$HOME Sweet $HOME

SANSFIRE 2016 - Xavier Mertens

$ cat ~/whoami.xml<profile> <real_name>Xavier Mertens</real_name> <day_job>Freelance Security Guy</day_job> <night_job>Hacker, Blogger</night_job> <![CDATA[ www.truesec.be blog.rootshell.be isc.sans.edu www.brucon.org ]]></profile>

$ cat ~/.profile

• I like (your) data

• Playing “Active Defense”

• I prefer t-shirts than ties

• Geek and gadgets over!

$ cat ~/disclaimer.txt

“The opinions expressed in this presentation are those of the speaker and do not necessarily reflect those of past, present employers, partners or customers.”

$HOME Sweet $HOME

$HOME Sweet $HOME

Agenda

• A Revolution Entered Our Homes

• Internet of Nightmares

• Mitigations

• Conclusions

Fidonet: 2:291/715.9

Aminet: 39:120/201.9

BBS Fidonet UUCP IP (SLIP) “Broadband” Mobile

What’s next?

Today?

• More bandwidth at home that when I started to work for ISP’s (1996)

• SLA @ home (Kids complaint when offline)

Today?

Today?

$DATA

• Family pictures

• Administrative docs (taxes, insurances, invoices)

• Medias (MP3, movies, books)

• $YOU

Before:

Internet LAN

Fire

wal

l

Ingress Traffic

Today:

Internet LAN

Fire

wal

l

Egress Traffic

IoT Botnet

IoT Botnet

Source: https://www.emaze.com/@AIFFFTIO/IoT-Health-ppt

Google Too!

More info: https://developers.google.com/brillo/

Agenda

• A Revolution Entered Our Homes

• Internet of Terrors

• Mitigations

• Conclusions

Resistance is Futile!

Growing Attack Surface

“Smart”?

“having or showing a quick-witted intelligence”

TrueSec 30

Smart Devices? Really?

Smart-ization…

Adding a communication module to an objectdoesn’t make it “smart”…

TrueSec 32

TrueSec 33

What is the differencebetween…

Sensors Software Connectivity Bigdata

VulnerabilityExploit MitM PrivacyAbuse

OWASP

• Insecure Web Interface

• Insufficient Authentication/Authorization

• Insecure Network Services

• Lack of Transport Encryption

• Privacy Concerns

• Insecure Cloud Interface

• Insecure Mobile Interface

• Insufficient Security Configurability

• Insecure Software/Firmware

• Poor Physical Security

Developers…

We already fail to patch regular computers…

… what about IoT devices?

TrueSec 44

SecurityFeatures

Ease of Use

TrueSec

Agenda

• A Revolution Entered Our Homes

• Internet of Terrors

• Mitigations

• Conclusions

45

<warning> This section focuses on devices connected

to your IP home network </warning>

Rule #0

• Think twice: “Do you really need this device?”

• Agreed… very difficult for the most of us!

• What is the MAC address of the device?

• What are the network requirement? (DNS, NTP, SNMP, Syslog)

• What are the open ports required? To which IP address(es)?

• Can the device be upgraded?

• Are firmwares signed?

• Can we backup/restore the config?

Rule #1

Rule #2

• Assign a fixed DHCP lease to known devices

host myflattv { hardware ethernet aa:bb:cc:dd:ee:ff; fixed-address 192.168.1.100; option routers 192.168.1.1; default-lease-time 3600; }

Rule #3

• Implement an egress filter

• Any:Any to Any:Any, Drop & Log

• Allow only required traffic (see rule #1)

Rule #4

• Segmentation

Rule #5

• Use a local resolvers (DNS queries) and log

Rule #6

• Disable unsafe protocols like SSDP/UPnP

• Risk of DDoS (amplification attack)

Rule #7

• Capture the traffic from unknown devices(http://blog.rootshell.be/2015/03/17/the-lack-of-network-documentation/)

Rule #8

• Be offensive!

• Know your enemy

Hardware

Hardware

TrueSec

Topology

59

Ethernet Switch

Router

Server

Device1 Device2

Firewall

Software Shopping

Commercial $olution$

PA200, Sophos UTM Home Edition, <insert your preferred $VENDOR>

TrueSec

Virtualize!

62

KVM (“Kernel-based Virtual Machine”), VirtualBox,ESX, XenServer, …

Security Onion

Security Onion is a Linux distro for intrusiondetection, network security monitoring, and log

management. Core components are: Snort,Suricata, Bro, OSSEC, Sguil,

Squert, Snorby, ELSA, Xplico, NetworkMiner, andmany other security tools.

Security Onion

Security Onion

Security Onion

pfSense

The pfSense project is a free networkfirewall distribution, based on the FreeBSDoperating system with a custom kernel and

including third party free software packages foradditional functionality.

pfSense software, with the help of the packagesystem, is able to provide the same functionality

or more of common commercial firewalls

pfSense

Keep an Eye on ARP

• arpwatch is a nice tool to track new/changing MAC addresses

Apr 17 11:36:03 shiva arpwatch: new station 10.90.14.85 34:a3:95:c5:d2:e5 eth0

Keep an Eye on ARP

Next Level…

Detecting Suspicious Devices On-The-Fly!

(https://isc.sans.edu/forums/diary/Guest+diary+Detecting+Suspicious+Devices+OnTheFly/18993)

Next Level…

• Inspect HTTP(S) traffic for suspicious data, vulnerabilities (who said “hacking”?)

• MitM, ettercap, sslstrip, BurpSuite

Agenda

• A Revolution Entered Our Homes

• Internet of Terrors

• Mitigations

• Conclusions

5 Tips to Keep in Mind

• IoT is there and will(is) invade(ing) our homes

• Think “IoT” == “Computers” (same issues)

• Smart != Safe

• Tools exists to control them

• Ask yourself: “Do I need it?”

Thank you!

@xme

xavier@rootshell.be

xmertens@isc.sans.edu