i t core in depth exploration of windows 10 iot · pdf fileinto the core: in-depth exploration...
TRANSCRIPT
INTOTHECORE:IN-DEPTHEXPLORATIONOFWINDOWS10IOTCORE
PaulSabanal
IBMSecurityX-ForceAdvancedResearch
sabanapm[at]ph[dot]ibm[dot]com
@polsab
Abstract
TheInternetofThingsisbecomingareality,andmoreandmoredevicesarebeingintroducedintothemarketeveryday.Withthis,thedemandfortechnologythatwouldeasedevicemanagement,improvedevicesecurity,andfacilitatedataanalyticsincreasesaswell.
OnesuchtechnologyisWindows10IoTCore,Microsoft'soperatingsystemaimedatsmallfootprint,lowcostdevices.Itoffersdeviceservicingandmanageability,enterprisegradesecurity,and-combinedwithMicrosoft'sAzureplatform-dataanalyticsinthecloud.Giventhesefeatures,MicrosoftWindows10IoTCorewilllikelyplayasignificantroleinthefutureofIoT.Assuch,understandinghowthisoperatingsystemworksonadeeplevelisbecomingimportant.Methodsandtechniquesthatwouldaidinassessingitssecurityarealsobecomingessential.
InthistalkIwillfirstdiscusstheinternalsoftheOS,includingthesecurityfeaturesandmitigationsthatitshareswiththedesktopedition.IwillthenenumeratetheattacksurfaceofadevicerunningWindows10IoTCoreaswellasitspotentialsusceptibilitytomalware.IwillalsotalkaboutmethodstoassessthesecurityofdevicesrunningWindows10IoTCoresuchasstatic/dynamicreverseengineeringandfuzzing.IwillendthetalkwithsomerecommendationsonhowtosecureaWindows10IoTCoredevice.
1 Introduction.............................................................................................................................................3
1.1 Background......................................................................................................................................3
1.2 Overview..........................................................................................................................................4
2 Internals...................................................................................................................................................4
2.1 FastFlashUpdateImageFormat.....................................................................................................4
2.2 PartitionLayout...............................................................................................................................6
2.3 Bootprocess....................................................................................................................................6
2.4 Apps.................................................................................................................................................6
2.5 Security............................................................................................................................................7
2.5.1 What'snotinWindows10IoTCore?.......................................................................................7
2.5.2 ASLR,DEP,andControlFlowGuard.........................................................................................7
2.5.3 TrustedPlatformModule(TPM)..............................................................................................7
2.5.4 SecureBoot..............................................................................................................................8
2.5.5 BitLocker...................................................................................................................................8
2.5.6 WindowsUpdate......................................................................................................................8
3 AttackSurface..........................................................................................................................................9
3.1 NetworkServices.............................................................................................................................9
3.1.1 WindowsDevicePortal............................................................................................................9
3.1.2 SSH.........................................................................................................................................12
3.1.3 WindowsFileSharing.............................................................................................................12
3.1.4 WindowsIoTRemoteServer..................................................................................................12
3.2 DeviceDriversVulnerabilities........................................................................................................13
3.3 MalwareSusceptibility...................................................................................................................13
4 HackingWindows10IoTCore...............................................................................................................14
4.1 PassiveDeviceDiscovery...............................................................................................................14
4.2 PowerShell.....................................................................................................................................17
4.3 Staticanalysis.................................................................................................................................18
4.4 Dynamicanalysis............................................................................................................................19
4.4.1 KernelDebuggingusingWinDbg............................................................................................19
4.4.2 DebuggingusermodeprocessesusingWinDbg....................................................................22
4.4.3 Crashdumpanalysis...............................................................................................................25
4.5 Fuzzingapproaches........................................................................................................................26
5 Recommendations.................................................................................................................................28
5.1 Segmentyournetworks................................................................................................................28
5.2 Disableunnecessarynetworkservices..........................................................................................28
5.3 ChangeDefaultAdministratorPassword.......................................................................................28
5.4 UseadevicethatsupportsTPM....................................................................................................29
5.5 Takeadvantageofavailablesecurityfeatures...............................................................................29
6 Conclusion.............................................................................................................................................29
1 INTRODUCTION
1.1 Background
AstheInternetofThingsarebecomingmoreandmoreprevalent,theneedfortechnologiesthatwouldmakemanagingandsecuringthesedevicesbetterarebecomingmoreimportant.Oneofthethingsthatwouldfacilitatethisistheoperatingsystemrunningonthedevice.WhiletherearecurrentlyoperatingsystemsthataremorethancapableofhandlingtherequirementsofanIoTdevice,itssimplynotenough.IoTisnotjustaboutthedevice,it'salsoabouttheserviceecosystemthatprovidesmostofthevalueandfunctionalitytotheusers.That'swhyoperatingsystemsdevelopedfromthegroundupwithIoTinmindaregoingtobevaluable.
AcoupleoftheseIoT-focusedoperatingsystemswereannouncedlastyear-Microsoft'sWindows10IoT,andGoogle'sBrillo.Whileatthetimeofwritingtheseoperatingsystemsarenotyetfullyreleased,theylookpromisingandarepoisedtobecomemoresignificantinthefuture.
Thisalsomeanstheyarepotentiallyinterestingtargetsforsecuritymindedfolks,attackersanddefendersalike.
Forasecurityresearcher,investigatinganewtechnologyisasignificantpartofthejob.Understandingtheinnerworkingsofacomplextechnologysuchasanewoperatingsystem,especiallyinanexplodingfieldlikeIoT,isveryexciting.Italsogoeswithoutsayingthatassessingthesecurityofthesedeviceswillbecomeanimportantpartofasecurityresearchersjobinthefuture.
Whenassessingthesedevices,weneedtothinkabouttheirattacksurface.Typicallythiswouldincludebutwillnotbelimitedto,networkcommunicationsbetweenthedevicesanditsserviceecosystem,networkservicesrunningonthedevice,andtheapplicationsrunningonthedevice.Wehavetoknowifitcommunicatessecurelywiththecloud.Wehavetoknowwhatservicesarerunningonthedevices,oriftheyevenneedtoberunningatall.Intheeventthatanattackerhasgainedaccesstoadevice,wealsoneedtoknowtheextentofdamagetheycando.Todoallthis,weneedtobeabletoknowthetechniquesandmethodsofanalyzingadevice.Onlyafterunderstandinganddoingallthiscanwemakeeffectiverecommendationstothemanufacturersandusersalikeonhowtosecurethesedevices.
1.2 Overview
TherearethreeeditionsofWindows10IoT.
