
The Connected World has been disconnected: Survival Guide in IoThreats Era

Nobody cares about their own smart-home security, and nobody seems to care about smart-city threats that affect billions of people. But what about threats in connected medicine that can change a patient's life? Based on research into various smart-city and connected medical devices, this session offers a guide that answers one question: how do you survive in the connected world?

Denis Makrushin

February 15, 2017

Transcript

  1. SESSION ID: SBX2-W5 #RSAC Denis Makrushin, Security Researcher, Kaspersky GReAT, twitter.com/makrushind. The Connected World has been disconnected: Survival Guide in IoThreats Era
  2. Internet-of-Things or Internet-of-Threats?
  3. You're a Hero. And it's not a Game.
  4. My home is my castle, isn't it?
  5. My home is my castle, isn't it? Show me. Nope: “port:554 has_screenshot:true” (a Shodan search for RTSP cameras from which a frame could be grabbed without credentials)
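
What the “has_screenshot:true” filter is matching on, shown as an added example that is not part of the deck: an RTSP DESCRIBE sent with no credentials, the first request any RTSP client (a crawler included) makes before it can fetch a frame. classify() runs on two constructed responses; probe() sends the same request to a camera you own (the address is a placeholder). A 401 settles the question; a 200 on DESCRIBE is a strong sign the stream is public, although some cameras only challenge at SETUP/PLAY, so a PLAY attempt is the final check.

```python
"""Added example (not from the talk): does an RTSP camera hand out its stream
description to an anonymous client? The camera address in main() is a placeholder."""
import socket


def build_describe(url: str, cseq: int = 1) -> bytes:
    """RTSP/1.0 DESCRIBE request (RFC 2326) with no Authorization header on purpose."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check\r\n"
        "\r\n"
    ).encode("ascii")


def parse_response(raw: bytes):
    """Split an RTSP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    version, code, _reason = lines[0].split(" ", 2)
    if not version.startswith("RTSP/"):
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(code), headers, body


def classify(raw: bytes) -> str:
    """Reduce the camera's answer to the one fact that matters."""
    code, headers, body = parse_response(raw)
    if code == 200 and b"m=video" in body:
        return "OPEN"            # SDP with a video track served to an anonymous client
    if code == 401:
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0] or "unknown"
        return f"AUTH:{scheme}"  # credentials required (default credentials are a separate question)
    if code == 404:
        return "NOSTREAM"        # wrong path; try the vendor's stream path before concluding
    return f"OTHER:{code}"


def _recv_rtsp(sock: socket.socket) -> bytes:
    """Read the header block, then Content-Length bytes of SDP body."""
    raw = b""
    while b"\r\n\r\n" not in raw:
        chunk = sock.recv(4096)
        if not chunk:
            return raw
        raw += chunk
    head, _, body = raw.partition(b"\r\n\r\n")
    want = 0
    for line in head.split(b"\r\n"):
        if line.lower().startswith(b"content-length:"):
            want = int(line.split(b":", 1)[1])
    while len(body) < want:
        chunk = sock.recv(4096)
        if not chunk:
            break
        body += chunk
    return head + b"\r\n\r\n" + body


def probe(host: str, port: int = 554, path: str = "/", timeout: float = 3.0) -> str:
    """Connect, send DESCRIBE, classify. Only point this at cameras you own."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        return classify(_recv_rtsp(sock))


# Constructed responses (not captured from a real camera) showing both outcomes.
OPEN_SAMPLE = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 54\r\n\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\nm=video 0 RTP/AVP 96\r\n"
)
AUTH_SAMPLE = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="0a1b2c"\r\n\r\n'
)

if __name__ == "__main__":
    print(classify(OPEN_SAMPLE), classify(AUTH_SAMPLE))
    # print(probe("192.0.2.10"))   # placeholder: your own camera's address
```

An "AUTH:Digest" result only says the camera asks; a camera still on its factory password is on the list in everything but the screenshot.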
  6. The Cyber Jungle starts right here: BMS (building management systems)
  7. If you're going to San Franciscoooo…oops
  8. Public terminals vulnerability assessment
  9. Parking terminal: the full-screen app. The full-screen application contains a Google widget without any customization. Let's try to escape.
  10. How did you do it, David Blaine?! The street magic, baby: 1) Browser properties 2) Control Panel 3) Virtual keyboard 4) whoami :)
  11. Keep calm and save the World!

    Developer/Administrator: customize all third-party components; don't run with administrative privileges; restrict access to the Internet; Default Deny (block everything that is not whitelisted).
    User: Run from the terminal! Don't trust the public device; in any case, don't enter your personal/payment data. Found a bug? Send the report.
  12. Post-exploitation scenario: 1) Application dump with clients' data and transaction logs 2) Social engineering (phishing, advertising, “Congrats, you've won the money, send us an SMS…”) 3) Botnet for DDoS attacks, bitcoin mining, the search for extraterrestrial civilizations
  13. A little more smart touch… worldwide!
  14. A little more smart touch… worldwide! (video demo)
  15. How to live with that

    Developer/Administrator, think outside the box: don't run with administrative privileges; restrict access to the Internet; Default Deny (block everything that is not whitelisted).
    User: Run from the terminal! Don't trust the public device; in any case, don't enter your personal/payment data. Found a bug? Send the report.
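
The “restrict access to the Internet” and “Default Deny” bullets on this slide and on the earlier “Keep calm and save the World!” slide, expressed as code. This is an added example, not from the talk: a destination allowlist for the parking terminal's embedded widget, first as the substring match that is commonly written and then as a genuine default deny. Hostnames are placeholders. The check belongs in the proxy or firewall policy the kiosk account is forced through, not only inside the kiosk application, since the escape on the David Blaine slide leaves the application entirely.

```python
"""Added example (not from the talk): default-deny destination allowlist for a kiosk
browser. naive_is_allowed() is the bypassable version, strict_is_allowed() the real one.
ALLOWED_HOSTS and the attempts are placeholders constructed for this example."""
import ipaddress
from urllib.parse import urlsplit

# Placeholder allowlist: the only destinations the parking app should ever load.
ALLOWED_HOSTS = {"maps.example.com", "pay.kiosk.example"}


def naive_is_allowed(url: str) -> bool:
    """Substring match. Bypassable; kept here to show why."""
    return any(host in url for host in ALLOWED_HOSTS)


def strict_is_allowed(url: str) -> bool:
    """Default deny: anything not provably an allowed https origin is refused."""
    try:
        parts = urlsplit(url)
        if parts.scheme != "https":
            return False            # http:, file:, javascript:, about: are all denied
        if parts.username is not None or parts.password is not None:
            return False            # https://maps.example.com@evil.example/
        host = parts.hostname       # lower-cased by urlsplit
        if not host:
            return False
        if parts.port not in (None, 443):
            return False            # no alternate ports
        try:
            ipaddress.ip_address(host)
            return False            # IP literals never match a name allowlist
        except ValueError:
            pass
        return host.rstrip(".") in ALLOWED_HOSTS   # 'maps.example.com.' is the same name
    except ValueError:
        return False                # an unparsable URL is denied, not allowed


# Constructed attempts a bored user might type into the widget's address bar.
ATTEMPTS = [
    "https://maps.example.com/",
    "https://MAPS.EXAMPLE.COM/",
    "https://maps.example.com./",
    "https://maps.example.com.evil.example/",
    "https://maps.example.com@evil.example/",
    "https://evil.example/?next=https://maps.example.com/",
    "https://maps.example.com:8443/",
    "http://maps.example.com/",
    "file:///C:/Windows/System32/?maps.example.com",
    "https://192.0.2.1/",
]


def compare(urls=ATTEMPTS):
    """URLs the naive filter lets through that the strict one refuses."""
    return [u for u in urls if naive_is_allowed(u) and not strict_is_allowed(u)]


if __name__ == "__main__":
    for u in ATTEMPTS:
        n = "naive " if naive_is_allowed(u) else "      "
        s = "strict" if strict_is_allowed(u) else "      "
        print(n, s, u)
```

Note that the substring version also fails closed on the legitimate upper-case URL, which is how such filters get loosened in production until they let everything through.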
  16. Getting the road devices' data
  17. “Somebody's watchin' me” (c) traffic cameras: 1) Traffic volume data 2) Car pattern data 3) Geolocation
  18. How to live with that

    Developer/Administrator: encrypt all wireless connections; don't run with administrative privileges; restrict access to the Internet; Default Deny (block everything that is not whitelisted).
    User: found a bug? Send the report (if this is an interactive device). In any case, don't enter your personal/payment data.
  19. Connected Medicine: Diagnostic Device #1 (MR), Diagnostic Device #2 (CT) and Diagnostic Device #3 (Cardiograph), each connected over DICOM (diagram).
  20. The Shodan search “DICOM port:104” returned 1,344 results.
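
What one of those 1,344 results actually is, as an added example that is not from the talk: a minimal A-ASSOCIATE-RQ for the Verification SOP class and a parser for the SCP's answer, written from the DICOM upper-layer PDU format (PS3.8). The handshake carries no credentials, only two 16-byte AE titles, so an association accepted for a made-up calling AE title means the PACS talks to any peer that can reach the port; what it lets that peer do afterwards (C-FIND, C-MOVE) depends on the SCP's configuration and is not exercised here. IMPL_CLASS_UID and the addresses are placeholders; the A-ASSOCIATE-AC and A-ASSOCIATE-RJ samples are constructed, not captured.

```python
"""Added example (not from the talk): the association handshake a "DICOM port:104"
search matches on, written from the DICOM upper-layer PDU format (PS3.8). Nothing in
it authenticates the peer; only two 16-byte AE titles are exchanged. Addresses and
IMPL_CLASS_UID are placeholders."""
import socket
import struct

APP_CONTEXT = "1.2.840.10008.3.1.1.1"    # DICOM application context name
VERIFICATION_SOP = "1.2.840.10008.1.1"   # Verification SOP class (C-ECHO)
IMPLICIT_VR_LE = "1.2.840.10008.1.2"     # default transfer syntax
IMPL_CLASS_UID = "1.2.3.4.5.6.7.8.9"     # placeholder, not a registered UID


def _item(item_type: int, payload: bytes) -> bytes:
    """UL item or sub-item: type, reserved byte, big-endian 16-bit length, payload."""
    return struct.pack(">BBH", item_type, 0, len(payload)) + payload


def _ae(title: str) -> bytes:
    """AE titles are exactly 16 bytes, space padded."""
    return title.encode("ascii")[:16].ljust(16)


def build_associate_rq(called_ae: str, calling_ae: str) -> bytes:
    """A-ASSOCIATE-RQ (PDU type 1) proposing one context: C-ECHO over Implicit VR LE."""
    pres_ctx = _item(0x20, bytes([1, 0, 0, 0])                 # context id 1, reserved
                     + _item(0x30, VERIFICATION_SOP.encode())
                     + _item(0x40, IMPLICIT_VR_LE.encode()))
    user_info = _item(0x50, _item(0x51, struct.pack(">I", 16384))   # max PDU length
                      + _item(0x52, IMPL_CLASS_UID.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae(called_ae) + _ae(calling_ae) + bytes(32)
            + _item(0x10, APP_CONTEXT.encode()) + pres_ctx + user_info)
    return struct.pack(">BBI", 0x01, 0, len(body)) + body


def parse_associate_response(pdu: bytes) -> dict:
    """Classify the SCP's first PDU: A-ASSOCIATE-AC (2), A-ASSOCIATE-RJ (3), A-ABORT (7)."""
    pdu_type, _, length = struct.unpack(">BBI", pdu[:6])
    body = pdu[6:6 + length]
    if pdu_type == 0x03:
        _, result, source, reason = body[:4]
        # source 1 with reason 3 or 7 = calling/called AE title not recognized:
        # the SCP filters on AE titles, the only gate the upper layer has
        return {"verdict": "rejected", "result": result, "source": source, "reason": reason}
    if pdu_type == 0x02:
        accepted, offset = [], 68   # fixed part: version 2 + reserved 2 + AE 16 + AE 16 + reserved 32
        while offset + 4 <= len(body):
            item_type, _, item_len = struct.unpack(">BBH", body[offset:offset + 4])
            payload = body[offset + 4:offset + 4 + item_len]
            if item_type == 0x21 and len(payload) >= 4 and payload[2] == 0:
                accepted.append(payload[0])   # context id whose result byte is 0 (accepted)
            offset += 4 + item_len
        return {"verdict": "accepted" if accepted else "no-context", "contexts": accepted}
    if pdu_type == 0x07:
        return {"verdict": "aborted"}
    return {"verdict": f"unexpected-0x{pdu_type:02x}"}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed during association")
        buf += chunk
    return buf


def probe(host: str, port: int = 104, called_ae: str = "ANY-SCP",
          calling_ae: str = "PROBE", timeout: float = 5.0) -> dict:
    """Open an association with a made-up calling AE title and report the verdict."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_associate_rq(called_ae, calling_ae))
        head = _recv_exact(sock, 6)
        pdu = head + _recv_exact(sock, struct.unpack(">I", head[2:6])[0])
        verdict = parse_associate_response(pdu)
        if verdict["verdict"] == "accepted":
            sock.sendall(struct.pack(">BBI", 0x05, 0, 4) + bytes(4))   # A-RELEASE-RQ
        return verdict


def constructed_ac(result: int) -> bytes:
    """Constructed A-ASSOCIATE-AC (not a capture) with the context's result byte set."""
    pres_ctx = _item(0x21, bytes([1, 0, result, 0]) + _item(0x40, IMPLICIT_VR_LE.encode()))
    body = (struct.pack(">HH", 1, 0) + _ae("PACS") + _ae("PROBE") + bytes(32)
            + _item(0x10, APP_CONTEXT.encode()) + pres_ctx
            + _item(0x50, _item(0x51, struct.pack(">I", 16384))))
    return struct.pack(">BBI", 0x02, 0, len(body)) + body


# Constructed A-ASSOCIATE-RJ: result 1 (permanent), source 1 (user), reason 7 (called AE title not recognized)
REJECT_SAMPLE = bytes([0x03, 0, 0, 0, 0, 4, 0, 1, 1, 7])

if __name__ == "__main__":
    print(parse_associate_response(constructed_ac(0)), parse_associate_response(REJECT_SAMPLE))
    # print(probe("192.0.2.20"))   # placeholder address: your own PACS, from outside its segment
```

Run probe() against your own PACS from a host outside the medical segment: an "accepted" verdict there means the segmentation the deck recommends later is not in place. A rejection with source 1 and reason 3 or 7 means the SCP at least filters on AE titles, which are short, guessable and sent in clear, so that is a speed bump, not authentication.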
  21. Information for a targeted attack: “medical port:445”. The reconnaissance stage of a targeted attack against a medical institution answers two questions: 1. Which host in the medical infrastructure is the most interesting? 2. Which hotspot could be an entry point to sensitive data?
  22. Where the PACS is, there the patient data is
  23. PACS front-end as an entry point. It shouldn't be online, but: 1) It is 2) It has public vulnerabilities 3) It's open to everyone
  24. What about medical devices? There are two types of medical devices: very expensive and expensive, with a host-oriented connection or a network-oriented connection.
  25. No Ethernet port, no problems, right? NOPE: 1. A compromised perimeter still contains the medical workstations… 2. They have vulnerabilities and backdoors 3. And they run special medical software and drivers
  26. What an adversary can do with Analyzer.exe*: steal all medical information received from the device; spoof all medical information received from the device; change the operating parameters (for ransom purposes?), which would entail costly calibration procedures; or notify you and help you fix the issues ;) (*Analyzer.exe is the software for a diagnostic medical device.)
  27. How to live with that

    Developer/Administrator: don't store data on the medical device, and organize an easy restore point for its software (ransomware mitigation); isolate all medical data storage (DICOM devices, PACS/NAS/FTP servers, even DICOM viewers) in a separate network segment; backup, encrypt, backup…
    User: be healthy.
  28. We still have a “human factor”