2 HoneyHouse: A Damn Vulnerable Home Automation System
Name: Peter Ouma. Information Security Analyst, TESPOK – iCSIRT; Web Security Consultant, FocWeb Technologies; Graduate Architect, Urban Savannah Design Studios. LinkedIn profile: http://ke.linkedin.com/in/ptrouma

3 LEGAL DISCLAIMER It is recognized that the deployment of honeypots and their use to gain attacker techniques raise both legal and privacy concerns... Therefore, information and techniques gathered through the deployment of the honeypots do not fall under entrapment and did not require legal consent, since they are for informational and research purposes only. Additionally, no remote system's confidentiality, integrity or availability was intentionally affected during the course of the research.

4 WHAT IS A HONEYHOUSE? HoneyHouse: a coined word, the intersection of 3 disciplines (home automation, honeypot concepts, log analysis).
Home Automation – Involves the control and automation of systems such as ventilation, lighting, security and appliances in a home environment, to benefit residents and enable efficiencies.
Honeypot Concept – A honeypot is an internet-connected device/server acting as a decoy to lure potential attackers so as to study their actions and techniques, with a goal towards defending critical assets.
Log Analysis – The attempt to make sense of computer-generated records by use of statistical and data visualization techniques.

5 THE SETUP
Core requirements – internet connection without ISP filtering, home router with WiFi capability, a physical server with virtualization software, honeypot software, log analysis/management stack, etc.
Other requirements – USB modem for SMS alerts, Android apps for device control, network monitoring software, open source home automation frontend.
Core devices – home router, Raspberry Pi, IP camera, Z-wave controller, Z-wave light bulb, Z-wave wall plugin.
Figure: Physical devices acquired for the setup; home router, Z-wave wall plugin, Foscam camera, Z-wave USB controller and Raspberry Pi.

6 THE SETUP
Other devices – virtualized devices include home routers, DVRs, popular webcams, a serial-to-Ethernet bridge, etc.
Challenges – how to securely segregate 3 networks while allowing attacker access to only a subset of them at a time.
Outcome – 3 logical networks consisting of physical and virtual devices: secure home network, attacker environment and Z-wave network.
Figure: Virtualized devices configured for the setup; Foscam camera, Modbus serial-to-Ethernet bridge, vulnerable Linksys router, BACnet/IP BMD, DVR.

7 THE SETUP Primary access is through the home router. Secure remote access to the network is through a VPN server. All internet traffic hitting the home router externally is channeled towards a DMZ host. Port-forwarding has been done for all unsolicited traffic to specific TCP/IP ports representing virtual and physical devices. Host firewalls and subnetting segregate the 3 networks shown.
Figure: Network topology; secure home network, DMZ network, Z-wave network. Diagram labels: Internet, DMZ host, Honeypot, Secure home network, Logs server, Device 2, Device 3, Device 4, WiFi camera, Z-wave controller, Z-wave bulb, Z-wave socket.

8 UTILITY, MOBILITY... Mobile apps enabling access, monitoring, etc...

9 DEMO

10 ATTACK LOCATIONS Geographical locations of IPs connecting to the HoneyHouse over a 24hr period; mainly from China, USA, Russia and Germany.

11 ATTACK STATISTICS Unique connections on the physical and virtual devices over a 1 month period; Telnet and SSH were observed to be the most prominent.

12 ATTACK TYPES Observed attempted logins and bruteforce attacks; top section: DMZ; middle section: SSH services; bottom section: Telnet.

13 ATTACK TRENDS Attack logs collected and indexed for search/statistics; an average of 5,000+ connection attempts from all the honeypots over a 24hr period.

14 ATTACK TRENDS Search on successful logins to decoy smart devices; an average of 150+ successes and interactions over a 24hr period.
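The log analysis behind slides 11 to 14 (unique sources per exposed service, successful logins to decoys, and bruteforce sources) can be reproduced with a small parser. This is an added example, not code from the HoneyHouse project; the log line format and the sample lines are constructed for illustration, and a real deployment would feed it the honeypot's own records.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed format (not real HoneyHouse output):
# "<timestamp> <service> src=<ip> user=<name> pass=<pw> result=<ok|fail>"
SAMPLE_LOG = """\
2017-03-01T00:01:05Z telnet src=203.0.113.7 user=root pass=root result=fail
2017-03-01T00:01:09Z telnet src=203.0.113.7 user=root pass=admin result=fail
2017-03-01T00:01:12Z telnet src=203.0.113.7 user=admin pass=admin result=ok
2017-03-01T00:02:11Z ssh src=198.51.100.23 user=admin pass=admin result=fail
2017-03-01T00:02:12Z ssh src=198.51.100.23 user=admin pass=1234 result=fail
2017-03-01T00:02:14Z ssh src=198.51.100.23 user=root pass=root result=fail
2017-03-01T00:03:40Z telnet src=192.0.2.55 user=root pass=12345 result=ok
2017-03-01T00:04:01Z ftp src=192.0.2.55 user=anonymous pass= result=ok
2017-03-01T00:05:30Z ssh src=198.51.100.88 user=user pass=user result=fail
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<service>\S+) src=(?P<src>\S+) '
    r'user=(?P<user>\S*) pass=(?P<password>\S*) result=(?P<result>ok|fail)$'
)

def parse_log(text):
    """Parse log text into event dicts; malformed lines are skipped, not fatal."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def unique_sources_by_service(events):
    """Slide 11 metric: number of distinct source IPs seen per exposed service."""
    seen = defaultdict(set)
    for e in events:
        seen[e['service']].add(e['src'])
    return {svc: len(srcs) for svc, srcs in seen.items()}

def successful_logins(events):
    """Slide 14 metric: (src, service, user) for logins that reached a decoy."""
    return [(e['src'], e['service'], e['user']) for e in events if e['result'] == 'ok']

def bruteforce_sources(events, threshold=3):
    """Slide 12: (src, service) pairs with at least `threshold` failed attempts."""
    fails = Counter((e['src'], e['service']) for e in events if e['result'] == 'fail')
    return sorted(key for key, n in fails.items() if n >= threshold)

def top_credentials(events, n=3):
    """Most-tried username/password pairs, whether or not they succeeded."""
    return Counter((e['user'], e['password']) for e in events).most_common(n)

EVENTS = parse_log(SAMPLE_LOG)
```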

15 ATTACK DETAILS The majority of the attacking IPs are part of an existing botnet of compromised devices and vulnerable Windows machines, with, for example, Telnet running. We managed to telnet to a number of these devices; some allow anonymous logins, so no attack was done from our end. Through this, we obtained malicious files for further analysis. Most of these files consist of web/bash scripts for command and control, binaries targeting various device architectures and executables for bitcoin mining.
Figure: Anonymous FTP server with malicious files.

16 ATTACK DETAILS SCENARIO: The attacker automates vulnerability scanning and adds devices/machines to the botnet. Machines/devices have different functions; some host malicious software to be downloaded by other compromised devices, others serve as command and control. Compromised machines join IRC channels to get commands, for example to DDoS, to carry out further bruteforce attacks or vulnerability scanning, and the cycle continues.
Figure: Obtained malicious scripts for carrying out attacks on devices.

17 DEMO

18 ATTACK SUMMARY Most of the attacks on smart devices target services left open and unsecured to the internet (Telnet, FTP and SSH) through bruteforce login attempts. The most targeted devices are home routers, DVRs, IP surveillance cameras and microcontrollers that allow default usernames and passwords. The IPs targeting vulnerable devices are compromised machines/devices that are mostly part of a Mirai botnet variant. Compromised Windows machines are also increasingly being used to facilitate bruteforce login attempts, command and control, distribution of malicious code, etc. Attackers are constantly updating their list of targeted devices, username/password combinations and exploit code to accommodate the latest vulnerabilities.

19 SECURITY RECOMMENDATIONS
Do not allow access to your device from outside of your local network unless you specifically need it to use your device. If remote access is necessary, use a VPN.
Disable all network services that you don't need to use on your device/machine.
Before you start using your device, change the default password and set a new strong password. Review this password periodically to avoid compromise.
If the device has a preconfigured or default password that you cannot change, or a preconfigured account that you cannot deactivate, then disable the network services where they are used, or disable access to them from outside the local network.
Regularly update your device's firmware to the latest version (when such updates are available).


21 THANK YOU Any Questions?