Edition Description TargetDevices
Windows10IoTEnterprise
UWPapps,Win32apps,desktopshell,x86,advancedlockdown
Kiosk,POS,ATM,Medicaldevices
Windows10IoTMobile
UWPapps,multiusersupport,lockdownfeatures
MobilePOS,Industryhandheldterminals
Windows10IoTCore
Forlow-cost,low-powerdevices.UWPappsonly.ARMandx86
Smarthomedevices,IoTgateway,digitalsignage
Windows10IoTCorewasfirstreleasedbyMicrosoftlastAugust2015.ThelastpublicreleasewaslastDecember2015.SincethenseveralWindowsInsiderPreviewbuildswerereleasedwithalotofimprovements,includingsupportfortheRaspberryPi3.ThereislittlepriorresearchonWindows10IoTCoresecurity,whichisunderstandablesinceitisstillinitsinfancy.TheonlyresearchthatweareawareofwasdonebyFFRI1andwaspresentedatCodeBlue2015.Alothaschangedsincethen,andthispaperwillreflectthosechanges.
Windows10IoTCorecurrentlysupportsfoursuggesteddevelopmentboards:
DeveloperBoard Architecture Details
RaspberryPi2 ARM 4xUSB2.0,Ethernet
RaspberryPi3 ARM 4xUSB2.0,Ethernet,OnboardWi-fiandBluetooth
MinnowboardMax x86 1xUSB2.0,1xUSB3.0,Ethernet
Dragonboard410c ARM 2xUSB2.0,OnboardWi-fiandBluetooth
Inadditiontothesesuggesteddevices,Windows10IoTCoremayalsosupportotherdevicesthatisbuiltonthesameSoCastheabovedevices.Unlessotherwisestated,theOSversiondocumentedhereisWindows10IoTCoreInsiderPreviewbuild14393.ThedevicesusedareRaspberryPis2and3.
2 INTERNALS
2.1 FastFlashUpdateImageFormat
Windows10IoTCoreimagesusetheFastFlashUpdate(FFU)imageformat.TheFFUformatisdocumentedhere2.Windows10IoTCoreusestheV2versionoftheformat.Youcanretrieveitscontents
1"ThreatAnalysisonWindows10IoTCoreandRecommendedSecurityMeasures"http://www.ffri.jp/assets/files/research/research_papers/Threat_Analysis_on_Win10_IoT_Core_en.pdf
2"FFUImageFormat"https://msdn.microsoft.com/windows/hardware/commercialize/manufacture/mobile/ffu-image-format
byusingtheImgMount3tool,whichwillconverttheFFUfileintoaVirtualHardDrive(VHD)imageandmountit.
C:\>ImgMount.exe"c:\ProgramFiles(x86)\MicrosoftIoT\FFU\MinnowBoardMax\flash.ffu"WP8ROMImageToolsv.1.0.204htcROMImageEditor(⌐)2007-2012AnDim&XDA-DevelopersImgMountToolv.1.0.15(htcRIE)Mountingtheimagefile:'c:\ProgramFiles(x86)\MicrosoftIoT\FFU\MinnowBoardMax\flash.ffu'Loading.FFUimage...okCreatingvirtualdisk...okMountingMainOSpartitionas:'\\flash.mnt\'...ok(htcRIE)Successfullymountedanimagefile.
Ifthecommandwassuccessful,theresultingVHDimagewillbemounted.
Figure1. Windows10IoTCorefilesystemmountedbyImgMount
Ifyou'renotusingWindows,therearesomealternativetoolstodothis.ffu2img4andffu2dd5willbothconverttheFFUimageintoarawimagethatyoucanthenmountusingtheddtool.Ihaven'tusetheseasmuchthoughsoyourmileagemayvary.
3ImgMountToolv.1.0.15http://forum.xda-developers.com/showthread.php?t=2066903
4FFU2IMGhttps://github.com/t0x0/random
2.2 PartitionLayout
AWindows10IoTCoreimagecontains4partitions.
Partition FileSystem
MountPoint
Contents
EFISystemPartition FAT C:\EFIESP Bootmanager,bootconfigurations,UEFIapplications
Crashdumppartition
FAT32 D: Crashdumpdata
MainOS NTFS C: OS,registryhives,OEMapplications
Datapartition NTFS U: Applications,applicationdata,userdata
TheEFIsystempartitioncontainstheWindowsBootManager(bootmgfw.efi)andthebootconfigurationdatabase(BCD).Thecrashdumppartitionwillcontaincrashdumpswhenacrashedoccurthatcausedthedevicetorestart.TheMainOSpartitioncontainsallthecomponentsoftheOS.TheDatapartition,whichislinkedtoC:\Data,containsuserdata,installedapps,andappdata.
2.3 Bootprocess
ThetypicalbootprocessforWindows10IoTCorelookslikethis:
1. ThedevicepowersonandrunstheSoCfirmwarebootloader.
2. ThebootloaderlaunchestheUEFIenvironmentandUEFIapplications.
3. TheUEFIenvironmentlaunchestheBootManager,whichcanbefoundinC:.\EFIESP\EFI\Microsoft\boot\bootmgfw.efi.
4. TheBootManagerlaunchestheWindowsBootLoader,whichcanbefoundinC:\Windows\System32\Boot\winload.efi.
5. TheWindowsBootLoaderlaunchesthemainOS.
2.4 Apps
Windows10IoTCoresupportsdifferenttypesofapplications.FirstthereareUniversalWindowsPlatform(UWP)apps.UWPisthecommonappplatformusedinallWindows10editions.ItallowsthedevelopertotheoreticallydevelopanappthatcanrunonanyWindows10versionshemaychoosetosupport,withminimalchangesincode.InWindows10IoTCoreonlyoneappcanrunintheforegroundandiscalledthedefaultapp.Youcaninstallseveralappsonyourdevice,butonlyonecanbesetasthedefaultapp,anditislaunchwhenthesystemstarts.
BackgroundapplicationsareappsthathavenoUIandrunsonthebackground.Theyarelaunchedatdevicestartupandwillcontinuetodosoindefinitely,andwillberespawnedwhentheycrash.
Windows10IoTCorealsosupportsnon-UWPappssuchasconsoleapplications.InthiscaseyoucanonlyuseC++andWin32GUIAPIswon'tbeavailable.
5FFU2DDhttps://github.com/alxbse/ffu2dd
Windows10IoTCorecanalsobeconfiguredtorunoneitherheadedmodeorheadlessmode.InheadedmodethedefaultappdisplaysaUIandisfullyinteractive.Fordevicesthatdon'trequireanyuserinteraction,headlessmodeismoreappropriate.Youcansetyourdevicetoeithermodebyfollowingtheinstructionshere6
2.5 Security
InthissectionwewilldiscussthesecurityfeaturesimplementedinWindows10IoTCore.Windows10addednewsecurityfeaturesthatoffersignificantimprovementsoverearlierversions.Unfortunately,Windows10IoTCoredoesnotsupportallofthem.
