
Ladies and gentlemen, in the dwindling crowd, we'll move on with Aelo Peon Lopez, to whom I will now hand the microphone.

Hello everybody. I'm going to try to make this interesting. It is late in the day, it has been a long day with difficult subjects, and this one is going to be very high level. This is about a realization I had doing my regular job, and I want to share it with as many people as I can, so maybe we can start a snowballing effect and maybe something will change.

OK, first about me: who am I, and why am I relevant to talk about this subject, or any cybersecurity-related subject for that matter? In my background I have experience working for a large corporate in their fusion center as a threat hunter tracking APTs, so I have knowledge of how they operate, what targets they are after, what kind of tools they use, the bag of tricks, etc. Thanks to my current job at CUJO I have access to a huge data set of three billion devices (that's the latest milestone we have reached), which I use to do threat hunting, to get additional information that I can retrofit into our solution and make it better. We are very IoT focused. We provide a solution that runs in the end user's household; it's usually the router that gives you the highest speed, which is a very low-power device, so we have to be very efficient in how we provide that solution: what can we run on the device, and what needs to run in the cloud. One of the main focuses of our investigations is botnets, because that's what targets IoT devices.

So what I'm going to do: I'm going to try to put you first in the set of mind that I have when I'm working. I'm going to try to describe the environment, describe an example of my work and how things work, then arrive at the point, and what things we can do to make things better.
First, inside the threat actors. For most of you this is probably nothing new, at least I hope so; if not, if you're here just because you're a hobbyist, then learn, this is very basic stuff. There are three types of threat actors: the state sponsored, the financially motivated, and the activists. The state sponsored: you know, every government that is worth calling itself a government has some elite group of hackers that infiltrate every single big corporation or every single asset of possible adversaries. They are the most difficult to track and to prevent from hacking you. They are 0.5%, even less, of the hackers on the internet. Then there are the financially motivated; sadly this is growing more and more, because it has become very lucrative to be a hacker on the internet. I'm not saying that any of you should leave your cybersecurity job and go to be a hacker, but if you do, there is money behind it. And then the hacktivists: they are the people that are doing this because they believe in something, or at least they claim that they believe in something. Then, in the real world, the lines are not that clearly defined. Usually the same group might be financially motivated, but at the same time is sponsored by a state, and at the same time they are claiming that they are doing this because they are good citizens and they are activists.

Case study: a couple of years ago, when the whole Russia-Ukraine war started, this group Killnet was on the news all the time. This is a representation of the boss of the team. Since I did this case study, the leader of the team has actually been doxxed, and I don't know if he's in jail now, but that was in December last year and their activities have stopped. One of the things they said: Killnet will launch powerful attacks on European and American enterprises, which will indirectly lead to casualties. So, just to showcase that the digital part is not just digital anymore: it has real effects; real people die because of things that happen on the internet.

Now let's compare the kind of data that I have access to with the activities that have been reported in the news regarding the Killnet group. The spikes: there are IoT indicators of compromise, infrastructure that has been reported as related to the Killnet group, and those are spikes in the network activity of IoT devices of the ISPs that we have access to. We have clear correlations between the IoT devices' security events and the reported activity in the news. There is this one specific, really big spike; these are even more interesting, because there is nothing reported and we have this big spike. What were they doing there? Which entity didn't report this?

Then these are real numbers from households: remote access events for the period of a day. At least 15% of households have successful remote access connections. By successful remote access connection I mean a connection that has been initiated on the internet towards a household, a specific device, and has successfully established a connection. 15% of 3 billion devices is a lot. What devices are usually targeted? Focusing just on IoT devices, the big ones: set-top boxes, that's the typical Roku or whatever you use to watch Netflix at home; the routers; NAS storage.
IP cameras are a big one; whatever has some kind of network connectivity is targeted. Then what's the problem with that? Why do we care about that? If you are not in your household, why do you care? If you work in a corporation, if you work in a bank, if you work in an electric company, why do you care that the mom and pop set-top box gets hacked? Because of botnets. Botnets usually appear in the news because of distributed denial of service; those are the big ones that tend to go into the newspapers, but botnets are being used by the threat actors for all kinds of activity. Basically, a botnet for a threat actor is a free cloud. It's like the Amazon or Azure that you use, but for them: they have all this swarm of IoT devices that are easily hackable, and they use it for all kinds of things. They use it for disguising where they are located; once they are in the network they will use your infrastructure to perform all other kinds of attacks, to hack your network, to steal your money. And when you are working in a big corporation and you are trying to defend your perimeter, and attacks are coming from regular households in North America, in Europe, it is very difficult to defend against those. A typical attack: credential stuffing. As a threat hunter or SOC analyst you can put a rule that if a single source tries more than two or three credentials then just stop, because there is something suspicious there. But what if you distribute that credential stuffing among 3 million different devices? How do you distinguish what's real from what's threat actor activity?

So now that we saw all this, you may think: why, if I bring a device to my house, a set-top box, why is this reachable for a hacker to attack? That's what I was scratching my head about, and in the end it is because of UPnP, Universal Plug and Play. Before we go into the details of the problems, let's go into why UPnP is awesome. I don't know if many people here were around before UPnP was widely distributed, but before, if you had a home network, you basically needed to be a network engineer to make things talk to each other, or talk to the internet, or be able to access them through the internet. Regarding the protocol itself, we will go to the auto port forwarding; UPnP has many modules and a lot of them over the years have been found to have a lot of security problems, so without even going to the auto port forwarding, the protocol itself has a lot of problems that have been discovered, and just because of this it should be decommissioned.

OK, basic networking. I just have this here to level the field. How does it work? There is a limited number of IPv4 addresses, and usually you get one public IP per household, and inside your household you might have one or ten thousand devices. Each one of the internal devices has a private IP, and all of them are accessed through the public IP. In the old times, if you wanted to access whatever IP camera you had in your internal network, you needed to log into the router and program one of these rules saying: if a connection is coming to this public IP address, to this specific port, then route it to this internal IP address. That's how you would control the access from external to inside. That had the good part that it was intentional; you had to know what you were doing, or at least you had to take the effort and go and map it there. Then UPnP came and everything magically started to work. You just had to plug your device into the network; the device would be clever enough to talk to the router and say, hey, I'm a new device, I'm a camera, I work with this port, can you please redirect every connection that comes to you to me? And the router would say, of course, and it would open it, and everything would work and everything is great and nothing would ever happen again. Not true. What happens with this: it is awesome, it works great when things work transparently, but this removes the user awareness. Most users don't know that this happens at all; most users, even if they are not going to use the network capability of that device, the moment they connect it to the local network it gets exposed to the internet, and they don't know about it. Potential abuse: I wouldn't say potential, I should say that it's almost certain that it's going to be abused. And then the big one is not just that UPnP is problematic; it is that it is enabled by default in most routers.
Then, when I arrived at that realization, that UPnP is enabled by default: I think we all, as security experts, tend to take it as general knowledge that UPnP is enabled by default, right? Because you had the anecdotal experience that you went to your router and UPnP was enabled. But when I went to the internet trying to search for a white paper actually checking this, with the numbers behind it, I didn't really find anything. So I went myself: OK, let's collect some numbers. I went two ways to collect numbers. One, through a questionnaire, just directly asking people. These questions were performed internally in my company and through social media, so it's not really fair; the numbers that we get here are really skewed towards security-conscious people. Regarding the questions, I made several questions; these are the two most relevant. Was UPnP or NAT-PMP (that's another protocol that allows auto port forwarding) enabled at factory settings? 24% said yes, 43% said no, but what is more worrying, regarding the population who answered this question, 33% said they don't know; they didn't even check. And then, from those, how many actually changed the setting back to off? 90% didn't, and just 10% did.

Then another thing that I did, in collaboration with the vulnerability research lab at CUJO: they were gracious enough to provide me a population of firmwares from routers that the ISPs deploy in user households, and I went and actually checked the configurations. This comes from 101 different firmwares from 20 different ISPs, mainly European. When I extracted the actual configuration from the routers, 88% of those had UPnP enabled by default, 9% disabled, and even worse, 3% had it enabled and secure mode disabled. That's a special mode for UPnP that restricts a bit what kind of UPnP requests you can do.

So yeah, OK, again another example of why that matters, a recent UPnP case. I don't know how many of you were following the news; this was a month, a month and a half ago. Vulnerabilities were disclosed that were targeting LG webOS TVs. These vulnerabilities, as you can see, were marked 2023; they waited almost a year to make them publicly available, so LG had plenty of time to patch this. But what happened the moment these were disclosed on the internet: you could go to a place like Shodan and see that immediately 70,000 different televisions were ready and waiting to create a new botnet. Why, oh why, does my television need to be available on the internet to anybody to hack it? Because LG decided to create an application so that from your phone you could remote control your TV; you can control it all from your phone. But in their own wisdom they decided that the TV also makes a UPnP request to the router, because the user might want to control their television from the other side of the world, because why not.

OK, now that we saw how dire the situation is, let's try to see some solutions, and here there are solutions. Hopefully there are people from all kinds of backgrounds in here. If you are a developer of any new application or any new device, or you are on a board that is going to advise on security for a new device, usually try to advocate either not to have remote access through the internet if it's not 100% necessary for your solution, and if that's necessary, there are other ways to do it. Because usually, why do they use UPnP, why do they open a port on your edge router? It is the cheapest way they can do it without spending money on cloud infrastructure. The device opens the port, then it publishes your public IP address into some dynamic DNS service, and then, when you are outside of your house, you open the application, the application does the resolution of the dynamic DNS, gets your public IP, then connects directly into your household. The problem with that is it's allowing everybody. What you can do if you run on cloud solutions: this is a specific example using a UID; it is not perfect, but in this scenario this is an example of how Ring cameras work. Your specific device has an assigned UID, and the connection is initiated from your device to the cloud environment of the service. Yes, there is still a hole, but there is not a direct door or window open into your household for everybody. There is still a single point of failure, and there could be other solutions, like a VPN into your house. I'm not going to go into all the different possibilities, but definitely UPnP is one of the worst.
Then we go to an additional problem. First, yes, UPnP is activated by default. These are just a couple of examples of configurations from home routers. I don't know if you notice something here: besides that UPnP is enabled by default, surrounding that configuration point there is nothing explaining what it is actually doing. Yes, "Universal Plug and Play supports peer-to-peer plug and play functionality for network devices", or the other one doesn't even say that. It doesn't say something like this; this is one of the advocacy points: at the very least it should have a big red warning label, "are you 100% sure that you are going to do this?", explaining exactly what it does. I know, fearmongering. I don't know how many people were around in the Windows Vista time, when people got tired of warnings: doing this is going to break your computer, warning, doing this... This is not the same. This is a single thing that the user, at the very least, should be aware of, what's going on, because yes, that's one of the main things.

OK, what's the time? Half an hour, good, I started early. OK, so in this slide I wanted to make the case that automated forwarding is just bad and should be abandoned if possible. I understand the reasoning why it is there: people need things to work and to make things smooth. But in the moment you're basically allowing a random visitor in your house, arriving and opening all your windows, opening your door and leaving it there because he feels like it should be that way. And the worst of it is that you don't know; for you, the doors are closed.

OK, now, convenience versus security is a more general problem in the IT world. When you work in cybersecurity there is the classical example: there is nothing more secure than a closed black box. You put the user inside, he gets no air, he gets no water, he's going to be perfectly safe inside, doing nothing. Then the other part is that you leave it open, completely free for everybody; the world is fantastic, nobody's a threat, nobody is trying to hurt each other. You have to find a balance between making things work and making things secure. There we go, from the point of view of IT support or security professionals: this is directly extracted from the Xbox Microsoft frequently asked questions on what to do if your Xbox is not working. It just explains in detail how you can go to your router and disable all the security that you can and enable UPnP, because it's very important to play your game, but without explaining everything that you are opening by doing this.

So going back to user visibility: depending on the neighborhood that you live in, you put security in your household matching the threat that you are running. If you live in a very bad neighborhood you will put bars on your windows, you will put a big thick door, you put a guard dog, maybe you will hire a security company. The thing is, on the internet everybody lives in the same neighborhood, and the internet is a very, very, very shitty neighborhood. So the last thing you want to do is leave the door open, not having any security at all. And yes, just one last point regarding visibility: imagine a typical grandfather who has been all day working on his farm; he sits in front of the TV after a long day, and little does he know that that box sitting under the TV is doing a proxy relay for a Russian hacker that is attacking some Spanish embassy, or is consuming half of his broadband channeling DDoS traffic that is attacking a web page that is anti gay rights, or something like this. This visibility is not there.

The future. This is how things are now, but the internet is changing; new things are coming. First, if ever, I don't know, IPv6 has been promised for years; we ran out of IPv4 more than 10 years ago, but eventually. So just a bit of history: we talked before about IP and the limited amount of IPs available.
Initially NAT, network address translation, was designed to be able to fit a growing world, a growing internet; more and more devices are coming onto the network. But it was never meant as a security measure; that was just an afterthought that happened to happen. If IPv6 actually comes into play, every single device is going to have its own IP; it's going to be just direct device-to-device connection. That brings firewalls into the picture: ISPs and regular routers are going to actually have to implement at least some very basic version of a firewall to stop all this, to stop all connectivity. Every single connection that happens to your household has to happen with the knowledge of somebody inside the network as well. It's coming. Matter and Thread: this is specifically targeting IoT devices; at the end of the day it's just going to be a separate network inside of your network, and colleagues of mine at CUJO could tell you way more about this, but in the end the conclusions are the same: network security is really poor and we have to pay attention to this. Another thing: 5G. 5G is coming, and household networks are becoming less and less relevant in certain parts of the world, so we are not even going to have an edge router to pay attention to. So having good network defense in place is very, very important, and not just for the household, but for all the corporations; the whole cybersecurity community should be pushing to reinforce the household network, because that infrastructure is being used against you.

OK, so finishing with this, almost a call to action. We've been through a lot of things; let's do a quick summary of the subjects that we touched. The internet is dangerous: yes, the internet is full of all kinds of people that are trying to benefit either from your infrastructure, your money, whatever you have to offer; they will try to take it from you. Households are very coveted resources. I don't know how many of you are in charge of the cloud costs of your company and how expensive it is to have buckets in AWS or Azure; imagine if you could get all that for free. I should include here a meme about "this is free real estate"; it would really fit. Security disabled by default: very sad, but yes. From one point of view I understand that companies will try to disable security because that makes fewer calls to the support service. If you connect your new Xbox and you are not really tech savvy and it doesn't work by default, you will call your ISP company, and that costs money as well. Convenience over security: that's relying on the same thing. And educated users: at the very least, everybody is king of his own castle, right, but at least they should know what they are doing; they should be educated. If I open a door I want to know that I'm opening a door. And then the future is uncertain; we'll see what comes.

It's all up to you guys now. A task for you, depending on what you are: if you're a developer, if you work for an ISP and are suggesting the new security measures, I'm giving you a task. For every single one of you, at least in one of these points you are going to be able to do something about it. Don't advise to lower security: all of us, if you're on a forum, if you are in whatever place and your family member asks about something, don't disable security by default, and if you have to, because whatever that is is very important for that person to work, at least he needs to understand what's happening. If you are working on software or a device, put clear disclaimers and warnings when the user is doing something about it. Run a firewall: I bet a high percentage of you at your own house don't have a running firewall; you believe that because you have NAT and you have UPnP disabled it is enough. No, put a proper firewall in place. Alternatives for remote access: as I explained before, if you're a developer and you have your hand in something that will require access to a household, try to think of something else that is not a direct port connection to the household router. If you can, never do auto port forwarding at all; if it's necessary, go all the way and map it manually. There is the problem that the dynamic DHCP server at your home can change the IP of the specific device; try to put that in. It's not easy, but security is not easy. And the last point: at the very least, if nothing else here matters, because at the end of the day it's money, there are already paths on the way... at the very, very least, UPnP should be disabled by default. Just this little change would cut a significant part of the resources that the threat actors have to work with.

Conclusion: this is all up to you. I hope that I brought light to a subject that may be obvious for all of you, that you might have thought about at a certain point, but there is not enough noise about this. Talk about this; first go to your household, check the setting, if it's enabled disable it; talk about this with colleagues, talk about this with whoever you believe is necessary to talk about this too. OK, so that was it. I hope that there is some kind of hope in the future that something might change. The cynic in me thinks not, but we will see. OK, that's all. Any questions?

So please show your appreciation for Aelio.
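The exchange the talk describes ("hey, I'm a camera, I work with this port, redirect every connection to me", and the router saying "of course") is the UPnP IGD AddPortMapping action. The block below is an added example, not code from the talk or from CUJO: it builds the SOAP body a device sends for that action, parses it back, and applies a router-side policy showing what the three configurations the speaker measured (enabled, enabled with secure mode, disabled) do to the same request. The class and function names (Mapping, evaluate_request), the 192.168.1.x addresses and the "camera" mapping are this example's own constructions; only the service URN and argument names come from the IGD WANIPConnection v1 specification, and the secure mode semantics are those of MiniUPnPd's secure_mode setting (a client may only map ports to its own address). The real protocol also involves SSDP discovery and an HTTP POST with a SOAPAction header, which this example does not model.

```python
"""Added example (not from the talk): model a UPnP IGD AddPortMapping request
and the router's decision under enabled / secure-mode / disabled settings."""
import html
import xml.etree.ElementTree as ET
from dataclasses import dataclass

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
# Service URN from the UPnP IGD spec (WANIPConnection v1); the argument names
# below (NewExternalPort, NewInternalClient, ...) are also from that spec.
WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


@dataclass(frozen=True)
class Mapping:
    external_port: int      # port opened on the router's WAN side
    protocol: str           # "TCP" or "UDP"
    internal_port: int      # port on the LAN host
    internal_client: str    # LAN host that will receive the forwarded traffic
    description: str        # free text the device chooses
    lease_seconds: int = 0  # 0 means permanent in IGD v1


def build_add_port_mapping(m: Mapping) -> bytes:
    """Build the SOAP body a device (camera, TV, console) sends to the router."""
    return f"""<?xml version="1.0"?>
<s:Envelope xmlns:s="{SOAP_NS}" s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">
<s:Body>
<u:AddPortMapping xmlns:u="{WANIP_NS}">
<NewRemoteHost></NewRemoteHost>
<NewExternalPort>{m.external_port}</NewExternalPort>
<NewProtocol>{m.protocol}</NewProtocol>
<NewInternalPort>{m.internal_port}</NewInternalPort>
<NewInternalClient>{m.internal_client}</NewInternalClient>
<NewEnabled>1</NewEnabled>
<NewPortMappingDescription>{html.escape(m.description)}</NewPortMappingDescription>
<NewLeaseDuration>{m.lease_seconds}</NewLeaseDuration>
</u:AddPortMapping>
</s:Body>
</s:Envelope>""".encode()


def parse_add_port_mapping(body: bytes) -> Mapping:
    """Router side: pull the mapping arguments out of the SOAP body."""
    envelope = ET.fromstring(body)
    action = envelope.find(f"{{{SOAP_NS}}}Body/{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("not an AddPortMapping request")

    def arg(name: str) -> str:
        el = action.find(name)  # arguments carry no namespace
        if el is None or el.text is None:
            raise ValueError(f"missing argument {name}")
        return el.text.strip()

    return Mapping(
        external_port=int(arg("NewExternalPort")),
        protocol=arg("NewProtocol").upper(),
        internal_port=int(arg("NewInternalPort")),
        internal_client=arg("NewInternalClient"),
        description=arg("NewPortMappingDescription"),
        lease_seconds=int(arg("NewLeaseDuration")),
    )


def evaluate_request(m: Mapping, requester_ip: str, *,
                     upnp_enabled: bool, secure_mode: bool) -> str:
    """Router-side decision for one request (hypothetical policy function).

    upnp_enabled without secure_mode: any LAN host can open any WAN port to any
    LAN host, including one it does not own. secure_mode: only to itself.
    Disabled: the owner has to log in and map the port by hand, as before UPnP.
    """
    if not upnp_enabled:
        return "deny: UPnP disabled, mapping must be added manually"
    if secure_mode and m.internal_client != requester_ip:
        return (f"deny: secure mode, {requester_ip} may not map ports to "
                f"{m.internal_client}")
    lease = "permanent" if m.lease_seconds == 0 else f"{m.lease_seconds}s"
    return (f"allow: WAN :{m.external_port}/{m.protocol} -> "
            f"{m.internal_client}:{m.internal_port} ({m.description}), "
            f"{lease} lease")


if __name__ == "__main__":
    # Constructed sample: a camera mapping itself, and a compromised LAN host
    # trying to expose the router's own SSH port to the internet.
    camera = parse_add_port_mapping(build_add_port_mapping(
        Mapping(8080, "TCP", 80, "192.168.1.50", "camera")))
    hijack = Mapping(2222, "TCP", 22, "192.168.1.1", "totally legit")
    for enabled, secure in ((True, False), (True, True), (False, False)):
        print(f"enabled={enabled} secure_mode={secure}")
        print("  camera:", evaluate_request(camera, "192.168.1.50",
                                            upnp_enabled=enabled, secure_mode=secure))
        print("  hijack:", evaluate_request(hijack, "192.168.1.50",
                                            upnp_enabled=enabled, secure_mode=secure))
```

Run it as a script to see the three configurations side by side: with the factory default the second request, which maps the router's own port 22 at the request of an unrelated LAN host, is accepted just like the camera's; secure mode blocks it but still lets the camera expose itself permanently to the whole internet; only the disabled setting returns the decision to the owner.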