by Timo Thräm Lufthansa Industry...

Preventing Mirai by Timo Thräm Lufthansa Industry Solutions

Title of presentation (click on “Insert > Header & Footer”) Space for logo of client

We are Lufthansa Industry Solutions

3/29/2017 Preventing Mirai 2

IT Consulting and Systems Integration Lufthansa Industry Solutions

combines the dynamics of an SME

with the economically secure

background of Lufthansa; an

internationally acting global

corporation.

Hard Facts

100% owned by Lufthansa

208 Mil. € total revenue (46% of

which within the

Lufthansa Group)

>200 customers

>1300 skilled employees

Managing Director Bernd Appel

Founding 1997


We are Lufthansa Industry Solutions


Automotive Transport

& Logistics Travel Healthcare Media Energy

Manufac

-turing Manufacturing 3 MRO

Industries

Service Portfolio

Idea/

Strategy

Process

Consulting

Conception

Design

Development/

Technology

Integration

Deployment

Application

Management


Agenda


3 Secure Architecture and Business Cases

2 Security and IoT

1 Information Concerning Mirai



Mirai

Botnet consisting of

400,000 to several million

devices and still growing


Caused the largest DDoS Attack seen till then

against Brian Krebs’ Blog

“https://krebsonsecurity.com” [1]

Caused a DDoS Attack against DynDNS which

made Web Services (e.g. Amazon, Twitter, GitHub)

unavailable for the US East coast [2]

Consists mainly of Internet of Things (IoT) devices

The first generation of Mirai used “Standard

Credentials” to compromise the IoT devices

A modified version of Mirai attacked Telekom

routers last November [3]

Mirai


Facts

heide.de

golem.de

krebsonsecurity.com


Agenda



2 Security and IoT




Why are IoT devices so

interesting for hackers?


User driven devices

Individually configured

Passwords

Software

…

Updateable

Monitored

Why do Attackers Focus on IoT Devices?


IoT devices

Multiple devices with same configuration

Updated more seldom

Mostly unmonitored


Why do Attackers Focus on IoT Devices?


Seems like a perfect cost-benefit

calculation for hackers

User driven devices

Individually configured

Passwords

Software

…

Updateable

Monitored

IoT devices

Multiple devices with same configuration

Updated more seldom

Mostly unmonitored



How is it possible to create such

a large and powerful Botnet?

Let’s dig deeper into IoT security


Embedded device constraints

Insufficient update management

Insufficient quality assurance

(Solution-) developers and what they think about security

System integrators are often engineers,

but rarely trained security

Cost driven development

Weak standard credentials

The S in IoT


Key Problems with IoT and Security


Embedded device constraints

Insufficient update management

Insufficient quality assurance

(Solution-) developers and what they think about security

System integrators are often engineers,

but rarely trained security

Cost driven development

Weak standard credentials

The S in IoT


Key Problems with IoT and Security

Similar to the challenges

in IT a few years ago



IoT Security Myths



Myth #1

There is no cryptography

for IoT devices Wrong


Block Ciphers (ISO/IEC 291922)

SIMON [4]

SPECK [4]

Protocols

IPSec for 6LowPAN [5]

MQTT over SSL

Hash Functions

PHOTON [6]

Stream Ciphers

MICKESv2 [6]

Trivium [6]

And others …

We do have the Tools …


… we just need to use them


Myth #2

Our custom devices can

not perform security related

operations


Wrong


Custom devices

Designed with cryptographic-co-processors

Designed with additional memory and storage

for security features

Designed with secure storages

We do have the Tools …


… we just need to use them


Myth #3

Our solution is not worth

being hacked


Wrong


We do have the Tools … … we just need to use them


This assumption is the

reason why Mirai 1.0

entered the market


System architecture

Security-by-design

Update management must be considered

during the design-phase

Security as quality gate

We do have the Tools … … we just need to use them



Agenda



2 Security and IoT




Secure Architecture Real World Example


Real World Examples


Secure Architecture

Intranet

GSM

LAN

Wifi

Internet

VPN

VPN

VPN

VPN

VPN

Update-Server

Middleware Access

Control

Monitoring

…

Internal System

VPN

Devices are deployed with a

minimum hardened image

and an unique ID

Configured by the update

server

Strict separation of intranet

and internet

No intranet credentials

stored on the devices

…

Security features

improved the business

solution



Securing your IoT solution is

not just about securing you

business case. It is about

securing the infrastructure of

the internet and therefore

securing all business cases.

