading ZigBee worm targeting the Philips Hue light system

---
class: compact

# Overview of Hue Attack

<audio controls>
  <source src="audio/attacks_11.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Exploits a bug in Atmel's implementation of the ZigBee Light Link (ZLL) protocol as used in Hue bulbs
* This allows two separate attacks
  1. An attack against the AES-CCM encryption mode used to encrypt and verify firmware updates, allowing the attacker to encrypt, sign, and upload malicious over-the-air (OTA) updates to infect lamps.
  2. A takeover attack allowing full control over lamps from 70-400 meters.

---
class: compact

# Overview of Hue Attack (cont.)

<audio controls>
  <source src="audio/attacks_12.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* The attack does not require prior knowledge about the attacked lamps
* The attack does not require knowledge of the ZLL secret key
* All lamps of the same type use the same global key, so side-channel attacks were used to deduce the key
* By flying a drone in a zig-zag pattern over a city an attacker can disable all the Philips smart bulbs in a city center in a few minutes

---
class: compact

# Stuxnet

![](images/Iran.jpg# w-40pct fr)

<audio controls>
  <source src="audio/attacks_13.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* World's first digital weapon
* In 2010 Iranians noticed the uranium enrichment centrifuges were failing at a high rate
* Stuxnet attacked Siemens PLCs (programmable logic controllers)

https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

---
class: compact

# Mirai Botnet

<audio controls>
  <source src="audio/attacks_14.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* In 2016 infected numerous IoT devices (routers and IP cameras) and used them to flood a DNS provider with a DDoS attack
* Took down Etsy, GitHub, Netflix, Twitter, and others
* Crashed 900,000 routers from Deutsche Telekom
* Root cause was embedded Linux
  - many devices don't have enough space to perform an update
  - old kernels have known vulnerabilities

---
class: compact

# Bricker Bot

<audio controls>
  <source src="audio/attacks_15.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Brute-force attack on telnet
* Targets Linux-based IoT devices running the BusyBox toolkit
* Deletes internal memory and disables TCP timestamps
* Updates firewall and NAT rules

---
class: compact

# Major Vulnerabilities

<audio controls>
  <source src="audio/attacks_16.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Lack of updates -- with 30 billion devices, this is a huge issue
* Unencrypted communication
* Default passwords
* Compromised devices sending spam emails
* Compromised devices used as botnets

---
class: compact

# Growth of Insecure CoAP and MQTT Devices

<audio controls>
  <source src="audio/attacks_17.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

![](images/space.png# w-20pct)
![](images/insecure-deployments.png# w-60pct)

---
class: compact

# Vulnerabilities in MQTT Protocol

<audio controls>
  <source src="audio/attacks_18.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Payload Remaining Length (think buffer overrun)

![](images/payloadremaininglength.png)

---
class: compact,small

# Vulnerabilities in MQTT

<audio controls>
  <source src="audio/attacks_19.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Unicode handling in Topic strings -- the standard does specify how illegal strings are handled

![](images/space.png# w-20pct)
![](images/unicode.png# w-50pct)

---
class: compact

# Malicious Client Uses Message Retain

<audio controls>
  <source src="audio/attacks_20.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

![](images/space.png# w-20pct)
![](images/maliciousclient.png# w-50pct fr)

---
class: compact,small

# Vulnerabilities in MQTT (URI with Wild card)

<audio controls>
  <source src="audio/attacks_21.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

![](images/illegaltopics.png# w-50pct fr)

Parsing a URI is only apparently simple, and the most straightforward way is to use regular expressions when developing a broker. This creates a perfect stage for another renowned attack technique, regular expression denial of service (ReDoS), which was first spotted in web applications, due to their URL-based nature. MQTT topics are nothing but strings separated by slashes, pretty much like URLs.
More recently, the most popular JavaScript libraries have been systematically scrutinized for ReDoS vulnerabilities, with alarming findings that could impact virtually any software based on such libraries.

---
class: compact

# MQTT Payload Remaining Length Bug in Implementation

<audio controls>
  <source src="audio/attacks_22.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Nick O'Leary's pubsubclient library is the most popular open-source MQTT client library for embedded systems such as Arduino-compatible boards (e.g., ESP8266) or the Intel Galileo. This library is used extensively by commercial platforms such as Losant and other IoT platforms.
* The bug can be exploited by sending two packets in a row to a client, enabling the execution of arbitrary code.

---
class: compact

# MQTT Unicode Handling bug in the field

<audio controls>
  <source src="audio/attacks_23.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* Mosquitto versions up to 1.4.15 have this bug:

![](images/space.png# w-3-12th)
![](images/mosquittobug.png# w-50pct)

---
class: compact

# CoAP Amplification

<audio controls>
  <source src="audio/attacks_24.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* IP address spoofing on UDP -- CoAP is inherently susceptible
* Use the target device as a reflector -- send a request with a spoofed source address and the response is reflected to the spoofed target address

---
class: compact

# References

<audio controls>
  <source src="audio/attacks_25.mp3" type="audio/mpeg">
  Your browser does not support the audio element.
</audio>

* [IoT Security Foundation](https://www.iotsecurityfoundation.org/)
  - [Best Practices](https://www.iotsecurityfoundation.org/wp-content/uploads/2019/11/Best-Practice-Guides-Release-2.pdf)
* [Hacking Lightbulbs, Nitesh Dhanjani](https://www.dhanjani.com/docs/Hacking%20Lighbulbs%20Hue%20Dhanjani%202013.pdf)
* Cover photo by Ring - <a rel="nofollow" class="external free" href="https://ring.com/press">https://ring.com/press</a>, <a href="https://creativecommons.org/licenses/by-sa/4.0" title="Creative Commons Attribution-Share Alike 4.0">CC BY-SA 4.0</a>, <a href="https://commons.wikimedia.org/w/index.php?curid=58940160">Link</a>
* Several figures from https://documents.trendmicro.com/assets/white_papers/wp-the-fragility-of-industrial-IoTs-data-backbone.pdf
* Material drawn from "The Internet of Risky Things: Trusting the devices that surround us", Sean Smith
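
---
class: compact,small-code

# Added example: checked MQTT Remaining Length parsing

Worked example for the two "Payload Remaining Length" slides above (the protocol field and the pubsubclient bug). This is added code, not from the deck or from the pubsubclient library; it models the bug class the slides describe (copying as many bytes as the fixed header claims into a fixed-size receive buffer) rather than the exact defect in any release. The function names, the `buffer_size` default and the packet bytes are constructed for illustration.

```python
"""MQTT 3.1.1 fixed-header 'Remaining Length' handling (section 2.2.3):
a variable-length integer of 1 to 4 bytes, 7 data bits per byte, with
the high bit of each byte as a continuation flag. Added example code;
the sample packet is constructed, not captured."""

MAX_REMAINING_LENGTH_BYTES = 4          # spec maximum: 268,435,455 fits in 4


def decode_remaining_length(data, offset=1):
    """Return (remaining_length, bytes_consumed) for the varint that starts
    at data[offset]. Returns None when more bytes are needed to decide and
    raises ValueError when a 5th continuation byte shows up (malformed)."""
    value, multiplier, consumed = 0, 1, 0
    while True:
        if consumed == MAX_REMAINING_LENGTH_BYTES:
            raise ValueError("malformed Remaining Length (more than 4 bytes)")
        if offset + consumed >= len(data):
            return None                       # incomplete: wait for more bytes
        byte = data[offset + consumed]
        consumed += 1
        value += (byte & 0x7F) * multiplier
        multiplier *= 128
        if byte & 0x80 == 0:
            return value, consumed


def unchecked_copy_overrun(data, buffer_size):
    """Model of the bug class: a client that trusts the claimed length and
    copies that many bytes into a buffer of `buffer_size` bytes would write
    this many bytes past its end (0 means no overrun)."""
    decoded = decode_remaining_length(data)
    if decoded is None:
        return 0
    claimed, _ = decoded
    return max(0, claimed - buffer_size)


def parse_packet(data, buffer_size=128):
    """Checked parser: validates the claimed length against the receive
    buffer *before* touching the body. Returns a dict for one complete,
    in-bounds packet, None while the packet is still incomplete, and
    raises ValueError for packets the receiver must reject."""
    if not data:
        return None
    decoded = decode_remaining_length(data)
    if decoded is None:
        return None
    remaining, consumed = decoded
    if remaining > buffer_size:
        raise ValueError("packet larger than receive buffer: %d > %d"
                         % (remaining, buffer_size))
    header_len = 1 + consumed
    if len(data) < header_len + remaining:
        return None                           # body not fully received yet
    return {
        "type": data[0] >> 4,                 # 3 == PUBLISH
        "flags": data[0] & 0x0F,
        "remaining_length": remaining,
        "payload": bytes(data[header_len:header_len + remaining]),
        "consumed": header_len + remaining,
    }


def packet_rejection_reason(data, buffer_size=128):
    """Convenience wrapper: the rejection reason as a string, or None when
    the packet is accepted or merely incomplete."""
    try:
        parse_packet(data, buffer_size)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample: PUBLISH (type 3) whose Remaining Length is 130,
# encoded as the two bytes 0x82 0x01 (2 + 1*128).
SAMPLE_PUBLISH = bytes([0x30, 0x82, 0x01]) + b"A" * 130

if __name__ == "__main__":
    print(decode_remaining_length(bytes([0x30, 0xFF, 0xFF, 0xFF, 0x7F])))
    print("overrun bytes with a 128-byte buffer:",
          unchecked_copy_overrun(SAMPLE_PUBLISH, buffer_size=128))
    print(packet_rejection_reason(SAMPLE_PUBLISH, buffer_size=128))
    print(parse_packet(SAMPLE_PUBLISH, buffer_size=256)["remaining_length"])
```

The design point is the order of the checks: the claimed length is compared with the buffer capacity first, and the body is only read once all of it has arrived, so a header that promises more than the buffer holds is refused rather than copied, and a body that arrives split across two packets simply waits instead of being read past the end of what was received.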
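
---
class: compact,small-code

# Added example: validating MQTT topics and matching filters without regexes

Worked example for the "Unicode handling in Topic strings" and "URI with Wild card" slides above. This is added code, not from the deck, from Mosquitto or from any broker; the rules it enforces are the MUST rules of the MQTT 3.1.1 specification (sections 1.5.3 and 4.7), and the matcher walks the topic level by level rather than compiling the filter into a regular expression, which is the design choice that leaves nothing for a ReDoS to backtrack on. Function names and the sample topics are constructed.

```python
"""MQTT topic-name / topic-filter checks and a linear-time filter matcher.
Added example code; the topic strings used for testing are constructed."""

MAX_TOPIC_BYTES = 65_535                     # spec limit for UTF-8 strings


def topic_error(raw):
    """Return None if `raw` (bytes off the wire) is a well-formed MQTT UTF-8
    string, otherwise a short reason. Python's strict decoder already
    rejects overlong sequences and lone surrogates, which the spec forbids."""
    if len(raw) > MAX_TOPIC_BYTES:
        return "longer than 65535 bytes"
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "not well-formed UTF-8"
    if "\x00" in text:
        return "contains U+0000"             # spec: close the connection
    if text == "":
        return "empty topic"
    return None


def topic_name_error(raw):
    """A topic NAME (carried in PUBLISH) must not contain wildcards."""
    err = topic_error(raw)
    if err:
        return err
    if "+" in raw.decode("utf-8") or "#" in raw.decode("utf-8"):
        return "wildcard in topic name"
    return None


def topic_filter_error(raw):
    """A topic FILTER (carried in SUBSCRIBE): '+' must occupy an entire
    level and '#' must occupy the entire last level."""
    err = topic_error(raw)
    if err:
        return err
    levels = raw.decode("utf-8").split("/")
    for i, level in enumerate(levels):
        if "#" in level and (level != "#" or i != len(levels) - 1):
            return "'#' must be the entire last level"
        if "+" in level and level != "+":
            return "'+' must be an entire level"
    return None


def topic_matches(filter_text, name_text):
    """Match an already-validated filter against a topic name one level at
    a time: O(len(filter) + len(name)) and no regex engine involved.
    Applies the spec rule that wildcards never match a first level that
    starts with '$' (so '#' does not see '$SYS/...' but '$SYS/#' does)."""
    f_levels = filter_text.split("/")
    n_levels = name_text.split("/")
    if n_levels[0].startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return True                      # matches the parent and everything below
        if i >= len(n_levels):
            return False
        if f != "+" and f != n_levels[i]:
            return False
    return len(f_levels) == len(n_levels)


if __name__ == "__main__":
    for sample in (b"sport/tennis", b"\xc0\xaf", b"a\x00b", b"sport/tennis#"):
        print(sample, "->", topic_filter_error(sample))
    print(topic_matches("sport/#", "sport"), topic_matches("#", "$SYS/uptime"))
```

Two behaviours worth noticing when running it: `sport/+` does not match the bare name `sport` but does match `sport/` (an empty trailing level), and `sport/#` matches `sport` itself, both exactly as the specification's examples require.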
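
---
class: compact,small-code

# Added example: spotting CoAP reflection from the server's own traffic

Worked example for the "CoAP Amplification" slide above, from the defender's side: a monitor in front of a CoAP server cannot see the spoofing itself, but it can see the asymmetry that makes reflection worthwhile, far more bytes going back to an apparent client than that client ever sent. This is added code, not from the deck or from any product; the flow records, the server address and the two thresholds are constructed assumptions for illustration.

```python
"""CoAP amplification triage over UDP flow records (src, sport, dst,
dport, bytes), as a collector beside the CoAP server would produce them.
Added example code; all records below are constructed."""

from collections import defaultdict

COAP_PORT = 5683                             # CoAP over UDP (RFC 7252)
SERVER_IP = "10.0.0.5"                       # constructed: our CoAP server

# Constructed sample flows. 192.0.2.10 is a normal client. 198.51.100.7
# never really talked to us: its address is being forged as the source of
# small requests so that our larger responses land on it.
FLOWS = [
    ("192.0.2.10", 41000, SERVER_IP, COAP_PORT, 21),       # normal GET
    (SERVER_IP, COAP_PORT, "192.0.2.10", 41000, 60),       # normal reply
    ("198.51.100.7", 5683, SERVER_IP, COAP_PORT, 21),      # forged GET x3
    ("198.51.100.7", 5683, SERVER_IP, COAP_PORT, 21),
    ("198.51.100.7", 5683, SERVER_IP, COAP_PORT, 21),
    (SERVER_IP, COAP_PORT, "198.51.100.7", 5683, 1024),    # large replies x3
    (SERVER_IP, COAP_PORT, "198.51.100.7", 5683, 1024),
    (SERVER_IP, COAP_PORT, "198.51.100.7", 5683, 1024),
]


def amplification_by_client(flows, server_ip, server_port=COAP_PORT):
    """Per apparent client: bytes it sent to the server, bytes the server
    sent back, and the ratio out/in (the amplification factor the
    reflector is providing to that address)."""
    sent = defaultdict(int)
    received = defaultdict(int)
    for src, sport, dst, dport, size in flows:
        if dst == server_ip and dport == server_port:
            sent[src] += size
        elif src == server_ip and sport == server_port:
            received[dst] += size
    report = {}
    for client in set(sent) | set(received):
        inbound, outbound = sent[client], received[client]
        ratio = outbound / inbound if inbound else float("inf")
        report[client] = {"in": inbound, "out": outbound, "ratio": round(ratio, 2)}
    return report


def suspected_victims(flows, server_ip, max_ratio=10.0, min_out_bytes=1000):
    """Addresses for which the server returns far more than it receives are
    the likely spoofed victims of a reflection attack, and the resources
    they request are the ones to rate-limit or shrink. Both thresholds are
    assumed values; tune them to what the server legitimately serves."""
    report = amplification_by_client(flows, server_ip)
    return sorted(client for client, row in report.items()
                  if row["ratio"] > max_ratio and row["out"] >= min_out_bytes)


if __name__ == "__main__":
    for client, row in sorted(amplification_by_client(FLOWS, SERVER_IP).items()):
        print(client, row)
    print("suspected victims:", suspected_victims(FLOWS, SERVER_IP))
```

The ratio is the number to watch: a normal GET/response pair here is about 3:1, while the forged address is receiving roughly 49 bytes for every byte "it" sent. The CoAP specification itself flags amplification as a risk, and the mitigations follow from the ratio: keep unauthenticated responses small, rate-limit responses per destination, and put large resources behind a confirmable exchange so a forged sender never gets the big answer.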