TLS Ecosystems in Networked Devices vs. Web Servers
Nayanamana Samarasinghe and Mohammad Mannan
Concordia University, Montreal, Canada
Apr 5, 2017
Background
▪ Rapid growth of Internet-connected devices (IoT)
➢ Forecast: 25-50 billion devices by 2020 (Cisco, Ericsson, Gartner); 26 devices/person; economic impact: $2-$5 trillion
➢ They will increase opportunities for an attacker
▪ Rise in TLS adoption to improve communication security
Devices in focus
Motivation
▪ Several measurement studies have been done on TLS vulnerabilities of websites
➢ The TLS ecosystem of the web is improving
▪ But what about devices?
Our goals
▪ Study TLS vulnerabilities in devices
➢ Parameters used in secure communication (SSL/TLS) of devices
▪ TLS parameters of Alexa 1M sites used for comparison
Some options for large scale collection of TLS certificates
▪ EFF SSL Observatory
▪ Rapid7
▪ ZMap
▪ Shodan
How to identify device types?
▪ Manual inspection
▪ Automatically, using meta-data (e.g. Censys, Shodan)
Our analysis is based on Censys
▪ TLS search engine for devices & networks
➢ Based on ZMap (network scanner)
➢ Supports phased-out cipher suites of popular browsers
Pipeline: ZMap (scanner) → zgrab (TLS banner grabber) → ztag (annotates raw scan data with additional metadata) → database → user
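The ztag stage above is what makes "automatic" device identification from metadata possible. The following is an added example (not Censys's own code) of such an annotator: it matches strings from the grabbed banner (HTTP Server header, certificate subject/issuer) against manufacturer rules and attaches a device_type/manufacturer block. The rules, the field names and the sample records are constructed for this example; they are not Censys's real ztag rule set.

```python
"""Illustrative ztag-style annotator (added example, not Censys code).

Censys chains ZMap (scanner) -> zgrab (TLS banner grabber) -> ztag, which
annotates raw scan records with metadata such as device type and
manufacturer.  This hypothetical annotator shows the idea.  Rules, field
names and sample records are constructed for the example.
"""
import re

# Hypothetical fingerprint rules: (regex, manufacturer, device_type).
# Manufacturers and device types mirror the talk's table; the patterns
# themselves are illustrative only.
RULES = [
    (re.compile(r"\bcisco\b", re.I), "Cisco", "infrastructure router"),
    (re.compile(r"\bhikvision\b", re.I), "Hikvision", "camera"),
    (re.compile(r"\bqnap\b", re.I), "QNAP", "nas"),
    (re.compile(r"\bHP\b|hewlett[- ]packard", re.I), "Hewlett Packard", "printer"),
    (re.compile(r"\bAVM\b|fritz!?box", re.I), "AVM", "modem"),
]


def annotate(record):
    """Return a copy of a raw zgrab-style record with a 'metadata' block.

    Unmatched records are tagged 'unknown' rather than guessed, so that
    downstream statistics can exclude them explicitly.
    """
    haystack = " ".join(
        record.get(field, "") for field in ("http_server", "cert_subject", "cert_issuer")
    )
    metadata = {"device_type": "unknown", "manufacturer": "unknown"}
    for pattern, manufacturer, device_type in RULES:
        if pattern.search(haystack):
            metadata = {"device_type": device_type, "manufacturer": manufacturer}
            break
    annotated = dict(record)  # do not mutate the raw scan record
    annotated["metadata"] = metadata
    return annotated


def annotate_all(records):
    """Annotate every record of a scan (the ztag stage of the pipeline)."""
    return [annotate(r) for r in records]


# Constructed raw records (RFC 5737 documentation addresses), not real scan data.
SAMPLE_SCAN = [
    {"ip": "192.0.2.10", "http_server": "cisco-IOS",
     "cert_subject": "CN=IOS-Self-Signed-Certificate"},
    {"ip": "192.0.2.11", "http_server": "http server",
     "cert_subject": "CN=192.0.2.11, O=QNAP Systems"},
    {"ip": "192.0.2.12", "http_server": "HP HTTP Server",
     "cert_subject": "CN=HP LaserJet"},
    {"ip": "192.0.2.13", "http_server": "nginx",
     "cert_subject": "CN=www.example.net"},
]

if __name__ == "__main__":
    for rec in annotate_all(SAMPLE_SCAN):
        print(rec["ip"], rec["metadata"])
```

Rule order matters: the first matching rule wins, so more specific fingerprints belong first, and anything unmatched stays "unknown" instead of being forced into a category (this is one source of the "annotations still evolving" limitation noted later in the talk).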
Methodology
1. Extract certificates and TLS parameters
2. Based on annotations, categorize devices into logical groupings
3. Compute statistics for weak and strong TLS security parameters
4. Compare between devices and Alexa 1M sites
Grouping of devices based on annotations in Censys
We’ve categorized device types as:
Infrastructure routers, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS and Media
Example:
Category Device types
SCADA SCADA controller, router, gateway, server, front-end
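The four methodology steps (extract parameters, group by annotation, compute weak-parameter statistics, compare with Alexa 1M) as an added example, not the authors' code, run on constructed Censys-like records. The field names (metadata.device_type, tls.cipher_suite, ...) are simplified assumptions rather than the real Censys schema, and the weak-parameter sets are the ones the later result slides use (MD5/SHA1 signatures, RC4/3DES, RSA ≤ 1024, SSLv3/TLS 1.0/1.1). It also tallies weak devices per manufacturer, the basis of a "top manufacturers" table.

```python
"""Four-step TLS measurement methodology (added example, not the authors'
code) on constructed, Censys-like records.  Field names are simplified
assumptions, not the real Censys schema.
"""
from collections import Counter, defaultdict

# Step 2: device-type annotation -> logical category (categories from the talk;
# the SCADA row is shown in full, the others hold one representative type).
CATEGORY_OF = {
    "infrastructure router": "Infra. router", "modem": "Modem",
    "camera": "Camera", "nas": "NAS", "home router": "Home router",
    "network": "Network", "printer": "Printer", "cps": "CPS", "media": "Media",
    "scada controller": "SCADA", "scada router": "SCADA", "scada gateway": "SCADA",
    "scada server": "SCADA", "scada front-end": "SCADA",
}

# Step 3: parameter values the talk classifies as weak.
WEAK = {
    "sig_alg": {"MD5WithRSA", "SHA1WithRSA"},
    "cipher_enc": {"3DES_EDE_CBC", "RC4_128"},
    "rsa_bits": {512, 768, 1024},
    "tls_version": {"SSLv3", "TLSv1.0", "TLSv1.1"},
}


def encryption_algorithm(cipher_suite):
    """'TLS_RSA_WITH_RC4_128_SHA' -> 'RC4_128': drop key-exchange and MAC parts."""
    after_with = cipher_suite.split("_WITH_", 1)[1]
    return after_with.rsplit("_", 1)[0]


def extract(record):
    """Step 1: certificate and TLS parameters of one scan record."""
    tls = record["tls"]
    return {
        "sig_alg": tls["cert_signature_algorithm"],
        "cipher_enc": encryption_algorithm(tls["cipher_suite"]),
        "rsa_bits": tls["cert_rsa_key_bits"],
        "tls_version": tls["version"],
    }


def weak_flags(params):
    """Which of the extracted parameters fall in the weak sets."""
    return {name: params[name] in WEAK[name] for name in WEAK}


def populations(record):
    """Step 2: groups a record is counted in.  Devices count in their category
    and in 'Device avg.'; Alexa 1M web servers form their own group."""
    if record["source"] == "alexa1m":
        return ["Alexa 1M"]
    category = CATEGORY_OF.get(record["metadata"]["device_type"].lower(), "Other")
    return [category, "Device avg."]


def weak_percentages(records):
    """Steps 3-4: % of hosts per group whose parameter is weak, so device
    categories can be compared directly against Alexa 1M."""
    totals = Counter()
    weak_counts = defaultdict(Counter)
    for rec in records:
        flags = weak_flags(extract(rec))
        for group in populations(rec):
            totals[group] += 1
            for name, is_weak in flags.items():
                if is_weak:
                    weak_counts[group][name] += 1
    return {group: {name: round(100.0 * weak_counts[group][name] / totals[group], 1)
                    for name in WEAK}
            for group in totals}


def manufacturer_counts(records, param):
    """Devices per manufacturer whose `param` is weak (web servers skipped)."""
    counts = Counter()
    for rec in records:
        if rec["source"] != "alexa1m" and weak_flags(extract(rec))[param]:
            counts[rec["metadata"]["manufacturer"]] += 1
    return counts.most_common()


def _rec(source, device_type, manufacturer, sig_alg, cipher_suite, bits, version):
    return {"source": source,
            "metadata": {"device_type": device_type, "manufacturer": manufacturer},
            "tls": {"cert_signature_algorithm": sig_alg, "cipher_suite": cipher_suite,
                    "cert_rsa_key_bits": bits, "version": version}}


# Constructed sample, not real measurements; manufacturer names as in the talk.
SAMPLE = [
    _rec("censys", "infrastructure router", "Cisco", "SHA1WithRSA",
         "TLS_RSA_WITH_RC4_128_SHA", 1024, "TLSv1.0"),
    _rec("censys", "infrastructure router", "Cisco", "SHA1WithRSA",
         "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 2048, "SSLv3"),
    _rec("censys", "camera", "Hikvision", "MD5WithRSA",
         "TLS_RSA_WITH_RC4_128_SHA", 1024, "TLSv1.0"),
    _rec("censys", "camera", "Hikvision", "SHA256WithRSA",
         "TLS_RSA_WITH_AES_128_CBC_SHA", 2048, "TLSv1.2"),
    _rec("censys", "nas", "QNAP", "SHA256WithRSA",
         "TLS_RSA_WITH_AES_256_CBC_SHA", 2048, "TLSv1.2"),
    _rec("censys", "scada gateway", "unknown", "SHA1WithRSA",
         "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 1024, "TLSv1.0"),
    _rec("alexa1m", "web server", "n/a", "SHA256WithRSA",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 2048, "TLSv1.2"),
    _rec("alexa1m", "web server", "n/a", "SHA256WithRSA",
         "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 4096, "TLSv1.2"),
]
```

Calling weak_percentages(SAMPLE) yields one row per category plus "Device avg." and "Alexa 1M", each holding the percentage of hosts with a weak signature algorithm, cipher, key length and protocol version; manufacturer_counts(SAMPLE, "cipher_enc") ranks manufacturers by the number of devices still negotiating RC4 or 3DES. Percentages rather than raw counts are what make the device-vs-web comparison meaningful, since the two populations differ by orders of magnitude in size.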
Analysis & Results (1)
Comparisons of WEAK cryptographic primitives
Signature algorithms
[Bar chart, y-axis 0-100%: share of hosts with MD5WithRSA and SHA1WithRSA certificate signatures, per device category (Infra. router, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS, Media, Device avg.) and Alexa 1M]
Analysis & Results (2)
Comparisons of WEAK cryptographic primitives
Hashing algorithms
[Bar chart, y-axis 0-100%: share of hosts using MD5 and SHA1, per device category (Infra. router, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS, Media, Device avg.) and Alexa 1M]
Analysis & Results (3)
Comparisons of WEAK cryptographic primitives
Encryption algorithms
[Bar chart, y-axis 0-100%: share of hosts negotiating 3DES_EDE_CBC and RC4_128, per device category (Infra. router, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS, Media, Device avg.) and Alexa 1M]
Analysis & Results (4)
Comparisons of WEAK cryptographic primitives
Key lengths
[Bar chart, y-axis 0-100%: share of hosts with RSA 512, RSA 768 and RSA 1024 keys, per device category (Infra. router, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS, Media, Device avg.) and Alexa 1M]
Analysis & Results (5)
Comparisons of WEAK cryptographic primitives
SSL/TLS protocol versions
[Bar chart, y-axis 0-100%: share of hosts negotiating SSLv3, TLSv1.0 and TLSv1.1, per device category (Infra. router, Modem, Camera, NAS, Home router, Network, Printer, SCADA, CPS, Media, Device avg.) and Alexa 1M]
Analysis & Results (6)
Comparisons of STRONG cryptographic primitives
[Five bar charts, y-axis 0-100%, per device category and Alexa 1M: Hashing algorithms; Encryption algorithms (AES_128_CBC, AES_256_CBC, AES_128_GCM); Key lengths (RSA 2048, RSA 4096); Signature algorithms (SHA256WithRSA, SHA512WithRSA, ECDSAWithSHA256); SSL/TLS protocol versions (TLSv1.2)]
✓ ECDSA is supported mostly on the web.
✓ Relative to infrastructure routers, the other device categories use stronger AES ciphers, TLS 1.2 and the SHA-256 hashing algorithm.
✓ RSA 4096 keys are used mostly by web sites.
Top manufacturers of vulnerable devices (as of October 2016)
Manufacturers' common defence: security patches are released, but users take no action to apply them.

Manufacturer      MD5   RC4      SSLv3   RSA < 1024   Device types
Cisco             347   98,904   65,413  12,713       Network, infra. router
Hewlett Packard     1    5,214        1      12       Network, printer, SCADA, home router
AVM                78    5,062       33       2       Modem
Hikvision         664    1,085      214      75       Camera
QNAP              383      889      286      51       NAS
Limitations (our work is not comprehensive!)
1. Possible limitations in Censys logic or misconfiguration
2. Censys annotations are still evolving
3. Devices unreachable by ZMap are missed
4. Whether a device can be exploited depends on how it is deployed and used
5. Devices on IPv6 are not accounted for
Concluding remarks
1. TLS deployment in devices is weaker than on the web
2. Raise awareness
3. How to improve? Forced auto-update?
Thank you! Contact: [email protected]