2016 - The Year of IoT and Taking Down the Internet

Tony Su

Kernel Panic Linux User Group

San Diego Computer Society

November 10, 2016

Embedded Linux

Can a lay person recognise an IoT device?

  • Small
  • Something that "just works"
  • Plugged in to a network
  • Wireless
  • Not itself visible, inside something else
  • Requires its own power connection

What do vulnerable devices look like?

The following are "typical" but never a requirement

Embedded Linux

Common vulnerable devices

  • All phones, particularly "smart" and Android phones
  • All Bluetooth and Wi-Fi enabled devices
  • All "smart" televisions with a network connection
  • All "smart" switches

A device is anything, no matter how big or small, in a case or not, visible or not

Busybox - The core of almost all embedded devices

  • A single binary (approx 8MB)
  • Stripped down, but retaining all functionality for practical use
  • Supports all ordinary Linux OS and application namespaces using sym or hard links
  • No common way to update or upgrade


The Mirai and Bashlight botnet attacks

  • Typically do not write to storage; the compromise exists only in running memory, so a reboot can often remove the malware completely (not a problem for the botnet, because the probability of re-infection can be high)
  • Access the device using default or common Username/Password
  • May not need to elevate permissions although doing so opens new possibilities to the intruder
  • Tens, hundreds and perhaps millions of thousands of potential nodes. Compare with the biggest spam malware botnets of a few years ago, where the largest was less than 500 compromised machines

Common characteristics


One of two main/major botnet malware (Mirai and Bashlight)

61 (some lists have 66) common username/password pairs


Krebs Security attack September 2016

Oct 21 2016 Dyn attack (consequences: GitHub, Twitter, Reddit, Netflix, Airbnb, more)

The DDoS is simple: it prepends a random string in front of a valid domain name. Note that this is different from, and far simpler than, for instance, a DNS amplification attack
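An added example (not from the original slides): a defender-side check over resolver query logs for the random-prefix pattern described above. The log format, the thresholds, the function names and the use of NXDOMAIN answers as a signal are assumptions made for illustration.

```python
from collections import defaultdict

def build_sample_log():
    """Constructed sample resolver log, "<client> <qname> <rcode>" (not real traffic)."""
    lines = []
    for i in range(40):  # normal traffic: a few names, repeated, answered
        lines.append(f"10.0.0.{i % 5} www.example.org NOERROR")
        lines.append(f"10.0.0.{i % 5} mail.example.org NOERROR")
    for i in range(80):  # flood pattern: a new random-looking label each query
        label = format((i * 2654435761) % 2**32, "08x")  # deterministic, all unique
        lines.append(f"10.0.1.{i % 20} {label}.example.com NXDOMAIN")
    return lines

def zone_of(qname):
    # Assumption: the zone is the last two labels; production code would
    # consult the Public Suffix List instead.
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def detect_random_prefix_flood(lines, min_queries=50,
                               min_unique_ratio=0.9, min_nx_ratio=0.9):
    """Flag zones where nearly every query carries a never-repeated prefix."""
    stats = defaultdict(lambda: {"total": 0, "prefixes": set(), "nx": 0})
    for line in lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        _client, qname, rcode = parts
        zone, prefix = zone_of(qname)
        s = stats[zone]
        s["total"] += 1
        s["prefixes"].add(prefix)
        s["nx"] += rcode == "NXDOMAIN"
    flagged = {}
    for zone, s in stats.items():
        unique_ratio = len(s["prefixes"]) / s["total"]
        nx_ratio = s["nx"] / s["total"]
        if (s["total"] >= min_queries and unique_ratio >= min_unique_ratio
                and nx_ratio >= min_nx_ratio):
            flagged[zone] = {"queries": s["total"],
                             "unique_ratio": round(unique_ratio, 2),
                             "nx_ratio": round(nx_ratio, 2)}
    return flagged

if __name__ == "__main__":
    for zone, info in detect_random_prefix_flood(build_sample_log()).items():
        print(zone, info)
```

Because every query name is new, none of them can be served from a resolver cache, which is why the ratio of unique prefixes to total queries per zone is the useful signal here.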

Source Code - https://github.com/jgamblin/Mirai-Source-Code

Dirty Cow - CVE-2016-5195

Threat Level - Critical

Threat consequence - Elevates code to Root/system equivalent

Scope - All systems using an unpatched kernel since 2007

Difficulty to exploit - Easy to moderate

Exploit code in the Wild - Yes


Dirty Cow - CVE-2016-5195

Technical Description

A memory page may be marked both read-only and copy-on-write for special instances like running in a debugger (which allows breakpoints to be inserted into the running process).

Although normally a read-only memory page doesn't use the copy-on-write mapping, a malicious exploit can take advantage of it. A special "-force" instruction can override the normal read-only protection to modify the page and insert malicious code.

When the "-force" instruction is implemented, it opens up 3 possible attack vectors:

  • The ptrace() system call’s PTRACE_POKEDATA operation, which is explicitly meant to be used by debuggers, often for the purpose of setting breakpoints.
  • Writes to /proc//mem. It’s unclear why this code uses force – possibly it was a mistake.
  • Various drivers, which are also probably using the flag by mistake.


Kenton Varda Oct 25, 2016