2.5.1 What'snotinWindows10IoTCore?
Itmaybepossiblethatsomeofthesefeaturesmaybeaddedinthefuture,butatthetimeofwritingthesearenotsupported:
• SecurityfeaturesthatarebuiltontopofVirtualizationBasedSecurity(VBS)suchasCredentialGuard,DeviceGuard,andHypervisorCodeIntegrity(HVCI)
• WindowsDefender
• MicrosoftPassport
2.5.2 ASLR,DEP,andControlFlowGuard
CurrentIoTdevicesdonotusuallyimplementorenablemodernexploitmitigations,andthefacttheWindows10IoTCoreimplementsthesegivesitanadvantageoverotheroperatingsystems.ExecutablesincludedbydefaultarecompiledwithASLRandDEPenabled.Windows10IoTCorecurrentlyonlysupports32-bitboards,sotheASLRimplementationwillinherentlyhavelowerentropycomparedtothethe64-bitimplementation.ControlFlowGuard7isalsoenabledontheinstalledbinaries,andcanbebeenabledbythedeveloperontheirappbysettingthe/guard:cfswitchinthebuildconfiguration.
2.5.3 TrustedPlatformModule(TPM)
TheTrustedPlatformModule8(TPM)isasecurecrypto-processorthatprovidescryptographickeycreationandstorage.OthersecurityfeaturesimplementedinWindows10IoTCoresuchasSecureBootandBitLockerwillonlyworkwhenTPMisinstalled.
Type Description
FirmwareTPM TPMimplementedintheSoC
DiscreteTPM Chipmodulethatcanbeattachedtoaboard
SoftwareTPM SoftwareemulatedTPMusedindevelopment
6"HeadedandHeadlessmode"https://developer.microsoft.com/en-us/windows/iot/win10/headlessmode
7"ControlFlowGuard"https://msdn.microsoft.com/en-us/library/windows/desktop/mt637065(v=vs.85).aspx
8"TPMonWindowsIoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/tpm
TherearethreetypesofTPMs.FirmwareTPMisenabledintheDragonboard410candMinnowboardMax(firmwareversion0.8orhigher),butit'snotavailableonRaspberryPis.OndevicesthatdonotsupportfirmwareTPM,youcanuseDiscreteTPMs,whichcanbeattachedonyourchosenboard.SoftwareTPMonlyprovidesthesoftwareinterfaceforyourappanddoesnotactuallyprovideanysecurity.ItallowsyoutodevelopyourapplicationonadevicewithoutTPM(liketheRaspberryPi),butthendeployitlateronadevicewithTPMwithouthavingtochangeyourcode.
TheinstructionstosetupTPMonWindows10IoTCoredevicescanbefoundhere9.YoucanalsoconfigureTPMontheWindowsDevicePortal's"TPMconfiguration"tab.
2.5.4 SecureBoot
SecureBootisafeaturethatpreventsadevicefrombeingtamperedwithduringboottime.Itstopsthesystemforrunningbinariesthatarenotdigitallysignedbythespecifiedauthority.Itisdesignedtoprotectthesystemfromrootkits,bootkits,andotherlow-levelmalware.SecureBootonWindows10IoTCorerequiresTPMtobeinstalled.InstructionstoenableSecureBootonWindows10IoTCorecanbefoundhere10.
2.5.5 BitLocker
Windows10IoTCoreimplementsalightweightversionofBitLocker11.BitlockerallowsautomaticencryptionoftheuserandsystemfilesontheOSdrive.BitlockeronWindows10IoTCorerequiresTPMtobeinstalled.InstructionstoenableBitLockeronWindows10IoTCorecanbefoundhere12.
2.5.6 WindowsUpdate
OneofthemostpressingproblemsinIoTsecurityisthedevicefirmwareupdateproblem.Vendorsusuallydonotimplementautomaticupdatefunctionalityandupdateshavetobedonemanually.Traditionally,devicefirmwareupdateisnotconsideredansimpleprocess,ofteninvolvingseveralstepssuchasdownloadingthefirmwareupdatefromthevendor'swebsite,connecttothedevice'swebmanagementinterface,uploadthefirmwareupdate,restartthedevice,etc.Insomecasesitmayeveninvolvepressingsomebuttoncombinationorsomesortofunusualprocedurejusttoputthedeviceinfirmwareupdatemode.Formostusers,thisisjusttoomucheffortandtheywilltendtoputoffapplyingupdates.Thisleavesthedeviceinaknowninsecurestateuntiltheupdateisapplied.
Anotherissueishowtomanagetheupdatesofalotofdevices.Ahomeofthefuturecanpotentiallyhavedozens,maybehundredsofIoTdevicesinstalledandmonitoringwhichdevicesneedupdatesanddoingtheupdateitselfwouldbeimpossibletomanage.
9"SetupTPMonSupportedPlatforms"https://developer.microsoft.com/en-us/windows/iot/win10/SetupTPM.htm
10"EnablingSecureBootandBitLockerDeviceEncryptiononWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl
11"BitLockerOverview"https://technet.microsoft.com/en-us/itpro/windows/keep-secure/bitlocker-overview
12"EnablingSecureBootandBitLockerDeviceEncryptiononWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/sb_bl
WindowsUpdatesolvesthisproblemfordevicesrunningWindows10IoTCore,asitwasaddedinanInsiderPreviewBuildearlierthisyear.Updatesoccurautomatically,anditcan'tbedisabledeasily.Ifyouwanttodisable,orwanttohavescheduledupdates,youhavetoavailoftheProeditionofWindows10IoTCore.YoucancheckforupdatesusingtheWindowsDevicePortal's"WindowsUpdate"tab.
3 ATTACKSURFACE
Inthissection,wewillenumeratethedifferentpotentialentrypointsanattackercanleveragetogainaccesstoaWindows10IoTCoredevice.NotethatinthispaperwewillonlytalkabouttheattacksurfaceexposedbythedeviceorOSitself.Theattacksurfacewillbebiggerifyoufactorinthedevice'sconnectivitywithIoTplatformsandservicessuchasMicrosoftAzure.However,itisoutsideofthescopeofthispaper,andwouldwarrantawholepapertoitself.
3.1 NetworkServices
UsingNmap,wecanseetheopenservicesonafreshlyinstalledWindows10IoTCoredevice.
StartingNmap7.12(https://nmap.org)at2016-07-1301:33MalayPeninsulaStandardTimeNmapscanreportfor10.0.1.108Hostisup(0.020slatency).Notshown:996closedportsPORTSTATESERVICE22/tcpopenssh135/tcpopenmsrpc445/tcpopenmicrosoft-ds8080/tcpopenhttp-proxyMACAddress:B8:27:EB:B5:A9:E0(RaspberryPiFoundation)Nmapdone:1IPaddress(1hostup)scannedin3.24seconds
3.1.1 WindowsDevicePortal
EveryeditionofWindows10providesawebinterfacethatyoucanusetomanageandconfigureyourdeviceremotelycalledWindowsDevicePortal.It'senabledbydefaultinWindows10IoTCoreandrunsupondevicestartup.Youcanaccessitbyconnectingtohttp://<deviceip>:8080.ThefilesfortheWindowsDevicePortalcanbefoundinC:\Windows\WebManagement\wwwonthedevice.
Here'sasummaryofthetabscurrentlyavailable.
