
Name: Peter Ouma Email: ptrouma@tespok.co.ke Twitter: @H4CK1T3CT

HoneyHouse. A Damn Vulnerable Home Automation System. Name: Peter Ouma Email: ptrouma@tespok.co.ke Twitter: @H4CK1T3CT Information Security Analyst, TESPOK – iCSIRT Web Security Consultant, FocWeb Technologies Graduate Architect, Urban Savannah Design Studios.





Presentation Transcript


  1. HoneyHouse: A Damn Vulnerable Home Automation System. Name: Peter Ouma. Email: ptrouma@tespok.co.ke. Twitter: @H4CK1T3CT. Information Security Analyst, TESPOK – iCSIRT; Web Security Consultant, FocWeb Technologies; Graduate Architect, Urban Savannah Design Studios. LinkedIn profile: http://ke.linkedin.com/in/ptrouma

  2. LEGAL DISCLAIMER It is recognized that the deployment of honeypots and their use to gain attacker techniques raise both legal and privacy concerns... Therefore, information and techniques gathered through the deployment of the honeypots do not fall under entrapment and did not require legal consent, since it is for informational and research purposes only. Additionally, no remote system's confidentiality, integrity or availability was intentionally affected during the course of the research.

  3. WHAT IS A HONEYHOUSE? HoneyHouse is a coined word for the intersection of three disciplines: Home Automation, Honeypot Concepts and Log Analysis.
     • Home Automation – the control and automation of systems such as ventilation, lighting, security and appliances in a home environment, to benefit residents and enable efficiencies.
     • Honeypot Concept – a honeypot is an internet-connected device or server that acts as a decoy to lure potential attackers so that their actions and techniques can be studied, with the goal of defending critical assets.
     • Log Analysis – the attempt to make sense of computer-generated records using statistical and data visualization techniques.

  4. THE SETUP
     • Core requirements – an internet connection without ISP filtering, a home router with Wi-Fi capability, a physical server with virtualization software, honeypot software, a log analysis/management stack, etc.
     • Other requirements – a USB modem for SMS alerts, Android apps for device control, network monitoring software, an open-source home automation frontend.
     • Core devices – home router, Raspberry Pi, IP camera, Z-Wave controller, Z-Wave light bulb, Z-Wave wall plug-in.
     Physical devices acquired for the setup: home router, Z-Wave wall plug-in, Foscam camera, Z-Wave USB controller and Raspberry Pi.

  5. THE SETUP
     • Other devices – virtualized devices include home routers, DVRs, popular webcams, a serial-to-Ethernet bridge, etc.
     • Challenges – how to securely segregate 3 networks while allowing an attacker access to only a subset of them at a time.
     • Outcome – 3 logical networks consisting of physical and virtual devices: a secure home network, an attacker environment and a Z-Wave network.
     Virtualized devices configured for the setup: Foscam camera, Modbus serial-to-Ethernet bridge, vulnerable Linksys router, BACnet/IP BMD, DVR.

  6. THE SETUP Primary access is through the home router. Secure remote access to the network is through a VPN server. All internet traffic hitting the home router externally is channeled towards a DMZ host. Port-forwarding is done for all unsolicited traffic to specific TCP/IP ports representing the virtual and physical devices. Host firewalls and subnetting segregate the 3 networks shown.
     [Network topology diagram: secure home network, DMZ network, Z-Wave network. Labelled nodes: Internet, DMZ host, Honeypot, Device 2, Device 3, Device 4, Logs server, WiFi camera, Z-Wave controller, Z-Wave bulb, Z-Wave socket.]

  7. UTILITY, MOBILITY... Mobile Apps enabling access, monitoring, etc...

  8. DEMO

  9. ATTACK LOCATIONS Geographical locations of IPs connecting to the HoneyHouse over a 24hr period; mainly from China, the USA, Russia and Germany.

  10. ATTACK STATISTICS Unique connections to the physical and virtual devices over a 1-month period; Telnet and SSH were observed to be the most prominent.

  11. ATTACK TYPES Observed login attempts and brute-force attacks; top section: DMZ, middle section: SSH services, bottom section: Telnet.

  12. ATTACK TRENDS Attack logs collected and indexed for search/statistics; an average of 5,000+ connection attempts from all the honeypots over a 24hr period.

  13. ATTACK TRENDS Search on successful logins to decoy smart devices; an average of 150+ successes and interactions over a 24hr period.
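As an added illustration of the searches behind slides 10 and 13 (example code written for this page, not part of the original deck or the HoneyHouse log stack), the Python below parses a constructed honeypot login log, counts distinct source IPs per decoy service, lists successful logins to the decoys, and tallies attempts that used a known factory-default username/password pair. The log line format, the sample lines and the default-credential list are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed sample honeypot log (not from the original deck). Assumed line format:
# "<timestamp> <service> <src_ip> <login-ok|login-failed> user=<name> pass=<secret>"
SAMPLE_LOG = """\
2017-03-01T00:01:02 telnet 198.51.100.7 login-failed user=root pass=123456
2017-03-01T00:01:09 telnet 198.51.100.7 login-ok user=admin pass=admin
2017-03-01T00:02:11 ssh 203.0.113.9 login-failed user=root pass=password
2017-03-01T00:03:30 telnet 192.0.2.44 login-ok user=root pass=root
2017-03-01T00:04:02 ssh 203.0.113.9 login-ok user=pi pass=raspberry
2017-03-01T00:05:00 ftp 198.51.100.7 login-ok user=anonymous pass=
2017-03-01T00:06:17 telnet 203.0.113.9 login-failed user=root pass=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) (?P<src>\S+) (?P<result>login-ok|login-failed) "
    r"user=(?P<user>\S*) pass=(?P<password>\S*)$"
)

# Factory-default pairs a defender expects to see tried (constructed list for this example).
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("pi", "raspberry"), ("anonymous", "")}


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the assumed format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def unique_sources_per_service(events):
    """Distinct source IPs per decoy service: the 'unique connections' view of slide 10."""
    seen = {}
    for e in events:
        seen.setdefault(e["service"], set()).add(e["src"])
    return {svc: len(ips) for svc, ips in seen.items()}


def successful_logins(events):
    """Successful logins to decoy devices (the slide 13 search) as (service, src, user, password)."""
    return [(e["service"], e["src"], e["user"], e["password"])
            for e in events if e["result"] == "login-ok"]


def default_credential_hits(events, defaults=DEFAULT_CREDS):
    """Count attempts (successful or not) that used a known default username/password pair."""
    return Counter((e["user"], e["password"]) for e in events
                   if (e["user"], e["password"]) in defaults)
```

On real honeypot output the same three functions give the per-service and successful-login counts the slides chart, and the default-credential tally shows which factory passwords attackers are banking on.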

  14. ATTACK DETAILS The majority of the attacking IPs are part of an existing botnet of compromised devices and vulnerable Windows machines, with, for example, Telnet running. We managed to telnet to a number of these devices; some allow anonymous logins, so no attack was done from our end. Through this, we obtained malicious files for further analysis. Most of these files consist of web/bash scripts for command and control, binaries targeting various device architectures and executables for bitcoin mining. Screenshot: anonymous FTP server with malicious files.

  15. ATTACK DETAILS SCENARIO:
     • Attacker automates vulnerability scanning and adds devices/machines to the botnet.
     • Machines/devices have different functions; some host malicious software to be downloaded by other compromised devices, others serve as command and control.
     • Compromised machines join IRC channels to get commands; for example, to DDoS, carry out further brute-force attacks or vulnerability scanning, and the cycle continues.
     Screenshot: obtained malicious scripts for carrying out attacks on devices.

  16. DEMO

  17. ATTACK SUMMARY Most of the attacks on smart devices target services left open and unsecured to the internet (Telnet, FTP and SSH) through brute-force login attempts. The most targeted devices are home routers, DVRs, IP surveillance cameras and microcontrollers that allow default usernames and passwords. The IPs targeting vulnerable devices are compromised machines/devices that are mostly part of a Mirai botnet variant. Compromised Windows machines are also increasingly being used to facilitate brute-force login attempts, command and control, distribution of malicious code, etc. Attackers constantly update their list of targeted devices, username/password combinations and exploit code to accommodate the latest vulnerabilities.

  18. SECURITY RECOMMENDATIONS
     • Do not allow access to your device from outside of your local network unless you specifically need it to use your device. If remote access is necessary, use a VPN.
     • Disable all network services that you don’t need to use on your device/machine.
     • Before you start using your device, change the default password and set a new strong password. Review this password periodically to avoid compromise.
     • If the device has a preconfigured or default password that you cannot change, or a preconfigured account that you cannot deactivate, then disable the network services where they are used, or disable access to them from outside the local network.
     • Regularly update your device’s firmware to the latest version (when such updates are available).

  19. REFERENCES
     • Tracking Attackers with a Honeypot – http://resources.infosecinstitute.com/tracking-attackers-honeypot-part-1-kippo/
     • Setting Up a Honeypot Using a Bait and Switch Router – https://www.sans.org/reading-room/whitepapers/casestudies/setting-honeypot-bait-switch-router-1465
     • Security and Privacy Guidelines for the Internet of Things – https://www.schneier.com/blog/archives/2017/02/security_and_pr.html
     • Mapping Mirai: A Botnet Case Study – https://www.malwaretech.com/2016/10/mapping-mirai-a-botnet-case-study.html
     • OWASP Internet of Things Top Ten – https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

  20. THANK YOU Any Questions?
