©2013 Check Point Software Technologies Ltd.
Physical (In)security:
It’s not all about Cyber…
Inbar Raz
Malware & Security Research Manager
Check Point Software Technologies
Background
Who am I?
– I like to reverse things – software, hardware, ideas, rules.
– I like to find problems and have them fixed (by others…)
What do I do?
– Run Malware & Security Research at Check Point
– Create Responsible Disclosures
– Concentrate on “little to no-skills needed”
  – Easier to demonstrate and convince
Example #1: Movie Ticket Kiosk
On-site Kiosk
Touch Screen
Credit Card Reader
Ticket Printer
No peripherals, no interfaces
The Attack
Improper interface settings allow the opening of menu options.
Menus can be used to browse for a new printer.
A limited Windows Explorer is not restricted enough.
A right-click can be used…
To open a full, unrestricted Windows Explorer.
Browsing through the file system reveals interesting directory names…
And even more interesting file names.
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad
We can use the ticket printer to take it home
But that’s not all: RSA Keys and Certificates are also found on the drive!
Which we can print, take home and then use a free OCR software to read…
The result:
RSA Keys used to bill credit cards.
Example #1: Summary
Device purpose: Print purchased Movie Tickets
Data on device: Credit Card data and Encryption Keys
Method used to hack: 1 finger
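An added example (not from the original deck): a small audit that a kiosk owner could run over a mounted disk image or application directory to find what was found by hand in Example #1, namely unencrypted card numbers and private-key files. The directory layout, file names and sample contents are constructed; candidate card numbers are Luhn-validated and masked in the report.

```python
import os
import re
import tempfile

# PAN: 13-19 digits with optional single space/dash separators. KEY: PEM private-key headers.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def luhn_ok(digits):
    """Luhn checksum: filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    """Return findings for one file; card numbers are masked in the report."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("PAN", digits[:6] + "*" * (len(digits) - 10) + digits[-4:]))
    if KEY_RE.search(text):
        findings.append(("PRIVATE_KEY", "PEM private key header"))
    return findings

def scan_tree(root, max_bytes=1_000_000):
    """Walk a directory tree and map relative path -> list of findings."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("latin-1")
            except OSError:
                continue  # unreadable file: skip it, do not abort the audit
            if hits := scan_text(text):
                report[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return report

def demo():
    files = {  # constructed sample tree; 4111... is a widely used test card number
        "logs/tx.log": "card=4111 1111 1111 1111 amount=42.00\nref=4111111111111112\n",
        "keys/billing.pem": "-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n-----END RSA PRIVATE KEY-----\n",
        "readme.txt": "Kiosk build notes, nothing sensitive.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "w") as fh:
                fh.write(body)
        return scan_tree(root)
```

Any hit on a customer-facing device means the data is one interface escape away from exposure; the fix is to stop storing it there, not to hide the directory.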
Example #2: Point-of-Sale Device
Point-Of-Sale devices are all around you.
The Attack
PoS Device located outside business during the day
At the end of the day, it is locked inside the business
But one thing is left outside, in the street:
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up Wireshark, discover IPs of live machines.
Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254
Confirm by ping (individual and broadcast)
Evidence of SMB (plus prior knowledge) leads to the next step:
And the response:
[Restricted] ONLY for designated groups and individuals
Things to do with an open share
#1: Look around
– Establish possible attack vectors
#2: Create a file list
– Not like stealing data, but very helpful
The mystery of 192.168.0.250
Answers a ping, but no SMB.
First guess: the ADSL Modem.
Try to access the Web-UI:
Use the full URL:
Going for the ADSL router
Reminder: We actually had this information.
Naturally, there is access control:
Want to guess?
Example #2: Summary
Device purpose: Cash Register and Local Server
Data on device: Credit Card data, Customer Database
Method used to hack: MacBook Pro, Free Software
Other opportunities
A Medical Clinic in Tel-Aviv
– Complete disregard for attendance systems
A Hospital in Tel-Aviv
An ATM at a shopping mall
Example #3: Hospital Smart TV
Features
– Watch TV
– Listen to music
– VOD
– Browse the Internet
Peripherals:
– Touch Screen
– Credit Card Reader
– Earphones
And…
– USB…
The Attack
Start with a USB Keyboard
– Numlock works
– Nothing else does
Power off, Power on, F11
Our options are opening up.
Let’s boot something else
BackTrack (Kali): Never leave home without it
But I’m facing a problem
Even though I’m set to DHCP, I have no IP address.
An examination of the config files reveals the problem:

    # The loopback interface, this is the default configuration:
    auto lo
    iface lo inet loopback

    pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

    # The first network interface.
    # In this case we want to receive an IP-address through DHCP:
    auto eth0
    iface eth0 inet dhcp

    # In this case we have a wired network:
    wpa-driver wired

    # Tell the system we want to use WPA-Supplicant
    # with our configuration file:
    wpa-conf /etc/wpa_supplicant.conf
    pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
But this is Linux, everything is in text files

    network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="a*****c"
        anonymous_identity="a*****c"
        password="*****"
        phase1="auth=MD5"
        phase2="auth=PAP password=*****"
        eapol_flags=0
    }
I copy the files, and try again.
What next?
Find out where we are (external IP)
Proof-of-Concept: Open reverse shell
Further analysis of files reveals a lead:
http://192.168.0.250/client/
This is the actual User Interface:
But it’s not enough…
So the next logical step is…
So what’s next?
We lost access to the devices
– At least easy access
Complete the report and go for disclosure
However…
Turns out other hospitals have the same device
– So now we wait for someone to get sick…
Example #3: Summary
Device purpose: Smart TV for Hospital Patients
Data on device: Network Encryption Keys, Possible access to other networks
Method used to hack: USB Drive, Free Software, Keyboard, Mouse
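An added example (not from the original deck): a configuration check for the kind of wired 802.1X supplicant block shown in Example #3, flagging the settings that made the copied file sufficient to join the network. The WEAK block mirrors the slide's keys with constructed values; the STRICT block, its file paths and the issue labels are assumptions made for illustration.

```python
import re

def parse_networks(conf):
    """Return one dict per network={...} block (key -> unquoted value)."""
    blocks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", conf, re.S):
        net = {}
        for line in body.splitlines():
            line = line.strip()
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                net[key.strip()] = value.strip().strip('"')
        blocks.append(net)
    return blocks

def audit(net):
    """List weaknesses in one parsed network block."""
    issues = []
    eap = set(net.get("eap", "").upper().split())
    phase2 = net.get("phase2", "")
    if net.get("password") and not net["password"].startswith("hash:"):
        issues.append("plaintext-password")        # readable by anyone who can read the disk
    if "password=" in phase2:
        issues.append("password-in-phase2")
    if "MD5" in eap:
        issues.append("eap-md5-allowed")           # no mutual authentication
    if eap & {"TLS", "TTLS", "PEAP"} and "ca_cert" not in net:
        issues.append("no-server-cert-validation") # any RADIUS server is trusted
    if "AUTH=PAP" in phase2.upper():
        issues.append("phase2-pap")                # cleartext password inside the tunnel
    if net.get("identity") and net.get("anonymous_identity") == net["identity"]:
        issues.append("outer-identity-not-anonymous")
    return issues

# Constructed values in the same shape as the block on the slide.
WEAK = """network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="tv-client"
    anonymous_identity="tv-client"
    password="constructed-secret"
    phase2="auth=PAP password=constructed-secret"
}"""

# Constructed stricter block: certificate-based EAP-TLS with a pinned CA.
STRICT = """network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="tv-client"
    ca_cert="/etc/ssl/radius-ca.pem"
    client_cert="/etc/ssl/tv-client.pem"
    private_key="/etc/ssl/tv-client.key"
}"""
```

A clean result on the stricter block does not cover the boot path: a key file on an unencrypted disk is still copyable once the device boots from USB, so firmware boot-order lockdown and disk encryption remain separate controls.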
Questions?