Utility Function
Home Deviceinformation,changedevicename/password,timezonesettings
Apps Install/uninstallofapps
AppFileExplorer Fileexplorerforinstalledappslocations
Processes Runningprocesseslist,processmemoryusage,andprocesstermination
Performance RealtimegraphicaldisplayofCPUandI/Ousage
Debugging StartingVSremotedebugger,downloadingoflivekernelandprocessdumps
ETW Eventtracing
PerfTracing TraceloggingofCPU,disk,andmemoryusage
Devices Devicemanagerforperipheralsattachedtothedevice
Bluetooth Bluetoothdevicesearch
Audio Devicespeakerandmicrophonevolumeadjustments
Networking WiFiconfiguration
WindowsUpdate Lastupdatetimestamp,checkforupdates
IoTOnboarding InternetConnectionSharingsettings,SoftAPsettings,AllJoynonboardingsettings
TPMConfiguration TPMinstallation,configuration,andprovisioning
Remote EnableWindowsIoTRemoteServer
Let'stalkaboutsomeofthemoreinterestingones.TheAppstaballowsyoutoinstall/uninstallanapponthedevice.Italsoshowsalistofthecurrentlyinstalledappsandtheirstatus.Youcanalsousethistabtosetanappasthedefaultapp.
TheProcessestabshowsalistoftherunningprocessesonthedevice.Italsoshowstheprocessowner,sessionid,CPUusage,andmemoryusage.Youcanalsoterminateaprocessfromthistab.Thereisalsoaboxwhereyoucanenteracommandandhaveitrunonthedevice.
TheDebuggingtabcontainsoperationsrelatedtodebuggingandcrashdumping.HereyoucanclickabuttontostarttheVisualStudioRemoteDebuggerwhenyouwanttodebugyourapprunningonthedevicefromVisualStudio.Therearealsobuttonsthatallowyoutodownloadlivekernelandprocessesdumps.WelookmoreintocrashdumpsintheDynamicAnalysissection.
TheWindowsUpdatetabshowsthelatestupdateinformationandabuttontocheckifanupdateforthedevice'sOSisavailable.
IntheTPMConfigurationtabyoucanselectwhichtypeofTPMyouwanttoenable.Dependingonthedevice,youcanselectfromfirmwareTPMs,variousdiscreteTPMs,andsoftwareTPM.
TheRemotetaballowsyoutoenabletheWindowsIoTRemoteServer.Wewilldiscussmoreaboutthisfeaturebelow.
WhiletheWindowsDevicePortalisusefulfordevicemanagement,itcanbeasecurityliabilityifnotconfiguredproperly.InWindows10IoTCore,thedefaultAdministratorpasswordishardcodedonthedevice.YoucanlogintotheWindowsDevicePortalusingthedefaultAdministratorcredentials(Username:Administrator,Password:p@ssw0rd).Ifyoudidnotbothertochangethedefaultpassword,yourdeviceissusceptibletounauthorizedaccess.Forexample,anattackercanuseShodan13tosearchfordevicesrunninganHTTPserveronport8080thatreturnsabannercontainingthestring"WindowsDevicePortal".ThatShodansearchwillyieldaresultsimilartothis:
13Shodanhttps://www.shodan.io/
Figure2. ShodanresultswhensearchingfortheWindowsDevicePortalbanner
NowtheattackercanconnecttothedeviceandattempttologinusingthedefaultAdministratorcredentials.
TheWindowsDevicePortalalsousesBasicAuthenticationbydefault,soanyonewhoissniffingonthenetworkcaneasilystealthecredentials.WecanfixbyusingHTTPSfortheWindowsDevicePortalinsteadofHTTP.Todoso,connecttothedevicethroughremotePowerShellorSSHandrunthefollowingcommands:
#EnableHTTPSRegaddHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IoT\webmanagement/vUseHttps/tREG_DWORD/d1/f#SetHTTPSportRegaddHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\IoT\webmanagement
/vHttpsPort/tREG_DWORD/d<PORT>/f#Restartservicenetstopwebmanagement&netstartwebmanagement
ThefunctionalityoftheWindowsDevicePortalisbuiltonasetofRESTAPIsthatyoucanusetocontrolandconfigureyourdevicesprogrammatically.Asfarasweknow,therearecurrentlynotoolsavailabletocontrolorconfiguremultipledevicesatonce,sothisAPIisespeciallyusefulwhenwritingyourowntoolstodoso.There'ssomedocumentationsavailablehere14,butamoreupdatedversioncanbefoundbygoingto<deviceip>:8080/restdocumentation.htm,orbetteryetbyreadingtheJavaScriptsourcecodeinC:\Windows\WebManagement\www\iot\jsfolderonthedevice.
3.1.2 SSH
Windows10IoTCoreallowsremoteadministrationandconfigurationthroughSSH,anditisenabledbydefault.SSHloginalsousesthedefaultAdministratorcredentials,soiftheuserneglectedtochangethis,anattackercaneasilygainaccess.Itcanalsobesusceptibletopasswordguessingandbrute-forceattacks.
3.1.3 WindowsFileSharing
WindowsFileSharingstartsatboottime,andyouonlyneedtheIPaddressofthedeviceandusercredentialstoaccessit.Itisalsosusceptibletotheaforementioneddefaultlogincredentialsattack.
3.1.4 WindowsIoTRemoteServer
WindowsIoTRemoteServerisafeaturethatallowstheUIoftheUWPapplicationrunningonthedevicetobeviewedremotelythroughaclientapplicationrunningonatabletmobilephone,orPC.YoucanenableWindowsIoTRemoteServerbycheckingtheenableboxintheRemotetaboftheWindowsDevicePortal.Onceenabled,thefileNanoRDPServer.exewillbeexecutedonthedeviceandwillstartlisteningonport8000forincomingconnections.
Figure3. RemoteServertabintheWindowsDevicePortal
14"DevicePortalcoreAPIreference"https://msdn.microsoft.com/en-us/windows/uwp/debug-test-perf/device-portal-api-core
Tousethisremotedisplayfeature,youneedtoinstalltheWindowsIoTRemoteClientappthatcanbedownloadedfromtheWindowsStore.However,thisfeaturedoesnotuseanyauthentication,soanyonewhoknowstheIPaddressofthedevicecanconnecttoitusingtheremoteclientandremotelycontrolyourdevice.
3.2 DeviceDriversVulnerabilities
DevicedrivervulnerabilitiesareanotherpotentialattackvectoronWindows10IoTCoredevices.IoTdevicesobviouslyneedconnectivitywithotherdevicesinordertobeuseful.Tofacilitatethisdeviceswouldneedtousebuilt-inorexternalperipherals,andtheseperipheralsrequiredevicedriverstooperate.Thesedevicedriversmaycontainvulnerabilitiesthatcouldgiveanattackerremoteaccesstothedeviceifsuccessfullyexploited.
Driversforwirelessconnectivity,suchasforWifi,Bluetooth,Zwave,Zigbeeetc,areviabletargets.Oneadvantageoftargetingdriversisthatsuccessfullyexploitingthemwilloftenresultinkernellevelprivilege.
