Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber
Transcript of "Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber"

Slide 1: Physical (In)security
Inbar Raz
Malware & Security Manager
Check Point Software Technologies
©2013 Check Point Software Technologies Ltd.

Slide 2: Types of Vulnerability Disclosures
 Responsible Disclosure:
  – Contact the vendor only and inform them of the vulnerability
  – If asked, work with the vendor
  – After 3-6 months, proceed to Full Disclosure
 Full Disclosure:
  – Publish all information, including POC
  – Sometimes only a video of the POC

Slide 3: Disclosure #1
 Vendor: An Online Movie Ticket Service
 Field: Online shopping and entertainment
 Affected Product: On-site Ticket Kiosk
 Vulnerability: Multiple vulnerabilities cause the compromise of both customer and company data

Slide 4: Disclosure Details
 On-site Kiosk
 Touch Screen
 Credit Card Reader
 Ticket Printer
 No peripherals, no interfaces
 And the journey begins…

Slide 5: Disclosure Details
 Improper interface settings allow the opening of menu options.
 Menus can be used to browse for a new printer.

Slide 6: Disclosure Details
 A limited browser is not restricted enough.
 A right-click can be used…
 To open a full, unlimited Windows Explorer. Now the sky is the limit…

Slide 7: Disclosure Details
 Browsing through the file system reveals indicative directory names…
 And even more indicative file names.

Slide 8: Disclosure Details
 Bingo: Credit Card Data (Unencrypted!) Tools of the trade: Notepad
 We can use the ticket printer to take it home

Slide 9: Disclosure Details
 But that’s not all: RSA Keys and Certificates are also found on the drive!
 Which we can print, take home and then use free OCR software to read…

Slide 10: Disclosure Details
 The result: RSA Keys used to bill credit cards.
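An added audit example (not from the talk) for the findings on slides 8-10: a pre-deployment scan that flags plaintext card numbers (Luhn-checked, reported masked) and PEM private keys in files. The file paths and contents are constructed sample data, not anything from the kiosk.

```python
import re

# Constructed sample files standing in for a kiosk drive (not real data): a
# plaintext transaction log and a PEM key, the kind of files slides 8-10 describe.
SAMPLE_FILES = {
    "kiosk/trans/2013-03-01.log": (
        "TXN A1 4111111111111111 09/15 APPROVED\n"     # Luhn-valid test PAN
        "TXN A2 4111-1111-1111-1111 09/15 APPROVED\n"  # same PAN, grouped
        "TXN A3 1234567890123456 01/14 DECLINED\n"     # 16 digits, fails Luhn
        "ORDER 20130301123456789 seats 4\n"            # 17 digits, fails Luhn
    ),
    "kiosk/keys/billing.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n<placeholder base64>\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    "kiosk/readme.txt": "Nothing sensitive here.\n",
}

# 13-19 contiguous digits, or four groups of four with one consistent separator.
PAN_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}([ -])\d{4}\1\d{4}\1\d{4})(?!\d)")
KEY_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")

def luhn_ok(digits: str) -> bool:
    """Luhn check: every real PAN passes, most other digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Report only the first six and last four digits, never the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_files(files: dict) -> list:
    """Return (path, kind, detail) findings for plaintext PANs and private keys."""
    findings = []
    for path, text in files.items():
        for m in PAN_RE.finditer(text):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((path, "pan", mask(digits)))
        if KEY_RE.search(text):
            findings.append((path, "private-key", "PEM private key block"))
    return findings
```

Call `scan_files(SAMPLE_FILES)` to run it over the constructed sample; a real scan would walk the drive and also use issuer (IIN) prefix tables to cut false positives on long numeric runs.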
Slide 11: Disclosure #2
 Vendor: Point-of-Sale Manufacturer and Users
 Field: Network Security
 Vulnerability: Improper physical security allows access to insecure PoS devices after hours.

Slide 12: Disclosure Details
 Point-Of-Sale devices are all around you.

Slide 13: Disclosure Details
 Location: A bar in Tel-Aviv
 During working hours – tables, chairs and PoS outside
 After hours – everything is locked inside the facility
 But the Ethernet port remains hot – in public space…

Slide 14: Attack Vector
 In the past – play hacker/script kiddie with BackTrack.
 Today: Fire up Wireshark, discover IPs of live machines.

Slide 15: Attack Vector
 In the past – play hacker/script kiddie with BackTrack.
 Today: Fire up Wireshark, discover IPs of live machines.
 Detected IP addresses:
  – 192.168.0.1
  – 192.168.0.2
  – 192.168.0.4
  – 192.168.0.250
  – 192.168.0.254
 Confirm by ping (individual and broadcast)

Slide 16: Attack Vector
 Evidence of SMB (plus prior knowledge) led to the next step:
 And the response:
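An added detection example (not from the talk) for the hot patio port of slides 13-16: flag link-up events on the public-facing switch port outside opening hours, which is exactly when the slides describe someone plugging in. The syslog lines, the port names and the opening hours are assumptions; the format imitates Cisco IOS link messages.

```python
import re
from datetime import datetime, time

# Constructed switch syslog lines in Cisco IOS style (not from the talk). Gi0/7 is
# assumed to be the port that feeds the patio; Gi0/12 is an inside port.
SAMPLE_SYSLOG = """\
Mar  1 17:02:11 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
Mar  2 01:30:44 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to down
Mar  2 03:47:09 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/7, changed state to up
Mar  2 03:47:10 sw1 %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/7, changed state to up
Mar  2 03:50:21 sw1 %LINK-3-UPDOWN: Interface GigabitEthernet0/12, changed state to up
"""

PUBLIC_PORTS = {"GigabitEthernet0/7"}   # assumed: ports reachable from public space
OPEN, CLOSE = time(10, 0), time(2, 0)   # assumed opening hours; window spans midnight

LINK_UP_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ %LINK-3-UPDOWN: "
    r"Interface (\S+), changed state to up$"
)

def is_open(t: time) -> bool:
    """True during opening hours, including windows that cross midnight."""
    if OPEN <= CLOSE:
        return OPEN <= t < CLOSE
    return t >= OPEN or t < CLOSE

def after_hours_link_ups(syslog: str, year: int = 2013) -> list:
    """Return (timestamp, interface) for link-ups on public ports outside opening hours."""
    hits = []
    for line in syslog.splitlines():
        m = LINK_UP_RE.match(line)
        if not m or m.group(2) not in PUBLIC_PORTS:
            continue
        # syslog stamps carry no year; the caller supplies it
        when = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if not is_open(when.time()):
            hits.append((when.isoformat(sep=" "), m.group(2)))
    return hits
```

The simpler mitigation the slides imply is to not leave the port hot at all: shut it down outside opening hours or require 802.1X on it, and keep this check as a backstop for when that fails.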
Slide 17: Things to do with an open share
 #1: Look around
[Restricted] ONLY for designated groups and individuals

Slide 18: Things to do with an open share
 #1: Look around
 #2: Create a file list

Slide 19: The mystery of 192.168.0.250
 Answers a ping, but no SMB.
 First guess: the ADSL Modem.
 Try to access the Web-UI:

Slide 20: The mystery of 192.168.0.250
 Use the full URL:

Slide 21: Going for the ADSL router
 Reminder: We actually had this information.

Slide 22: Going for the ADSL router
 Naturally, there is access control:
 Want to guess?

Slide 23: Unlocked Achievements
 Best for me, worst for them: Credit card data.
 Database files (yet to be analyzed).
 The program files of the billing system.
 Potential attack through the internet.

Slide 24: Next Steps
 Create a Responsible Disclosure document for the PoS manufacturer
 Send an Advisory to businesses

Slide 25: IMPORTANT NOTICE
 The bar operation was with full cooperation and consent.
 DOING THIS ON YOUR OWN IS ILLEGAL.