#RSAC

SESSION ID: HTA-F02

EXFILTRATING DATA THROUGH IOT

Mike Raggo Chet Hosmer

CSO & Threat Research Founder
802 Secure, Inc. Python Forensics, Inc. A Non Profit Research Ins1tute
@DataHiding @MikeRaggo @PythonForensics
Speaker IntroducIon
#RSAC

Mike Raggo Chet Hosmer

Mike Raggo is Chief Security Officer at 802 Secure and Is an interna1onal author, educator & researcher, and
has over 20 years of security research experience. founder of Python Forensics, Inc., a non-profit research
ins1tute focused on the collabora1ve development of
His current focus is wireless IoT threats impac1ng the open source inves1ga1ve technologies using the Python
enterprise. Michael is the author of “Mobile Data programming language.
Loss: Threats & Countermeasures” and “Data Hiding”
for Syngress Books, and contribu1ng author for - A Visi1ng Professor at U1ca College in the
“Informa1on Security the Complete Reference 2nd Cybersecurity Graduate Program, where his research
and teaching is focused on data hiding, ac1ve cyber
Edi1on”. defense and security of industrial control systems.

A former security trainer, Michael has briefed - Adjunct Professor at Champlain College in the Digital
interna1onal defense agencies including the FBI and Forensics Graduate Program, where his research and
Pentagon, and is a frequent presenter at security teaching is focused on solving hard digital inves1ga1on
problems using the Python programming language.
conferences, including Black Hat, DEF CON, Gartner,
DoD Cyber Crime, OWASP, HackCon, and SANS.

2
“Apply” Slide
#RSAC

•  Our role is to provide insights based on our research/analysis of data

exfiltraIon vulnerabiliIes found in IoT protocols (i.e. SSDP, P25, Zigbee, Z-
Wave, WiFi, uPnP). With an eye toward miIgaIng weaknesses in current
protocols and to impact future protocol designs to eliminate them.
•  From a student perspecIve we hope to first make you aware of these
vulnerabiliIes and weaknesses. Then more specifically delve into the details
and demonstrate data exfiltraIon using IoT protocols.
•  The applicaIon of this knowledge will allow you to assess and miIgate these
risks as you integrate IoT technologies into your producIon systems, as well
as making informed decisions regarding IoT device and protocol selecIon.

3
 #RSAC

What’s really different about IoT?

IoT is more than smart devices
#RSAC

DetecIng ExfiltraIon on the DetecIng ExfiltraIon in an IoT World

Wire - Old School

IoT exfiltration is easy - No one is monitoring!

5
ExfiltraIon
Methods
Zero Configuration
Devices
Are obscured from
normal network
operaIons - can operate
autonomously outside
the scope of the
enterprise network.
6
#RSAC
Protocol Limitations
Many IoT protocols lack
even basic authenIcaIon,
integrity and privacy
consideraIons.
Supply Chain Integrity
Data is back channeled to
remote country or close
proximity listening staIons.
CommunicaIon is
obfuscated by the cloud or
the use of alternate
protocols and frequencies.
Smart Watch ExfiltraIon
#RSAC

Tested 4 Smartwatches
Apple Watch, Samsung Gear 2 Neo, Moto 360, U8

Samsung Apple U8 Nucleus Android Wear

Tizen watchOS (Moto 360)

7
Smart Watch ExfiltraIon
#RSAC

•  U8 Nucleus Smart Watch found to be sending data through the app on the
mobile device to a random IP in China, over an encrypted channel

•  Samsung Gear 2 Neo found with no password and allowed remote privilege
escalaIon (disclosed to Samsung and now patched)
•  HackCon Norway, BSidesSF, DEF CON Demo Lab demonstrated SWATtack -
python tool for exploiIng smartwatches

8
IoT Hubs and ExfiltraIon
#RSAC

•  Many IoT devices and IoT Hubs now have USB ports for data backup
•  New USB backup flash drives support Wireless (WiFi, BT, etc.)
Z-Wave Hub with
Ethernet and USB Ports

EXFIL - Steal and exfiltrate surveillance

files, data, videos, etc. Nothing seen on
the corporate WiFi or Wired Network

9
Windows Virtual WiFi (7, 8, & 10)
#RSAC

•  This is naIve to Windows operaIng system. In all

versions of Windows 7, 8, & 10
•  Setup at the DOS Prompt
•  Share either a Wired or Wireless connecIon
The user can share their own desktop (like So)AP, not
ad-hoc network)
•  And the user can share their network connecIon with
others - USING THE SAME WiFi CARD!
•  Corporate wireless network may use authenIcaIon and
encrypIon
•  BUT the user can share that connecIon with others,
allowing those users to connect to the corporate
network with weaker authenIcaIon & encrypIon, or
OPEN!!!

