HARDWARE HACKING CHRONICLESIOT HACKING FOR OFFENCE AND DEFENCE

Fatih Ozavci

Managing Consultant – Context Information Security

2

Fatih Ozavci, Managing ConsultantVoIP & phreaking

Mobile applications and devices

Network infrastructure

CPE, hardware and IoT hacking

Author of Viproy and VoIP Wars

Public speaker and trainer Blackhat, Defcon, HITB, AusCert, Troopers

May'16

3

Subscriber services and IoT

Hardware hacking chronicles

Hacking broadband devices

Hacking office devices

Improving defense and offense

May'16

May'16

Everything is connected

Broadband servicesSmart modems

IPTV equipment

Office devices3g/4g modems

IP phones

Keyboards & mouse

Why should we evolve?

4

5May'16

6May'16

Broadband & 3G/4G

IPTV/Satellite Broadcasting & VoD

Home & Office Equipment

7

Combining testing skillsDesign reviews do not show business logic issues

Tech must be tested for various perspectives

Traditional tests do not coverDevices’ firmware and hardware

Management in a protected network

Very limited days for testing

May'16

8

Testing methodology must be flexibleVarious devices – ARM vs MIPS, Phone vs Modem

Various OSes – Android vs Linux vs VxWorks

Testing must always focus on the device’s roles

May'16

HARDWARE HACKING CHRONICLES

Configuration Edit & Re-Upload

May'16

Secret Handshake to Enable Telnet

Physical Interfaces

10

May'16 11

12

Weaknesses are already knownConfiguration dump for credentials

Editing the conf to enable a feature

Vulnerabilities are public and easyTelnet authentication bypassSagem: https://www.exploit-db.com/exploits/17670

Netgear:https://wiki.openwrt.org/toh/netgear/telnet.console

E.g. admin password leakwget http://1.1.1.1/password.html -t 1 -q -O - | grep pwd

May'16

Console Debugging

TX, RX, GND, V

May'16

Debugging On-Chip

Debug TDI, TDO,

TCK…

Access to Flash

Read/Write Data

SCK, MOSI, MISO...

13

May'16

Bus Pirate

Bus Blaster

Shikra

HydraBus

Jtagulator

GoodFet/GreatFet

Logic Analyser

SOIC8/16 Clips

14

May'16 15

May'16 16

May'16 17

May'16 18

19

Usually 4 PINsTX, RX, GND, Voltage

Provides device accessBootloader, console access

Real-time debugging

Access without a password

May'16

Find the ground

Find the voltage

Set the target voltage

Try to send/receiveTX vs RX

Various baud rates

Analyse the output

Jtagulator

May'16 20

May'16 21

Debugging and logging

Intercepting boot sequenceBoot parameters

CFE access

Getting console access

E.g. Netgear CG3100D

May'16 22

May'16 23

May'16

Stop the boot processUART/Serial connection

PossibilitiesRe-flash for OpenWRT

Get information Credentials?

Dump the firmware

Eg. Sagemcom 3864v2ADSL & NBN

24

May'16 25

26

Debugging standard

Everything depends on the vendor

Device or system testing

Daisy-chained JTAGTDI (Test Data In)

TDO (Test Data Out)

TCK (Test Clock)

TMS (Test Mode Select)

TRST (Test Reset)

May'16

May'16 27

28

Internal communication interface

Direct connection to the flashes

Logic signalsSCLK : Serial Clock

MOSI : Master Output, Slave Input

MISO : Master Input, Slave Output

SS : Slave Select

May'16

Image: https://en.wikipedia.org/wiki/Serial_Peripheral_Interface_Bus

CUSTOMER PREMISES EQUIPMENT

30

Broadband, IPTV, Satellite…

Devices areconnected to the infrastructure

managing by service provider

in the consumer promises

Relying on vendors for securityDefault configuration

Legacy or unpatched software

Management interfaces

May'16

31

Various vendors in a poolDevice provisioning

Software & configuration management

Call centre connections

Generic information in the wildCustom software (e.g OpenWRT)

Bypassing controls is common

BYOD on subscriber services

May'16

Call Centre

May'16 32

Service Provider

ACS SIP

Provisioning Pool

BYOD

TR-069

DOCSISRADIUS

May'16 33

IPTV STB

DVB STB

VODStreaming

DRM WEBServices

VOD, Licenses, Keys, Billing

VOD, Licenses, Keys, Billing

CLOUD

SERVICE PROVIDER

ACS

BROADCAST

RADIUS

TR-069

May'16 34

Service Provider

ACS SIP

TR-069 / DOCSIS

RADIUSVOIP (SIP + RTP)PSTN

PSTNService Provider

MSAN/MGWDistributor

VOIP (SIP + RTP)MANAGEMENT

May'16 35

3G Telecom Network

3G SIPIPSEC VPN

RADIUS

3G

3G

3G

Femtocell Pool

Base Station

TR-069

May'16 36

Debugging

Gathering Information

AttackingServer

Service network

Clients connected

ACS

TR-069

Modem

ACS on Modem TCP/7676

ACS on Server TCP/443

ACS Connection Intercepted

Modified Attacking ContentOriginal Content

37

Dumping device memoryX.509 certificates for IPSEC Auth

PINs, passwords and config data

Broadcasting and DRM keys

Dump device firmwareReverse engineering, exploit dev

Driving a consumer deviceFake base station, billing bypass

Altering VoD content, security bypass

May'16

OFFICE DEVICES

39

Backdoors on devices are commonOpen source, distribution, vendors…

Expensive to replicate the attack

Red teaming engagementsPutting a Raspberry Pi in everything

Collecting keyboard & mouse input

Human factor pen-testingSending backdoored devices

May'16

40

3G/4G Modems WiFi models with services and features

USB models require drivers

Internal storage and card reader

Unauthorised access via services

Firmware operations Dumping and reversing the firmware

Backdooring the firmware

Using their shelves for USB duckies

May'16

41

Keysweeper by SamyKamkarArduino/Teensy based sniffer

Sniffing Microsoft Wireless Keyboard

Mousejack by Bastille SecurityRF keyboard & mouse receivers

Force pairing vulnerability

Force pairing a remote keyboard

May'16

42

Efficient for persistent accessRaspberry Pi, Arduino

Can fit in many devices

Find a suitable device to backdoorFind a power source

Find a network connection

Solder and connect the pieces

Broadcast the network connected

Advanced implants take time

May'16

May'16 43

RJ45 Connection Pins

May'16 44

Speaker Power

Patch the Cat5 cable

DEFENSE AND OFFENSE

46

Enforcing vendors toDisable physical interfaces

Use encryption and access keys

Follow a security standard

Network isolation for subscribers

Tailored research for Vendor product vulnerabilities

CPE management services

Backdoor analysis

May'16

47

Devices are IN SCOPE

Think different and combine skills

Everything is a targetHome automation, CCTV, phones…

Testing service operator networksTest services through devices

Extract information from devices

Access and fuzz tests through devices

May'16

48

Focuses on all componentsDevices, infrastructure, software…

Focuses on exploitable issues

Combines various disciplinesEmbedded systems, mobile, network…

Closes the gap between offense and defense

May'16

49

Context Information Securityhttp://www.contextis.com

AusCERThttps://www.auscert.org.au

IoT Security Wiki https://iotsecuritywiki.com

May'16

QUESTIONS?

THANKS!