Stepping P3wns: Adventures in Full Spectrum Embedded Exploitation (and defense!)

Presented at DEF CON 21 (2013), Aug. 4, 2013, 1 p.m. (45 minutes)

Our presentation focuses on two live demonstrations of exploitation and defense of a wide array of ubiquitous networked embedded devices like printers, phones and routers.

The first demonstration will feature a proof-of-concept embedded worm capable of stealthy, autonomous polyspecies propagation. This PoC worm will feature at least one 0-day vulnerability on Cisco IP phones as well as several embedded device vulnerabilities previously disclosed by the authors. We will demonstrate how an attacker can gain stealthy and persistent access to the victim network via multiple remote initial attack vectors against routers and printers. Once inside, we will show how the attacker can use other embedded devices as stepping stones to compromise significant portions of the victim network without ever needing to compromise the general-purpose computers residing on the network. Our PoC worm is capable of network reconnaissance, manual full-mesh propagation between IP phones, network printers and common networking equipment. Finally, we will demonstrate fully autonomous reconnaissance and exploitation of all embedded devices on the demo network.

The second demonstration showcases host-based embedded defense techniques, called Symbiotes, developed by the authors at Columbia University under support from DARPA's Cyber Fast Track and CRASH programs, as well as IARPA's STONESOUP and DHS's S&T Research programs. The Symbiote is an OS- and vendor-agnostic host-based defense designed specifically for proprietary embedded systems. We will demonstrate the automated injection of Software Symbiotes into each vulnerable embedded device presented during the first demonstration. We then repeat all attack scenarios presented in the first demo against Symbiote-defended devices to demonstrate real-time detection, alerting and mitigation of all malicious embedded implants used by our PoC worm. Lastly, we demonstrate the scalability and integration of Symbiote detection and alerting mechanisms into existing enterprise endpoint protection systems like Symantec End Point.

Presenters:

  • Ang Cui - Ph.D. Candidate, Columbia University
    Ang Cui is a fifth-year Ph.D. candidate at Columbia University and Chief Scientist at Red Balloon Security. He has focused on developing new technologies to defend embedded systems against exploitation. During the course of his research, Ang has also uncovered a number of serious vulnerabilities within ubiquitous embedded devices like Cisco routers, HP printers and Cisco IP phones. Ang is also the author of FRAK and the inventor of Software Symbiote technology. Ang has received numerous awards for his research and is the recipient of the Symantec Graduate Fellowship.
  • Michael Costello - Research Staff, Columbia University
    Michael Costello is a Research Staff Associate at Columbia University and Scientist at Red Balloon Security. He was a network engineer at various ISPs and other organizations prior to his current work in offensive and defensive research and development of embedded systems.
