Upload
tranphuc
View
216
Download
2
Embed Size (px)
Citation preview
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 2/33
Who am I?
whoamimy $self = {
realname => ’Axelle Apvrille’,
nickname => ’Crypto Girl’,
company => ’Fortinet, Fortiguard Labs, Research EMEA’,
time => ’8 years’,
job => ’Senior Anti-Virus Researcher’,
topics => ’Malware for smart objects (phones, IoT...)’,
twitter => ’@cryptax’,
languages => ’French, English, Hexadecimal :)’
};
Defcamp November 2016 - A. Apvrille 3/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 4/33
Demo: Ransomware on Smart Glasses
Defcamp November 2016 - A. Apvrille 5/33
How the PoC works: architecture
OMAP 4430
LPS25 MEMS
Pressuresensor
LSM9DS0Accelerometer
GyroscopeCompass
TMP103Temperature
sensor
Free FallSensor
APDS9900Ambient
Light Sensor
Android 4.1.2
Recon Camera
app
Recon Compass Calibration
Assisted GPS
Heading Service
3rd party expanded apps
PoCRecon SDK
System apps (/system/app)
Data apps (/data/app)
Defcamp November 2016 - A. Apvrille 6/33
How the PoC works: source code
public void onCreate(Bundle savedInstanceState) {
super.onCreate(savedInstanceState);
CharSequence msg = (CharSequence)
this.getIntent().getStringExtra("message");
if (msg == null) {
msg = "No text provided!";
}
int duration = Toast.LENGTH_LONG;
for (int i=0; i<40; i++) { // Quick hack for a longer toast ;)
Toast.makeText((Context)this,
(CharSequence)msg, duration).show();
}
this.finish();
}
That simple? Yes. That makes even more scary :=)
Defcamp November 2016 - A. Apvrille 7/33
What will you do? 1/3
Did they really record your activity? Perhaps...Smart glasses cost 500 USD ≈ 2030 RON
Defcamp November 2016 - A. Apvrille 8/33
What will you do? 2/3
You can’t use your bloodpressure monitor any longer.
But, given your medicalcondition, you need it
This is a fake screenshot - no knownransomware on that app (yet)
Defcamp November 2016 - A. Apvrille 9/33
What will you do? 2bis /3
Your insulin pump has beenhacked!
NB. This is a fake screenshot -however vulnerabilities exist
I October 2016 - R7-2016-07:Multiple Vulnerabilities inAnimas OneTouch Ping InsulinPump
I More on medical devices: seeMarie Moe’s talks onpacemakers
Defcamp November 2016 - A. Apvrille 10/33
What will you do? 3/3
Defcamp November 2016 - A. Apvrille 11/33
Ransomware on IoT “business case”
Higher interest &Risk for ransomware
Smart Cars
Internet of Medical Things
Smart TV
Smart glasses
Smart watch
Sports wristband
Device cost + Criticality (+ bonus: ease of implementation)
Defcamp November 2016 - A. Apvrille 12/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 13/33
Advanced Trojan Malware on Smart Glasses
I ≈ 5,000 new Android malwareper day
I Are the smart glasses vulnerableto those?
I In theory, yes.
I In practice, it’s worth checking:no GSM/3G, wifi possible butnot easy, virtual keyboard,difficult to upgrade the OS...
Defcamp November 2016 - A. Apvrille 14/33
Advanced Trojan Malware on Smart Glasses
I ≈ 5,000 new Android malwareper day
I Are the smart glasses vulnerableto those?
I In theory, yes.
I In practice, it’s worth checking:no GSM/3G, wifi possible butnot easy, virtual keyboard,difficult to upgrade the OS...
Defcamp November 2016 - A. Apvrille 14/33
Advanced Trojan Malware on Smart Glasses
I ≈ 5,000 new Android malwareper day
I Are the smart glasses vulnerableto those?
I In theory, yes.
I In practice, it’s worth checking:no GSM/3G, wifi possible butnot easy, virtual keyboard,difficult to upgrade the OS...
Defcamp November 2016 - A. Apvrille 14/33
Advanced Trojan Malware on Smart Glasses
I ≈ 5,000 new Android malwareper day
I Are the smart glasses vulnerableto those?
I In theory, yes.
I In practice, it’s worth checking:no GSM/3G, wifi possible butnot easy, virtual keyboard,difficult to upgrade the OS...
Defcamp November 2016 - A. Apvrille 14/33
Android AngeCryption PoC on Smart Glasses
See A. Apvrille, A. Albertini, Hide Android Applications in Images,BlackHat Europe 2014
AES decrypt
Defcamp November 2016 - A. Apvrille 15/33
AngeCryption “trick”
PNGPNG Header
Dummy chunkType = 'aaaa'
Data=Encrypted APK
Chunk IHDR
Chunk IDAT
...
