Secure or Get Compromised: Unveiling the Web Security in IoT Devices
1:45PM Aug 1, 2020
Embedded web servers go from the logs to smart things. IoT devices are a part of the human DNA; a large number of security issues exist due to the inability to impose strong authentication and authorization controls at a granular level. By the same fact, this gap is also inherited as vulnerabilities. "Secure or Get Compromised" is our next talk, by Dr. Aditya Sood, who is the senior director of threat research and development at F5 Networks, on how embedded web servers used in IoT devices are exploited by adversaries to trigger advanced cyber attacks. So let's hear from him.
So let's take a look into the next one, which is cookies, the credential carrier. We have seen that in a number of IoT devices, people assume that the way it is designed, simply passing the values in the cookies is a secure mechanism, which in fact is not true. And that's what we are going to discuss in this use case. So generally, lots of IoT devices are available on the internet with different functionalities and variations. Some of the IoT devices follow weak session management, and that's what we are going to cover in this case study. Take a look into this one. When you authenticate to the web interface of a specific IoT device, in this case it has to be one label, and you send the HTTP POST request to a specific file, you can clearly see a cookie is passed, and the cookie actually contains user, session ID, user password 111, and then 111, sorry. So in this case you can clearly sense that somehow this default password and that parameter are being passed in the cookie. And this is being used in multiple places, which means that somehow the embedded web server and the application, which in this case is the web interface to access the device, is following what is called a very insecure design practice: it is allowing the cookie, and the password is passed in the cookie. So that is not at all a good scenario. Which means that by simply looking into the HTTP traffic, if this traffic is sent in an unencrypted fashion over a non-HTTPS channel, where TLS isn't used, you can actually extract these credentials and get access to the system. Now,
we're just moving
So it is all about injecting payloads, but what kind of interface we are choosing. When we talk about web interfaces or the HTTP protocol, you will open a web browser and start interacting with the IoT device. In this case, what we have seen is that a number of IoT devices actually provide different remote management interfaces as well. It could be HTTP, it could be SSH, it could be FTP, and it could be telnet as well. So there is one design background that I have analyzed during this research: whenever you provide any kind of arbitrary values, let's say for example you want to use a telnet remote login interface, you provide a username and a password and you try to log in via the telnet interface. And then all of the user-supplied values get logged into the web interface, because they want to make sure who is accessing the telnet interface and what exactly they are doing with it, so they put all those logs back into that interface. What happens is that the whole component that is designed to handle those logs does not validate what kind of arbitrary values are being supplied via the telnet interface. Let's take a look into this one. Now in this case, I'm actually showing you one of the telnet interfaces here, and it asks for a username. This is our attack point, right? So we will inject arbitrary payloads here. Now, in this slide, if you see what I did, I didn't know the username or password for this particular assessment. So in this case, you can clearly see that we supplied arbitrary values here.
this MIPSEL file, changing the file permission mode and executing it, and then cleaning the directory. They don't want to have any kind of traces remaining on the IoT device, so they just let it run and keep on doing it for a longer period of time. So that's how they weaponize and automate this kind of exploit targeting various IoT devices. In the next one, a similar case study, what we're going to highlight is that the kind of exploit in this case is XML-based. The way the system is designed, different IoT devices are accepting XML-based payloads and then they actually process them in the same way. Similarly, we extracted this payload from the embedded binary. And you can see here, I have a very simple demo. Let's see, I've added it; let's see if it works.
So, I'll forward it a little bit to get to the real context. What we are doing is trying to fetch the binary from the remote location here. We fetched it.
So now we are extracting the embedded HTTP GET and POST requests carrying the exploit payloads.
So for this particular PLC, I just used a very simple packet capture file.
But you have to perform a number of different steps as well in order to reverse engineer it, and things like that. Yeah,
so that's how these exploit files are actually embedded in there.
The files are specific to different architectures for various IoT devices, such as x86, MIPSEL and others. Now, another topic that I want to touch base on is that in 2019 this issue came up with HP iLO systems and ransomware, and we've been following this thing for like one and a half years; we are still seeing a number of these devices that are still infected with this ransomware, and
this is again
a very important issue, which needs significant attention, because now ransomware is also targeting IoT devices. If you look at this, when I actually found this iLO system which is compromised and I was able to open it in the browser, you can clearly see a scary notice is triggered here, and you can see that the ransom message has been displayed, where they actually want the money via Bitcoin.
