Outsmarting IoT Defenses: The Hacker Perspective - IoT Tech Expo 2022

SternumIoT
October 11, 2022

Another day, another vulnerability, another patch... and round n' round it goes.
But what if there is a way out of the loop?
Natali Tshuva, founder and CEO of Sternum IoT, takes you through the looking glass, showing you what could be learned by looking at the cat-and-mouse game from the hacker's perspective.

Transcript

  1. Outsmarting IoT Defense: The Hacker’s Perspective
    IoT Tech Expo Europe | Amsterdam August 2022

  2. My Background
    Natali Tshuva
    CEO & Co-Founder
    Sternum
    Computer Scientist (age 14)
    Reverse Engineer
    Unit 8200 (Israel NSA)
    Exploit Designer
    Inventor of patented technology I can’t exploit
    Company Founder
    CEO of growing company

  4. THE RISE OF IoT

  5. The Rise Of IoT
    1.5 Billion: IoT device breaches in 6 months
    127 New Devices: IoT devices connect to the internet every second
    $1.1 Trillion: Global IoT security spending by 2023
    Source: IoT Analytics, Gartner, Statista

  6. Extremely Difficult to Protect & Observe
    High Diversity: Operating Systems, Communication Protocols, Hardware, Old/Existing/In-dev Devices
    3rd Party Dependencies: 3rd Party Libraries, Closed-Sourced Components, Communication Modules, Homegrown Code
    Limited Resources: Compute, Memory, Battery, Bandwidth

  7. IOT DEVICES - VULNERABLE & CONSEQUENTIAL ASSET
    ENTERPRISE
    DEVICE MANUFACTURERS
    INFRASTRUCTURE

  8. RASP – Runtime Application Self Protection.
    VULNERABILITIES ARE INEVITABLE AND ENDLESS.

  9. 2000~: New CVEs Each Month
    70%: Patch Tuesdays Due To Memory Vulnerabilities
    58%: Companies Have A Publicly Available Exploit.
    15: Vulnerabilities Per 1000 Lines Of Code
    Many Third-party Code Vulnerabilities Left Undiscovered By Static Analysis Tools

  10. RASP – Runtime Application Self Protection.
    I KNOW A VULNERABILITY EXISTS.

  13. My way in.
    Target: LARGE VOLUME OF DEVICES; ONE SPECIFIC COMPANY
    Way In: 3rd-party Vulnerability; Reversing One Targeted Device
    Examples: Openssl, TCP/IP, BT Libraries, OS’s; Schneider Electric APC (TLStorm), VERKADA hack, CISCO business router
    Outcome
    ● Ransomware
    ● Network Breach
    ● APT
    ● Reputation Damage
    ● Intelligence
    ● IP Theft
    ● Cryptomining
    ● Power Play

  14. Many Attack Vectors
    Chip level vulnerabilities
    3rd party Code Vulnerabilities
    Protocol vulnerabilities
    Network Vulnerabilities
    Mobile App vulnerabilities
    Vulnerable connected devices: Smart Camera, Insulin Pump

  15. Hacker Defender

  16. Hacker View: Cisco Router
    CISCO RV340 BUSINESS CLASS ROUTER
    CVE-2022-20699 STACK OVERFLOW VULNERABILITY
    Exploit publicly available
    Direct access from the Internet
    HACKER ON THE INTERNET
    Complete takeover on the VPN/Gateway
    ACCESSES THE NETWORK AND DEVICES
    FULL ENTERPRISE NETWORK EXPOSED
    CHANGE CONTROLS
    LATERAL MOVEMENT
    RANSOMWARE
    DISRUPT SERVICE
    No prevention on-device. No search for indicators of attack.
    LIMITED OPTIONS: REACT. PATCH.
    Exploitation Video: https://youtu.be/O1uK_b1Tmts

  17. SAME STORY. DIFFERENT DEVICE.

  18. Hacker View: Video Recorder
    Enterprise Video Recorder
    HACKER ON THE INTERNET
    Zero-Day Exploit
    ACCESS TO SENSITIVE ENTERPRISE DATA (BOARD/MANAGEMENT MEETINGS)
    CHANGE CONTROLS
    LATERAL MOVEMENT
    RANSOMWARE
    DISRUPT SERVICE
    Exploitation – No prevention on-device. No search for indicators of attack.
    LIMITED OPTIONS: REACT. PATCH.

  19. Hacker View: Take over access controls
    Target: HID Mercury Access controllers (CVE-2022-31481)
    *REAL-LIFE EXAMPLE*
    RS-485
    IP Network
    Vulnerable Access Controller, e.g. HID Mercury LP1501
    Other Access Controllers
    Access Control Server
    “Trellix noted that by chaining two of the aforementioned weaknesses, it was able to gain root-level privileges on the device remotely and unlock and control the doors, effectively subverting the system monitoring protections.”

  20. Current Approaches
    Reactive. Imposing. Not Holistic.
    Patching is Reactive & Costly but Can’t Safeguard
    Static Analysis Finds Only 50% of Vulnerabilities
    “Usually there are much simpler ways of penetrating the security system[…] than cracking the crypto” Adi Shamir

  21. RASP – Runtime Application Self Protection.
    We Can’t Fight Vulnerabilities.
    But We Can Fight Exploits In Real-time.

  22. IT IS WHEN AN ATTACKER WALKS THE INEVITABLE PATH OF EXPLOITATION

  23. EVERY VULNERABILITY IS DIFFERENT, EXPLOITATIONS SHARE A UNIQUE FINGERPRINT

  24. Exploitation Fingerprint™ Patented Technology
    Memory override (stack, heap, data, overflow)
    Manipulation of execution flow
    Command Injection
    Information leak
    Injection of malicious code
    Sternum Is Uniquely Able to Deliver Benefits of EPP/XDR & RASP

  25. Hacker Defender

  26. Defender View
    Power Flips.
    CVE-2022-20699 STACK OVERFLOW VULNERABILITY
    Exploit publicly available
    HACKER ON THE INTERNET
    Exploitation Fingerprint:
    Memory corruption
    Command Injection
    Manipulation of execution flow
    Information leak
    Injection of malicious code
    Real-time monitoring
    Anomaly detection
    NO REACTION REQUIRED
    NOTIFICATION SENT
    FORENSICS SHARED
    VISIBILITY INTO BIGGER PICTURE
    DEVICE INTEGRITY MAINTAINED

  27. BRINGING INDUSTRY STANDARDS TO IOT.
    RASP*.
    EDR.
    ZERO-DAY PROTECTION.
    Be Ahead Of Attacker.
    Real-time.
    On The Edge.
    No Patching Needed
    Implementation On New And Legacy Devices

  28. A REAL WORLD ATTEMPT TO EXPLOIT AN IOT DEVICE

  29. SEE US IN ACTION BOOTH #228
    [email protected]

  30. Thank You IoT Tech Expo Europe 2022
    [email protected]

  31. SEE HOW WE STOP IT
    CLICK TO DEPLOY

  32. Thank You Hexacon 22
    [email protected]