3.3 MalwareSusceptibility
MalwarethreatsagainstWindows10IoTCoredevicesisindeedpossible.Aswehaveshownabove,logincredentialsthatarehardcodedandarenotchangedafterinstallmakesyourdevicessusceptibletoattacks.ThisishowcurrentIoTmalwaretypicallyinfectanIoTdeviceandwethinkthatitwillstillbeoneofthemostcommoninfectionmethodusedbymalwareinthefuture.
Anotherpossibleinfectionmethodistheexploitationofvulnerabilitiesonthenetworkservicesrunningonthedevice.ThismaynotbeascommonasthelogincredentialsmethodbuttherearemalwarethatdoesthisagainstembeddedLinuxdevices.
AnotherpossiblewaythataWindows10IoTCoredevicemaybecompromisedbyamalwareisthroughlateralinfectioncomingfromanalreadyinfectedmachine.ThereareseveralwaysinwhichamalwarecangainaccesstoaWindows10IoTCoredeviceonthesamenetwork.
OnescenarioisforthemalwaretosniffonthenetworkandlookfortraffictotheWindowsDevicePortal.SincebydefaultitusesBasicHTTPAuthentication,thecredentials
Forexample,amalwarehasinfectedamachinethatwasusedtologintoaPowerShellsessiononaWindows10IoTCoredevice.Inthiscasetheattackerdoesn'tneedtoknowthelogincredentialsforthedevicebeforehand.Usingatoollikemimikatz15willyieldthefollowingresults:
C:\>mimikatz.exe.#####.mimikatz2.1(x64)builtonJul11201600:32:57.##^##."ALaVie,AL'Amour"##/\##/***##\/##BenjaminDELPY`gentilkiwi`([email protected])'##v##'http://blog.gentilkiwi.com/mimikatz(oe.eo)'#####'with20modules***/
15"Mimikatz:AlittletooltoplaywithWindowssecurity"https://github.com/gentilkiwi/mimikatz
mimikatz#privilege::debugPrivilege'20'OKmimikatz#sekurlsa::sspAuthenticationId:0;247557(00000000:0003c705)Session:Interactivefrom1UserName:polsabDomain:DESKTOP-39HUL88LogonServer:(null)LogonTime:7/20/20166:15:59PMSID:S-1-5-21-4294890806-594742593-2658599142-1001ssp:[00000000]*Username:Administrator*Domain:10.0.1.108*Password:diwata
Inthisinstance,we'veloggedintotheAdministratoraccountonthedevicewithIPaddress10.0.1.108usingthepassword"diwata",andmimikatzcangetthisinfofromtheinfectedmachine'sRAM.
4 HACKINGWINDOWS10IOTCORE
Inthissection,wewilldiscussthevarioustechniquesthatwecanusewhentryingtoassessthesecurityofaWindows10IoTCoredevice.
4.1 PassiveDeviceDiscovery
Windows10IoTCoredevicesadvertisetheirpresenceinthenetworkbysendingoutmulticastUDPpackets.ThisishowtheIoTDashboardisabletolisttherunningdevicesinthelocalnetwork.
Figure4. IoTDashboarddisplayingthediscovereddevices
Wecanalsodothisbylisteningformulticastdatagramssentbythedevicesandparsingthedatapayload.Thedatagramsaresenttothemulticastgroup239.0.0.22andmulticastport6andcontainsthedevicename,IPaddress,OSversion,MACaddress,BIOSserial,devicetype,anddevicearchitecture.
Figure5. Multicastdatagrams
Thefixedlengthdatacontainsthedeviceinformation.AllstringsareinUnicode.
Offset Description
0 Devicename
0x42 IPaddress
0x64 MACaddress
0x96 BIOSserialnumber
0xe6 DeviceType
0x14a OSversion
0x1ae Devicearchitecture
4.2 PowerShell
Oneofmostusefulbuilt-infeaturesinWindows10IoTCoreisremotedeviceadministrationandconfigurationusingPowerShell.However,PowerShellisnotjustusefulforsystemadministration.Itisalsoapowerfultooltouseinsecurityassessments.TherearealotofexistingPowerShellmodules-bothbuilt-inandfromthird-partydevelopers-thatcouldassistinreversingandpenetrationtesting.NotallofthemwillworkinWindows10IoTCore,butsomeofthosethatwehaveusedareCimSweep16forremotelygatheringdeviceinformation,AutoRuns17tolistautorunentries.
Here'sanexampleusingCimSweeptolistAutostartentries:
PSC:\WINDOWS\system32>$CimSessionPi2=New-CimSession-ComputerName10.0.1.110-CredentialAdministratorPSC:\WINDOWS\system32>Get-CSRegistryAutoStart-CimSession$CimSessionPi2Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:ShellImagePath:IotShell.exeCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:UserinitImagePath:userinit.exeCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\WinlogonAutoRunEntry:VMAppletImagePath:SystemPropertiesPerformance.exe/pagefileCategory:LogonPSComputerName:10.0.1.110Path:HKLM\SYSTEM\CurrentControlSet\Control\SessionManagerAutoRunEntry:BootExecuteImagePath:autocheckautochk*Category:BootExecutePSComputerName:10.0.1.110<snip>
Alternatively,youcanalsouseAutoRunswhichcanshowyoumoreautorunsentries.However,youcanonlyruniton-device.
16CimSweephttps://github.com/PowerShellMafia/CimSweep
17AutoRunsPowershellModulehttps://github.com/p0w3rsh3ll/AutoRuns
ToenableremotePowerShellsessions,followthestepsoutlinedhere18
4.3 Staticanalysis
ThereisgoingtobelittledifferenceinreversingaconsoleapplicationcompiledforWindows10IoTCoreversusonecompiledforthedesktop,buttherearesomethingstotakenotewhenreversingWindowsAppsakaUniversalWindwosPlatform(UWP)19apps.InstalledWindowsappscanbefoundintheDatapartition(U: \,alsolinkedwithC:\Data),specificallyintheU:\Programs\WindowsAppsfolder.Appinstallationfolderswillcontainatleastthefollowing:
Filename Description
<app_name>.exe Appstartupstub
<app_name>.dll Appcode
AppManifest.xml UWPapppackagemanifest
AppBlockMap.xml Cryptographicblockhashesforfilesinpackage
AppxSignature.p7x Apppackagedigitalsignaturefile
Inadditiontotheabovefiles,otherDLLsandXBF(binaryXAML)filesusedbytheapplicationmaybefoundintheappfolder.There'salsoanassetsfolderthatcontainsresourceslikeimagesandfontsthattheappuses.The<app_name>.exefileissimplyastubthatcallsthemainexportedfunctioninthefile<app_name>.dll.ThisDLLcontainstheapplication,.NETFramework,andthird-partylibrarycodes.
