Insecure Obsolete and Trivial
The Real IOT
BSides Puerto Rico 2017(18)
Price McDonald
#USERID 0,0 pkm
• 10 years InfoSec Experience
• Manager, Rapid7 Global Services
• Certifications:
• GPEN, GREM, GWAPT, GXPN, OSCP
• Enjoys long walks to Microcenter, Competitive Shooting and Reverse Engineering.
Current State of Hardware Security
O’RLY?
Current State of Hardware Security
Ok, So Hardware
Security sucks…
But why focus on
the hardware?
Get the “Things” on the Cheap
• Beta Programs
• https://www.betabound.com/tp-link-router-private-beta/
• https://beta.linksys.com/
• https://www.beta.netgear.com/signup/
• Flea Markets
• Ebay
• Craigslist
• Garage Sales
Test Dummy
Tamper Resistance and Detection
Component Identification
Component Identification(2)
• EOL 802.11G router SoC (System on Chip)
• 200 MHz MIPS32 core
• Supports Serial or Parallel Flash
• One JTAG and two UART Ports
• 336 ball FBGA (Fine-pitch Ball Grid Array)
• 32 Mbit Parallel NOR Flash Memory
• 3V only
• 48-pin TSOP (Thin Small Outline Package)
• CMOS DDR400 RAM
• 66-pin TSOP II
Component Identification Tips and Trick
Arts and Crafts Time
Finding Ground
• Using the multimeter we can figure out which of the pins on our headers connect to ground and which have voltage.
[Figure: header pins labelled Ground and Voltage, specifically 3.3v]
• Got Ground?
Physical Counter Measures
Common Interface Types
• UART - Universal Asynchronous Receiver/Transmitter
• SPI - Serial Peripheral Interface
• I2C - Inter Integrated Circuit
• JTAG - Joint Test Action Group - Hardware Debugging Interface
• CAN - Controller Area Network (Cars/ATM/etc)
• RS232 - Serial Interface used on many legacy devices
Pinout Reversing
• Saleae Logic Analyzer
• ~100 Bucks on the low end @ https://www.saleae.com
• Also, EDU discounts available up to 50% depending on model.
• Keep in mind that logic analyzers are sampling, which can cause artificial data depending on the sampling rate and thresholds.
• Works for I2C, UART, SPI, JTAG, CAN, etc, etc
Saleae Logic UI
• Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes. Activity on a pin is a good indication of either a UART, I2C or SPI connection.
Saleae Logic Decoders
Given that we suspect Async Serial (UART), we will select that analyzer.
Saleae Logic - Decoding
Among small embedded devices 115200 is a very common bit rate so it is an easy
guess. But we will also cover a more automated way of determining bit rate.
Saleae Logic - Decoding(2)
We must also ensure we are configuring the analyzer to decode the appropriate channel (the channels are color coded, as long as you connected the probes correctly).
Saleae Logic - Output
As you can see we are successfully decoding the output
from the UART serial connection on our Broadcom chip.
Connecting to Interfaces
• Bus Pirate
• Less of a learning curve
• Slower transfer speeds
• Supports UART, SPI, I2C and JTAG
• Shikra
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C and JTAG
• TIAO USB Multiprotocol Adapter
• No UI but faster transfer speeds as a result
• Supports UART, SPI, I2C, JTAG, RS-232
• Supports multiple connections from the same device
• Slightly less reliable in my experience
Using the Shikra
http://int3.cc/products/the-shikra
Connecting to UART
The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below.
sudo screen /dev/[device id] [baud rate]
Or, in the case of the device ID below for the Shikra:
sudo screen /dev/ttyUSB0 115200
NOW WE HAVE A SHELL!
But what’s next?
AND THEN?
Shell is only the beginning
No Tech Hacking
File System Fiddling
• MTD stands for "Memory Technology Device".
• Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed.
• An mtdblock is a block device emulated over an mtd device.
Hiding in Plain Sight
Often, embedded device manufacturers leave important file systems unmounted.
Another good resource:
http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
Pilfering
But, How do we get the file system off of the target device?
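The MTD layout described above, and the first step toward the question just asked (knowing which flash partitions exist and which of them are not mounted), as an added Python example that is not part of the original slides. The /proc/mtd, /proc/mounts and /proc/cmdline contents are constructed samples in the real kernel formats; the partition names and sizes are assumptions.

```python
"""Find flash partitions that exist in /proc/mtd but are not mounted.

Added example, not from the original slides. The three inputs are
constructed samples in the real kernel formats (/proc/mtd, /proc/mounts
and /proc/cmdline); on a device you would read the live files instead.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

PROC_MTD = """\
dev:    size   erasesize  name
mtd0: 00040000 00010000 "u-boot"
mtd1: 00010000 00010000 "u-boot-env"
mtd2: 00100000 00010000 "kernel"
mtd3: 00580000 00010000 "rootfs"
mtd4: 00300000 00010000 "rootfs_data"
mtd5: 00010000 00010000 "art"
"""

PROC_MOUNTS = """\
rootfs / rootfs rw 0 0
/dev/root / squashfs ro,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec,noatime 0 0
/dev/mtdblock4 /overlay jffs2 rw,noatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,noatime 0 0
"""

PROC_CMDLINE = "console=ttyS0,115200 root=/dev/mtdblock3 rootfstype=squashfs\n"

# mtdN: <size hex> <erasesize hex> "<name>"
MTD_LINE = re.compile(r'^mtd(\d+):\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+"(.*)"$')


@dataclass
class MtdPartition:
    index: int
    size: int        # bytes (the /proc/mtd fields are hex)
    erasesize: int   # bytes
    name: str

    @property
    def block_device(self) -> str:
        # Block view of the mtd char device: /dev/mtdN -> /dev/mtdblockN
        return f"/dev/mtdblock{self.index}"


def parse_proc_mtd(text: str) -> List[MtdPartition]:
    parts = []
    for line in text.splitlines():
        m = MTD_LINE.match(line.strip())
        if m:  # skips the "dev: size erasesize name" header line
            parts.append(MtdPartition(int(m.group(1)), int(m.group(2), 16),
                                      int(m.group(3), 16), m.group(4)))
    return parts


def root_device(cmdline: Optional[str]) -> Optional[str]:
    """The device behind /dev/root, taken from the kernel's root= argument."""
    if not cmdline:
        return None
    m = re.search(r"(?:^|\s)root=(\S+)", cmdline)
    return m.group(1) if m else None


def mounted_devices(mounts: str, cmdline: Optional[str] = None) -> Dict[str, str]:
    """Map device node -> mount point, resolving /dev/root when possible."""
    table: Dict[str, str] = {}
    for line in mounts.splitlines():
        fields = line.split()
        if len(fields) >= 2:
            table[fields[0]] = fields[1]
    root = root_device(cmdline)
    if root and "/dev/root" in table:   # /dev/root hides the real mtdblock
        table[root] = table["/dev/root"]
    return table


def unmounted_partitions(proc_mtd: str, proc_mounts: str,
                         proc_cmdline: Optional[str] = None) -> List[MtdPartition]:
    """Partitions with no mount point: boot loader, env, kernel, calibration..."""
    mounted = mounted_devices(proc_mounts, proc_cmdline)
    return [p for p in parse_proc_mtd(proc_mtd) if p.block_device not in mounted]


def report(proc_mtd: str, proc_mounts: str,
           proc_cmdline: Optional[str] = None) -> List[str]:
    """One line per partition, flagging the ones nothing has mounted."""
    mounted = mounted_devices(proc_mounts, proc_cmdline)
    lines = []
    for p in parse_proc_mtd(proc_mtd):
        where = mounted.get(p.block_device, "NOT MOUNTED")
        lines.append(f"{p.block_device:<16} {p.size:>9} bytes  {p.name:<12} {where}")
    return lines
```

Without /proc/cmdline the root file system shows up as unmounted because the kernel reports it as /dev/root, so always feed all three files in.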
Accidental Footprints
So what Happens if that doesn’t work?
• JTAG stands for Joint Test Action Group, which was formed in 1985.
• The following pins are required for JTAG use:
• TDI (Test Data In)
• TDO (Test Data Out)
• TCK (Test Clock)
• TMS (Test Mode Select)
• The TCK pin (Test Clock) provides the clock for the state machine.
• The TMS pin (Test Mode Select) determines when and how the state machine advances, depending on its level during each clock cycle.
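The TCK/TMS state machine just described, as an added Python example that is not part of the original slides: the full 16-state IEEE 1149.1 TAP controller, a search for the shortest TMS sequence between two states, and a simplified single-TAP model that clocks a 32-bit data register out through TDO. The register value is a constructed placeholder, not any real chip's ID.

```python
"""IEEE 1149.1 TAP controller: on every TCK the TMS level selects the next
state; data only moves through TDI/TDO while the TAP sits in a Shift state.
Added example, not from the original slides; the 32-bit value read back
below is a constructed register content, not a real chip's ID.
"""
from collections import deque
from typing import Dict, List, Tuple

# state -> (next state when TMS=0, next state when TMS=1), one TCK per step
TAP: Dict[str, Tuple[str, str]] = {
    "Test-Logic-Reset": ("Run-Test/Idle",  "Test-Logic-Reset"),
    "Run-Test/Idle":    ("Run-Test/Idle",  "Select-DR-Scan"),
    "Select-DR-Scan":   ("Capture-DR",     "Select-IR-Scan"),
    "Capture-DR":       ("Shift-DR",       "Exit1-DR"),
    "Shift-DR":         ("Shift-DR",       "Exit1-DR"),
    "Exit1-DR":         ("Pause-DR",       "Update-DR"),
    "Pause-DR":         ("Pause-DR",       "Exit2-DR"),
    "Exit2-DR":         ("Shift-DR",       "Update-DR"),
    "Update-DR":        ("Run-Test/Idle",  "Select-DR-Scan"),
    "Select-IR-Scan":   ("Capture-IR",     "Test-Logic-Reset"),
    "Capture-IR":       ("Shift-IR",       "Exit1-IR"),
    "Shift-IR":         ("Shift-IR",       "Exit1-IR"),
    "Exit1-IR":         ("Pause-IR",       "Update-IR"),
    "Pause-IR":         ("Pause-IR",       "Exit2-IR"),
    "Exit2-IR":         ("Shift-IR",       "Update-IR"),
    "Update-IR":        ("Run-Test/Idle",  "Select-DR-Scan"),
}


def step(state: str, tms: int) -> str:
    """One TCK cycle: the TMS level picks which transition is taken."""
    return TAP[state][tms]


def run(state: str, tms_bits: List[int]) -> str:
    for tms in tms_bits:
        state = step(state, tms)
    return state


def tms_path(src: str, dst: str) -> List[int]:
    """Shortest TMS sequence from src to dst (breadth-first search)."""
    prev: Dict[str, Tuple[str, int]] = {}
    queue, seen = deque([src]), {src}
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for tms in (0, 1):
            nxt = step(cur, tms)
            if nxt not in seen:
                seen.add(nxt)
                prev[nxt] = (cur, tms)
                queue.append(nxt)
    path: List[int] = []
    cur = dst
    while cur != src:
        cur, tms = prev[cur]
        path.append(tms)
    return path[::-1]


class TapDevice:
    """Simplified model of one TAP with a single `width`-bit data register.
    Entering Capture-DR loads the register; each TCK in Shift-DR presents
    the LSB on TDO and shifts TDI in at the MSB (a real TAP splits these
    across TCK edges; this cycle-level model folds them together)."""

    def __init__(self, dr_value: int, width: int = 32):
        self.state = "Test-Logic-Reset"
        self.capture_value = dr_value
        self.width = width
        self.dr = 0

    def clock(self, tms: int, tdi: int = 0) -> int:
        tdo = 0
        if self.state == "Shift-DR":
            tdo = self.dr & 1
            self.dr = (self.dr >> 1) | (tdi << (self.width - 1))
        self.state = step(self.state, tms)
        if self.state == "Capture-DR":
            self.dr = self.capture_value
        return tdo


def read_dr(dev: TapDevice, width: int = 32) -> int:
    """Walk the TAP into Shift-DR, clock `width` bits out, return to Idle."""
    for tms in tms_path(dev.state, "Shift-DR"):
        dev.clock(tms)
    value = 0
    for i in range(width):
        tms = 1 if i == width - 1 else 0   # last bit moves to Exit1-DR
        value |= dev.clock(tms) << i       # LSB comes out first
    dev.clock(1)   # Exit1-DR -> Update-DR
    dev.clock(0)   # Update-DR -> Run-Test/Idle
    return value
```

Holding TMS high for five clocks reaches Test-Logic-Reset from any state, which is why adapters start a session that way.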
JTAG ADAPTERS
Good: $45
Better: $60-$600
Best: $5000-$20000
Have you heard of the JTAGulator?
• Created by Joe Grand @ http://www.grandideastudio.com
• ~180-200 Bucks
HOW TO CONNECT WITH OPENOCD
The command to start openocd is: openocd -f [interface config] -f [target config]
But now what? There are errors and stuff!!!!!
#openocd on Freenode
HOW TO CONNECT WITH OPENOCD(2)
Silly openocd!
That’s more like it :)
Cereal
Reverse Engineering
• Binary Ninja
• Free version available
• Limited Architecture Support
• Learn one IL to reverse them all
• IDA Pro
• Paid version required for disassembly
• ARM decompiler available but $$$$
• Also very good debugger
• Radare2
• Free multiplatform support
• No decompiler available
Radare2
IDA Pro
No Shell No Problem
Peripheral interfaces
Contact Information
twitter: @PriceMcdonald
Linkedin: linkedin.com/pricemcdonald
Email: pricemcdonald@gmail.com