War Texting Weaponizing Machine 2 Machine

8/2/2019 War Texting Weaponizing Machine 2 Machine

1/85

War TextingWeaponizing Machine 2 Machine

@DonAndrewBaileydonb@isecpartners.com
mailto:donb@isecpartners.commailto:donb@isecpartners.com


2/85

whois donb?
mailto:donb@isecpartners.com


3/85

whatis iSEC Partners?


4/85

whyare we here?


5/85

No, really.

Cellular enabled pill bottles

Track pill usage remotely

Email alerts when

Pill count is low

Pills havent been taken

When its time to take your pill
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


6/85

Wait. That sounds bad.


7/85

But, its helping people.

Alzheimers patients

Children with severe diseases

Physically disabled patients

Overworked security consultants
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


8/85

Wait. That soundsgood.
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


9/85


10/85


11/85

Everything will be a computer
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


12/85

Examples?

Medical devices (personal, industrial)

Industrial monitoring

Automated Teller Machines

Industrial/Commercial Alarm Systems

Home Alarm Systems

Car security systems
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


13/85

I would have owned ATMs, but


14/85


15/85

Elegant Attacks Against M2M


16/85

Attack methods

Firmware Over The Air (FOTA)

Long Range Baseband Compromise

Access Point Name (APN) Private Networkcompromise
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


17/85

FOTA Hacking?


18/85

FOTA

A methodology for

Devising a firmware patch/update

Securely packaging the patch/update

Shipping it OTA to be applied


19/85

FOTA Attacks Benefits

Elegant

Mass compromise of multiple types of devices Multiple vendors use the same baseband

Negatives Very chip specific

Impacts the update lifecycle Requires specialized firmware Corner cases = potential detection FOTA compromise != Application compromise FOTA may not be used in specific M2M deployments
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


20/85

FOTA Conclusion?


21/85


22/85

So you thought baseband attacks were

local only, eh?


23/85

Long Range Baseband Compromise Yep, Basebands have TCP/IP stacks Oh, and these too

HTTP FTP DNS ICMP

TCP client/server UDP client/server POP3 SMTP
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


24/85

Long Range Baseband Attacks Benefits

Elegant

Mass persistent compromise Doesnt mess up firmware updates Backdoors are light weight Potential detection is slim to none

Negatives Very chip specific Requires zero-day Large time to deployment Target could be Java VM, could be C/C++
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


25/85

Long Range Baseband Conclusion?


26/85


27/85

APN Private Network Attacks?


28/85

APN Private Network Attacks

Benefits

None

Negatives

Uninteresting

Boring Pointless

Repetitive

The Grugq would laugh at me
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


29/85

You dont need to see a conclusion for

this one.


30/85

So, what shouldwe do?
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


31/85

Common M2M Example from Microchip


32/85

Find Architectural Commonalities Baseband

modules must be approved

The approved list ispublic fewfeatures cant driveApplication Logic

Microcontrollers Small RAM Small Code Space (flash) Minimal security surface (if any)
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


33/85

Find Architectural Commonalities Communication

Network Comm = Baseband

Peripheral Comm = uC

Comm between Baseband & uC = UART

Cryptographic Capability Onlysome Basebands provide HTTPS/SSL Usually only Java VM capable

uC is usually baked (or non-existent)
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


34/85

Basebands Accept Hayes AT For network requests

AT+UHTTPC

AT^SISS

AT^USORF

For Incoming/Outgoing SMS AT+CMGL

AT^SMGL
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


35/85

The PayloadMayBe Encrypted If the payload is encrypted

Finite ways the Application can generate a key

IMSI

GSM Timestamp

IMEI

Static Secret

Value from Network (Data or SMS)

Some applications dont even encrypt


36/85

If encrypted, how do we analyze?


37/85

How do we extract it? Use datasheet to find pins

Dont have the uC datasheet?

Most baseband datasheets are public

Use multimeter to

trace baseband UART -> uC UART

Trace VCC, VSS = Now you know 4 pins on your unknown uC

Scan leftovers for JTAG/etc


38/85

How do we extract it? Logic Analyzer

Tap the UART pins

Find test pads, if available

Solder only when necessary (limit damage)

Most basebands will only talk

Async Serial 9600 8N1 Async Serial 115200 8N1

Process data at both speeds


39/85


40/85


41/85

Next, we reverse.


42/85

Its not always easy Difficult to determine crypto keys

Protocol may be dynamic

Nonces may get in the way
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


43/85

Some light Hardware Hacking?


44/85

Nothing too new Simple/Differential Power Analysis

Extract keys

Glitching Extract firmware

Bypass fuses to set DEBUG mode

Blue wire fixes Enable DEBUG mode

Add/remove resistors

Enable DEBUG mode


45/85

Revenge (REVerse ENGinEering) uC are easy

Small code base

Predictable vectors Simple opcode architecture

Typicallyno MMU (used)
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


46/85

The STM8 example stm8s207xx

24MHz clock

6KB RAM 128KB Flash

96 assembly instructions
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


47/85


48/85


49/85


50/85

Disassembling & Emulating = Easy Few registers (X, Y, PC, SP, A, C)

Instructions are easy to decode

A common bit represents a type of memory access

No Store, just Load

Emulation requirements are minimal

Inject interrupts as desired Managing the Clock isnt complex

Simple buffer for UART bytes
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


51/85


52/85

Releasable Tools GPLv2 License

This week

STM8 disassembler

STM8 emulator

At HITB KL

STM8 SWIM for GoodFET


53/85

Point of Reverse Engineering? Determine vectors for communication

SMS

Internet Voice calls

Extract messages for Comm Channels Develop Protocol APIs


54/85

With comm channel Identify commands

Build payloads

Assess delivery mechanisms

Essentially: Build a strategy for attack
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


55/85

Building a Fingerprint


56/85

Device Profiling Network fingerprint

Which network provider?

