O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.
HARDWARE HACKING CHRONICLES
IOT HACKING FOR OFFENCE AND DEFENCE
Fatih Ozavci
Managing Consultant – Context Information Sec...
2
Fatih Ozavci, Managing Consultant
VoIP & phreaking
Mobile applications and devices
Network infrastructure
CPE, hard...
3
Subscriber services and IoT
Hardware hacking chronicles
Hacking broadband devices
Hacking office devices
Improving ...
May'16
Everything is connected
Broadband services
Smart modems
IPTV equipment
Office devices
3g/4g modems
IP phones...
5May'16
6May'16
Broadband & 3G/4G
IPTV/Satellite Broadcasting & VoD
Home & Office Equipment
7
Combining testing skills
Design reviews do not show business
logic issues
Tech must be tested for various
perspective...
8
Testing methodology must be flexible
Various devices – ARM vs MIPS, Phone vs Modem
Various OSes – Android vs Linux vs...
HARDWARE HACKING
CHRONICLES
Configuration
Edit & Re-Upload
May'16
Secret Handshake
to Enable Telnet
Physical
Interfaces
10
May'16 11
12
Weaknesses are already known
Configuration dump for credentials
Editing the conf to enable a feature
Vulnerabilitie...
Console Debugging
TX, RX, GND, V
May'16
Debugging On-Chip
Debug TDI, TDO,
TCK…
Access to Flash
Read/Write Data
SCK, MOSI, ...
May'16
Bus Pirate
Bus Blaster
Shikra
HydraBus
Jtagulator
GoodFet/GreatFet
Logic Analyser
SOIC8/16 Clips
14
May'16 15
May'16 16
May'16 17
May'16 18
19
Usually 4 PINs
TX, RX, GND, Voltage
Provides device access
Bootloader, console access
Real-time debugging
Access ...
Find the ground
Find the voltage
Set the target voltage
Try to send/receive
TX vs RX
Various baud rates
Analyse the...
May'16 21
Debugging and logging
Intercepting boot
sequence
Boot parameters
CFE access
Getting console access
E.g. Netgear CG31...
May'16 23
May'16
Stop the boot process
UART/Serial connection
Possibilities
Re-flash for OpenWRT
Get information
 Credentials?...
May'16 25
26
Debugging standard
Everything depends on the vendor
Device or system testing
Daisy-chained JTAG
TDI (Test Data In)...
May'16 27
28
Internal communication interface
Direct connection to the flashes
Logic signals
SCLK : Serial Clock
MOSI : Master ...
CUSTOMER PREMISES
EQUIPMENT
30
Broadband, IPTV, Satellite…
Devices are
connected to the infrastructure
managing by service provider
in the consum...
31
Various vendors in a pool
Device provisioning
Software & configuration
management
Call centre connections
Generic ...
Call Centre
May'16 32
Service Provider
ACS SIP
Provisioning Pool
BYOD
TR-069
DOCSIS RADIUS
May'16 33
IPTV STB
DVB STB
VOD
Streaming
DRM WEB
Services
VOD, Licenses, Keys, Billing
VOD, Licenses, Keys, Billing
CLOUD
...
May'16 34
Service Provider
ACS SIP
TR-069 / DOCSIS
RADIUSVOIP (SIP + RTP)
PSTN
PSTN
Service Provider
MSAN/MGW
Distributor
...
May'16 35
3G Telecom Network
3G SIP
IPSEC VPN RADIUS
3G
3G
3G
Femtocell Pool
Base Station
TR-069
May'16 36
Debugging
Gathering
Information
Attacking
Server
Service network
Clients connected
ACS
TR-069
Modem
ACS on...
37
Dumping device memory
X.509 certificates for IPSEC Auth
PINs, passwords and config data
Broadcasting and DRM keys
...
OFFICE DEVICES
39
Backdoors on devices are common
Open source, distribution, vendors…
Expensive to replicate the attack
Red teaming e...
40
3G/4G Modems
 WiFi models with services and features
 USB models require drivers
 Internal storage and card reader
...
41
Keysweeper by SamyKamkar
Arduino/Teensy based sniffer
Sniffing Microsoft Wireless Keyboard
Mousejack by Bastille Se...
42
Efficient for persistent access
Raspberry Pi, Arduino
Can fit in many devices
Find a suitable device to backdoor
F...
May'16 43
RJ45 Connection Pins
May'16 44
Speaker Power
Patch the Cat5 cable
DEFENSE AND OFFENSE
46
Enforcing vendors to
Disable physical interfaces
Use encryption and access keys
Follow a security standard
Network...
47
Devices are IN SCOPE
Think different and combine skills
Everything is a target
Home automation, CCTV, phones…
Test...
48
Focuses on all components
Devices, infrastructure, software…
Focuses on exploitable issues
Combines various discipl...
49
Context Information Security
http://www.contextis.com
AusCERT
https://www.auscert.org.au
IoT Security Wiki
https://i...
QUESTIONS?
THANKS!
Próximos SlideShares
Carregando em…5
×