Works on Android 4.4.2.Smart glasses are Android 4.1.2.Should work.
1 Put the image in an apparentlybenign Android application
2 Trigger decryption...
3 ... Install malicious application
Defcamp November 2016 - A. Apvrille 16/33
Step 1: Install benign application
$ adb install PocActivity.apk
Screenshots taken from the smart glasses:
Defcamp November 2016 - A. Apvrille 17/33
Step 2: Trigger decryption
Click!
This is PoC for encrypting APK as imagenot a PoC for hiding install
but this is possible via DexClassLoader
Defcamp November 2016 - A. Apvrille 18/33
Step 2: Trigger decryption
Click!
This is PoC for encrypting APK as imagenot a PoC for hiding install
but this is possible via DexClassLoader
Defcamp November 2016 - A. Apvrille 18/33
Step 3: Malware installed on the smart glasses
So, yes, it worked - without modification
Defcamp November 2016 - A. Apvrille 19/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 20/33
Demo: SMS Dialer on a Smart Watch
I Sony SmartWatch SW2
I ARM Cortex M4 with MicriumµC/OS-II
I Light sensor and accelerator
I NFC, Bluetooth 3.0
I Launched in Sept 2013
I ≈ 600 RON
Defcamp November 2016 - A. Apvrille 21/33
How it works: architecture
Smart Accessory Smartphone
Constanza msg
SmartConnectSmartConnect
......
Bluetooth
Smart Extensions
ControlExtension
API
Low Power
API
Host application
Defcamp November 2016 - A. Apvrille 22/33
How it works: code
Trigger a command from the Smart Watch
class SmartWatchSms extends ControlExtension {
Act when clicked
ControlView btn = mLayout.findViewById(...);
btn.setOnClickListener(new OnClickListener() {
public void onClick() {
sendSms();
}
});
Work when not lit
public boolean supportsLowPowerMode() {
return true;
}
Defcamp November 2016 - A. Apvrille 23/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 24/33
Mom Attack :)
Credits: Dilbert Comic Strips
“Business” case for attacker depends on:
Onboard sensors, Wearable or not, Target population
Defcamp November 2016 - A. Apvrille 25/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 26/33
Some of the (in)famous IoT malware
Carna 2012 Research botnetLinux/Darlloz 2013 Worm exploiting PHP vuln. Infects
ADSL routers, satellite and televisionreceivers. Mine cryptocurrencies.
The Moon 2014 Worm exploiting CGI exploit. InfectsLinksys routers
ELF/Gafgyt 2014 DDoS. Targets CCTVLinux/Wifatch 2015 Trojan/Vigilante. Targets DVR,
CCTVLinux/Moose 2015 Perform illegimate likes/followsLinux/PnScan 2015 DDoS. Targets routers (India mainly)Linux/Remaiten 2016 DDoS. IRC basedLinux/Mirai 2016 DDoS. Targets DVR, CCTV...Linux/IRCTelnet 2016 DDoS. IRC based. IPv6 ready
Defcamp November 2016 - A. Apvrille 27/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 28/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATE
INFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Worm propagation via wearable
Attacker
INJECT MALICIOUS CODE
IoT is infected
Victim’s laptop
PROPAGATEINFECT PC
More IoT, computers...PROPAGATE
Defcamp November 2016 - A. Apvrille 29/33
Malware of (Every)Things
So far, we have had malware on complex IoT
Prediction: we will have them everywhere
They have a firmware. They can have a malware ;)
Defcamp November 2016 - A. Apvrille 30/33
Malware of (Every)Things
So far, we have had malware on complex IoT
Prediction: we will have them everywhere
They have a firmware. They can have a malware ;)
Defcamp November 2016 - A. Apvrille 30/33
Outline
1 Introduction
2 Ransomware on IoT
3 Trojans on IoT
4 SMS Dialer on IoT
5 Spyware on IoT
6 Existing IoT malware
7 Future
8 Conclusion
Defcamp November 2016 - A. Apvrille 31/33
References
I Reversing Internet of Things from Mobile Applications,presented at AREA 41, 2016
I Is Ransomware Coming to IoT? by Candid Wuest(Symantec), presented at Insomni’hack, 2016
I Mirai: source code, analysis, protocol
I Thermostat Ransomware: a lesson in IoT security by KenMunro, August 2016
I IoT Goes Nuclear: Creating a ZigBee Chain Reaction by EyalRonen et al - worm propagation with ZigBee on Philips Huelightbulbs - 2016
I SDK: Sony Smart Watch, Recon Instruments
I Videos: Remotely controlling a toothbrush, Fitness trackerhacking
Defcamp November 2016 - A. Apvrille 32/33
Thanks for your attention!
PowerPoint slides? No way! This is LATEX/ Beamer
Defcamp November 2016 - A. Apvrille 33/33