I have this small demo lined up on one of the iLO systems to actually just show you how these problems are actually real in nature. So let's take a look at it.
So most of the iLO systems have a basic device XML file, and we try to fetch it, and you can clearly see a lot of the information that is available in it, which version and things like that.
So, I missed a command here, but let's see.
So what we are able to fetch is how the web interface looks, and the important information related to the basic device XML file. We are able to fetch the XML file and here we are opening it up. And yeah, it is working, so the system is accessible. Now you can see which model, which firmware version, and everything that is available.
Now we are actually going to fetch the web interface here; of course, SSL certificates, we need to accept them. And this is all on an iLO system. And now you can clearly see the system has actually been compromised with ransomware, and you can see the message being displayed. Yeah, so the idea of this particular presentation is to actually show that the kind of threats we are talking about are actually pretty real in nature. And you will find a lot of systems on the internet that are still compromised with this kind of threat. Ransomware is not simply targeting end users, as you know; they are actually targeting IoT devices now as well. Yeah, so now we have touched on two topics. We talked about six or seven real-world case studies, vulnerabilities and design flaws that exist in the web interfaces. Then we also talked about how they actually weaponize those kinds of issues: the security issues related to cURL, insecure configuration, inherent vulnerabilities, how they actually automated them, how they embed those exploits and let the binary run on one IoT device, and then how they clean up the entire temporary directories to remove the traces. But another important aspect, which I will now talk about, is in the SCADA space as well, to some extent related to IoT if you take the broad definition, because there are a lot of problems associated with web HMIs as well. HMI here stands for human-machine interface, but it has a web component to it as well. Basically, via a web interface you can perform certain kinds of operations that directly guide the backend systems to function accordingly. So let's take a look at it. Here I'm basically going to talk about interesting discoveries that we have made and the insecurities that exist in various SCADA infrastructure.
Now, this one is a simple example of irrigation controllers, a Blue Spray one, and you can find a lot of these irrigation controllers. Depending on the functionality that is available, you can conduct some kind of reconnaissance or information gathering, or you can even utilize it to perform some kind of unwarranted operations using these devices. The idea in this case is to highlight that these kinds of devices are available on the internet, and if you have the right set of information, the right knowledge, and know what kind of indicators you need to check, you'll get an idea of it. So this is pretty amazing here: you can clearly see a whole home here, the house, what kind of things they have set up, what kind of irrigation controllers they have; they are exactly like that. But let's just move on to the next one. These are smart I/O controllers. In this case, you can switch on and off a lot of different outlets here, which means here is output two, output three; these are input statuses, these are inactive states of all the inputs, but you can actually switch the inputs on and off as well, because you can use this handle to perform that. And this is all happening over the web, which means that you actually perform this operation via the web HMI, and the backend system and the whole backend design are set up in such a way that it actually translates back to a command which is eventually executed by the whole backend infrastructure and applications. Now let's take a look into another one. This one is related to industrial control automation HMIs. In order to actually get access to it, you need to pass a four-digit code. And you can clearly see it might not be that complex, because if you look at this, it is not cryptographically secure; it is just like guessing.
And how many combinations are we going to have for four digits here? So, yeah, you can do it, and you can actually be able to bypass it, find the right one, or extract a lot of information from other components that are exposed.
Similarly, in this case, the login page is six digits, but somehow we were able to find it out, and we reported it to the appropriate guys. So you can clearly sense it here: with this web HMI unauthenticated, you basically already have access to the system and can conduct a lot of different operations. And this is what we really need to prevent here, or we need to work with the vendors to make sure that even if you're utilizing these kinds of technologies, in this case web HMIs, you secure these devices and make sure that much more robust security controls are being implemented. Anyhow, similarly with the next one, pump controls, a similar thing, a web HMI, but available on the internet in an insecure way. Now, looking at some of the examples that we have discussed in the context of web HMIs, it means we really need to invest a lot of effort and time to actually make the SCADA infrastructure more secure. Since this presentation is entirely focused on the web component of it, we need to make sure that the web interfaces, any web component being used, are designed in a very effective way, ensuring that the design cannot be compromised or abused, including any exploitation of vulnerabilities and configuration flaws. That being said, I still remember the very last time I attended HOPE. I was walking through the Hotel in New York, and I was looking at some of the very interesting visuals, and I took some pictures to be used in my presentation, and I'm using them again at the HOPE conference, which is quite amazing. And I found this thing very impressive, and it's great work done by artists and contributors at HOPE, and the message is very, very simple. It says: security isn't new, right?