Here'show<app_name>.exelookslike:
Figure6. Appstartupstub
18"UsingPowerShelltoconnectandconfigureadevicerunningWindows10IoTCore"https://developer.microsoft.com/en-us/windows/iot/win10/samples/powershell
19"GuidetoUniversalWindowsPlatform(UWP)apps"https://msdn.microsoft.com/en-us/windows/uwp/get-started/universal-application-platform-guide
AllUWPbinariesarecompiledtonativecodeusing.NETNative20soallreversingwillbedoneagainstx86orARMcodedependingonthetargetdevice.Thecodewillbecompiledfromthesamesourcesooneadvantageofthisisthatyoucanchoosewhicharchitectureyou'remorecomfortablereversing,andthenchoosetheversionofthebinarycompiledforthatarchitecturebyinstallingitonadevicethatrunsonthatarchitecture.AnotherthingtoconsideristhatwhilewecandealwithcodewritteninC++likewe'vealwaysdone,ifthecodewaswrittenoriginallyinC#orVisualBasic,itwouldbedifferent.Binarieswrittenin.NETlanguagesarecompiledintoIL(intermediatelanguage)codeandwecandecompilethemusing.NETdecompilerslikeILSpy21or.NETReflector22.WithUWPappstheyarenowcompiledintonativecodesowecan'tusethosedecompilersanymoresowehavetodealwiththeidiosyncrasiesintheresultingnativecodeduetotheconversiondone.
4.4 Dynamicanalysis
Nowwe'lltakelookathowtodynamicallyanalyzeaWindows10Corebinaryusingadebugger.
4.4.1 KernelDebuggingusingWinDbg
Todynamicallyreversekernel-levelcodesuchasdevicedrivers,weneedtodokerneldebuggingusingWinDbg.Thegeneralinstructionstodothiscanbefoundhere23.
Let'susetheRaspberryPi3asanexample.WewillbeusingaShikra24asourUSB-to-UARTadapterbutfeelfreetouseanyofotheronesliketheBusPirate25.YoucangetthepinmappingsfortheShikrahere26andfortheRaspberryPi2&3here27.
First,connecttheShikra'sTXpintotheRaspberryPi'sRXpin,andtheShikra'sRXpintotheRaspberryPi'sTXpin.Connectthegroundpinsforbothaswell.
20"CompilingAppswith.NETNative"https://msdn.microsoft.com/en-us/library/dn584397(v=vs.110).aspx
21ILSpy.NETDecompilerhttp://ilspy.net/
22.NETReflectorhttp://www.red-gate.com/products/dotnet-development/reflector/
23"DebuggingWindows10IoTCoreDevicesUsingWinDbg"https://developer.microsoft.com/en-us/windows/iot/win10/windbg
24"UsingShikraToAttackEmbeddedSystems"http://www.xipiter.com/musings/using-the-shikra-to-attack-embedded-systems-getting-started
25BusPiratehttp://dangerousprototypes.com/docs/Bus_Pirate
26"Shikrapinouts"http://www.xipiter.com/uploads/2/4/4/8/24485815/shikra_documentation.pdf
27"RaspberryPi2&3PinMappings"https://developer.microsoft.com/en-us/windows/iot/win10/samples/pinmappingsrpi2
Figure7. ConnectingtheShikratoaRaspberryPi3'sUARTpins
Next,connecttoyourdeviceusingremotePowerShellorSSH.Youwillthenneedtoenableserialdebuggingandturnonturnondebuggingwiththefollowingcommands:
#Enableserialdebuggingbcdedit-dbgsettingsserial#Turnondebuggingbcdedit-debugon
YoucanfindouttheCOMportusedbyyourUSB-to-serialadapterbyusingtheDeviceManager,orbyrunningthefollowingPowerShellcommand:
Get-WMIObjectWin32_pnpentity|?Name-like"*Serial*COM*"
Here'sasampleoutput:
__GENUS:2__CLASS:Win32_PnPEntity__SUPERCLASS:CIM_LogicalDevice__DYNASTY:CIM_ManagedSystemElement__RELPATH:Win32_PnPEntity.DeviceID="FTDIBUS\\VID_0403+PID_6014+5&3278CBC5&0&3\\0000"__PROPERTY_COUNT:26__DERIVATION:{CIM_LogicalDevice,CIM_LogicalElement,CIM_ManagedSystemElement}__SERVER:DESKTOP-39HUL88__NAMESPACE:root\cimv2__PATH:\\DESKTOP-39HUL88\root\cimv2:Win32_PnPEntity.DeviceID="FTDIBUS\\VID_0403+PID_6014+5&3278CBC5&0&3\\0000"Availability:Caption:USBSerialPort(COM3)ClassGuid:{4d36e978-e325-11ce-bfc1-08002be10318}CompatibleID:ConfigManagerErrorCode:0ConfigManagerUserConfig:FalseCreationClassName:Win32_PnPEntityDescription:USBSerialPortDeviceID:FTDIBUS\VID_0403+PID_6014+5&3278CBC5&0&3\0000ErrorCleared:ErrorDescription:HardwareID:{FTDIBUS\COMPORT&VID_0403&PID_6014}InstallDate:LastErrorCode:Manufacturer:FTDIName:USBSerialPort(COM3)PNPClass:PortsPNPDeviceID:FTDIBUS\VID_0403+PID_6014+5&3278CBC5&0&3\0000PowerManagementCapabilities:PowerManagementSupported:Present:TrueService:FTSER2KStatus:OKStatusInfo:SystemCreationClassName:Win32_ComputerSystemSystemName:DESKTOP-39HUL88PSComputerName:DESKTOP-39HUL88
Intheaboveexample,theUSB-to-serialadapterusesCOM3.Youcannowremotelydebugthedevicefromyourmachinebyrunningthefollowingcommand(Makesureyouareusingthex86versionofWinDbg):
#PORTistheCOMportnumberusedbyyourUSB-to-serialadapterwindbg.exe-kcom:port=<PORT>,baud=921600
IfallgoeswellyouwillseeWinDbgspawnedlikethis:
Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.
Opened\\.\com3Waitingtoreconnect...
