Infecting Internet of Things · Infecting Internet of Things Axelle Apvrille - Fortinet...

Infecting Internet of Things

Axelle Apvrille - Fortinetaapvrille@fortinet.com

DefCamp, November 2016

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

6 Existing IoT malware

7 Future

8 Conclusion

Defcamp November 2016 - A. Apvrille 2/33

Who am I?

whoamimy $self = {

realname => ’Axelle Apvrille’,

nickname => ’Crypto Girl’,

company => ’Fortinet, Fortiguard Labs, Research EMEA’,

time => ’8 years’,

job => ’Senior Anti-Virus Researcher’,

topics => ’Malware for smart objects (phones, IoT...)’,

twitter => ’@cryptax’,

languages => ’French, English, Hexadecimal :)’

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Demo: Ransomware on Smart Glasses

How the PoC works: architecture

OMAP 4430

LPS25 MEMS

Pressuresensor

LSM9DS0Accelerometer

GyroscopeCompass

TMP103Temperature

sensor

Free FallSensor

APDS9900Ambient

Light Sensor

Android 4.1.2

Recon Camera

Recon Compass Calibration

Assisted GPS

Heading Service

3rd party expanded apps

PoCRecon SDK

System apps (/system/app)

Data apps (/data/app)

How the PoC works: source code

public void onCreate(Bundle savedInstanceState) {

super.onCreate(savedInstanceState);

CharSequence msg = (CharSequence)

this.getIntent().getStringExtra("message");

if (msg == null) {

msg = "No text provided!";

int duration = Toast.LENGTH_LONG;

for (int i=0; i<40; i++) { // Quick hack for a longer toast ;)

Toast.makeText((Context)this,

(CharSequence)msg, duration).show();

this.finish();

That simple? Yes. That makes even more scary :=)

What will you do? 1/3

Did they really record your activity? Perhaps...Smart glasses cost 500 USD ≈ 2030 RON

You can’t use your bloodpressure monitor any longer.

But, given your medicalcondition, you need it

This is a fake screenshot - no knownransomware on that app (yet)

What will you do? 2bis /3

Your insulin pump has beenhacked!

NB. This is a fake screenshot -however vulnerabilities exist

I October 2016 - R7-2016-07:Multiple Vulnerabilities inAnimas OneTouch Ping InsulinPump

I More on medical devices: seeMarie Moe’s talks onpacemakers

Ransomware on IoT “business case”

Higher interest &Risk for ransomware

Smart Cars

Internet of Medical Things

Smart TV

Smart glasses

Smart watch

Sports wristband

Device cost + Criticality (+ bonus: ease of implementation)

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Advanced Trojan Malware on Smart Glasses

I ≈ 5,000 new Android malwareper day

I Are the smart glasses vulnerableto those?

I In theory, yes.

I In practice, it’s worth checking:no GSM/3G, wifi possible butnot easy, virtual keyboard,difficult to upgrade the OS...

I In theory, yes.

Android AngeCryption PoC on Smart Glasses

See A. Apvrille, A. Albertini, Hide Android Applications in Images,BlackHat Europe 2014

AES decrypt

AngeCryption “trick”

PNGPNG Header

Dummy chunkType = 'aaaa'

Data=Encrypted APK

Chunk IHDR

Chunk IDAT

Works on Android 4.4.2.Smart glasses are Android 4.1.2.Should work.

1 Put the image in an apparentlybenign Android application

2 Trigger decryption...

3 ... Install malicious application

Step 1: Install benign application

$ adb install PocActivity.apk

Screenshots taken from the smart glasses:

Step 2: Trigger decryption

Click!

This is PoC for encrypting APK as imagenot a PoC for hiding install

but this is possible via DexClassLoader

Step 2: Trigger decryption

Click!

This is PoC for encrypting APK as imagenot a PoC for hiding install

but this is possible via DexClassLoader

Step 3: Malware installed on the smart glasses

So, yes, it worked - without modification

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Demo: SMS Dialer on a Smart Watch

I Sony SmartWatch SW2

I ARM Cortex M4 with MicriumµC/OS-II

I Light sensor and accelerator

I NFC, Bluetooth 3.0

I Launched in Sept 2013

I ≈ 600 RON

How it works: architecture

Smart Accessory Smartphone

Constanza msg

SmartConnectSmartConnect

......