It is nothing groundbreaking, but it's up to you. We have the benchmarks defined, we are actually advancing on the security front with new technologies, we're building new benchmarks, new baselines, but are we implementing them? Right? Are we following the standards? I think that is the most important part. And I think that's where you can see security isn't new; it is up to you. So that's what we really need to start thinking about in the space of IoT as well, ensuring the best-of-breed security experience that we can actually provide in the context of IoT devices.
So that being said,
I'm kind of done with my presentation here. I hope this is of some interest. And although you are attending it online, I hope I was able to share some interesting details, interesting findings or intelligence with the research community and the whole team. I would say thanks again, and once again, I really respect the kind of effort and the work done by the HOPE conference in still arranging the conference in these difficult times. I appreciate all your efforts. And if you have any questions or queries, I am here.
Thank you very much.
Thank you, Aditya, for creating more awareness on imposing strong authentication and authorization controls for our IoT devices. Now it's time for questions and answers. Let me begin with the first question we received: Are there any open source secure IoT frameworks to start with, with a focus on security? Yeah, so
I think there are a few available, but if you look at IoT as a kind of broad space, with different variations in the way different devices are working, even if you look at it from the networking architecture, it becomes a very focus-centric approach when you try to build any IoT framework. We do have a few which have been used by different organizations; for example, GE uses Predix, there is a setter, and then there's ThingSpeak; a few of them are already out there, and for Eclipse IoT you can use that as well. But irrespective of that, I think what we need to focus on here is the basics of security, right? Even for the embedded web servers, applications and interfaces, it is much more important to understand what hardened baselines we need to use. I always believe that basics are the hardest part to conquer. As a result of that, we think that basics are just like, okay, it's just normal stuff, but if you look at all sorts of vulnerabilities, it is the basics that are not being implemented efficiently. So you can have different frameworks, but the way those frameworks are applied and use these kinds of security concepts also matters. I think it's a shared responsibility model to some extent. If you see, recently this IoT laws bill has been passed, which enforces a check where the username and password need to be changed the very first time you actually deploy that device anywhere on the internet. So I think these are small things, but eventually what we really need to understand here is that frameworks do exist at scale, but it becomes very product-centric; I mean, you cannot have one secure framework applicable to all.
So from that, I think it is the guidelines, the basics, that we really need to follow when we perform solid design reviews when we're building these products.
All right, we have another question. You described a CAPTCHA system; do you think CAPTCHAs should be abandoned entirely, or is it still worthwhile to have them on IoT devices? I think,
again, it is a good question. What I feel, during the course of this research and a few others on generic web applications, is that it all depends on the way CAPTCHAs are structured and implemented, right? In any design framework, whenever we build any design system, we never build that design based on the fact that the client is secure. The baseline is that anything you implement on the client side is always insecure. So that's where you need to set the foundation and start building your system. Now with CAPTCHAs and all that, I think it all depends on your complexity, and how much it is going to harden or increase the complexity of the system to actually solve the attacks that are happening against the systems. Client side is always a no-no for CAPTCHA; it has to be designed from the perspective that everything has to be on the server side, everything you generate has to be implemented there, in light of defense in depth. You cannot say that you have implemented a CAPTCHA but all the other web security benchmarks are gone. I am okay with CAPTCHAs to some extent, but there is much more that needs to be done on the basics of security; I'm still sticking to my point, and I feel that a lot more needs to be done on that side whenever we are building web consoles, sub-interfaces or embedded web servers and things like that. A CAPTCHA is good security, but nothing is 100% or bulletproof if you implement it in a very insecure manner.