RestarttheRaspberryPiandyouwillseethis:
ConnectedtoWindows1014393ARM(NT)Thumb-2targetat(SunJul2419:32:43.1112016(UTC+8:00)),ptr64FALSEKernelDebuggerconnectionestablished.Symbolsearchpathis:srv*Executablesearchpathis:***ERROR:Symbolfilecouldnotbefound.Defaultedtoexportsymbolsforntkrnlmp.exe-Windows10KernelVersion14393MP(1procs)FreeARM(NT)Thumb-2Builtby:14393.0.armfre.rs1_release.160715-1616MachineName:Kernelbase=0x80c1b000PsLoadedModuleList=0x80e07c78SystemUptime:0days0:00:00.000Breakinstructionexception-code80000003(firstchance)**********************************************************************************Youareseeingthismessagebecauseyoupressedeither**CTRL+C(ifyourunconsolekerneldebugger)or,**CTRL+BREAK(ifyourunGUIkerneldebugger),**onyourdebuggermachine'skeyboard.****THISISNOTABUGORASYSTEMCRASH****Ifyoudidnotintendtobreakintothedebugger,pressthe"g"key,then**pressthe"Enter"keynow.Thismessagemightimmediatelyreappear.Ifit**does,press"g"and"Enter"again.*************************************************************************************ERROR:Symbolfilecouldnotbefound.Defaultedtoexportsymbolsforntkrnlmp.exe-nt!DbgBreakPointWithStatus:80c40d90defe__debugbreak
4.4.2 DebuggingusermodeprocessesusingWinDbg
Debuggingusermodeprocessesisabiteasierthankernel-modedebugging.Youonlyneedanetworkconnectiontoyourdevice.Wearegoingtousedbgsrv.exe(whichcanbefoundonthedevice'sC:\Windows\System32\Debuggersfolder)onthedeviceandWindbgonthedebugginghostmachine.Firstweneedtomakedbgsrv.exelistenonaportonthedevicesowecanconnecttoit.Onthedevice,runthefollowingcommandusingPowerShellorSSH:
#PORTisthelocalportyouwantdbgsrvtolistenondbgsrv.exe-ttcp:port=<PORT>
InWindbgrunningonthedebugginghost,gotoFile>ConnecttoRemoteStubandentertheIPaddressofyoudeviceandyourchosenportintheformatshown,thenclickOK:
GotoFile>AttachtoaProcessandselecttheprocessyouwanttoattachto:
Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.***waitwithpendingattachSymbolsearchpathis:srv*Executablesearchpathis:ModLoad:01110000011db000C:\windows\system32\WebManagement.exeModLoad:7740000077565000C:\windows\SYSTEM32\ntdll.dll
ModLoad:77270000773fe000C:\windows\System32\KERNELBASE.dllModLoad:76fc0000771cb000C:\windows\System32\combase.dllModLoad:76e6000076f0e000C:\windows\System32\ucrtbase.dllModLoad:76cb000076d2c000C:\windows\system32\msvcrt.dllModLoad:76f1000076fbe000C:\windows\System32\RPCRT4.dllModLoad:76e2000076e58000C:\windows\System32\kernel32legacy.dllModLoad:76dd000076e1a000C:\windows\System32\bcryptPrimitives.dllModLoad:772300007726c000C:\windows\System32\sechost.dllModLoad:7646000076489000C:\windows\system32\IPHLPAPI.DLLModLoad:76490000764ea000C:\windows\system32\WS2_32.dll<snip...>(69c.280):Breakinstructionexception-code80000003(firstchance)ntdll!DbgBreakPoint:77422740defe__debugbreak0:005>!pebPEBat00928000InheritedAddressSpace:NoReadImageFileExecOptions:NoBeingDebugged:YesImageBaseAddress:01110000Ldr774eb9e0Ldr.Initialized:YesLdr.InInitializationOrderModuleList:00c41738.00c4fcd0Ldr.InLoadOrderModuleList:00c41810.00c4fcc0Ldr.InMemoryOrderModuleList:00c41818.00c4fcc8BaseTimeStampModule111000057898ebeJul1609:32:462016C:\windows\system32\WebManagement.exe7740000057898ba5Jul1609:19:332016C:\windows\SYSTEM32\ntdll.dll7727000057898c4cJul1609:22:202016C:\windows\System32\KERNELBASE.dll76fc000057898c6dJul1609:22:532016C:\windows\System32\combase.dll76e6000057898b83Jul1609:18:592016C:\windows\System32\ucrtbase.dll76cb000057898fadJul1609:36:452016C:\windows\system32\msvcrt.dll76f1000057898cd8Jul1609:24:402016C:\windows\System32\RPCRT4.dll76e2000057898eb7Jul1609:32:392016C:\windows\System32\kernel32legacy.dll76dd000057898f49Jul1609:35:052016C:\windows\System32\bcryptPrimitives.dll7723000057898f0aJul1609:34:022016C:\windows\System32\sechost.dll7646000057898c40Jul1609:22:082016C:\windows\system32\IPHLPAPI.DLL7649000057898eafJul1609:32:312016C:\windows\system32\WS2_32.dll<snip...>0:005>u$exentry***ERROR:ModuleloadcompletedbutsymbolscouldnotbeloadedforWebManagement.exeWebManagement+0xa6631:011b6630e92d4800push{r11,lr}011b663446ebmovr11,sp011b6636f000fb65blWebManagement+0xa6d04(011b6d04)011b663ae8bd4800pop{r11,lr}011b663ef7ffbf25b.wWebManagement+0xa648c(011b648c)011b66420000movsr0,r0011b6644f24c6c64movr12,#0xC664011b6648f2c01c1cmovtr12,#0x11C
4.4.3 Crashdumpanalysis
CrashdumpscanbefoundintheC:\CrashDumpfolderonthedevice,butyoucanalsogeneratelivedumpsforthekerneloranyuser-modeprocessbyusingtheWindowsDevicePortal'sDebuggingtab.
Figure8. DebuggingtaboftheWindowsDevicePortal
Asanexample,let'sdownloadaliveprocessofdumptheusermodeprocessWebManagement.exe.Clickontheiconontheleftsideoftheprocessnametodownloadthedumptoyourbrowser'sDownloadfolder.FromWinDbggotoFile>OpenCrashDump,andyou'regoodtogo.
Microsoft(R)WindowsDebuggerVersion10.0.10586.567X86Copyright(c)MicrosoftCorporation.Allrightsreserved.LoadingDumpFile[d:\winiot\WebManagement.exe-LiveUM-2016-07-24-12-36-09.dmp]UserMiniDumpFile:Onlyregisters,stackandportionsofmemoryareavailableSymbolsearchpathis:srv*Executablesearchpathis:Windows10Version14376MP(4procs)FreeARM(NT)Thumb-2Product:WinNt,suite:SingleUserTSBuiltby:10.0.14376.0(rs1_release.160624-1700)MachineName:Debugsessiontime:MonJul2503:36:09.0002016(UTC+8:00)SystemUptime:notavailableProcessUptime:1days4:48:37.000........................................................................
Loadingunloadedmodulelist.CannotreadPEB32fromWOW64TEB32ffffffff-Win32error0n30UnabletoloadimageC:\Windows\System32\ntdll.dll,Win32error0n2***WARNING:Unabletoverifytimestampforntdll.dllntdll!NtWaitForSingleObject+0x6:***WARNING:UnabletoverifytimestampforKERNELBASE.dll77320ab64770bxlr{KERNELBASE!WaitForSingleObjectEx+0xc0(76fedf30)}0:000>|.0id:698examinename:C:\Windows\System32\WebManagement.exe0:000>!pebPEBat032f8000InheritedAddressSpace:NoReadImageFileExecOptions:NoBeingDebugged:NoImageBaseAddress:00a00000Ldr773eb9e0Ldr.Initialized:YesLdr.InInitializationOrderModuleList:034a1730.034ae758Ldr.InLoadOrderModuleList:034a1808.034ae748Ldr.InMemoryOrderModuleList:034a1810.034ae750BaseTimeStampModulea00000576dee48Jun2510:36:562016C:\windows\system32\WebManagement.exe77300000576deb18Jun2510:23:202016C:\windows\SYSTEM32\ntdll.dll76f20000576debe7Jun2510:26:472016C:\windows\System32\KERNELBASE.dll770b0000576debdaJun2510:26:342016C:\windows\System32\combase.dll76ce0000576deb16Jun2510:23:182016C:\windows\System32\ucrtbase.dll76e30000576ded32Jun2510:32:182016C:\windows\System32\RPCRT4.dll76de0000576dee1bJun2510:36:112016C:\windows\System32\kernel32legacy.dll76d90000576deeaaJun2510:38:342016C:\windows\System32\bcryptPrimitives.dll
4.5 Fuzzingapproaches
Fuzzingisoneofthemosteffectivewaysinfindingvulnerabilitiesinsoftware.It'sanobrainertoattempttothisonWindows10IoTCoreaswell.UnfortunatelyduetothelackofexistingtoolsforthisOStheapproachwehavebeendoingisfarfromefficient-spawningprocessesusingadebugger,nocoveragemeasurement,etc.Remotecontrol(devicerestart,processstart/stop,crashdumpcollection)isdonethroughtheWindowsDevicePortal'sRESTAPIs.It'sbasicallyfuzzinglikeits2007.Alsothedevice'slowCPUpowerseverelylimitstherateoffuzzingiterationswecando.
