Making and breaking security in embedded devices


Slide 0

Making and breaking security in embedded devices
Yashin Mehaboobe, SDR Engineer, Bastille Networks

Slide 1

#whoami
- Security enthusiast
- SDR Engineer @ Bastille Networks
- Hardware tinkerer
- Speaker: C0C0n 2013, Nullcon V, HITB Amsterdam and Kaspersky Cyberconference
- Organiser, Defcon Kerala
- twitter.com/YashinMehaboobe
- github.com/sp3ctr3
- http://www.linkedin.com/pub/yashin-mehaboobe/38/a2/367

Slide 2

Why embedded?
- Large numbers
- Critical infrastructure is dependent on embedded devices
- Network devices (both enterprise and SOHO)
- Even if it's not critical:
  - Botnet fodder
  - Pivoting
  - Storage for the bad guys
- On the internet and unsecured (mostly)

Slide 3

But.....why?!
- REPRODUCTION:
  - Understand how the product works by reverse engineering it
  - Build a similar product
  - $$$$$Profit$$$$$$$$
- FREE STUFF!:
  - Bypass restrictions
  - Get premium services
- UNLOCKING FEATURES:
  - Ex: install dd-wrt
  - Don't have to pay extra

Slide 4

But.....why?!
- ACCESS TO OTHERWISE SECURE NETWORKS
- No one expects the embedded inquisition!
- SOHO/enterprise routers are not audited most of the time
- No one checks the firmware

Slide 5

TOOLS OF THE TRADE
Choose your weapons!

Slide 7

A word about equipment
- Good equipment = $$$$
- Use open source equipment such as the Bus Pirate, HackRF, OpenBench etc.
- Commercial tools work better in most cases and would be a good investment
- Have at least one of each of the separate categories of tools:
  - Logic analyzer
  - RF spectrum analyzer
  - Oscilloscope
  - JTAG debugger
  - Etc.

Slide 8

LOGIC ANALYZERS
- Monitor communication
- Decode protocols
- Replay (in some cases)
- Cheap ($44 to $500++)
- Open source ones: Open Bench, Bus Pirate

Slide 10

RF analysis tools
- For scanning the RF frequencies
- Recognizing signals
- Storing and replay
- SDRs are your friends!
- Examples: RFExplorer, RTL-SDR, HackRF/BladeRF/USRP

Slide 11

Oscilloscope
- Digital/analog
- Useful for noting timing
- Can also help in recognizing the communication protocol
- Very much needed

Slide 12

Debug Ports

Slide 13

Debug ports FTW
- Ports set up to allow developer/engineer access during testing/repairing
- Loved by hackers because of the access they provide
- Different types: JTAG, Serial, LPC (Xbox/TPM)
- Allow access to boot messages
- Allow you to log in without authentication
- Sometimes you can even access bash

Slide 14

Debug port identification
- Identify the ports
- Connect the debugger/communication device
- Profit!
- The first step is the most complex
- Methodology varies from protocol to protocol
- The number of points is a good indication

Slide 15

Identifying serial ports
- Serial has 4 lines: Vcc, Ground, Rx, Tx
- Identify the ground pin with a multimeter continuity test
- Find Vcc by powering up and checking Vcc + ground with the multimeter
- Tx will be the pin with high activity
- Rx will be the other
- Identify the baud rate by trial and error
- JTAGulator has support for serial
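The "trial and error" baud-rate step is usually scripted: read a few hundred bytes at each standard rate and keep the one whose output looks like text rather than framing noise. The following is an added example (not from the talk) of that scoring heuristic. The byte samples are constructed stand-ins for what each rate would return; `read_sample` shows how they would be gathered from real hardware and assumes the pyserial package.

```python
"""Heuristic baud-rate identification for a UART debug port (added example).

Constructed samples stand in for what pyserial would return at each rate;
the scoring logic is the part worth reusing.
"""
import string
from typing import Dict, Optional

CANDIDATE_BAUDS = (9600, 19200, 38400, 57600, 115200)
PRINTABLE = set(string.printable.encode())


def readability_score(sample: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace.

    At the wrong baud rate the UART mis-frames every byte, so the data looks
    like noise (lots of 0x00/0xFF and high-bit values) and scores near 0.
    """
    if not sample:
        return 0.0
    good = sum(1 for b in sample if b in PRINTABLE)
    return good / len(sample)


def pick_baud(samples: Dict[int, bytes], threshold: float = 0.9) -> Optional[int]:
    """Return the baud rate whose sample reads best, or None if none is plausible."""
    best_rate, best_score = None, 0.0
    for rate, sample in samples.items():
        score = readability_score(sample)
        if score > best_score:
            best_rate, best_score = rate, score
    return best_rate if best_score >= threshold else None


def read_sample(port: str, baud: int, nbytes: int = 256) -> bytes:
    """How the samples are gathered on real hardware (assumes pyserial)."""
    import serial  # assumption: pyserial is installed; not needed for the demo below
    with serial.Serial(port, baud, timeout=2) as s:
        return s.read(nbytes)


# Constructed samples: only the 115200 one is shaped like a real boot log.
SAMPLES = {
    9600: b"\xfe\x00\xff\x80\xfc\x00\xf8\xfe\x00\x80\xff\xfe",
    38400: b"\x00\xf0\xe0\x00\xff\x1c\x80\x00\xff\xc0\x00\xf8",
    115200: b"U-Boot 1.1.4 (constructed sample)\r\nDRAM:  32 MB\r\nFlash:  4 MB\r\n",
}

if __name__ == "__main__":
    # On hardware: SAMPLES = {b: read_sample("/dev/ttyUSB0", b) for b in CANDIDATE_BAUDS}
    print("best guess:", pick_baud(SAMPLES))
```

The threshold matters: a rate that is merely close (e.g. 57600 against a 115200 source) can still produce occasional printable bytes, so demanding a high printable fraction avoids locking onto a near miss.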

Slide 16

JTAG ports
- Joint Test Action Group
- Used for debugging, updating firmware etc.
- Running homebrew on Xbox
- Dumping firmware
- Use JTAGulator for finding JTAG ports
- OpenOCD has support for a large number of JTAG debuggers

Slide 17

Defending against debug port attacks
- Disable unneeded ports
- Use authentication for the debug ports
- Shell access should not be given without authentication
- Unfortunately these defenses may not be practical in some cases

Slide 18

Electronic bus attacks

Slide 19

SPI, UART and I2C
- SPI, UART and I2C are some of the most commonly used protocols in embedded devices
- There is no authentication or authorization
- It is trivial to sniff traffic
- Replay attacks are very easy
- The Bus Pirate would be a good tool:
  - The hardware hacker's Swiss army knife
  - Developed by Dangerous Prototypes

Slide 20

Radio communication

Slide 21

Sniffing radio signals
- Used to be hard and expensive
- With the arrival of SDRs the situation changed
- Now you can RX and TX with hardware ranging from a $20 RTL-SDR to $1000 devices
- Most signals aren't encrypted
- Some rely on FHSS (not a good idea)

Slide 22

Tools used
- For most radio communication attacks an SDR would suffice
- Mainly because they can TX and RX in a wide range of frequencies
- Some examples are USRP B210, HackRF, BladeRF, RTL-SDR
- You can also use RFCat (CC1111-based attack toolkit)
- Ubertooth One can be used for Bluetooth sniffing
- OR sniff the buses of the transmitter

Slide 23

RF attacks
- Jamming
  - Basically DoS at the RF level
  - Decreases SNR
  - Techniques differ
  - Some even disrupt handshakes
- Replay
  - Capture signal
  - Store it
  - Replay at some other time

Slide 24

Defenses against RF attacks
- FHSS is effective against jamming
- Use of encryption will defeat most sniffing attacks
- Encryption is built into most transmitters
- Unfortunately it is not used as much as it should be
- A rolling code system is a good defense against replay attacks
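Why a rolling code defeats the capture-and-replay attack from the previous slide: each frame carries a counter that the receiver only ever accepts once, and a MAC binds the counter to the command so it cannot be edited. The following receiver-side model is an added example (not from the talk, and not any specific vendor's scheme); the shared key, frame layout and resync window are constructed for illustration.

```python
"""Counter-based rolling code with a MAC (added example, not from the talk).

Shows the receiver logic that makes a recorded frame useless when replayed:
the MAC must verify and the counter must be newer than the last accepted one.
"""
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo key; in a real product this is provisioned at pairing time.
SHARED_KEY = b"constructed-demo-key-not-for-production"
FRAME_LEN = 4 + 1 + 8  # counter (u32) || command (u8) || truncated HMAC (8 bytes)


def make_frame(key: bytes, counter: int, command: int) -> bytes:
    """Transmitter side: authenticate counter and command together."""
    body = struct.pack(">IB", counter, command)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


class Receiver:
    """Accepts a frame only if the MAC checks and the counter moves forward.

    `window` allows for button presses made out of range (lost frames)
    without letting an attacker jump the counter arbitrarily far ahead.
    """

    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.window = window
        self.last_counter = -1

    def accept(self, frame: bytes) -> Optional[int]:
        if len(frame) != FRAME_LEN:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # forged, tampered or corrupted
        counter, command = struct.unpack(">IB", body)
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return None  # replayed (old counter) or implausibly far ahead
        self.last_counter = counter
        return command


def demo():
    """Legit frame, the same frame replayed, then the next legit frame."""
    rx = Receiver(SHARED_KEY)
    f1 = make_frame(SHARED_KEY, 1, 0x01)  # command 0x01 = "unlock" in this demo
    f2 = make_frame(SHARED_KEY, 2, 0x01)
    first = rx.accept(f1)    # accepted -> 1
    replay = rx.accept(f1)   # rejected -> None (counter 1 already used)
    second = rx.accept(f2)   # accepted -> 1
    return first, replay, second


if __name__ == "__main__":
    print(demo())
```

A fixed-code transmitter has no counter, so the same recorded frame verifies every time; the counter check above is the whole difference. The window also needs care in the other direction: if it is too large, an attacker who captured a frame can keep it valid for longer, so keep it just wide enough to cover realistic desynchronisation.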

Slide 25

Flash memory forensics

Slide 26

Flash memory
- Nonvolatile
- Used to store data
- Firmware is usually stored in flash memory
- Usually uses SPI for communication
- Usually does not have any protection

Slide 27

Extracting data from flash memory
- In circuit:
  - Don't remove the chip
  - Use a chip programmer or Bus Pirate to read the data
- Desoldering:
  - The chip is removed by desoldering it
  - It is then accessed using a chip programmer to get the data
- Firmware can be extracted in this manner

Slide 28

Defenses against flash memory forensics
- OTP memory protection bits
  - Don't allow modification of the flash memory
  - Only useful against modification attacks
- Encryption
  - Storing the firmware/data encrypted would defeat memory forensics
- Also, don't store confidential info on the chip

Slide 29

Firmware/Code Analysis

Slide 30

(In)Security
- Code is outdated in most devices
- Routers are the worst transgressors
- Most are internet facing
- They have more vulns than a CTF challenge
- The code is available for us to check and find vulns

Slide 31

Firmware
- Almost always Linux
- Bootloader is usually U-Boot
- Serial output usually gives you hints about the device
- Some may be obfuscated
- Can be obtained by either:
  - JTAG dump
  - Flash dump via serial
  - Flash dump via chip desoldering
  - From the company website

Slide 32

Analysing firmware
- Usually various sections wrapped into one bin file
- You can use dd to separate them
- The best option is to use binwalk
- Binwalk is a tool by Craig (of the devttys0 blog, a great resource for hw reversing)
- Automatically analyzes and extracts firmware files
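What binwalk does at its core, and what the `dd` approach does by hand, is find known signatures in the blob and cut at their offsets. The following is an added example (not binwalk's code and not from the talk) that scans a firmware image for a few public magics, decodes the U-Boot legacy uImage header mentioned on the previous slide and verifies its header and data CRCs, then carves each region the way `dd skip=... count=...` would. The firmware blob, kernel payload and image name are constructed inline.

```python
"""Minimal firmware carving in the spirit of binwalk and dd (added example).

Scans for well-known signatures, parses a U-Boot legacy uImage header
(64 bytes, big-endian) with CRC checks, and slices out each region.
"""
import gzip
import struct
import zlib
from typing import List, Tuple

# Public magic bytes of a few formats routinely found in router firmware.
SIGNATURES = {
    b"\x27\x05\x19\x56": "U-Boot legacy uImage header",
    b"\x1f\x8b\x08": "gzip compressed data",
    b"hsqs": "SquashFS filesystem (little-endian)",
    b"sqsh": "SquashFS filesystem (big-endian)",
}

# magic, hcrc, time, size, load, ep, dcrc, os, arch, type, comp, name[32]
UIMAGE_FMT = ">7I4B32s"
UIMAGE_LEN = struct.calcsize(UIMAGE_FMT)  # 64
UIMAGE_MAGIC = 0x27051956


def scan(blob: bytes) -> List[Tuple[int, str]]:
    """Return (offset, description) for every signature hit, sorted by offset."""
    hits = []
    for magic, desc in SIGNATURES.items():
        start = 0
        while (i := blob.find(magic, start)) != -1:
            hits.append((i, desc))
            start = i + 1
    return sorted(hits)


def parse_uimage(blob: bytes, off: int) -> dict:
    """Decode the uImage header at `off` and check both CRCs.

    The header CRC is computed over the header with the hcrc field zeroed;
    the data CRC covers exactly `size` bytes following the header.
    """
    fields = struct.unpack_from(UIMAGE_FMT, blob, off)
    magic, hcrc, _time, size, load, ep, dcrc = fields[:7]
    hdr = bytearray(blob[off:off + UIMAGE_LEN])
    hdr[4:8] = b"\x00\x00\x00\x00"
    data = blob[off + UIMAGE_LEN:off + UIMAGE_LEN + size]
    return {
        "magic_ok": magic == UIMAGE_MAGIC,
        "name": fields[11].rstrip(b"\x00").decode(errors="replace"),
        "size": size,
        "load": load,
        "entry": ep,
        "header_crc_ok": (zlib.crc32(bytes(hdr)) & 0xFFFFFFFF) == hcrc,
        "data_crc_ok": (zlib.crc32(data) & 0xFFFFFFFF) == dcrc,
    }


def carve(blob: bytes, hits: List[Tuple[int, str]]) -> List[Tuple[str, bytes]]:
    """Slice from each hit to the next one (what dd skip/count does by hand)."""
    out = []
    for n, (off, desc) in enumerate(hits):
        end = hits[n + 1][0] if n + 1 < len(hits) else len(blob)
        out.append((desc, blob[off:end]))
    return out


def build_uimage(payload: bytes, name: bytes = b"constructed kernel") -> bytes:
    """Wrap `payload` in a valid uImage (helper for the constructed sample).

    os=5 (Linux), arch=5 (MIPS), type=2 (kernel), comp=1 (gzip).
    """
    dcrc = zlib.crc32(payload) & 0xFFFFFFFF
    hdr = struct.pack(UIMAGE_FMT, UIMAGE_MAGIC, 0, 0, len(payload),
                      0x80000000, 0x80000000, dcrc, 5, 5, 2, 1,
                      name.ljust(32, b"\x00"))
    hcrc = zlib.crc32(hdr) & 0xFFFFFFFF
    return hdr[:4] + struct.pack(">I", hcrc) + hdr[8:] + payload


# Constructed firmware blob: bootloader padding, uImage with gzip payload,
# then the start of a SquashFS-like region.
KERNEL_PLAIN = b"constructed kernel payload " * 8
KERNEL_GZ = gzip.compress(KERNEL_PLAIN, mtime=0)
FIRMWARE = b"\xff" * 64 + build_uimage(KERNEL_GZ) + b"hsqs" + b"\x00" * 60


def recovered_payload(blob: bytes) -> bytes:
    """Full pipeline: scan, carve, and decompress the carved gzip region."""
    regions = carve(blob, scan(blob))
    gz = next(data for desc, data in regions if desc.startswith("gzip"))
    return gzip.decompress(gz)


if __name__ == "__main__":
    for off, desc in scan(FIRMWARE):
        print(f"0x{off:08x}  {desc}")
    print(parse_uimage(FIRMWARE, 64))
    print(recovered_payload(FIRMWARE)[:27])
```

Two things the toy version shares with the real tools: a signature hit is only a candidate (a 3-byte gzip magic will also appear inside random-looking compressed data), so validating structure such as the uImage CRCs is what separates a real section from a false positive; and the carve boundary is the next hit, not a declared length, which is why binwalk's extraction can over-capture trailing padding.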

Slide 34

Defenses
- Review your code!
- Obfuscate your firmware
- Review your code again!

Slide 35

Invasive attacks

Slide 36

Invasion of chips
- Pretty easy to notice
- Chips will be desoldered and/or destroyed in the process
- Processors are mapped using microscopes
- Very complicated attacks
- Usually done for replication of chips

Slide 37

Resources
Stuff that helped me and may help you

Slide 38

Blogs
- http://www.devttys0.com/
- http://www.bunniestudios.com/
- http://travisgoodspeed.blogspot.com
- http://www.grandideastudio.com/

Slide 39

Thanks! Questions?