Advanced Persistent Threats Attack on Internet of Things

Jianpeng Mo, Sr. Director of Software Engineering, OPSWAT

Advanced Persistent Threats (APTs) are well understood among cyber security professionals with respect to the risks they pose to the enterprise workstation space. However, extending this concept to the Internet of Things (IoT) brings attack efficiency to the next level. It highlights the difficulty of detecting and preventing APTs for a security solution in a complex environment. Up until now, device profiling combined with behavioral monitoring solutions has represented the best APT prevention weapon for the world of IoT. But these technologies are far from mature enough to fight effectively against IoT APTs.

The first challenge these threat prevention systems face is how to classify a given device. Is it a user workstation, a thermostat, a Kinect sensor or something else? A preliminary question is whether the device is truly what it claims to be. Monitoring the device’s network connections, tracking its broadcast messages and inspecting its ongoing traffic packets provide clues to the device type, but relying on these indicators alone is not sufficiently reliable. Any widespread APT is likely developed and supported by an experienced hacker organization. Such malware can specifically target only certain IoT environments and randomly initiate network traffic to valid domains and fake web-surfing actions.

Secondly, remediation is another roadblock. Even after an APT is detected, there are only limited options for remediating a compromised device. For example, device quarantine may not be a viable remediation in the IoT world. Think of a cardiac pacemaker. It is not realistic to quarantine it, whether or not it has an APT on it, without serious inspection of the current state of the device. Although it is possible to downgrade the suspicious IoT device’s network profile and keep it relatively isolated in a mini subnet, such devices may still have live connections. Another interesting point concerns zero-day vulnerabilities. The average firmware patching cycle of the top IoT market vendors, including Intel, GE, Samsung, etc., is around 13 calendar days. Such an update frequency is not sufficient relative to currently accepted cyber security best practices. It means an APT can potentially survive for nearly 2 weeks after its “free-to-pass” vulnerability has been identified and patched.

Last but not least, user setup is another dangerous catalyst for an IoT device. IoT devices also need strong passwords to fight against APTs. Generic default credentials shipped with IoT devices act like “poison candy” to the system: the simplicity they provide for user convenience creates a high chance that the device becomes part of a destructive botnet. According to a recent article on, there are only 144 unique username-password combinations in the exploited 8,233 IoT devices. A brute-force attack may take less than 10 seconds to get through these kinds of simple credentials. Pairing an APT with a remote code execution payload and then turning the target IoT devices into a powerful denial-of-service platform is not cutting-edge technology. With commonly available and well-developed hacker toolkits, an average computer user is now capable of deploying an APT onto any IoT device that has a simple login.

In this paper, we take a deep dive into the challenges mentioned above and then follow with a demo of exploiting 2 different cameras with an APT that leverages a known vulnerability in their firmware.

Jianpeng Mo

Jianpeng Mo joined OPSWAT in 2011 and works as Sr. Director of Software Engineering. He leads OPSWAT’s development teams for the device compliance management solutions MetaAccess and OESIS Framework. He specializes in developing modern concept products and in leading engineering groups in solving unique and difficult technical problems. Jianpeng received his M.S. from New York University with a major in Electrical Engineering. He has been granted 6 U.S. patents in the areas of device encryption, network access control and vulnerability assessment.