• Share
  • Email
  • Embed
  • Like
  • Save
  • Private Content
Pentesting embedded
 

Pentesting embedded

on

  • 1,245 views

 

Statistics

Views

Total Views
1,245
Views on SlideShare
754
Embed Views
491

Actions

Likes
0
Downloads
2
Comments
0

4 Embeds 491

http://www.antitree.com 485
http://antitree.com 3
http://106.187.47.155 2
http://3m2iticdotnrmfuu.onion 1

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment

    Pentesting embedded Pentesting embedded Presentation Transcript

    • Pentesting Embedded Introduction
    • ThesisEverything is insecureWe should hack insecure thingsWe should hack everything
    • Summary• Show why embedded security doesn’t exist• Attack vectors (real world and theoretical)• Mitigations• Tools used for identification of issues in a product
    • Embedded Security• The security features built into a device or circuit – i.e. Juke Box Remote controls, router circuit board, TV’s, mobile phones• AKA Hardware Hacking
    • Risk Risk = Threat x Exploitability x Cost• Threat: how likely the attack occurs based on its frequency in the “real” world• Exploitability: how likely is it that it will work• Cost: How much it’s going to hurt when it gets popped• The amount of security invested into an embedded device is directly influenced by risk• The lack of these attacks being exploited in the wild, and the skills required to exploit them, keep the risk level appearing low
    • Attackers Perspective• Theft-of-service – getting something for free• IP Theft – cloning and idea and remaking it (China)• Information disclosure – find the secrets hidden on a device• Spoofing – horizontal privilege escalation• DoS – causing un-servicable issues means loss of revenue
    • Attack Surface• Cases and enclosures – to prevent attackers from accessing internals• Circuit board• Firmware
    • External Interfaces Attacks• JTAG, USB, interfaces, Bluetooth, WIFI, RF*• Accessing debug/diag operation modes• Cut traces able to be repaired• Fuzzing the interface to deobfuscate the protocol• Sensitive information disclosure (encryption, server side info)• EMI emissions leak info
    • Mitigations• Diag/debug modes should be disabled at the circuit level• JTAG should be removed ideally from production else disabled• Protect against malformed communication• EMI shielding• Tamper protections
    • Mitigations: Tamper Protections• Tamper Resistant: difficult to access components – One-way screws, steel case, epoxy on Ics• Tamper Evident: If access happens, it is easily identifiable – Sealed cases, glues, tapes• Tamper Detection: the hardware knows when it’s been tainted – Pressure switches, temperature sensors, puncture detection• Tamper Response: the hardware reacts when tainted (like detection but with a counter-measure) – Flash memory, self destruct with explosive charge
    • Circuit Board Attacks• Reverse engineer components and gather information – PCB hooking – access traces and test points• Probe boards• Delid chips• Access memory: EEPROMS, RAM• Simple and Differential Power Analysis• EMI attacks• Clock/Timing attacks – muck with the clock to cause issues• Epoxy removal – dremel or chemical based• Use an X-ray to determine location of components
    • Mitigations• Remove ID’s from Ics (“black topping”)• Hide vias and test points when possible• Epoxy critical areas• Implement probe detection on unused pins• Add digital watermarks that uniquely ID your product• Noise generators to defend against power analysis
    • Cryptographic Attacks• No matter what algorithm or key size you use, a static key must be stored somewhere on the device. Find it• Algorithm mis-implementations are exploitable• Custom crypto means custom pwning• Side-channel attacks (power analysis, etc)
    • Firmware Attacks• Extracting the firmware is the first step to exploitation• Reversing the firmware usually means death• Bad programming flaws cause exploitation
    • Mitigations• Be a good programmer :)• Limit attack vectors - remove unnecessary components• Protect firmware from being easily extracted
    • Tools For Attack• Standard hardware hacking components – DMM, O-Scope, dremel, hobby knife, soldering iron, wire strippers, microscope, logic analyzer• Probe adapter: – emulation.com, advintcorp.com, ironwoodelectronics.com• RF Analysis – SDR like USRP,• USB: SnoopyPro, Facedancer, Bus Pirate• JTAG – GoodFET,
    • Insane Tools• Scanning electron microscope• Voltage contrast microscopy• Focused Ion Beam (FIB)
    • Attack In Practice• Passive Recon – learn about the device, manuals, data sheets• Active Recon – perform the initial inspection. – Can you see ICs? Components? Tamper protections?• Risk Assessment – determine threats, risky areas, loot to focus your time on. – Make sure your end goal is either an exploit or more information (skip time wasters)• Collect necessary tools for attack• Probe and interface: Connect to serial interfaces, hook vias or test points, use a probe board• Extract and reverse firmware or sensitive information
    • Defense In Practice• Make breaking into the device cost more than the value of the result• Built in vs Bolt On later (same old story)• Test your own security (at least the basics)• When in doubt, epoxy (but know that if you do this, you are dead to me)
    • No questionsI don’t know the answer