de

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 1 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 2 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 3 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 4 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 5 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 6 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 7 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 8 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 9 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 10 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 11 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 12 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 13 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 14 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 15 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 16 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 17 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 18 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 19 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 20 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 21 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 22 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 23 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 24 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 25 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 26 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 27 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 28 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 29 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 30 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 31 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 32 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 33 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 34 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 35 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 36 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 37 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 38 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 39 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 40 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 41 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 42 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 43 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 44 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 45 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 46 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 47 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 48 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 49 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 50 Hardware Hacking Chronicles: IoT Hacking for Offence and Defence Slide 51
Próximos SlideShares
VoIP Wars: Destroying Jar Jar Lync (Unfiltered version)
Avançar
Transfira para ler offline e ver em ecrã inteiro.

4 gostaram

Compartilhar

Baixar para ler offline

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence

Baixar para ler offline

Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.

Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure.

Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service.

The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.

Hardware Hacking Chronicles: IoT Hacking for Offence and Defence

  1. 1. HARDWARE HACKING CHRONICLES IOT HACKING FOR OFFENCE AND DEFENCE Fatih Ozavci Managing Consultant – Context Information Security
  2. 2. 2 Fatih Ozavci, Managing Consultant VoIP & phreaking Mobile applications and devices Network infrastructure CPE, hardware and IoT hacking Author of Viproy and VoIP Wars Public speaker and trainer  Blackhat, Defcon, HITB, AusCert, Troopers May'16
  3. 3. 3 Subscriber services and IoT Hardware hacking chronicles Hacking broadband devices Hacking office devices Improving defense and offense May'16
  4. 4. May'16 Everything is connected Broadband services Smart modems IPTV equipment Office devices 3g/4g modems IP phones Keyboards & mouse Why should we evolve? 4
  5. 5. 5May'16
  6. 6. 6May'16 Broadband & 3G/4G IPTV/Satellite Broadcasting & VoD Home & Office Equipment
  7. 7. 7 Combining testing skills Design reviews do not show business logic issues Tech must be tested for various perspectives Traditional tests do not cover Devices’ firmware and hardware Management in a protected network Very limited days for testing May'16
  8. 8. 8 Testing methodology must be flexible Various devices – ARM vs MIPS, Phone vs Modem Various OSes – Android vs Linux vs VxWorks Testing must always focus on the device’s roles May'16
  9. 9. HARDWARE HACKING CHRONICLES
  10. 10. Configuration Edit & Re-Upload May'16 Secret Handshake to Enable Telnet Physical Interfaces 10
  11. 11. May'16 11
  12. 12. 12 Weaknesses are already known Configuration dump for credentials Editing the conf to enable a feature Vulnerabilities are public and easy Telnet authentication bypass Sagem: https://www.exploit-db.com/exploits/17670 Netgear: https://wiki.openwrt.org/toh/netgear/telnet.console E.g. admin password leak wget http://1.1.1.1/password.html -t 1 -q -O - | grep pwd May'16
  13. 13. Console Debugging TX, RX, GND, V May'16 Debugging On-Chip Debug TDI, TDO, TCK… Access to Flash Read/Write Data SCK, MOSI, MISO... 13
  14. 14. May'16 Bus Pirate Bus Blaster Shikra HydraBus Jtagulator GoodFet/GreatFet Logic Analyser SOIC8/16 Clips 14
