alex- IoT Threats - The scary state of the Internet of Things

《alex- IoT Threats - The scary state of the Internet of Things》由会员上传分享，免费在线阅读，更多相关内容在学术论文-天天文库。

1、IoTThreatsThescarystateoftheInternetofThingsBitdefenderAlex”Jay”BalanChiefSecurityResearcherBitdefenderRaduBasarabaSeniorIoTSecurityResearcherSMARTEVERYTHINGSmartlightbulb&WiFirepeaterSmartLightbulbSmartPortablefishfinderSmartYogaMatSmartThermostatSmartMusicPlayerSmartCoffeeMakerSmartBarbiedollSma

2、rtPowerOutletIOTHACKING-TOOLSOFTHETRADE•MobileAppdebugging•Networktools(nmap,wireshark,slssplit,etc)•EvilTwinattacks•UART(UniversalAsynchronousReceive&Transmit)•JTAG(JointTestActionGroup)–HWDebug•SPI(SerialPeripheralInterface)•I2C(Inter-IntegratedCircuit)GOALS:•Accessfilesystem•VendorBackdoorsMana

3、gementinterface•Dumpmemory•Firmware/Filesystemexposureyields•Hijackbootloaderwaysofhackingthedeviceinmostcases•SeenetworktrafficTHEMOSTCOMMONISSUES•Defaultpasswords.Undocumented.•Weakornoencryptionwhentalkingoutsidethenetworkenablingremotetakeover•Commandinjectioninsomeofthedevice’sunauthenticated

4、interactions•Veryold(asoldas2008orevenolder)services(dns,ssh,webserver,etc)withallthevulnerabilitiesthatcomewiththem.Weidentifiedacumulatednumberof300(!!!)vulnerabilitiesforasingledevicesimplybecauseeachservicehadanaverageof70-100vulnerabilitiesidentifiedtodate(fromDoStoLFI,RCE.Yougettheidea)•WiFi

5、configurationhotspotsthateitherremainopenoncesetupisfinishedorcanbestartedeasily•Firmwareupdatesareavailablebuttheyarestillverynon-intuitiveinmanydevicesandusersdon’tapplythem.IMPACT•It’smuchmoredifficulttostopattackson“things”thantraditionallaptopsandsmartphones.Ifanattackerdecidestostartplayingw

6、ithahome’ssmartlightsmostpeoplewillbepowerlesstodoanythingaboutitbarshuttingdownthepowerentirely•Inalotofscenarios,thedeviceswillleaktheWiFipassword.Insome,theywillleakevenmoresensitiveinformation•Manydevicesrunbusyboxandcanbeusedto“pivot”orsniffsensitivedatainthelocalnetwork.•We’vealreadyseenroot

7、kitsdesignedespeciallyforARMarchitecturesandbusyboxplacingthedevicesintobotnets.•In2014100.000refrigeratorswereincorporatedintoabotnetthatwasabletosend750.000spame-mailsinburstsof100.000emailsatatime,threetimesad