The Network Inside Out New Vantage Points for Embedded Security J. Alex Halderman Mining Your Ps and Qs: Widespread Weak Keys in Network Devices Nadia Heninger, Zakir Durumeric, Eric Wustrow, and J. A. Halderman 21st USENIX Security Symposium, Aug. 2012 ZMap: Fast Internet-Wide Scanning and Its Security Applications Zakir Durumeric, Eric Wustrow, and J. A. Halderman 22nd USENIX Security Symposium, Aug. 2013 Based on joint work: Illuminating Security Issues Surrounding Lights-Out Server Management Anthony Bonkoski, Russ Bielawski, and J. A. Halderman 7th USENIX Workshop on Offensive Technologies (WOOT), Aug. 2013 Green Lights Forever: Analyzing the Security of Traffic Infrastructure Branden Ghena, William Beyer, Allen Hillaker, Jonathan Pevarnek, and J.A. H. 8th USENIX Workshop on Offensive Technologies (WOOT), Aug. 2014 Security Analysis of a Full Body Scanner Keaton Mowery, Eric Wustrow, Tom Wypych, Corey Singleton, Chris Comfort, Eric Rescorla, Stephen Checkoway, J. Alex Halderman, and Hovav Shacham 23rd USENIX Security Symposium, Aug. 2014 Carna botnet Internet Census 2012 What if...? What if Internet-wide surveys didn’t require heroic effort? What if scanning the IPv4 address space took under an hour? What if we wrote a whole-Internet scanner from scratch? an open-source tool that can port scan the entire IPv4 address space from just one machine in minutes With ZMap, an Internet-wide TCP SYN scan on port 443 is as easy as: $ sudo apt-get install zmap $ zmap –p 443 –o results.csv found 34,132,693 listening hosts (took 44m12s) Gigabit Ethernet linespeed (1200 x NMap) Ethics of Active Scanning Considerations Impossible to request permission from all owners No IP-level equivalent to robots exclusion standard Administrators may believe that they are under attacka Reducing Scan Impact Scan in random order to avoid overwhelming networks Signal benign nature over HTTP and w/ DNS hostnames Honor all requests to be excluded from future scans Bottom Line: Be a Good Neighbor Using ZMap Discover New Vulnerabilities Uncovering weak cryptographic keys and poor entropy collection We considered the cryptographic keys used by HTTPS and SSH HTTPS SSH Live Hosts 12.8 million 10.2 million Distinct RSA Public Keys 5.6 million 3.8 million Distinct DSA Public Keys 6241 2.8 million There are many legitimate reason that hosts might share keys… Shared Cryptographic Keys Why are a large number of hosts sharing cryptographic keys? We find that 5.6% of TLS hosts and 9.6% of SSH hosts share keys in a vulnerable manner: - Default certificates and keys - Apparent entropy problems What other, more serious, problems could be present if devices aren’t properly collecting entropy? Factoring RSA Public Keys What else could go wrong if devices aren’t collecting entropy? RSA Public Key: n = p  q, p and q are two large random primes Most efficient known method of compromising an RSA key is to factor n back to p and q While n is normally difficult to factor, for N1 = p  q1 and N2= p  q2 we can trivially compute p = GCD(N1, N2) Broken Cryptographic Keys Why are a large number of hosts sharing cryptographic keys? We find 2,134 distinct primes and compute the RSA private keys for 64,081 (0.50%) of TLS hosts Using another approach for DSA, we are able to compute the private keys for 105,728 (1.03%) of SSH hosts What was causing these vulnerable keys? Most compromised keys are generated by headless or embedded network devices Identified devices from > 40 manufacturers Linux /dev/urandom Why are embedded systems generating broken keys? Nearly everything uses /dev/urandom Time of boot Keyboard /Mouse Input Pool Disk Access Timing Only happens if Input Pool contains more than 192 bits… Time of boot Non-blocking Pool Problem 1: Embedded devices may lack all these sources /dev/urandom Problem 2: /dev/urandom can take a long time to “warm up” Typical Ubuntu Server Boot Why are embedded systems generating broken keys? Entropy first mixed into /dev/urandom Boot-Time Entropy Hole OpenSSH seeds from /dev/urandom /dev/urandom may be predictable for a period after boot. Moving Forward What do we do about fixing the Linux kernel and affected devices? Patches have been committed to the Linux 3.x Kernel • Use interrupts until other entropy is available • Mix in unique information such as MAC address Manufacturers have been notified. DHS, ICS-CERT, NSA, JPCERT, and other agencies are working with affected co