10
Wireless Rogues on Network - Virtual WiFi
#RSAC

Passerby
Hacker in
Contractor or Friend Parking Lot

Windows 10 Virtual WiFi OPEN - EXFIL!!!

Approved laptop with
built-in Rogue AP
(hidden) Sanctioned
Access Point

INTERNET

Users

11
Wireless Rogues on Network - Virtual WiFi
#RSAC

Passerby
Hacker in
Contractor or Friend Parking Lot

OPEN - EXFIL!!!
Windows 10 Virtual WiFi
Rogue AP on Wireless
Sanctioned
Access Point

INTERNET

Users

12
Nearby IoT Threats - Drones
#RSAC

•  Video and Audio Surveillance, Wireless surveillance

•  Drop cellphones, pathogens, baeery operated spy cameras
•  Consumer drones pair via WiFi (Virtual AP) with smartphones and tablets
•  Most organizaIons blind to threat (1-2 per day, 3-7 per week)

13
Drones
#RSAC

14
Drones
#RSAC

•  Forensics/DetecIon - who, what, when, where, how

15
IoT Protocol ExfiltraIon
#RSAC

16
ExploiIng Lack of Integrity in IoT Protocols
#RSAC

•  What - Many devices support UPnP to allow an app or other devices to

discover other devices (M2M)
•  Sends mulIcast packets broadcasted to local network
•  SSDP UPNP - Simple Service Discovery Protocol (Part of Universal Plug and
Play)
•  M-SEARCH - Discover packet sent by app or another device
•  NOTIFY - Device announces itself on the network, rouInely, and also when
it leaves

17
ExploitaIon of SSDP - ULA OPT Field
#RSAC

•  ULA OPT FIELD

•  Unique Local Addresses - Site-Routable
•  Used in NOTIFY and M-SEARCH messages
•  For use in IPv4 and IPv6 (for backward compaIbility)
Reference: hep://upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1-AnnexA.pdf

18
 UDP - ExploitaIon of SSDP
#RSAC

Our Target

19
UDP - ExploitaIon of SSDP
#RSAC

•  Modify SSDP OPT Field with Hidden Message, URL, etc.

•  Covert communicaIons, dead drop, malware callback to CnC for updates,
etc.

20
Covert UDP - SSDP
#RSAC

Two-way conversations using

SSDP to hide content (M2M)
1.  Smart Plug sends M-Search
2.  M-Search packet embeds hidden
message/content or CnC URL in
OPT field
3.  Received by other IoT devices on
network 4.  Smart TV receives M-Search
packet and responds
5.  NOTIFY packets send a packet
back with embedded response

21
IoT Device CriIcal ConsideraIons
#RSAC

22
 #RSAC

ExfiltraSon Demo
ExfiltraIon Case Study and Demo
#RSAC

•  ExfiltraIon Example
•  Typical Broadcast Message
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \
'ST:upnp:rootdevice\r\n' \
'MX:2\r\n' \
'MAN:"ssdp:discover"\r\n' \
'\r\n'

24
ExfiltraIon Case Study and Demo
#RSAC

•  ExfiltraIon Example
•  Typical Broadcast Message
•  Broadcast Message Data Appending Example - Simple
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \ Plain-Text
'ST:upnp:rootdevice\r\n' \
'MX:2\r\n' \
InserIon
'MAN:"ssdp:discover"\r\n' \
‘Hello World\r\n'

25
ExfiltraIon Case Study and Demo
#RSAC

•  ExfiltraIon Example
•  Typical Broadcast Message
•  Broadcast Message Data Appending Example - Obfuscated
broadCastMsg = \
'M-SEARCH * HTTP/1.1\r\n' \
'HOST:192.168.86.115:1900\r\n' \ Index to
'ST:upnp:rootdevice\r\n' \ pre-exchanged
'MX:2\r\n' \ lookup table
'MAN:"ssdp:discover"\r\n' \
‘894629\r\n'

26
Python Script to Exfiltrate Data using SSDP
#RSAC

27
PrescripIon for beeer non-Exfil Hygiene
#RSAC

•  Monitor for anomalous network behaviors - wired AND wireless!!!

•  Strange outbound desInaIons, and from what IoT source internally
•  DetecIon of odd (non-WiFi) frequencies and protocols (BT, Zigbee, etc.)
•  Out-of-band & off network WiFi connecIvity
•  Monitor for neighboring IoT threats
•  Drones, spy cameras, wireless aeacks
•  Monitor wired “and” wireless security postures across Enterprise Network
and IoT/IIoT autonomous network deployments
•  MisconfiguraIons
•  State change of devices
•  Cloud connecIons and Outbound Data Storage from IoT devices

28
Thank You!
#RSAC

Michael Raggo Chet Hosmer

@MikeRaggo @PythonForensics
www.802secure.com www.python-forensics.org

29