Dan Demeter

Security Researcher at Kaspersky Lab Romania

Dan graduated from Imperial College London and holds a Master of Engineering in Software Engineering. He joined Kaspersky Lab in 2014 and currently holds the position of Security Researcher. His work focuses on developing threat intelligence systems, processing big data and creating new technologies to fight advanced persistent threats. When not meddling around with network cables or bricking routers he can be found playing board games and snowboarding the slopes across the world.

Back to the IoT Future: Where Marty controls all your routers

The talk is focused on the latest trends and attacks made against devices connected on networks serviced by large Romanian ISPs so the research might be relevant to some of the people in the audience.
“Those that fail to learn from history, are doomed to repeat it.” — Winston Churchill
By 2020, Gartner expects the number of IoT devices to explode to almost 21 billion connected devices. By it is not the future we should be looking for when trying to predict the (in)security of some of these devices. Lessons learned from the past show us that internet worms will most likely attempt to infect unprotected or poorly managed devices. Examples are plenty: from the famous Morris worm (1988) to the nowadays widespread Mirai backdoor (2016).
History repeats itself: all these IoT devices have in common insecure default configurations and/or running software with bugs. Instead of trying to infect users’ machines with malware, cybercriminals realized that sometimes it is easier to just hijack connections to high traffic websites such as Facebook for instance. This is done by changing the device’s DNS settings to point to a rogue server. Intercepting these high traffic websites, the rogue DNS servers will silently redirect the websites to attacker-controlled web servers. From there, the possibilities are endless.
This attack method is generally undetected by the average user, thus allowing the attackers to keep their campaigns under the radar for a longer time. During the last 2 years we have monitored the DNS hijacking attacks against IoT devices and researched how these devices remain in compromised state for long periods of time. The second part of our research was identifying the websites that were hijacked by the rogue DNS servers. By following the attacker’s footsteps we dive into the world of DNS hijacking, exposing the aftermath of Operation Ghost Click. Sadly, their attack vector increases daily, as more and more insecure IoT devices are being connected to the grid.
This presentation will cover:
* Building and running an IoT honeypot for researching attacks
* Collecting DNS changing attacks
* Analysing rogue DNS servers
* How criminals make money
* Connections with clickjacking attacks
* Increasing the security of future IoT devices

Presentation @DefCamp 2017