Bluetooth

Smart Extensions

ControlExtension

Low Power

Host application

How it works: code

Trigger a command from the Smart Watch

class SmartWatchSms extends ControlExtension {

Act when clicked

ControlView btn = mLayout.findViewById(...);

btn.setOnClickListener(new OnClickListener() {

public void onClick() {

sendSms();

Work when not lit

public boolean supportsLowPowerMode() {

return true;

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Mom Attack :)

Credits: Dilbert Comic Strips

“Business” case for attacker depends on:

Onboard sensors, Wearable or not, Target population

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Some of the (in)famous IoT malware

Carna 2012 Research botnetLinux/Darlloz 2013 Worm exploiting PHP vuln. Infects

ADSL routers, satellite and televisionreceivers. Mine cryptocurrencies.

The Moon 2014 Worm exploiting CGI exploit. InfectsLinksys routers

ELF/Gafgyt 2014 DDoS. Targets CCTVLinux/Wifatch 2015 Trojan/Vigilante. Targets DVR,

CCTVLinux/Moose 2015 Perform illegimate likes/followsLinux/PnScan 2015 DDoS. Targets routers (India mainly)Linux/Remaiten 2016 DDoS. IRC basedLinux/Mirai 2016 DDoS. Targets DVR, CCTV...Linux/IRCTelnet 2016 DDoS. IRC based. IPv6 ready

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

Worm propagation via wearable

Attacker

INJECT MALICIOUS CODE

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

More IoT, computers...PROPAGATE

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATE

INFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Attacker

IoT is infected

Victim’s laptop

PROPAGATEINFECT PC

Malware of (Every)Things

So far, we have had malware on complex IoT

Prediction: we will have them everywhere

They have a firmware. They can have a malware ;)

Malware of (Every)Things

So far, we have had malware on complex IoT

Prediction: we will have them everywhere

They have a firmware. They can have a malware ;)

Outline

1 Introduction

2 Ransomware on IoT

3 Trojans on IoT

4 SMS Dialer on IoT

5 Spyware on IoT

7 Future

8 Conclusion

References

I Reversing Internet of Things from Mobile Applications,presented at AREA 41, 2016

I Is Ransomware Coming to IoT? by Candid Wuest(Symantec), presented at Insomni’hack, 2016

I Mirai: source code, analysis, protocol

I Thermostat Ransomware: a lesson in IoT security by KenMunro, August 2016

I IoT Goes Nuclear: Creating a ZigBee Chain Reaction by EyalRonen et al - worm propagation with ZigBee on Philips Huelightbulbs - 2016

I SDK: Sony Smart Watch, Recon Instruments

I Videos: Remotely controlling a toothbrush, Fitness trackerhacking

Thanks for your attention!

PowerPoint slides? No way! This is LATEX/ Beamer

Infecting Internet of Things · Infecting Internet of Things Axelle Apvrille - Fortinet...

Documents

Things to have & Things to hold

Infecting Python Bytecode

Characterization of marine diatom-infecting virus ... · SCIENTIFIC REPORTS 5170 DI 10.103srep170 1 Characterization of marine diatom-infecting virus promoters in the model diatom

INTESTINAL TREMATODES INFECTING HUMANS IN KOREA

Beautiful Things

Things Fall Apart

Ten Things

Volodymyr Bilyk, Things

Diap smart things

La programmation sécurisée Java - OSSIR : Accueil · 1 La programmation sécurisée Java Retours d’expérience Axelle APVRILLE Axelle Apvrille p.2 Plan de la présentation Retours

Small things are big things: can we design empathy into services?

Unsmart things

Internet of things

Simple Things

Things: Happening

REVISTA THINGS

Big Things Start From Small Things

Things we knew, things we did… Things we have learnt, things we should do Du nouveau dans la prise en charge de la Maladie dAlzheimer Dr R. Gouider, Dr

School things

Getting Things Done with "Getting Things Done"