Pentesting embedded
  1. Pentesting Embedded: Introduction
  2. Thesis
     • Everything is insecure
     • We should hack insecure things
     • We should hack everything
  3. Summary
     • Show why embedded security doesn't exist
     • Attack vectors (real world and theoretical)
     • Mitigations
     • Tools used for identification of issues in a product
  4. Embedded Security
     • The security features built into a device or circuit – e.g. jukebox remote controls, router circuit boards, TVs, mobile phones
     • AKA hardware hacking
  5. Risk
     Risk = Threat x Exploitability x Cost
     • Threat: how likely the attack occurs, based on its frequency in the "real" world
     • Exploitability: how likely it is that it will work
     • Cost: how much it's going to hurt when it gets popped
     • The amount of security invested into an embedded device is directly influenced by risk
     • The lack of these attacks being exploited in the wild, and the skills required to exploit them, keep the risk level appearing low
  6. Attacker's Perspective
     • Theft of service – getting something for free
     • IP theft – cloning an idea and remaking it (China)
     • Information disclosure – find the secrets hidden on a device
     • Spoofing – horizontal privilege escalation
     • DoS – causing unserviceable issues means loss of revenue
  7. Attack Surface
     • Cases and enclosures – to prevent attackers from accessing internals
     • Circuit board
     • Firmware
  8. External Interface Attacks
     • JTAG, USB, interfaces, Bluetooth, Wi-Fi, RF*
     • Accessing debug/diag operation modes
     • Cut traces able to be repaired
     • Fuzzing the interface to deobfuscate the protocol
     • Sensitive information disclosure (encryption, server-side info)
     • EMI emissions leak info
  9. Mitigations
     • Diag/debug modes should be disabled at the circuit level
     • JTAG should ideally be removed from production, else disabled
     • Protect against malformed communication
     • EMI shielding
     • Tamper protections
  10. Mitigations: Tamper Protections
     • Tamper resistant: difficult to access components – one-way screws, steel case, epoxy on ICs
     • Tamper evident: if access happens, it is easily identifiable – sealed cases, glues, tapes
     • Tamper detection: the hardware knows when it's been tainted – pressure switches, temperature sensors, puncture detection
     • Tamper response: the hardware reacts when tainted (like detection but with a counter-measure) – flash memory, self-destruct with explosive charge
  11. Circuit Board Attacks
     • Reverse engineer components and gather information – PCB hooking: access traces and test points
     • Probe boards
     • Delid chips
     • Access memory: EEPROMs, RAM
     • Simple and differential power analysis
     • EMI attacks
     • Clock/timing attacks – muck with the clock to cause issues
     • Epoxy removal – Dremel or chemical based
     • Use an X-ray to determine location of components
  12. Mitigations
     • Remove IDs from ICs ("black topping")
     • Hide vias and test points when possible
     • Epoxy critical areas
     • Implement probe detection on unused pins
     • Add digital watermarks that uniquely ID your product
     • Noise generators to defend against power analysis
  13. Cryptographic Attacks
     • No matter what algorithm or key size you use, a static key must be stored somewhere on the device. Find it
     • Algorithm mis-implementations are exploitable
     • Custom crypto means custom pwning
     • Side-channel attacks (power analysis, etc.)
  14. Firmware Attacks
     • Extracting the firmware is the first step to exploitation
     • Reversing the firmware usually means death
     • Bad programming flaws cause exploitation
  15. Mitigations
     • Be a good programmer :)
     • Limit attack vectors – remove unnecessary components
     • Protect firmware from being easily extracted
  16. Tools For Attack
     • Standard hardware hacking components – DMM, oscilloscope, Dremel, hobby knife, soldering iron, wire strippers, microscope, logic analyzer
     • Probe adapters – emulation.com, advintcorp.com, ironwoodelectronics.com
     • RF analysis – SDR like USRP
     • USB: SnoopyPro, Facedancer, Bus Pirate
     • JTAG – GoodFET
  17. Insane Tools
     • Scanning electron microscope
     • Voltage contrast microscopy
     • Focused ion beam (FIB)
  18. Attack In Practice
     • Passive recon – learn about the device: manuals, data sheets
     • Active recon – perform the initial inspection. Can you see ICs? Components? Tamper protections?
     • Risk assessment – determine threats, risky areas, loot to focus your time on. Make sure your end goal is either an exploit or more information (skip time wasters)
     • Collect necessary tools for attack
     • Probe and interface: connect to serial interfaces, hook vias or test points, use a probe board
     • Extract and reverse firmware or sensitive information
  19. Defense In Practice
     • Make breaking into the device cost more than the value of the result
     • Built in vs. bolted on later (same old story)
     • Test your own security (at least the basics)
     • When in doubt, epoxy (but know that if you do this, you are dead to me)
  20. No questions? I don't know the answer
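Slide 8 lists interface fuzzing as an attack and slide 9 answers it with "protect against malformed communication". As an added example that is not part of the deck, here is a bounds-checked parser for a hypothetical serial diagnostic frame; the frame layout, constants and function names are assumptions constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical diag frame (constructed for this example):
 *   [SOF 0x7E][len][cmd][payload, len-1 bytes][xor of len, cmd and payload]   */
#define FRAME_SOF      0x7E
#define MAX_PAYLOAD    16
#define FRAME_OVERHEAD 3      /* SOF + len + checksum */

typedef struct {
    uint8_t cmd;
    uint8_t payload[MAX_PAYLOAD];
    size_t  payload_len;
} diag_frame_t;

typedef enum { FRAME_OK, FRAME_ERR_SHORT, FRAME_ERR_SOF, FRAME_ERR_LEN, FRAME_ERR_CRC } frame_status_t;

/* The length byte comes off the wire: it is checked against the bytes actually received
 * and against the fixed-size destination before anything is copied. A parser that trusts
 * it is exactly what interface fuzzing finds. */
frame_status_t parse_diag_frame(const uint8_t *buf, size_t buf_len, diag_frame_t *out)
{
    if (buf_len < FRAME_OVERHEAD) return FRAME_ERR_SHORT;
    if (buf[0] != FRAME_SOF) return FRAME_ERR_SOF;
    uint8_t len = buf[1];
    if (len < 1 || (size_t)len - 1 > MAX_PAYLOAD || (size_t)len + FRAME_OVERHEAD > buf_len)
        return FRAME_ERR_LEN;
    uint8_t sum = len;
    for (size_t i = 0; i < len; i++) sum ^= buf[2 + i];   /* cmd + payload */
    if (sum != buf[2 + len]) return FRAME_ERR_CRC;
    out->cmd = buf[2];
    out->payload_len = (size_t)len - 1;
    memcpy(out->payload, &buf[3], out->payload_len);
    return FRAME_OK;
}

/* Encoder used by the self-test; returns bytes written, or 0 if the frame would not fit. */
size_t build_diag_frame(uint8_t cmd, const uint8_t *payload, size_t payload_len,
                        uint8_t *buf, size_t buf_len)
{
    if (payload_len > MAX_PAYLOAD || buf_len < payload_len + 1 + FRAME_OVERHEAD) return 0;
    uint8_t len = (uint8_t)(payload_len + 1), sum = (uint8_t)(len ^ cmd);
    buf[0] = FRAME_SOF; buf[1] = len; buf[2] = cmd;
    for (size_t i = 0; i < payload_len; i++) { buf[3 + i] = payload[i]; sum ^= payload[i]; }
    buf[3 + payload_len] = sum;
    return payload_len + 1 + FRAME_OVERHEAD;
}
```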
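Slides 14, 15 and 19 say that extracting the firmware is the first step, that firmware should be protected from easy extraction, and that you should test your own security. An added example, not from the deck: a per-block entropy scan of a flash image, the basic check that tells you whether a dump would hand over plaintext code and strings. The sample image and function names are constructed for this illustration, and log2 is implemented inline so the block builds without libm.

```c
#include <stddef.h>
#include <stdint.h>
#define BLOCK_SIZE 512
#define IMG_SIZE   (4 * BLOCK_SIZE)

/* log2(x) for 0 < x <= 1 without libm: integer part by doubling, fraction by squaring. */
static double log2_unit(double x)
{
    double r = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; r -= 1.0; }
    for (int i = 0; i < 24; i++, bit /= 2.0) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
    }
    return r;
}

/* Shannon entropy of one block in bits per byte (0.0 .. 8.0). */
double block_entropy(const uint8_t *blk, size_t n)
{
    size_t hist[256] = {0};
    double h = 0.0;
    for (size_t i = 0; i < n; i++) hist[blk[i]]++;
    for (int b = 0; b < 256; b++)
        if (hist[b]) { double p = (double)hist[b] / (double)n; h -= p * log2_unit(p); }
    return h;
}

/* Blocks under the threshold hold plaintext code, strings or config that reads straight out of a dump;
 * encrypted or compressed regions sit near 8.0, plain code and text well below 7. */
size_t count_low_entropy_blocks(const uint8_t *img, size_t len, double threshold)
{
    size_t low = 0;
    for (size_t off = 0; off < len; off += BLOCK_SIZE) {
        size_t n = (len - off < BLOCK_SIZE) ? len - off : BLOCK_SIZE;
        if (block_entropy(img + off, n) < threshold) low++;
    }
    return low;
}

/* Constructed sample image: two blocks of a repeated ASCII banner, then two blocks from a
 * xorshift32 PRNG standing in for an encrypted region. */
static uint8_t sample_img[IMG_SIZE];
const uint8_t *make_sample_image(void)
{
    const char banner[] = "DIAG MODE 1.0 - admin console\r\n";   /* 31 chars */
    uint32_t x = 0x2545F491u;
    for (size_t i = 0; i < IMG_SIZE; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        sample_img[i] = (i < IMG_SIZE / 2) ? (uint8_t)banner[i % 31] : (uint8_t)(x & 0xFF);
    }
    return sample_img;
}
```

On a real dump, a run of low-entropy blocks marks the regions a reverse engineer starts with; a whole image near 8.0 is either encrypted or compressed, and the latter still decompresses offline.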