alex- IoT Threats - The scary state of the Internet of Things (slide deck, 15 pages, 4.71 MB, uploaded 2019-08-29)
IoT Threats: The scary state of the Internet of Things
Bitdefender
Alex "Jay" Balan, Chief Security Researcher, Bitdefender
Radu Basaraba, Senior IoT Security Researcher

SMART EVERYTHING
Smart lightbulb & WiFi repeater, Smart lightbulb, Smart portable fishfinder, Smart yoga mat, Smart thermostat, Smart music player, Smart coffee maker, Smart Barbie doll, Smart power outlet

IOT HACKING - TOOLS OF THE TRADE
• Mobile app debugging
• Network tools (nmap, wireshark, sslsplit, etc.)
• Evil Twin attacks
• UART (Universal Asynchronous Receiver/Transmitter)
• JTAG (Joint Test Action Group) – HW debug
• SPI (Serial Peripheral Interface)
• I2C (Inter-Integrated Circuit)

GOALS:
• Access the filesystem
• Dump memory
• Hijack the bootloader
• See network traffic
• Find vendor backdoors and the management interface
Firmware/filesystem exposure yields ways of hacking the device in most cases.

THE MOST COMMON ISSUES
• Default passwords, often undocumented.
• Weak or no encryption when talking outside the network, enabling remote takeover.
• Command injection in some of the device's unauthenticated interactions.
• Very old (as old as 2008 or even older) services (DNS, SSH, web server, etc.) with all the vulnerabilities that come with them. We identified a cumulated number of 300 (!!!) vulnerabilities for a single device simply because each service had an average of 70-100 vulnerabilities identified to date (from DoS to LFI and RCE; you get the idea).
• WiFi configuration hotspots that either remain open once setup is finished or can be started easily.
• Firmware updates are available, but they are still very non-intuitive on many devices and users don't apply them.

IMPACT
• It's much more difficult to stop attacks on "things" than on traditional laptops and smartphones. If an attacker decides to start playing with a home's smart lights, most people will be powerless to do anything about it bar shutting down the power entirely.
• In a lot of scenarios the devices will leak the WiFi password. In some, they will leak even more sensitive information.
• Many devices run BusyBox and can be used to "pivot" or sniff sensitive data in the local network.
• We've already seen rootkits designed especially for ARM architectures and BusyBox placing the devices into botnets.
• In 2014, 100,000 refrigerators were incorporated into a botnet that was able to send 750,000 spam e-mails in bursts of 100,000 emails at a time, three times a d
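The "command injection in unauthenticated interactions" bullet above is the pattern where an embedded web or setup daemon pastes a request parameter (typically a host to ping, a hostname to resolve, or an SSID) into a shell command. The following is an added illustration, not code from the slide deck or from any Bitdefender research: a vulnerable handler that builds a `ping` command string for `system()`, beside a hardened version that validates the host against an allowlist and execs the binary directly with an argv, so no shell ever parses the value. The `HOST_OK` and `HOST_EVIL` inputs are constructed sample values, and the function names are chosen for this example only.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample inputs: what the companion app would send, and what an
 * attacker on the LAN (or on the still-open setup hotspot) would send. */
#define HOST_OK   "8.8.8.8"
#define HOST_EVIL "8.8.8.8; cat /etc/passwd"

/* Vulnerable pattern (hypothetical handler): the untrusted "host" parameter is
 * pasted into a shell command that the daemon later hands to system(). The
 * shell honours the ';' and runs the attacker's second command with the
 * daemon's privileges, which on most devices is root. Returns snprintf's
 * result so callers can inspect the string that would be executed. */
int build_ping_cmd_vuln(const char *host, char *out, size_t outlen)
{
    return snprintf(out, outlen, "ping -c 1 %s", host);
}

/* Helper: does the vulnerable command string still carry the injected text? */
bool vuln_cmd_contains(const char *host, const char *needle)
{
    char cmd[512];
    build_ping_cmd_vuln(host, cmd, sizeof cmd);
    return strstr(cmd, needle) != NULL;
}

/* Hardened check: allow only hostname/IPv4 characters, bound the length and
 * refuse a leading '-' so the value can never be parsed as a ping option. */
bool is_safe_host(const char *host)
{
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)host[i];
        if (!isalnum(c) && c != '.' && c != '-')
            return false;
    }
    return true;
}

/* Hardened pattern: after validation, build an argv and exec the binary
 * directly. No shell is involved, so metacharacters carry no meaning.
 * Returns argc on success, -1 if the host was rejected or argv is too small. */
int build_ping_argv(const char *host, const char *argv[], size_t max_args)
{
    if (max_args < 5 || !is_safe_host(host))
        return -1;
    argv[0] = "ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;
    argv[4] = NULL;
    return 4;
}

/* Helper: argc the hardened builder produces for a given host, or -1. */
int safe_argc(const char *host)
{
    const char *argv[5];
    return build_ping_argv(host, argv, 5);
}

/* fork()+execvp() wrapper around build_ping_argv(). Returns the child's exit
 * status, or -1 if the input was rejected or the exec failed. */
int run_ping_safe(const char *host)
{
    const char *argv[5];
    if (build_ping_argv(host, argv, 5) < 0)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    char cmd[256];
    build_ping_cmd_vuln(HOST_EVIL, cmd, sizeof cmd);
    printf("vulnerable handler would run: %s\n", cmd);
    printf("is_safe_host(\"%s\") = %d\n", HOST_OK, is_safe_host(HOST_OK));
    printf("is_safe_host(\"%s\") = %d\n", HOST_EVIL, is_safe_host(HOST_EVIL));
    printf("run_ping_safe(evil) = %d (rejected before any process is spawned)\n",
           run_ping_safe(HOST_EVIL));
    return 0;
}
```

The allowlist is deliberately narrow (letters, digits, dot, hyphen); on a real device it should match exactly the inputs the legitimate app can produce, and the same validate-then-exec shape applies to every other parameter the daemon forwards to a shell. Note that fixing the injection does nothing about the bullet's other half: the handler is still unauthenticated, so anyone who can reach the interface can make the device ping arbitrary hosts.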