Is it allocated an MSISDN? Is voice allowed? Is SMS allowed? Caller ID? NPA NXX? HLR?

Physical fingerprint Recognizable SIM Baseband Capabilities


57/85

Why Device Profile? SMS is Noisy

Hundreds of thousands of MSISDN

Decrease cost Evade SMS SPAM filters

Dont tip off your Target
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


58/85

Simple Profiling Tools Scripts by donb and NickDE!

Hello, Carmen Sandiego :)

Snarf Caller ID Scan HLR

Build MSC databases


59/85


60/85

Quick Example: iPad on AT&T Provider?

AT&T (MCC: 310, MNC: 410)

Caller ID? Billable name BAILEY DON

MSISDN & MSC

MSC location != NPA NXX Voice capability

Error
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


61/85

Phew! Thats a lot of stuff!


62/85

Overall Strategy? Identify target industry

Build doc library

Intercept initial command set

Attack hardware

Reverse engineer firmware

Extract commands Identify command channels

Devise network fingerprint

Attack!


63/85

Case Study: Zoombak Tracking Device


64/85

Zoombak Advanced GPS Tracker Sold in over 12,500 stores in USA

Smart Phone App (iPhone, Android, Blackberry)

2x as big as your 6th Generation iPod Nano Track your

Car

Family Pet

Valuables
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


65/85

Zoombak Architecture Renesas SH microprocessor

Cinterion Wireless MC56

GR-520 GPS Module
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


66/85

Intercept Initial AT Command Set Accepts SMS commands

Uploads data to Internet

Retrieves IMSI, IMEI, Network Timestamp, etc Monitors Base Station Info (RSSI, LAC, CI, etc)


67/85


68/85


69/85

Zoombak Communication Channel Comm Vectors

SMS

Internet

Control Channel

Use SMSsubmit to ship the SMS via Kannel

Callbacks

SIM in GSM Modem


70/85

Zoombak Network Fingerprint HLR

Caller ID

Voice capability MSC vs. MSISDN

Specialized SMS


71/85


72/85

Fingerprint Result? 72% Success Rate

Several hundred Zoombak
mailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.commailto:donb@isecpartners.com


73/85

Zoombak Overall Result?


74/85


75/85


76/85

Case Study: Car Security Module


77/85

Strategy Target industry

Doc library

Intercept initial command set Attack hardware

RevEng firmware

Identify command channels Devise network fingerprint

Attack!


78/85

Car Security Overall Result?


79/85


80/85


81/85

Embedded Security is Hard.


82/85

Dont make it harder Increase crypto usage

Ensure APN security

Use Nonces/Tokens Dont embed IP addresses in SMS ;)

Dont push insecure architecture

Require PKI/SSL Decrease Prices of Security uC

Atmel

ST


83/85

All tools can be downloaded https://wartexting.org/

Simple Zoombak Scanner FindMe HLR/MSC snarfer

WhoIs Caller ID client

Soon to come (end of next week) STM8 Disassembler

STM8 Emulator


84/85

Thanks to iSEC Partners, NCC Group, and Alex Stamos Mat Solnik Joe Gratz Nick DePetrillo Mike Ossmann Travis Goodspeed Patrick McCanna

Justine Osborne Heidi Cuda David Munson Robot insect image Mike Libby


85/85

Even if my collar bones crush or crumble.

- Eminem

War Texting Weaponizing Machine 2 Machine

Documents

Transcript of War Texting Weaponizing Machine 2 Machine

Tweeting and Texting

Weaponizing the Windows API with Metasploit's Railgun

Texting pp!

Weaponizing Femtocells: The Effect of Rogue Devices on ... · Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunication Nico Golde, Ke´vin Redon, Ravishankar

#LHLW365 Texting for Health - neafcs.memberclicks.net€¦ · Current Texting Results 89% indicated they benefited from the texting Nearly 100% would sign up again for texting 55%

Weaponizing Space: Technologies and Policy Choices

Texting Test

Texting slideshow

Weaponizing Weather To Attack The U.S. Electric Power Grid

SNAP_R Weaponizing Data Science for Social Engineering

Weaponizing Tear Gas: Bahrainâ€™s Unprecedented Use of Toxic

Colorado WIC Breastfeeding Peer Counseling Texting Program ... · Colorado WIC Breastfeeding Peer Counseling Texting Program do WI C BF PC Texting/Phone Program Thru texting, anytime,

Weaponizing Your Money with a Salt and Light Approach

Weaponizing Lady GaGa PsychoSonic Attacks - … · Weaponizing Lady GaGa PsychoSonic Attacks Brad (theNURSE) Smith Private Practice Informatics Nurse

Weaponizing Femtocells: The Effect of Rogue Devices on ...people.cs.georgetown.edu/~clay/classes/fall2014/... · Weaponizing Femtocells: The Effect of Rogue Devices on Mobile Telecommunication

Texting girls

Badass Texting

The Costs of Weaponizing Emancipatory Politics ...spectrumjournal.net/wp-content/uploads/2017/05/Naeem-Inayatullah... · The Costs of Weaponizing Emancipatory Politics: Constituting

Texting poster

Texting While Driving