Strange and Radiant Machines in the PHY Layer - Hackito Ergo
70
Strange and Radiant Machines in the PHY Layer Travis Goodspeed Sergey Bratus Neighbors for the Liberation of Weird Machines April 12, 2012 Goodspeed/Bratus HES2012 PHY Layer Exploits 1
Transcript of Strange and Radiant Machines in the PHY Layer - Hackito Ergo
Strange and Radiant Machinesin the
PHY Layer
Travis Goodspeed Sergey Bratus
Neighbors for the Liberation of Weird Machines
April 12, 2012
Goodspeed/Bratus HES2012 PHY Layer Exploits 1
Goodspeed/Bratus HES2012 PHY Layer Exploits 2
Goodspeed/Bratus HES2012 PHY Layer Exploits 3
Goodspeed/Bratus HES2012 PHY Layer Exploits 4
Introduction
Goodspeed/Bratus HES2012 PHY Layer Exploits 5
Introduction
Goodspeed/Bratus HES2012 PHY Layer Exploits 6
Introduction
Goodspeed/Bratus HES2012 PHY Layer Exploits 7
Introduction
Goodspeed/Bratus HES2012 PHY Layer Exploits 8
Introduction
Goodspeed/Bratus HES2012 PHY Layer Exploits 9
Phrack 49:19
• strcat() overwrite the return pointer.• foo() returns to the wrong place.• Some of the string is executed as code.
Goodspeed/Bratus HES2012 PHY Layer Exploits 10
Nowadays, you need more tricks.
• Heap Feng Shui to control heap alignment.• Jit Spraying to produce shellcode in executable region.• Return-Oriented-Programming to repurpose existing code.
• None of these are useful in isolation.• None of these were useful in 1996.• All of these are useful in 2012.
Goodspeed/Bratus HES2012 PHY Layer Exploits 11
Nowadays, you need more tricks.
• Heap Feng Shui to control heap alignment.• Jit Spraying to produce shellcode in executable region.• Return-Oriented-Programming to repurpose existing code.
• None of these are useful in isolation.• None of these were useful in 1996.• All of these are useful in 2012.
Goodspeed/Bratus HES2012 PHY Layer Exploits 11
Fingerprinting to Attack Hardware
• Just like software, hardware has bugs.• Unlike software, these bugs are poorly understood.• Document everything strange, find what’s useful later.
Goodspeed/Bratus HES2012 PHY Layer Exploits 12
Goodspeed/Bratus HES2012 PHY Layer Exploits 13
Goodspeed/Bratus HES2012 PHY Layer Exploits 14
Goodspeed/Bratus HES2012 PHY Layer Exploits 15
Goodspeed/Bratus HES2012 PHY Layer Exploits 16
Goodspeed/Bratus HES2012 PHY Layer Exploits 17
Goodspeed/Bratus HES2012 PHY Layer Exploits 18
Goodspeed/Bratus HES2012 PHY Layer Exploits 19
Goodspeed/Bratus HES2012 PHY Layer Exploits 20
Goodspeed/Bratus HES2012 PHY Layer Exploits 21
Goodspeed/Bratus HES2012 PHY Layer Exploits 22
Goodspeed/Bratus HES2012 PHY Layer Exploits 23
Goodspeed/Bratus HES2012 PHY Layer Exploits 24
Fingerprinting to Attack Hardware
• Just like software, hardware has bugs.• Unlike software, these bugs are poorly understood.• Document everything strange, find what’s useful later.
Goodspeed/Bratus HES2012 PHY Layer Exploits 25
Strange and Radiant Machines
• Strange Machines:• Might not be useful.• ANYTHING and EVERYTHING unexpected qualifies.
• Radiant Machines:• Were useful once in writing one exploit.• Most of these seem useless out of context.
Goodspeed/Bratus HES2012 PHY Layer Exploits 26
Strange and Radiant Machines
• Strange Machines:• Might not be useful.• ANYTHING and EVERYTHING unexpected qualifies.
• Radiant Machines:• Were useful once in writing one exploit.• Most of these seem useless out of context.
Goodspeed/Bratus HES2012 PHY Layer Exploits 26
Radiant Machines
• The OSI Model gives attacker control of inside of packet.
• Radio receivers suffer false positives, false negatives.• Instructions have maximum clock frequencies.• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 27
Radiant Machines
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.
• Instructions have maximum clock frequencies.• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 27
Radiant Machines
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.• Instructions have maximum clock frequencies.
• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 27
Radiant Machines
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.• Instructions have maximum clock frequencies.• Flash has different voltage tolerances than RAM or ROM.
• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 27
Radiant Machines
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.• Instructions have maximum clock frequencies.• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 27
PHY-Layer Exploits
Goodspeed/Bratus HES2012 PHY Layer Exploits 28
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 29
Radiant Machines of Packet in Packet
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.
• For the Zigbee/802.15.4 implementation,• Packets length may vary.• The same symbol set is used for payload and headers.
Goodspeed/Bratus HES2012 PHY Layer Exploits 30
Radiant Machines of Packet in Packet
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.
• For the Zigbee/802.15.4 implementation,• Packets length may vary.• The same symbol set is used for payload and headers.
Goodspeed/Bratus HES2012 PHY Layer Exploits 30
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 31
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 32
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 33
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 34
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 35
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 36
Packet in Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 37
Radiant Machines of Packet in Packet
• The OSI Model gives attacker control of inside of packet.• Radio receivers suffer false positives, false negatives.
• For the Zigbee/802.15.4 implementation,• Packets length may vary.• The same symbol set is used for payload and headers.
Goodspeed/Bratus HES2012 PHY Layer Exploits 38
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 39
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 40
Packet Out of Packet
Keykeriki 2.0, http://www.remote-exploit.org/Max Moser and Thorsten Schroeder
Goodspeed/Bratus HES2012 PHY Layer Exploits 41
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 42
Packet Out of Packet
• Keykeriki needed custom hardware to sniff at 2Mbps.• Couldn’t match in hardware because SYNC is unknown.
• With a trick similar to PIP, we can do it on cheap hardware.• First, cause false-positive matches before the packet.• Second, disable the CRC.
Goodspeed/Bratus HES2012 PHY Layer Exploits 43
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 44
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 45
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 46
Packet Out of Packet
Goodspeed/Bratus HES2012 PHY Layer Exploits 47
Radiant Machines of POOP
• Radio receivers suffer false positives, false negatives.
• For the MSKB implementation,• Address length is arbitrary on the receiver.• Checksums can be disabled.• The preamble is predictable.• Preamble damage is not fatal to reception.
Goodspeed/Bratus HES2012 PHY Layer Exploits 48
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 49
Radiant Machines in Power Supplies
• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 50
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 51
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 52
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 53
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 54
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 55
Power Supply Attacks
Goodspeed/Bratus HES2012 PHY Layer Exploits 56
Radiant Machines in Power Supplies
• Flash has different voltage tolerances than RAM or ROM.• Regions of a chip have different power supplies.
Goodspeed/Bratus HES2012 PHY Layer Exploits 57
Other Vulnerabilities
Goodspeed/Bratus HES2012 PHY Layer Exploits 58
Read the Fucking Papers
• Packets in Packets:Orsen Welles’ In-Band Signaling Attack for Digital Radioshttp://packetsinpackets.org/
• Promiscuity is the NRF24L01+’s Dutyhttp://travisgoodspeed.blogspot.com/
• Freescale MC13224 Memory Extractionhttp://travisgoodspeed.blogspot.com/
• Language-Theoretic Securityhttp://langsec.org/
Goodspeed/Bratus HES2012 PHY Layer Exploits 59
Read the Fucking Papers
• Packets in Packets:Orsen Welles’ In-Band Signaling Attack for Digital Radioshttp://packetsinpackets.org/
• Promiscuity is the NRF24L01+’s Dutyhttp://travisgoodspeed.blogspot.com/
• Freescale MC13224 Memory Extractionhttp://travisgoodspeed.blogspot.com/
• Language-Theoretic Securityhttp://langsec.org/
Goodspeed/Bratus HES2012 PHY Layer Exploits 59
Read the Fucking Papers
• Packets in Packets:Orsen Welles’ In-Band Signaling Attack for Digital Radioshttp://packetsinpackets.org/
• Promiscuity is the NRF24L01+’s Dutyhttp://travisgoodspeed.blogspot.com/
• Freescale MC13224 Memory Extractionhttp://travisgoodspeed.blogspot.com/
• Language-Theoretic Securityhttp://langsec.org/
Goodspeed/Bratus HES2012 PHY Layer Exploits 59
Read the Fucking Papers
• Packets in Packets:Orsen Welles’ In-Band Signaling Attack for Digital Radioshttp://packetsinpackets.org/
• Promiscuity is the NRF24L01+’s Dutyhttp://travisgoodspeed.blogspot.com/
• Freescale MC13224 Memory Extractionhttp://travisgoodspeed.blogspot.com/
• Language-Theoretic Securityhttp://langsec.org/
Goodspeed/Bratus HES2012 PHY Layer Exploits 59
Questions
Goodspeed/Bratus HES2012 PHY Layer Exploits 60
