Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
-
Upload
fatih-ozavci -
Category
Technology
-
view
857 -
download
9
Transcript of Hardware Hacking Chronicles: IoT Hacking for Offence and Defence
HARDWARE HACKING CHRONICLESIOT HACKING FOR OFFENCE AND DEFENCE
Fatih Ozavci
Managing Consultant – Context Information Security
2
Fatih Ozavci, Managing ConsultantVoIP & phreaking
Mobile applications and devices
Network infrastructure
CPE, hardware and IoT hacking
Author of Viproy and VoIP Wars
Public speaker and trainer Blackhat, Defcon, HITB, AusCert, Troopers
May'16
3
Subscriber services and IoT
Hardware hacking chronicles
Hacking broadband devices
Hacking office devices
Improving defense and offense
May'16
May'16
Everything is connected
Broadband servicesSmart modems
IPTV equipment
Office devices3g/4g modems
IP phones
Keyboards & mouse
Why should we evolve?
4
7
Combining testing skillsDesign reviews do not show business logic issues
Tech must be tested for various perspectives
Traditional tests do not coverDevices’ firmware and hardware
Management in a protected network
Very limited days for testing
May'16
8
Testing methodology must be flexibleVarious devices – ARM vs MIPS, Phone vs Modem
Various OSes – Android vs Linux vs VxWorks
Testing must always focus on the device’s roles
May'16
12
Weaknesses are already knownConfiguration dump for credentials
Editing the conf to enable a feature
Vulnerabilities are public and easyTelnet authentication bypassSagem: https://www.exploit-db.com/exploits/17670
Netgear:https://wiki.openwrt.org/toh/netgear/telnet.console
E.g. admin password leakwget http://1.1.1.1/password.html -t 1 -q -O - | grep pwd
May'16
Console Debugging
TX, RX, GND, V
May'16
Debugging On-Chip
Debug TDI, TDO,
TCK…
Access to Flash
Read/Write Data
SCK, MOSI, MISO...
13
May'16
Bus Pirate
Bus Blaster
Shikra
HydraBus
Jtagulator
GoodFet/GreatFet
Logic Analyser
SOIC8/16 Clips
14
19
Usually 4 PINsTX, RX, GND, Voltage
Provides device accessBootloader, console access
Real-time debugging
Access without a password
May'16
Find the ground
Find the voltage
Set the target voltage
Try to send/receiveTX vs RX
Various baud rates
Analyse the output
Jtagulator
May'16 20
Debugging and logging
Intercepting boot sequenceBoot parameters
CFE access
Getting console access
E.g. Netgear CG3100D
May'16 22
May'16
Stop the boot processUART/Serial connection
PossibilitiesRe-flash for OpenWRT
Get information Credentials?
Dump the firmware
Eg. Sagemcom 3864v2ADSL & NBN
24
26
Debugging standard
Everything depends on the vendor
Device or system testing
Daisy-chained JTAGTDI (Test Data In)
TDO (Test Data Out)
TCK (Test Clock)
TMS (Test Mode Select)
TRST (Test Reset)
May'16
28
Internal communication interface
Direct connection to the flashes
Logic signalsSCLK : Serial Clock
MOSI : Master Output, Slave Input
MISO : Master Input, Slave Output
SS : Slave Select
May'16
Image: https://en.wikipedia.org/wiki/Serial_Peripheral_Interface_Bus
30
Broadband, IPTV, Satellite…
Devices areconnected to the infrastructure
managing by service provider
in the consumer promises
Relying on vendors for securityDefault configuration
Legacy or unpatched software
Management interfaces
May'16
31
Various vendors in a poolDevice provisioning
Software & configuration management
Call centre connections
Generic information in the wildCustom software (e.g OpenWRT)
Bypassing controls is common
BYOD on subscriber services
May'16
May'16 33
IPTV STB
DVB STB
VODStreaming
DRM WEBServices
VOD, Licenses, Keys, Billing
VOD, Licenses, Keys, Billing
CLOUD
SERVICE PROVIDER
ACS
BROADCAST
RADIUS
TR-069
May'16 34
Service Provider
ACS SIP
TR-069 / DOCSIS
RADIUSVOIP (SIP + RTP)PSTN
PSTNService Provider
MSAN/MGWDistributor
VOIP (SIP + RTP)MANAGEMENT
May'16 36
Debugging
Gathering Information
AttackingServer
Service network
Clients connected
ACS
TR-069
Modem
ACS on Modem TCP/7676
ACS on Server TCP/443
ACS Connection Intercepted
Modified Attacking ContentOriginal Content
37
Dumping device memoryX.509 certificates for IPSEC Auth
PINs, passwords and config data
Broadcasting and DRM keys
Dump device firmwareReverse engineering, exploit dev
Driving a consumer deviceFake base station, billing bypass
Altering VoD content, security bypass
May'16
39
Backdoors on devices are commonOpen source, distribution, vendors…
Expensive to replicate the attack
Red teaming engagementsPutting a Raspberry Pi in everything
Collecting keyboard & mouse input
Human factor pen-testingSending backdoored devices
May'16
40
3G/4G Modems WiFi models with services and features
USB models require drivers
Internal storage and card reader
Unauthorised access via services
Firmware operations Dumping and reversing the firmware
Backdooring the firmware
Using their shelves for USB duckies
May'16
41
Keysweeper by SamyKamkarArduino/Teensy based sniffer
Sniffing Microsoft Wireless Keyboard
Mousejack by Bastille SecurityRF keyboard & mouse receivers
Force pairing vulnerability
Force pairing a remote keyboard
May'16
42
Efficient for persistent accessRaspberry Pi, Arduino
Can fit in many devices
Find a suitable device to backdoorFind a power source
Find a network connection
Solder and connect the pieces
Broadcast the network connected
Advanced implants take time
May'16
46
Enforcing vendors toDisable physical interfaces
Use encryption and access keys
Follow a security standard
Network isolation for subscribers
Tailored research for Vendor product vulnerabilities
CPE management services
Backdoor analysis
May'16
47
Devices are IN SCOPE
Think different and combine skills
Everything is a targetHome automation, CCTV, phones…
Testing service operator networksTest services through devices
Extract information from devices
Access and fuzz tests through devices
May'16
48
Focuses on all componentsDevices, infrastructure, software…
Focuses on exploitable issues
Combines various disciplinesEmbedded systems, mobile, network…
Closes the gap between offense and defense
May'16
49
Context Information Securityhttp://www.contextis.com
AusCERThttps://www.auscert.org.au
IoT Security Wiki https://iotsecuritywiki.com
May'16