Figure9. Theauthor'slacklusterfuzzcluster
Oneinterestingapproachwouldbecorpusdrivenfuzzing28.WebelievethiswillbeeffectiveespeciallywhenfuzzingaUWPappwhichitispossibletogetholdholdofabuildfortheWindows10desktope.g.fromtheWindowsStore.Basicallywedon'tfuzzonthedevice.Wefuzztheappusingthedesktopversionusingwhatevermeansofinstrumentationtomeasurecodecoverageandwecollectthecorpora(samples)thatresultedinwidercodecoverageasmeasuredbytheinstrumentation.Aftercollectingthebestones,wecanthenapplythesecorporaontheapprunningonthedevicewithouthavingtoinstrumentit.Allwehavetotheniscollectthecrashesandanalyzethemforexploitability.ThiswaywecanatleasteasetheloadontheCPUandwon'tneedasmuchtooling.
28"TheArtofFuzzingWithoutFuzzing"https://github.com/bnagy/slides/blob/master/fuzzing_without_pub.pdf
Ofcourse,thisapproachwon'tbeapplicableifyouwanttofuzzdriversforperipherals,orfuzzappsthatinteractwithhardware.Inthosecasesyouhavetodoon-devicefuzzing.However,therearesomepromisingdevelopmentsrecentlythatmaymakethesituationbetter.OneofthoseisthereleaseofWinAFL29.WinAFLisaWindowsforkoftheverypopularfuzzerAFL30.WhileAFLusescompile-timeinstrumentation,WinAFLusesDynamoRIOfordynamicinstrumentationtomeasurecoverage.ThechallengerightnowistomakeDynamoRIOworkonanARMdeviceliketheRaspberryPi.Thisiscurrentlyanongoingprojectthatwehaveembarkedandhopefullywewillhavesomethingtoshowfortheeffortinthenearfuture.
5 RECOMMENDATIONS
Let'ssummarizethevariouswayswecanminimizetherisksagainstWindows10IoTCoredevices.
5.1 Segmentyournetworks
SegregatingyourIoTdevicesfromyourtraditionalcomputingdevicessuchaslaptopsandserversishighlyrecommended.Thisisespeciallyeffectiveincaseswhereoneofyourmachineshavebeencompromised,andtheattackerislookingtolaterallymovethroughnetwork.Thiswillalsoeffectiveinisolatingincidentsandconductingcleanups.
5.2 Disableunnecessarynetworkservices
Networkservicesthatarenotusedinproductionshouldbedisabled.ServicesthatareenabledbydefaultinWindowsIoTCoreincludeSSHandWindowsFileSharing.Todisablefilesharingonstartup,runthefollowingcommandusingSSHorPowerShell:
regaddHKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\lanmanserver/vStart/tREG_DWORD/d0x3/f
5.3 ChangeDefaultAdministratorPassword
TheAdministratorpasswordishardcodedintheWindows10IoTCoreimage.DefaultlogincredentialsthattheuserfailedtochangeisstillthemostcommonwayinwhichamalwareinfectsanIoTdevices.Changingthedefaultpasswordimmediatelyafterinstallwillgoalongwayinavoidingunauthorizedaccess.YoucanchangethedefaultAdministratorpasswordbyusingthefollowingcommandusingSSHorPowerShell:
netuserAdministrator<newpassword>
29"AforkofAFLforfuzzingWindowsbinaries"https://github.com/ivanfratric/winafl
30AmericanFuzzyLop(AFL)http://lcamtuf.coredump.cx/afl/
5.4 UseadevicethatsupportsTPM
UsingRaspberryPisforhobbyprojectsisfine,butifyouaregoingtobuildadevicethatisgoingtobeusedinmoresensitivesituationse.g.homesecurity,youshouldbeusingboardsthatsupportTPM.YourchoicesfornowshouldbebetweenaMinnowboardMaxandaDragonboard410c,oruseadiscreteTPMwithaRaspberryPi.
5.5 Takeadvantageofavailablesecurityfeatures
Sonowyou'reusingaboardwithTPM.MakesureyouenableandsetupsecurityfeaturessuchasSecureBootandBitLocker.
6 CONCLUSION
Inthispaper,welaidoutthevariousattacksurfacesthatmaybetakenadvantageofbyattackerstogainaccesstoaWindows10IoTCoredevice.WealsoenumeratedtechniquestogetyoustartedinanalyzingWindows10IoTCoredevices.Built-infeatureslikePowerShellandthemanysecurity-relatedtoolswritteninithelpsagreatdealinassessingthesecurityofadevice.Wealsolearnedthatleavingdeviceconfigurationsatitsdefaultsettings,amongotherthings,areasurefirewaytoleaveyourdevicesusceptibletoattacks,andwegavesomerecommendationsonhowtoavoidthis.
Windows10IoTCoreisstillinitsearlystage,butwebelievethatonceitsmaturesitwillbecomeamoreviablealternativetotheotherIoTfocusedOSesthatcurrentlyexist.AsidefromthemanyfeaturesthisOSoffers-includingthesecurityfeatureswediscussedearlierinthispaper-whatmakesthisOSattractiveisthattherearealotofenterprisesanddevelopersalreadyinvestedinMicrosofttechnologies,andtheycanleveragetheknowledgeandexpertisetheyalreadyhaveindevelopingtheIoTdevicesofthefuture.Assuch,weexpectWindows10IoTCoretobecomeoneofthemajorIoTOSesinthefuture.ThiswouldalsomeanthatthisOSwillbeamoreattractivetargetforattackers,anditisourhopethattocounterthis,morepeoplewillengageinsecurityresearchtargetingthisOS,andthatthispaperhassomehowhelpencouragedit.
Finally,anycorrections,questions,orcommentsregardingthispaperareverymuchappreciated.Theauthorcanbereachedatsabanapm[at]ph[dot]ibm[dot]com.