Why is security still an after-thought in devices?

Well. It has not been a good week for cyber security.

First Wonga showed that they had little idea of the concepts of encryption and access control, and then we hear that Schneider Electric, who make SCADA (supervisory control and data acquisition) equipment, have hard-coded passwords on one of their logic controllers. In fact, it is burnt into its firmware, and can't even be changed.

This password was used as a decryption key, and was generated by the phrase:

SoMachineBasicSoMachineBasicSoMa

The researchers who found it contacted Schneider Electric, and the company admitted to the failure in the systems. Other companies, too, involved in SCADA systems, such as Siemens, have also been caught doing similar things.

Along with this there have been many discoveries of hard-coded passwords in devices, including in the software used within Cisco Aironet wireless access points, and a password of "12345678" coded into Lenovo's SHAREit file-sharing application. In health care, too, there are many examples of devices with hard-coded passwords: Billy Rios and Terry McCorkle of Cylance found them in over 300 medical devices, across 40 different vendors [here].

A Major Design Flaw

The state of understanding of cryptography in industry is generally weak, and many systems are flawed in the way they integrate it. Companies, for example, often have little idea of where their encryption keys are stored, and who has access to them. There is still a feeling, too, in the design of systems that security is an afterthought ... "we'll build it, and then secure it!".

The great worry, though, is the lack of security of Internet of Things (IoT) devices, such as smart meters. Here it has been proposed that the 53 million smart meters in the UK will share a single decryption key. Anyone who knows anything about cryptography knows that a single decryption key leaves the whole infrastructure open to a wide-scale data breach as soon as that key leaks.

The roll-out is part of an £11bn scheme for smart meters in the UK, and it is thought that it will save consumers around £26 per year, with a £30 cost for a wi-fi enabled energy meter.

With the roll-out of smart meters in the UK, we have fairly sophisticated devices which not only monitor power consumption, but can also be used to control the energy within the home. This would allow power companies to shut off the power supply to those who do not pay their bills.

The design and roll-out of the meters has been riddled with problems, such as the implementation of cryptographic methods with known weaknesses. Overall, the system went for a modified cryptographic implementation rather than standard encryption techniques, and weaknesses have been identified in it.

Luckily, for security, GCHQ has stepped in on the issue and identified the problem, which could have caused chaos. A large-scale hack, for example, could cause the meters to shut down, or even cause power surges which could bring down the energy infrastructure in the UK. The economic effects of a large-scale shutdown of the energy infrastructure in a country would be massive, including the shutdown of data centers, health care facilities, and everything else which relies on electronic communications.

The creation of a secure network is a fairly easy thing to do, and there are many methods which could have been used to generate unique IDs and encryption keys for each device. Normally this involves a key negotiation process, in which a unique key is created for every device to use.
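To make the single-key risk from the smart-meter discussion concrete, here is an added example (mine, not code from the article or from any meter vendor) that contrasts one shared decryption key with per-device keys. It uses key diversification, deriving each meter's key from a master key and the meter's identity with HKDF-SHA256 (RFC 5869), implemented from the standard library. The label "smart-meter-v1", the device IDs, the master key and the salt are all constructed; in a real deployment the master would live in an HSM at the head end and the per-device key would be injected at manufacture or negotiated at enrolment.

```python
# Added example: shared key versus per-device (diversified) keys.
# HKDF-SHA256 is implemented here from RFC 5869 using only hmac/hashlib.
import hashlib
import hmac
from typing import Dict, List

HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) | info | i), concatenated."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def hkdf(ikm: bytes, salt: bytes, info: bytes, length: int) -> bytes:
    return hkdf_expand(hkdf_extract(salt, ikm), info, length)


def hkdf_self_test() -> bool:
    """Check the implementation against RFC 5869 test case 1 (SHA-256)."""
    okm = hkdf(bytes([0x0B] * 22), bytes(range(13)), bytes(range(0xF0, 0xFA)), 42)
    return okm.hex() == (
        "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf"
        "34007208d5b887185865"
    )


def single_key_scheme(master: bytes, device_ids: List[bytes]) -> Dict[bytes, bytes]:
    """The weak design: every meter decrypts with the same key."""
    return {dev: master for dev in device_ids}


def per_device_key(master: bytes, device_id: bytes, salt: bytes) -> bytes:
    """Key diversification: a 256-bit key bound to one device's identity.
    The head end can recompute it from the master; a meter only ever holds
    its own key, so one extracted key decrypts one meter's traffic."""
    return hkdf(master, salt, b"smart-meter-v1|" + device_id, 32)


def diversified_scheme(master: bytes, device_ids: List[bytes], salt: bytes) -> Dict[bytes, bytes]:
    return {dev: per_device_key(master, dev, salt) for dev in device_ids}


def devices_exposed_by(keys: Dict[bytes, bytes], leaked: bytes) -> List[bytes]:
    """Which devices can be read if this one key leaks?"""
    return [dev for dev, k in keys.items() if hmac.compare_digest(k, leaked)]


# Constructed fleet of three meters, constructed master key and salt.
MASTER = hashlib.sha256(b"constructed master key - not a real secret").digest()
SALT = b"constructed deployment salt"
FLEET = [b"METER-0001", b"METER-0002", b"METER-0003"]

if __name__ == "__main__":
    assert hkdf_self_test()
    shared = single_key_scheme(MASTER, FLEET)
    unique = diversified_scheme(MASTER, FLEET, SALT)
    print("shared-key leak exposes:", devices_exposed_by(shared, shared[FLEET[0]]))
    print("per-device-key leak exposes:", devices_exposed_by(unique, unique[FLEET[0]]))
```

The point of `devices_exposed_by` is the blast radius: with the shared scheme the leak of any one meter's key reads the whole fleet, with diversification it reads one meter. The master key still has to be protected, which is why the article's preferred option, negotiating a fresh key with each device, removes even that single point of failure.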

An army of 500K

The recent attack against Dyn focused on the 1,200 domains that they take care of, and thus caused large-scale problems across the Internet (as many of their customers are leading cloud service providers). A flood of traffic into the Dyn network caused a slowdown in their core services for their customers (including Amazon, GitHub and Twitter). This included traffic from a range of IoT devices, such as Web cameras and CCTV systems, which had been infected by the Mirai botnet.

Recently a hacker named Anna_Senpai released the source code for Mirai, and it has already been used for a 620 Gbps attack on the KrebsOnSecurity site. One of the companies identified as being responsible for the devices used in the attack is XiongMai Technologies (XM), which manufactures equipment used for white-labelled CCTV and IP Web camera applications.

It was then discovered that the default username and password combination is root and xc3511, respectively. Overall it is thought that there are over half a million of these devices on the Internet which can be connected to by Telnet, where the malware can then be installed. As these systems tend not to update themselves, an intruder can create scripts which scan for port 23 (Telnet), and then try to connect with the default password. If successful, the script can then upload the malware and compromise the device. Many people running CCTV systems might have no idea that their devices are being used to launch an attack against the core of the Internet. Within the malware code, here is the line which compromises the XM devices:

add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10); 
         // root  xc3511
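The two string literals in that line are obfuscated so the default logins are not visible in the binary. As an added example (mine, not the article's and not Mirai's own code) for an analyst auditing which default credentials a sample targets, the following decodes such entries. It assumes the obfuscation is a single-byte XOR with 0x22, which is the key that turns "\x50\x4D\x4D\x56" into "root" as the comment on the quoted line says; the second sample entry (admin/admin) is constructed in the same format to show the general case.

```python
# Added example: decode XOR-obfuscated add_auth_entry() credentials so a
# defender can check whether their own device's login is on the list.
import re
from typing import List, Tuple

XOR_KEY = 0x22  # assumed single-byte key; verified against the quoted line

# Matches: add_auth_entry("<user escapes>", "<pass escapes>", <weight>)
_ENTRY_RE = re.compile(
    r'add_auth_entry\(\s*"((?:\\x[0-9A-Fa-f]{2})+)"\s*,'
    r'\s*"((?:\\x[0-9A-Fa-f]{2})+)"\s*,\s*(\d+)\s*\)'
)


def escapes_to_bytes(text: str) -> bytes:
    """Turn a C literal body such as \\x50\\x4D into the raw bytes 50 4D."""
    return bytes.fromhex(text.replace("\\x", ""))


def deobfuscate(blob: bytes, key: int = XOR_KEY) -> str:
    """XOR every byte with the key; the result is the plaintext credential."""
    return bytes(b ^ key for b in blob).decode("ascii")


def extract_credentials(source: str) -> List[Tuple[str, str, int]]:
    """Return (username, password, weight) for every add_auth_entry() call."""
    found = []
    for user_esc, pass_esc, weight in _ENTRY_RE.findall(source):
        found.append((deobfuscate(escapes_to_bytes(user_esc)),
                      deobfuscate(escapes_to_bytes(pass_esc)),
                      int(weight)))
    return found


def uses_listed_default(source: str, username: str, password: str) -> bool:
    """Defender check: is this device's login pair in the decoded list?"""
    return any(u == username and p == password
               for u, p, _ in extract_credentials(source))


# Constructed sample: the line quoted in the article plus one made-up entry
# in the same format (it encodes admin/admin) to show the general case.
SAMPLE_SOURCE = r'''
add_auth_entry("\x50\x4D\x4D\x56", "\x5A\x41\x11\x17\x13\x13", 10);  // root  xc3511
add_auth_entry("\x43\x46\x4F\x4B\x4C", "\x43\x46\x4F\x4B\x4C", 9);   // admin  admin
'''

if __name__ == "__main__":
    for user, pw, weight in extract_credentials(SAMPLE_SOURCE):
        print(f"{user}:{pw} (weight {weight})")
```

Running it on a sample's scanner source gives the plaintext list; a fleet owner can feed each device's configured login to `uses_listed_default` and treat any match as a device to re-credential (and to take off the public Internet, since the password is burnt in on some of these units).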

The following shows a compromise of a Web cam which has poor security:

A search of Shodan shows over 569,214 devices running uc-httpd 1.0.0 (search for "server: uc-httpd 1.0.0" "Expires: 0") that have the potential to be compromised [XM-built DVRs]:

Overall there were two main waves of attack:

  • Wave 1. This focused on Dyn data centers in Chicago, Washington, DC, and New York. This affected services located on the East Coast of the US.
  • Wave 2. This happened around 7 pm (EST) and was focused on 20 Dyn data centers around the world. This would have required extensive planning, as the controller would have to gather enough local bot agents to sustain an attack against the data centers.

These attacks, unlike most other DDoS attacks, used TCP SYN floods against port 53 of the DNS servers, along with a subdomain attack. For this the attacker uses a valid domain, such as:

mycoffeeshopboston.com

and then prepends an invalid subdomain, such as:

boblovescoffee.mycoffeeshopboston.com

The DNS server receiving the request will not have this in its cache, and must then go to the authoritative source for the domain, which, in this case, was Dyn. This floods the Dyn network with requests from DNS servers asking about the non-existent name. The only way to cope with this is to increase the bandwidth of the incoming network connections, and to spin up more servers to cope with the demand.

In this case, the Mirai-sourced IoT botnet, along with other compromised devices, was used to create this attack. The botnet controller thus commands the infected network either to flood the target system with a SYN flood on port 53, or to do a DNS lookup on a domain that the target manages (the target in this case being Dyn). For example, they could ask for boblovescoffee within the mycoffeeshopboston.com domain (for which the target is the authoritative server). The local DNS servers do not have this in their cache, so they ask the authoritative server. Unfortunately, it won't have the name registered, but will be swamped by requests from the DNS server infrastructure:
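The pattern the two paragraphs above describe is visible from the resolver or authoritative side as many distinct, random-looking names under one zone that all answer NXDOMAIN. As an added example (mine, not code from the article or from Dyn), the following runs a simple detector over constructed query-log lines. The log format ("time client qname qtype rcode"), the rule that the zone is the last two labels, the thresholds, and all domain names and addresses are assumptions; it also generalises beyond the single name in the text by scoring a whole log.

```python
# Added example: flag zones receiving a random-subdomain (NXDOMAIN) flood.
import math
import random
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Assumed log line format: "<time> <client> <qname> <qtype> <rcode>"
def parse_line(line: str) -> Optional[Tuple[str, str, str]]:
    parts = line.split()
    if len(parts) != 5:
        return None
    _, client, qname, _, rcode = parts
    return client, qname.rstrip(".").lower(), rcode


def zone_of(qname: str) -> str:
    """Assumption: the authoritative zone is the last two labels."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score high."""
    if not label:
        return 0.0
    n = len(label)
    return -sum(label.count(c) / n * math.log2(label.count(c) / n) for c in set(label))


def summarise(lines: List[str]) -> Dict[str, dict]:
    """Per zone: query count, NXDOMAIN count, distinct names, mean label entropy."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "entropy": 0.0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # constructed logs are clean; real ones need this guard
        _, qname, rcode = rec
        s = stats[zone_of(qname)]
        s["queries"] += 1
        s["nxdomain"] += 1 if rcode == "NXDOMAIN" else 0
        s["names"].add(qname)
        s["entropy"] += label_entropy(qname.split(".")[0])
    for s in stats.values():
        s["entropy"] /= s["queries"]
    return stats


def flag_zones(lines: List[str], min_unique: int = 20, min_nx_ratio: float = 0.8) -> List[str]:
    """Zones with many distinct names that almost all fail to resolve."""
    flagged = []
    for zone, s in summarise(lines).items():
        if len(s["names"]) >= min_unique and s["nxdomain"] / s["queries"] >= min_nx_ratio:
            flagged.append(zone)
    return sorted(flagged)


def build_sample_log(seed: int = 1) -> List[str]:
    """Constructed log: benign repeat lookups plus a flood of random labels."""
    rng = random.Random(seed)
    lines = []
    for i in range(30):  # benign traffic for a zone that resolves normally
        name = rng.choice(["www.example.com", "mail.example.com", "cdn.example.com"])
        lines.append(f"2016-10-21T16:00:{i % 60:02d}Z 10.0.0.{i % 5 + 1} {name} A NOERROR")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    lines.append("2016-10-21T16:02:00Z 192.0.2.1 boblovescoffee.mycoffeeshopboston.com A NXDOMAIN")
    for i in range(60):  # flood: unique pseudo-random labels, all NXDOMAIN
        label = "".join(rng.choice(alphabet) for _ in range(12))
        lines.append(f"2016-10-21T16:02:{i % 60:02d}Z 192.0.2.{i % 200 + 1} "
                     f"{label}.mycoffeeshopboston.com A NXDOMAIN")
    return lines


if __name__ == "__main__":
    log = build_sample_log()
    for zone, s in summarise(log).items():
        print(zone, len(s["names"]), "names,", s["nxdomain"], "/", s["queries"],
              "NXDOMAIN, mean entropy %.2f" % s["entropy"])
    print("flagged:", flag_zones(log))
```

Distinct-name count and NXDOMAIN ratio are the two signals that separate a flood from a popular zone with a few typos; the entropy is printed as supporting evidence. Once a zone is flagged, the practical mitigation is the one the article implies: absorb it with capacity, but also rate-limit per zone or per client so the authoritative servers for the other 1,199 domains stay responsive.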



David Misell

Availability is the most important part of security, I have a Security portfolio built with this in mind.

7 years ago

I like the SYN DNS description; you may also like the latest IPJ article 'Internet of Insecure Things': https://ipj.dreamhosters.com/wp-content/uploads/issues/2017/ipj20-1.pdf