  15. 15. May'16 15
  16. 16. May'16 16
  17. 17. May'16 17
  18. 18. May'16 18
  19. 19. 19 Usually 4 PINs TX, RX, GND, Voltage Provides device access Bootloader, console access Real-time debugging Access without a password May'16
  20. 20. Find the ground Find the voltage Set the target voltage Try to send/receive TX vs RX Various baud rates Analyse the output Jtagulator May'16 20
  21. 21. May'16 21
  22. 22. Debugging and logging Intercepting boot sequence Boot parameters CFE access Getting console access E.g. Netgear CG3100D May'16 22
  23. 23. May'16 23
  24. 24. May'16 Stop the boot process UART/Serial connection Possibilities Re-flash for OpenWRT Get information  Credentials? Dump the firmware Eg. Sagemcom 3864v2 ADSL & NBN 24
  25. 25. May'16 25
  26. 26. 26 Debugging standard Everything depends on the vendor Device or system testing Daisy-chained JTAG TDI (Test Data In) TDO (Test Data Out) TCK (Test Clock) TMS (Test Mode Select) TRST (Test Reset) May'16
  27. 27. May'16 27
  28. 28. 28 Internal communication interface Direct connection to the flashes Logic signals SCLK : Serial Clock MOSI : Master Output, Slave Input MISO : Master Input, Slave Output SS : Slave Select May'16 Image: https://en.wikipedia.org/wiki/Serial_Peripheral_Interface_Bus
  29. 29. CUSTOMER PREMISES EQUIPMENT
  30. 30. 30 Broadband, IPTV, Satellite… Devices are connected to the infrastructure managing by service provider in the consumer promises Relying on vendors for security Default configuration Legacy or unpatched software Management interfaces May'16
  31. 31. 31 Various vendors in a pool Device provisioning Software & configuration management Call centre connections Generic information in the wild Custom software (e.g OpenWRT) Bypassing controls is common BYOD on subscriber services May'16
  32. 32. Call Centre May'16 32 Service Provider ACS SIP Provisioning Pool BYOD TR-069 DOCSIS RADIUS
  33. 33. May'16 33 IPTV STB DVB STB VOD Streaming DRM WEB Services VOD, Licenses, Keys, Billing VOD, Licenses, Keys, Billing CLOUD SERVICE PROVIDER ACS BROADCAST RADIUS TR-069
  34. 34. May'16 34 Service Provider ACS SIP TR-069 / DOCSIS RADIUSVOIP (SIP + RTP) PSTN PSTN Service Provider MSAN/MGW Distributor VOIP (SIP + RTP) MANAGEMENT
  35. 35. May'16 35 3G Telecom Network 3G SIP IPSEC VPN RADIUS 3G 3G 3G Femtocell Pool Base Station TR-069
  36. 36. May'16 36 Debugging Gathering Information Attacking Server Service network Clients connected ACS TR-069 Modem ACS on Modem TCP/7676 ACS on Server TCP/443 ACS Connection Intercepted Modified Attacking ContentOriginal Content
  37. 37. 37 Dumping device memory X.509 certificates for IPSEC Auth PINs, passwords and config data Broadcasting and DRM keys Dump device firmware Reverse engineering, exploit dev Driving a consumer device Fake base station, billing bypass Altering VoD content, security bypass May'16
  38. 38. OFFICE DEVICES
  39. 39. 39 Backdoors on devices are common Open source, distribution, vendors… Expensive to replicate the attack Red teaming engagements Putting a Raspberry Pi in everything Collecting keyboard & mouse input Human factor pen-testing Sending backdoored devices May'16
  40. 40. 40 3G/4G Modems  WiFi models with services and features  USB models require drivers  Internal storage and card reader Unauthorised access via services Firmware operations  Dumping and reversing the firmware  Backdooring the firmware Using their shelves for USB duckies May'16
  41. 41. 41 Keysweeper by SamyKamkar Arduino/Teensy based sniffer Sniffing Microsoft Wireless Keyboard Mousejack by Bastille Security RF keyboard & mouse receivers Force pairing vulnerability Force pairing a remote keyboard May'16
  42. 42. 42 Efficient for persistent access Raspberry Pi, Arduino Can fit in many devices Find a suitable device to backdoor Find a power source Find a network connection Solder and connect the pieces Broadcast the network connected Advanced implants take time May'16
  43. 43. May'16 43 RJ45 Connection Pins
  44. 44. May'16 44 Speaker Power Patch the Cat5 cable
  45. 45. DEFENSE AND OFFENSE
  46. 46. 46 Enforcing vendors to Disable physical interfaces Use encryption and access keys Follow a security standard Network isolation for subscribers Tailored research for Vendor product vulnerabilities CPE management services Backdoor analysis May'16
  47. 47. 47 Devices are IN SCOPE Think different and combine skills Everything is a target Home automation, CCTV, phones… Testing service operator networks Test services through devices Extract information from devices Access and fuzz tests through devices May'16
  48. 48. 48 Focuses on all components Devices, infrastructure, software… Focuses on exploitable issues Combines various disciplines Embedded systems, mobile, network… Closes the gap between offense and defense May'16
  49. 49. 49 Context Information Security http://www.contextis.com AusCERT https://www.auscert.org.au IoT Security Wiki https://iotsecuritywiki.com May'16
  50. 50. QUESTIONS?
  51. 51. THANKS!
  • AhmedSakr104

    Sep. 20, 2019
  • MilanSen2

    Dec. 18, 2018
  • juliodellaflora

    Oct. 25, 2017
  • CemOnatK

    Aug. 7, 2017

Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices. Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure. Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service. The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.

Vistos

Vistos totais

1.621

No Slideshare

0

De incorporações

0

Número de incorporações

180

Ações

Baixados

57

Compartilhados

0

Comentários

0

Curtir

4

×