All right, there's another question. Yeah. Would you talk a little bit about upgrading IoT devices? What happens when manufacturers disappear, or they stop providing updates of software or firmware? Yeah. So I think
it is a very neat question, and this is very realistic in today's world as well. I believe that there is a cost associated with upgrading as well, right? Because these are legacy devices, so to say, and once they are deployed, people believe it is a sticky business: it is going to stay there, we don't care what is happening and all that. And then it also depends on the vendors, how fast they are releasing the patches and fixes, and how effectively they are working in conjunction with the customers to make sure that they update their devices. One interesting artifact that we have seen in the real world is that it also depends on how complex the deployment is and how much cost is associated with that. So, again, I'm sticking to the point that it's a shared responsibility model: how effectively vendors work with the customers, and customers also need to show a way, a small one as well, to make sure all these devices are fixed, and it takes time. This is not an overnight job, because there are several dependencies that we really need to take into consideration. This needs a well-formulated plan to actually go step by step, fix those issues, and then make sure that when these issues are fixed there aren't any kind of problems in the network or environment. It's not an easy task; it requires well-formulated plans.
Alright, there's another question I'm seeing: some argue devices implicitly trust other devices from the same manufacturer. Would that create a bigger attack surface? Yeah, absolutely.
I think in certain cases that we have seen, it does. When we look at it from a design perspective, we dissect it into horizontal escalation scenarios and vertical escalation scenarios. So basically, if you're staying in the same horizontal way, different devices, different manufacturers; for example, let's say there's a manufacturer who has built these IoT devices, and it has backend support for some sort of cloud service as well. How they are performing authentication checks with the cloud services matters a lot. Sometimes, under the hood, the authentication and authorization controls are very weak, because they assume that "I'm sending this identifier to the cloud and fetching the data", and that is pretty much understood; I mean, they use some authentication, but it is kind of very weak. If we look at the distributed way, like device-to-device communication, we have not seen enough traces like that, because every device follows a standard design and an individual model of security. Considering that, I think it could be a problem which needs to be well researched on that path. That's really what we have seen in this scenario, but eventually, at the end of the day, it is much more related to the design of the systems, right? Usability is one part of it, but eventually it is about how it is being exploited. And we have definitely seen a pattern that has been followed a lot, which I just mentioned in the talk as well: the weaponization part, where you install a binary and the binary is using one IoT device as a launch pad.
And then it definitely picks up some traces based on pre-populated knowledge that is gained from the device, and when it runs distributed, it can be targeted or it can be broad-based. But when it runs, it is using the IoT device to perform a different set of communications to other IoT devices. So even from the detection and prevention point of view, as we build IoT security, it needs to be checked why an IoT device is communicating with another IoT device in a very random way, or more frequently; so again, this becomes a part of analytics, how you formulate the patterns here. But definitely, IoT devices are being used as launch pads to attack other IoT devices. All right.
Thank you so much for an interesting presentation. We are out of time, and we hope you will come back again and create more awareness regarding IoT or other devices that we use in the future. Thank you so much, audience, for being part of HOPE 2020. We will be back with another talk in the next 10 minutes. Until then, stay safe. Thank you all. Thanks everyone. Take care.
Having a great time.
Hey everyone, this is a
static sending greetings from Berlin. I hope all of you are keeping safe and having a really good conference. I was debating what to create for a little bumper, and I picked two things I really like: cats, and Sparta, or Ancient Greece. So I hope that you enjoy this, and I hope that you enjoy the conference.
Welcome back to HOPE. And we have our next panel up now. We have a number of experts here with us to represent ICANN, IETF, IEEE and the ITU, or the I-star organizations. And we're going to maximize the time available. So without further ado, let me turn it over to Mallory Knodel to introduce herself and the rest of the panelists.
Thanks. Hi, everyone. Welcome back to another edition of updates on the I-star organizations. We're going to talk a little bit about what has been going on in the last couple of years, since it's been two years since we did this session last time. We're just experts that participate in these I-star organizations, not necessarily representing them, but we will try to do our best to update you on the most interesting things happening in ICANN, IETF, IEEE and ITU. I'm going to let each of the panelists introduce themselves. We're just going to go round the table on what everybody is seeing that might be of interest. And while you're listening, you can type your questions into Matrix and we'll make sure to get to them if we have time at the end. So I'm going to first turn it over to Amelia. Go right ahead.