Stepping P3wns: Adventures in full-spectrum embedded exploitation (and defense!)

Presented at Black Hat USA 2013, Aug. 1, 2013, 11:45 a.m. (60 minutes).

Our presentation focuses on two live demonstrations of exploitation and defense of a wide array of ubiquitous networked embedded devices like printers, phones and routers. The first demonstration will feature a proof-of-concept embedded worm capable of stealthy, autonomous polyspecies propagation. This PoC worm will feature at least one* 0-day vulnerability on Cisco IP phones as well as several embedded device vulnerabilities previously disclosed by the authors. We will demonstrate how an attacker can gain stealthy and persistent access to the victim network via multiple remote initial attack vectors against routers and printers. Once inside, we will show how the attacker can use other embedded devices as stepping-stones to compromise significant portions of the victim network without ever needing to compromise the general-purpose computers residing on the network. Our PoC worm is capable of network reconnaissance, manual full-mesh propagation between IP phones, network printers and common networking equipment. Finally, we will demonstrate fully autonomous reconnaissance and exploitation of all embedded devices on the demo network. The second demonstration showcases host-based embedded defense techniques, called Symbiotes, developed by the authors at Columbia University under support from DARPA's Cyber Fast Track and CRASH programs, as well as IARPA's STONESOUP and DHS's S&T Research programs. The Symbiote, is an OS and vendor agnostic host-based defense designed specifically for proprietary embedded systems. We will demonstrate the automated injection of Software Symbiotes into each vulnerable embedded device presented during the first demonstration. We then repeat all attack scenarios presented in the first demo against Symbiote defended devices to demonstrate real-time detection, alerting and mitigation of all malicious embedded implants used by our PoC worm. Lastly, we demonstrate the scalability and integration of Symbiote detection and alerting mechanisms into existing enterprise endpoint protection systems like Symantec End Point. Over the past two years we have discovered vulnerabilities in and and developed exploits for several embedded system. 2011 had not only the version agnostic Cisco IOS rootkit ("Killing the Myth of Cisco IOS Diversity", Black Hat USA), but also the HP RFU vulnerability ("Print Me if You Dare", 28C3). In 2012 we presented the Cisco IP phone kernel vulnerability ("Hacking Cisco Phones", 29C3) . While each exploit focused on one device, we posited polyspecies malware propagation in which a device of one type could be used to exploit a device of a completely different type. In this presentation, we demonstrate an HP printer being used to exploit two different Cisco IP phones (which includes a yet-to-be-disclosed privilege escalation exploit in the 8900/9900 series). We may throw in a fourth yet-to-be-named device just for good measure. We then take the same devices on the same network and install host-based defense to detect or prevent the same exploits.

Presenters:

  • Michael Costello
    Embedded systems offensive and defensive research.
  • Salvatore Stolfo
  • Ang Cui
    Ang Cui is currently a PhD student at Columbia University in the Intrusion Detection Systems Laboratory. His research focuses on the exploitation and defense of embedded devices. Before starting his PhD, Ang worked as a security specialist within various financial institutions.

Links:

Similar Presentations: