As you can already see, I will give my talk about the Mirai botnet and how those devices, IoT devices, bypass routers. Before I begin I will just introduce myself. Mainly I'm a physicist; I'm currently studying physics here at the KIT. I've been a geek for almost as long as I can remember. I have always done anything with computers, and specifically I've been an infosec geek for four to five years. And it's already my fourth GPN, so I thought it would be time to give a talk myself about something I've done.

So before I begin I want to introduce the term Internet of Things. As a small definition: it's just some simple item you can find at your home or anywhere. You add some sensors or remote control and add a TCP/IP stack, or basically connect it to the Internet, and your IoT device is finished. It can be basically anything, from a phone to a watch or some random decoration you can find at your home. As long as you connect it to the Internet, it's an IoT device. And therefore a lot of different people are building those.

IoT as a trend is on its own really fascinating, and as a person I can't wait until they finally build something useful, something I want at my home. But until now the security aspects heavily outweigh the usefulness, because most vendors who build IoT devices are not native to IT, which means they have to face those challenges which usual IT people face again and again. And this is a real problem. Because, okay, sorry. Which means, instead of just the usual challenges with the embedded devices they build, they also have the challenge of considering security. And it's hard enough in the normal IT environment to consider security when building something; a lot of big players do it wrong, like Sony or Yahoo. And so for embedded devices it's way harder, because you have real big limits on the hardware. For every security aspect you want to build in you need the processing power; you need special hardware.
For example, when you want to implement a TCP/IP stack, you have to add additional or better hardware to use SSL or TLS. And also you need to make those devices way more robust. Because installing a new OS on your laptop isn't a big problem, but if you want to flash a new firmware on those devices you need to consider this beforehand, to make sure you can flash the firmware without accidentally breaking those devices. You need to have additional hardware and consider it from the beginning. Because until now, or before the IoT trend, all embedded devices were rather simple. You could use a 15-year-old version of the Linux kernel, put it in a coffee machine and it would just sit in someone's kitchen. And you didn't need to update it; even if there were security problems there wouldn't be much of an issue. But if you put those devices on the Internet it has major implications.

And yes, everything basically boils down to one reason: money. Because to implement security you need the personnel, the people who know how to do security. Because security isn't a bolt-on option. You can't just bolt on security at the end once you're finished creating your IoT device. You need to build your architecture around it; you need to consider it from the beginning. And that adds to the final cost of the product, like the additional hardware you need to have encryption. It all adds to the cost and makes it less likely people will buy your product. And to stay competitive, vendors have to consider this additional cost and weigh how much they value security.

Which basically brings us to the Mirai botnet, which is the result of a huge amount of devices not properly secured. You can see the effects here. It all started with a researcher's personal blog, which was hit by a really big denial of service attack. The numbers it came in with were huge, several times bigger than anything I've ever seen before.
His DDoS protection provider actually had to let him down, because they just couldn't handle the amount of traffic they received. And it just went upwards from there. The Mirai botnet took down a whole web host. It even basically took down the Internet for North America, because they attacked a DNS provider and made it impossible to connect to the major services most people use. And I don't believe many of you know the IP address of GitHub or Twitter to connect once the DNS is down. Well, some would change the DNS provider, but it needs knowledge to circumvent those problems. And for most of the people the Internet just went down.

And yes, the numbers were really big. You can see it's one terabit per second, or to put it in a more graspable number, 125 gigabytes per second came in on a single host. And with our current infrastructure and servers, that amount of traffic just can't be handled properly. And yes, it has also been distributed over 400,000 devices, which is also a really huge number. Because classical DDoS attacks were also built on a number of devices connected to the botnet, but Mirai blew the whole scale.

So how did Mirai infect those devices? A few years ago, somebody invented a tool called masscan, which allows scanning the entire IPv4 space in less than 20 minutes. Which means it's impossible to hide something on the Internet. If it's up there, you can't just say nobody will use it or find it because it's hidden, I just didn't tell anybody about it. If somebody is looking for it, it will be found. And therefore it's a really bad idea to put old and weak protocols on the Internet, for example telnet. And that's exactly what Mirai used. It used a small list of default credentials used in many IoT devices, roughly 60 unique combinations, and has been able to infect over half a million devices. And this isn't a new or complex mechanism to attack devices. Worms or viruses used it 10 to 15 years ago already. It's nothing new or innovative.
Well, one interesting thing maybe: Mirai did do something interesting on the other hand, because it removed access for competing malware once it infected the host, which means it shut down telnet behind itself. Here are some examples from the source code, and yes, they're rather embarrassing. My favorite is the last one actually, which is just the username root and no password at all. Yes, and it just results in a huge denial of service attack.

So after I read several articles about it, I found out what devices are actually part of the Mirai botnet, which is mostly CCTV cams, digital video recorders, and routers themselves. And this led me to a rather interesting question, which also inspired me to give this talk: why are those devices on the Internet? If you ever heard of the name Dan Tentler, you probably know people put stupid stuff on the Internet, basically anything. One of his talks is rather frightening in what people put up there. But the amount of people who put things directly on the Internet is not that huge that it could justify this many devices, because after several iterations there were millions of devices reported to be in the Mirai botnet. And everybody should have something like this at home: a router. And most home routers have built-in firewalls which should protect you from anything from the outside. And in all the things I read about Mirai, there has been nothing which would indicate that they hacked routers remotely. And there's also probably a small portion of people who know how to manually configure a port mapping on those routers, which would circumvent a firewall. But that would, in my mind, just not be enough to give us those numbers.

So I had to look for a candidate which would justify, or which would explain, why those devices are on the Internet. It did take long, and I found Universal Plug and Play. Plug and play is always, well, let me put it that way: for an end user it's really convenient.
Because the majority of the population barely knows what an IP address is. So it's complicated enough for them to set up an IP cam on a network with an IP address, let alone use port mapping. So Microsoft created the UPnP protocol, which allows network devices to set themselves up. But as with every plug and play protocol, it's not always the best idea. As we have seen with USB plug and play, you give those devices a huge advantage, huge privileges on your system.

So, before I get into how exactly they bypass routers, I want to explain how the UPnP protocol works. Here's a small example network of devices, and I want to find any device which runs UPnP. Therefore I need to send a discovery packet, which is sent from my smartphone over this multicast address. Anybody in here know how IP multicast works? IP broadcasting? Okay, broadcasting means I can send a packet to the broadcast address, which is one fixed IP, and it will be delivered to every client in the network. So I send the packet to the router and it will be distributed to every client connected. Multicasting is rather similar. We have a given IP range into which this IP falls, and every device which wants to listen on a specific multicast channel will subscribe to the multicast channel, to a specific IP, on the router. And every time a packet is sent to this IP address, the router will distribute it to every subscribed client.

So the discovery packet looks something like this. It uses the SSDP protocol, which is the Simple Service Discovery Protocol. It's really HTTP-like. And for example this packet is the classical discovery packet, in which we are looking for every service running on every host, which would be the classical discovery packet I send once I initially get into the network. After that I get an answer from every machine running UPnP, which would look something like this. It gives back a list of services it's running, and most importantly the location.
It is an XML file which describes how I can talk to these services. And now that I know on which hosts which services are running, I can initiate a TCP connection and talk to it using SOAP. And SOAP is just a protocol which exchanges XML back and forth. Here's a small example. I just have a usual XML file and can set arguments or get those from this server.

And now comes the interesting part, which is called IGD, the Internet Gateway Device port control protocol. UPnP has become a major standard in the last few years, and therefore it's installed by default on every home router. And part of this UPnP stack is the IGD protocol, which allows every device on your network to configure the firewall or configure port mappings. So every device you put on your network can just send a UPnP packet to your router and reconfigure your firewall.

So after I found this out, obviously I wanted to test it out on my own network. But unfortunately I don't have IoT devices at home; you probably can guess why. So I have no CCTV cameras available, no DVRs. And I have a router, but I had to learn the hard way several times: don't mess with production systems. And I worked with my router a little bit, but not so far that I would feel uncomfortable. So I had to look at my home for what could fulfil the specifications of a smart device. And the only thing I found was a multi-function printer.

So once I got my smart device, I had to think about how to scan for a network device. Anybody know the standard tool for scanning on a network? Exactly. And usually I thought I could write it myself with a short Python script and Scapy. But I thought, well, I'm a little bit lazy. I'm always short on time, and somebody already did it while I would be reinventing the wheel. So, oops, so, nmap. So I looked into nmap and looked if somebody already did something with UPnP. And I found the broadcast-upnp-info script. Because nmap has the NSE...
So, the NSE scripting engine, which allows people to enhance nmap's capabilities using Lua scripts. So anybody can write their own scripts and enhance the scanning capabilities of nmap. They already had a little example for how to use this command, but I immediately got an error, because somehow nmap didn't know how to handle this broadcasting, how it was done in the script. Or maybe it was just my laptop, but I'm not quite sure about it. I didn't want to mess too much with it, because I'm not that much into the NSE scripting engine, and to look at what exactly went wrong is one of my next projects.

So I thought, okay, broadcasting is not an option; scan every single host on its own. In my network it's not a big problem; I only have around 265 hosts maximum. So I just had to scan the whole IP range. And I actually found two hosts. As it turned out, the only two hosts I found were my router and the Wi-Fi repeater. I didn't find the printer, which was rather unsatisfying. And there was another thing: I only found the media server description file, but I wanted the IGD.

Which brought me back to a little bit of research. And I randomly found a Rapid7 blog entry. Rapid7 is the company which currently owns and runs Metasploit. And around four years ago, there was a researcher who has done a lot with UPnP. I will give you a link later, because his findings are very interesting. And around this time a lot of people looked into UPnP, and somebody created an auxiliary module to scan for UPnP in Metasploit. So I thought, well, it couldn't hurt to run another scan. But I also didn't find my printer, which wasn't very surprising. But I found a more general description file, the fboxdesc here. So I just browsed to this location with my browser. And here's an example of how those XML files can look. Here at the top you can see the UPnP version, which is 1.0. You can also see it here. And I get some information about the device, the icon list,
and most importantly the service list. But unfortunately, it's also just one service. So, whoops. I looked, well, if I can't find IGD, I can at least look into this media server. I found the icon list again, a small description, and several services like Content Directory and Connection Manager. Well, commands you can use for a media server, obviously.

So, after I didn't find anything I actually wanted, I had to go back to research. And it turned out Fritz!Box deactivated IGD by default within the last few iterations of their home routers, somewhere around router version 7,300 I guess, well, within the last four years at least, once they got all this information from this researcher and did something with it. Which means I can manually activate UPnP IGD access for single devices in the online configuration of the router. But there was something else. I found this sentence in my settings, which was rather confusing, because it seems like I should be able to configure IGD port mappings for every device I don't specifically set in my configuration. But with my scanning I just haven't been able to confirm my theory. At the moment I have two possible theories to explain this. Either my router is just too new, which would mean IoT devices combined with not the newest router models would allow those devices to bypass the firewalls. Or I have to use a standard way to communicate with IGD which isn't listed in the service list. But at this point I didn't want to mess around with my router too much, and I didn't have a spare router at home I could use.

Which means it would be really interesting to find out if any other routers allow IGD access. And if any of you come home after the GPN, it would be really cool if you could just run the nmap scan yourself and look if you can find IGD access, the IGD description file, on your routers. And send me whether or not you found anything.
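The discovery walk the talk describes (an SSDP M-SEARCH to the multicast address, the LOCATION header in each reply, the device description XML with its service list), written out as an added Python example. This is not the speaker's code and not nmap's broadcast-upnp-info script; it performs the check the speaker asks the audience to run, reporting whether a router's description advertises an IGD port-mapping service. The sample reply and description XML are constructed for the demo (address, path and UUID are made up), and the IGD service-type names are the UPnP Forum's published ones.

```python
"""UPnP audit helper: multicast an SSDP M-SEARCH, fetch each LOCATION and
report whether an Internet Gateway Device (IGD) service is advertised.

Added example for this talk; not the speaker's code and not nmap's script.
The sample reply and description XML are constructed (address, path and
UUID are made up). Only discover() and fetch_description() use the network.
"""
import socket
import urllib.request
import xml.etree.ElementTree as ET

SSDP_ADDR = ("239.255.255.250", 1900)   # well-known SSDP multicast group and port
# Service types that carry the port-mapping actions (AddPortMapping and friends)
IGD_SERVICE_MARKERS = ("WANIPConnection", "WANPPPConnection", "WANIPv6FirewallControl")

# Constructed reply, shaped like the SSDP answer shown in the talk.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"LOCATION: http://192.168.0.1:49000/description.xml\r\n"
    b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::"
    b"urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n"
)

# Constructed description: IGDs nest the WAN*Connection service two devices
# deep, so looking only at the top-level serviceList would miss it.
SAMPLE_IGD_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
 <specVersion><major>1</major><minor>0</minor></specVersion>
 <device>
  <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
  <serviceList><service>
   <serviceType>urn:schemas-upnp-org:service:Layer3Forwarding:1</serviceType>
  </service></serviceList>
  <deviceList><device>
   <deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
   <deviceList><device>
    <deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
    <serviceList><service>
     <serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
    </service></serviceList>
   </device></deviceList>
  </device></deviceList>
 </device>
</root>"""


def build_msearch(search_target="ssdp:all", mx=2):
    """The HTTP-like discovery request from the talk ("ssdp:all" asks every host)."""
    return (f"M-SEARCH * HTTP/1.1\r\nHOST: {SSDP_ADDR[0]}:{SSDP_ADDR[1]}\r\n"
            f'MAN: "ssdp:discover"\r\nMX: {mx}\r\nST: {search_target}\r\n\r\n').encode("ascii")


def parse_ssdp_response(raw):
    """Headers of one 200 OK reply as a lower-cased dict; None for anything else."""
    head = raw.decode("utf-8", "replace").partition("\r\n\r\n")[0]
    status, *header_lines = head.split("\r\n")
    if not status.startswith("HTTP/1.1 200"):
        return None
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def list_service_types(description_xml):
    """Every <serviceType> in the description, embedded devices included."""
    # ElementTree on LAN-supplied XML is acceptable for an audit script; a
    # hardened tool would parse with defusedxml to block entity-expansion tricks.
    root = ET.fromstring(description_xml)
    return sorted((el.text or "").strip() for el in root.iter()
                  if el.tag.rsplit("}", 1)[-1] == "serviceType" and (el.text or "").strip())


def find_igd_services(description_xml):
    """Service types that let any LAN client rewrite the router's port mappings."""
    return [st for st in list_service_types(description_xml)
            if any(m in st for m in IGD_SERVICE_MARKERS)]


def discover(timeout=3.0):
    """Multicast the M-SEARCH and return (sender_ip, headers) for each reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    sock.sendto(build_msearch(), SSDP_ADDR)
    replies = []
    try:
        while True:
            data, sender = sock.recvfrom(65507)
            headers = parse_ssdp_response(data)
            if headers and "location" in headers:
                replies.append((sender[0], headers))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies


def fetch_description(location, timeout=5.0):
    with urllib.request.urlopen(location, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    for host, hdrs in discover():
        try:
            igd = find_igd_services(fetch_description(hdrs["location"]))
        except Exception as exc:          # unreachable LOCATION, malformed XML, ...
            print(f"{host} {hdrs['location']} -> error: {exc}")
            continue
        print(f"{host} {hdrs['location']} -> "
              + (f"IGD port-mapping service: {igd}" if igd else "no IGD service"))
```

Run it on your own network and the router line tells you what the speaker wanted to know: whether a WANIPConnection or WANPPPConnection service is offered to every LAN client. A media server like the one in the talk shows up with ContentDirectory and ConnectionManager only and is reported as "no IGD service".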
Here's the URL for upnp-hacks.org, which is the researcher who looked into UPnP four years ago. He found several flaws in UPnP implementations which for example allowed remote code execution or setting port mappings from the outside on your routers. They have already been fixed within the last few years, but those were major things at the time which are really cool to read into. Also there are more details about how to configure port mapping with IGD, but not enough for me to create a packet I could send to my router, which is the big reason why I couldn't go further.

Well, UPnP didn't work out that much for me at this point, so I thought, well, at least I could find out where my printer is. Because I know for a fact I can communicate with it without the need to enter its IP address into my computer, and I know for a fact if I use one of the iDevices of my parents I can just print something on it. So this was the major clue for me, the iDevices, and once I had been through Microsoft's UPnP I had to look for Apple's alternative, which is Bonjour. It's also a service discovery protocol, and I personally like it more than UPnP because it's also built on multicast, but with a DNS server in the background, which means every device running Bonjour has a DNS server in the background and you can communicate with that. So it's basically the same setup as UPnP, but you have a different multicast IP and port, and you get back the answers from those devices running Bonjour. And those are examples for the DNS records, because it's built up with the local network, whether or not, which protocol your service is using, UDP or TCP, what kind of service you're running on your system, like music, HTTP or printer, and then you can name it. And the service record for the DNS server looks something like this: you have the string I just showed you, time to live, service record, port mapping and the location of the device, the IP address basically.
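The Bonjour records just described (a service type string such as `_ipp._tcp.local`, the PTR that points at a named instance, and the SRV with time to live, port and host) as an added Python example. It is not the speaker's code and not Apple's dns-sd tool: it builds the mDNS query and decodes the PTR, SRV and TXT answers, and joins them into the kind of service overview a browse gives you. `SAMPLE_RESPONSE` is a constructed answer from a fictitious printer, built with the block's own encoders and including a DNS name-compression pointer, so the decoder can be exercised offline; only `query_mdns()` touches the network.

```python
"""Minimal DNS-SD (Bonjour/mDNS) pieces: build the PTR query for a service type
and decode the PTR, SRV and TXT records the talk describes.

Added example for this talk; not the speaker's code and not Apple's dns-sd
tool. SAMPLE_RESPONSE is a constructed answer from a fictitious printer;
only query_mdns() touches the network.
"""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353      # mDNS multicast group and port
TYPE_PTR, TYPE_TXT, TYPE_SRV, CLASS_IN = 12, 16, 33, 1


def encode_name(name):
    """'_ipp._tcp.local' -> length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(l.encode())]) + l.encode()
                    for l in name.strip(".").split(".")) + b"\x00"


def build_query(name="_services._dns-sd._udp.local", qtype=TYPE_PTR):
    """mDNS query: id 0, no flags, one question. The default name enumerates
    every service type on the link; '_ipp._tcp.local' asks for IPP printers."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(packet, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = packet[offset]
        if length & 0xC0 == 0xC0:                   # 2-byte compression pointer
            if not jumped:
                end, jumped = offset + 2, True
            offset = struct.unpack("!H", packet[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(packet[offset:offset + length].decode("utf-8", "replace"))
        offset += length
    return ".".join(labels), end if jumped else offset


def parse_response(packet):
    """List every PTR/SRV/TXT record (answer, authority, additional) as a dict."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    offset, records = 12, []
    for _ in range(qd):                              # skip echoed questions
        offset = decode_name(packet, offset)[1] + 4
    for _ in range(an + ns + ar):
        name, offset = decode_name(packet, offset)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", packet[offset:offset + 10])
        offset += 10
        rec = {"name": name, "type": rtype, "ttl": ttl, "cache_flush": bool(rclass & 0x8000)}
        if rtype == TYPE_PTR:                        # service type -> instance name
            rec["target"] = decode_name(packet, offset)[0]
        elif rtype == TYPE_SRV:                      # instance -> host and port
            rec["priority"], rec["weight"], rec["port"] = struct.unpack("!HHH", packet[offset:offset + 6])
            rec["target"] = decode_name(packet, offset + 6)[0]
        elif rtype == TYPE_TXT:                      # length-prefixed key=value strings
            rdata, pos, txt = packet[offset:offset + rdlen], 0, []
            while pos < len(rdata):
                n = rdata[pos]
                txt.append(rdata[pos + 1:pos + 1 + n].decode("utf-8", "replace"))
                pos += 1 + n
            rec["txt"] = txt
        offset += rdlen
        records.append(rec)
    return records


def service_table(records):
    """Join PTR/SRV/TXT into {instance: {'host', 'port', 'txt'}}."""
    table = {}
    for r in records:
        if r["type"] == TYPE_PTR:
            table.setdefault(r["target"], {})
        elif r["type"] == TYPE_SRV:
            table.setdefault(r["name"], {}).update(host=r["target"], port=r["port"])
        elif r["type"] == TYPE_TXT:
            table.setdefault(r["name"], {})["txt"] = r["txt"]
    return table


def query_mdns(name="_services._dns-sd._udp.local", timeout=2.0):
    """Send the query to the mDNS group and collect the decoded records."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.sendto(build_query(name), (MDNS_GROUP, MDNS_PORT))
    found = []
    try:
        while True:
            found.extend(parse_response(sock.recvfrom(9000)[0]))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return found


def _rr(owner_bytes, rtype, ttl, rdata):
    return owner_bytes + struct.pack("!HHIH", rtype, CLASS_IN | 0x8000, ttl, len(rdata)) + rdata


# Constructed reply: PTR for the IPP service type pointing at a named instance,
# then SRV (port 631 on demo-printer.local) and TXT for that instance. The two
# later owner names are compression pointers to offset 39, where the instance
# name first appears inside the PTR rdata.
_INSTANCE = "Demo Printer._ipp._tcp.local"
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x8400, 0, 3, 0, 0)
    + _rr(encode_name("_ipp._tcp.local"), TYPE_PTR, 4500, encode_name(_INSTANCE))
    + _rr(b"\xc0\x27", TYPE_SRV, 120, struct.pack("!HHH", 0, 0, 631) + encode_name("demo-printer.local"))
    + _rr(b"\xc0\x27", TYPE_TXT, 4500, b"\x09txtvers=1\x08Duplex=T")
)
```

`service_table(query_mdns("_ipp._tcp.local"))` gives the same kind of overview the speaker got from his printer: the instance name, the host and port to connect to, and the TXT attributes (duplex, paper sizes, an admin URL) the device chooses to publish. Because these answers arrive by multicast, every station on the link learns them; that is the inventory a defender can collect just as easily as anyone else on the network.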
So with this I should be able to print on my printer, so I had to go back to scanning, which means, as it was just a DNS server, I could use one of the standard DNS tools for DNS service discovery. For my router I got back nothing, which isn't very surprising, because UPnP became standard and is implemented in most home routers, but Bonjour isn't. I don't know the exact reasons, but I believe it has something to do with licensing or how Apple handles those pieces of software. For my printer on the other hand I got a really long list of information back. Here's a short overview of the services I found, which is the simple web server running on my printer, two printer services, and the last one is probably AirPrint. I say probably because in the information I found I had some information about what my printer could do, like duplex printing, scanning or giving it custom paper, but I also found this admin URL, which just routed me back to the configuration interface of my printer.

So I'm mostly finished with the research and scanning part of my talk, and now I want to come to the future of the Mirai botnet for the end. The Mirai botnet itself has become publicly accessible source code. It has been published shortly after it was discovered, and people are enhancing it nonstop, and one of the newest iterations of the Mirai botnet is the application layer for Mirai. Which means instead of bombarding a single server with IP packets you can send fewer packets, but instead of attacking the bandwidth limitations you attack the CPU limitations, because you just give the server more to do, or give it complicated commands to execute which take much of the CPU, and you can reach the same effects you did beforehand with a few packets, which makes the Mirai botnet way more dangerous.
It has also been combined with other malware like WannaCry. I'm pretty sure all of you heard about it, because it has even been covered in normal news. And if you've heard about it, you probably know the WannaCry worm works in a way that it encrypts your hard disk if it can't reach a certain domain. And this domain has been purchased and activated by a security researcher in his work process to analyze what this malware does, and therefore he accidentally shut down the whole branch. And to reverse this activation, somebody implemented the Mirai botnet to attack the WannaCry server of the domain, so that WannaCry won't get an answer back, which would re-activate all those already infected devices and encrypt the hard drives. Which means they don't have to spread a newer version but could re-activate the version they already put out.

On the other side there are vigilante hackers which try to shut down Mirai. The most famous is probably BrickerBot, which also runs on a simple script. It's basically the same way as Mirai: it looks for open telnet ports on the Internet and connects to them. And the first iterations were rather specific: they looked up if embedded hardware is connected to the device, especially memory. Once they found it, they deleted everything, they reconfigured the Linux kernel so only one process at a time can work, and they basically break the device so that you can't even flash a new firmware and it has to be sent back to the vendor. Newer iterations don't check if it's an embedded device; they just break everything with telnet and default credentials, and they're also spreading way more aggressively. I guess the first iteration was around several hundred per day, and the newer versions are in the thousands per day.

So what will the future of IoT hold for us?
Well, the trend is really growing at the moment. Way more people are creating IoT devices, more vendors are interested in it, and estimations show that we will have millions, if not even billions, of IoT devices within the next five to ten years. And it's already hard enough for our infrastructure to handle the devices on their own, let alone if they're being used maliciously. So if they don't do something about it soon, we will have real problems at our hands. And in my eyes the main fault, or basically the entire fault, lies with the vendors who create those insecure devices, because there's no other solution at the moment. The home user can't be expected to fix those security problems; hackers can try, but in the legal range it's also very limited what they can do. And yeah, I don't see privacy for our future, but I believe there will be some way to fix this and we will find it.

So this ends my talk. If you scan yourself and want to tell me what you found, if you found IGD on your home routers, just give me a short message on Twitter or my email address and let me know if you found something. Thank you for coming to my talk. Any questions?

Yeah. Okay. So do you think that every one of the manufacturers of IoT devices has to fix it, or is it not better to check the routers? Or the routers should be safer, because they promise us that they'll protect us so there's no incoming traffic. And if there's a weak spot in this protocol, UPnP doesn't have to be deactivated at this point? Isn't that the more efficient way to do it?
It's certainly an idea to go to the routers and deactivate UPnP. You can do that with your, I don't know the English word, I'll answer that. It's possible to deactivate UPnP at home on the router; you can do that. The thing is, there are better ways to phone home than to put a hole in the firewall. And you can see UPnP as a weak spot, but every hacker who's already on the network has easier methods to connect: reverse TCP, which is probably a term you know. It's easier to connect to the house than to put a hole in the firewall. But then you already have a problem: someone came in with you, you already have a big problem. But if you have an IoT device at home, then you can also use other technology than putting a hole in the firewall to connect to the house. But you already have a damaged device; you have the same if you use an IoT device. But it's like this: you have the choice if you want to have a connection back. You can make a hole in the firewall, which would also allow connections from the outside, or you can just make a connection to the outside like you do with your laptop or your computer when you surf. There the firewall settings allow connections to the outside, but not that anyone can get in. And if you have an IoT device that you have newly bought, then it would be more useful for this device to make a secure connection to the outside than to put a hole in the firewall.

Do you have a specific technology that you can recommend for an IoT vendor? What should we use, if not UPnP?

A specific technology I can't recommend; of course it depends on the use. There are better techniques; for example you could create a tunnel over HTTPS so that you have a connection back, and you can connect safely with the database. There are other ways to connect outside of the firewall. Of course it's a problem to connect back if you also want a channel from the outside to the inside; the challenge is a bit tricky and I don't have a standard solution, but there are solutions for that and people have found ways, like for example with the
batch that we have now with push notifications; there are also ways to get information from the server to the client without me always connecting directly. Okay, yes, but I think you understand what I mean.

I don't know if it's already been said, but because I personally have a big connection to UPnP: maybe it's not a great technology, but the idea that you can open ports from the outside to the inside is not bad. There are many things that use it, for example, I don't know, syncing for data synchronization; they use it and they don't really work without something like that. I would point out once that these are the techniques you need to build the peer-to-peer networks that we all really like.

Exactly, that's why the problem lies more with the manufacturers than with the routers, because if they take another technology it remains operational and still secure.

I might ask the question what business this whole thing has on the Internet at all. So maybe the approach, the consideration for these devices, even if they need network connections, is simply to plug them into a network where they have no access to the outside.

Yes, that's a good idea. If you want to get rid of them, then you can use home automation and IoT networks where there is a central point. That means you have a network at home and a central point that communicates to the outside. But the manufacturer decides how the network looks at the end, what he builds and how it is implemented, and yes, problems arise.

So an approach that I would have for how to build the devices so that they don't communicate to the Internet: every device configures a link-local address for its interface, which is not routable to the Internet but can be used to communicate in the network. And that would be, in my opinion, exactly the right thing for communication that should only take place in the network, so that you don't configure yourself a global address but a link-local address.

Maybe just a statement, not really a question. I personally see the problem also with manufacturers
if we always have devices that are not secured. As long as manufacturers deliver devices that have users that are somehow reachable and have standard passwords, we will always have these problems in other facets. I believe that manufacturers are simply in charge of delivering devices that are sufficiently secured according to the technology, and that also get updates for a certain time, because then I know that when I buy I get updates for 5 years, and then as a customer I can deal with such devices. And I think that the majority of the people have to learn that such devices are like that.

Just to this argument that you have an IoT device to look after: we can go back to the stone age and throw away laptops because you can hack them, but it is sometimes practical if you can control anything from anywhere. You are always so hard on these hackers, but it can be useful.

I have to say IoT itself is not a bad idea. I think it is fascinating and I am curious what else will come, but the security aspects are too strong, and I think that's why hackers and circles are not a bad call, because the problems that we have solved are the only ones to solve them with the embedded devices, and it is not easy to build security and to pay attention. For us it is still a challenge, and for most classical players, as I said, still a big problem, and for the whole business it shows a whole new problem; it is a real challenge. Not that maybe I will repeat my appearance. It can't be the solution to give up. No, it can't.

A Mirai-infected IoT device shuts down the access behind it and scans the rest of the Internet for available devices. I forgot to mention it, I planned to say it, but sorry: it's self-replicating. The Internet is not Germany; the Internet is worldwide, and accordingly it will be utopian; we will need other solutions.

Exactly, the guidelines are also a big thing that I have thought about. It is a pretty difficult cut. On the one hand we can implement regulation on the EU level, just as much as we also had for all
other imports. So passwords must be solved, other technologies must be used. Regulations on the other hand are pretty long-term; they can hang very long. So it would be a possibility to introduce standards, but there will also be excuses to use old regulations and only to introduce the minimum instead of doing the same, and of course it can also be that the regulation then also contains nonsense which must be implemented. In the sense of an idea they could eventually help, but it is unlikely that they are the solution.

A possible approach that I still see is separated VLANs. The new Fritz!Boxes also support a guest network, a guest VLAN, or you could simply expand it to an additional network that is separated from the actual computer network, for example for IoT devices.

Exactly, there are many technologies that can always be used to prevent it, to build smaller networks, and there are also better technologies. But UPnP was also set up, and it is not the best to just make holes in the firewall.

Okay, then thank you for coming. You are welcome.