Space for logo of client

Any Questions?

Contact Timo Thräm, IT-Security Consultant

E-Mail: [email protected]

Phone: +49 151 589 227 71


Thank you for

your Attention. Contact Timo Thräm, IT-Security Consultant


Phone: +49 151 589 227 71


IP-Symcon – Smart Home

Web based user interface is only accessible via

the internet if it is password protected

Real World Examples


MQTT Broker [7]

More than 59000 open MQTT Broker

Some of them are used in productive systems

IP-Symcon WebFront

https://www.shodan.io/


Jeep Jerokee Hack [9]

The Jeep expose an execute command to the GSM

Network via a D-Bus interface Stock impact

Real World Examples


Wireless IP-Cam [8]

“Overall badly designed with a lot of

vulnerabilities”[8]

More than 1,250 various branded cameras

Unauthenticated access

Charlie Miller and Chris Valasek [9]


Any Questions?

Contact Timo Thräm, IT-Security Consultant


Phone: +49 151 589 227 71


Thank you for

your Attention. Contact Timo Thräm, IT-Security Consultant


Phone: +49 151 589 227 71


[1] https://www.golem.de/news/mirai-botnetz-dyndns-bestaetigt-angriff-von-zig-millionen-ip-adressen-1610-

123981.html

[2] https://www.golem.de/news/ddos-massiver-angriff-auf-dyndns-beeintraechtigt-github-und-amazon-1610-

123966.html

[3] https://www.heise.de/security/meldung/Grossstoerung-bei-der-Telekom-Was-wirklich-geschah-

3520212.html

[4] http://csrc.nist.gov/groups/ST/lwc-workshop2015/papers/session1-shors-paper.pdf

[5] https://www.iab.org/wp-content/IAB-uploads/2011/03/Raza.pdf

[6] http://ecrypt-eu.blogspot.de/2016/12/lightweight-cryptography.html

[7] https://m.heise.de/security/meldung/MQTT-Protokoll-IoT-Kommunikation-von-Reaktoren-und-

Gefaengnissen-oeffentlich-einsehbar-

3629650.html?wt_ref=https%3A%2F%2Fwww.google.com%2F&wt_t=1487357607699

[8] https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt

[9] http://illmatics.com/Remote%20Car%20Hacking.pdf

Sources


https://www.golem.de/news/mirai-botnetz-dyndns-bestaetigt-angriff-von-zig-millionen-ip-adressen-1610-123981.html
























https://www.golem.de/news/ddos-massiver-angriff-auf-dyndns-beeintraechtigt-github-und-amazon-1610-123966.html






















https://www.heise.de/security/meldung/Grossstoerung-bei-der-Telekom-Was-wirklich-geschah-3520212.html
















http://csrc.nist.gov/groups/ST/lwc-workshop2015/papers/session1-shors-paper.pdf








https://www.iab.org/wp-content/IAB-uploads/2011/03/Raza.pdf






http://ecrypt-eu.blogspot.de/2016/12/lightweight-cryptography.html






https://m.heise.de/security/meldung/MQTT-Protokoll-IoT-Kommunikation-von-Reaktoren-und-Gefaengnissen-oeffentlich-einsehbar-3629650.html?wt_ref=https://www.google.com/&wt_t=1487357607699






















https://pierrekim.github.io/advisories/2017-goahead-camera-0x00.txt









http://illmatics.com/Remote Car Hacking.pdf

http://illmatics.com/Remote Car Hacking.pdf

by Timo Thräm Lufthansa Industry...

Documents

Transcript of by Timo Thräm Lufthansa Industry...