Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Csw2016 julien moinard-hardsploit

1,915 views

Published on

CanSecWest2016

Published in: Internet
  • Be the first to comment

Csw2016 julien moinard-hardsploit

  1. 1. HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester
  2. 2. Who am I ? •  Julien Moinard -  Electronic engineer @opale-security (French company) -  Security consultant, Hardware & SoDware pentester -  Team project leader of Hardsploit -  DIY enthusiast 16/03/2016 2
  3. 3. Opale Security in 1 slide 16/03/2016 3
  4. 4. Internet of Things & Privacy concern ? •  Any IoT object could reveal informa@on about individuals •  Wearable Technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded and so on •  Quan@fied Self: pedometers, sleep monitors, and so on •  Home Automa@on: connected households using smart fridges, smart ligh<ng and smart security systems, and so on •  … 16/03/2016 4
  5. 5. Internet of Things & Privacy concern ? •  Last news : (you can update this slide every week L) Firmware can be read without any problem (SPI memory) VTech was hacked in November, exposing millions of accounts. In response, the firm took some essen<al services offline, meaning products could not be registered on Christmas Day. 16/03/2016 5
  6. 6. Iot Eco-system (20000 feet view) •  Privacy Risk level : Where? HF communica<on (ISM Band) + Wifi + 3G-5G , Bluetooth, Sigfox, Lora etc.. Classical wired connec<ons Central servers, User Interface, API, Backoffice etc. IoT devices 16/03/2016 6
  7. 7. SOFTWARE To secure it: •  Security products (Firewall, An<virus, IDS,…) •  Security services (Pentest, Audit, …) •  Tools (Uncountable number of them) HARDWARE To secure it: •  Few or unimplemented solu<ons (Encryp<on with key in a secure area, an<-replay mechanisms, readout protec<on, …) Security speaking, hardware is the new soDware ? 16/03/2016 7
  8. 8. •  1/ Open it •  2/ Fingerprint all the component if you can else automa@c brute forcing •  3/ Use those that may contain data (Online / Offline analysis ?) •  4/ Perform read | write opera@on on them •  5/ Reverse engineering, find vulnerabili<es and exploit them Hardsploit & hardware hacking basic procedure 16/03/2016 8
  9. 9. Global Purpose 16/03/2016 9
  10. 10. Why ? •  Because chips contain interes<ng / private data •  Passwords •  File systems •  Firmware •  … 16/03/2016 10
  11. 11. How ? •  A hardware pentester need to know electronic buses and he need to be able to interact with them 1-Wire JTAG / SWD UART CAN PARALLEL Custom 16/03/2016 11
  12. 12. Hardsploit framework Same hardware but a sofware update is needed to add a new protocols Hardsploit IoT target Input / Output database Module (SWD, SMBus, I2C, SPI, etc..) 16/03/2016 12
  13. 13. Hardsploit bus indenSficaSon & scanner (in progress, not published yet) Hardsploit IoT target Input / Output Database of pagerns Database of components Module (I2C, SPI, etc..) IO hardware mixer Scanner 16/03/2016 13
  14. 14. Tool of trade FUNCTIONALITIES BUSPIRATE JTAGULATOR GOODFET HARDSPLOIT UART Bus iden<fica<on SPI PARALLEL I2C JTAG / SWD Bus iden<fica<on MODULARITY Microcontroller Microcontroller Microcontroller uC / FPGA EASE OF USE Cmd line + datasheet Command line Command line Official GUI / API / DB I/O NUMBER < 10 24 < 14 64 (plus power) WIRING TEXT (but MOSI = SDA J) TEXT / AUTOMATIC iden<fica<on TEXT LED / TEXT/ AUTOMATIC iden<fica<on 16/03/2016 14
  15. 15. Hardsploit: CommunicaSon 16/03/2016 15
  16. 16. Prototype making •  Applying soldering paste (low budget style) 16/03/2016 16
  17. 17. Prototype making •  Manual reflow oven (DIY style) 16/03/2016 17
  18. 18. Prototype V0.1 aka The Green Goblin J 16/03/2016 18
  19. 19. Prototype making (with a budget) •  The rebirth 16/03/2016 19
  20. 20. The board – Final version •  64 I/O channels •  ESD Protec<on •  Target voltage: 3.3 & 5V •  Use a Cyclone II FPGA •  USB 2.0 •  20cm x 9cm 16/03/2016 20
  21. 21. Hardsploit organizaSon 16/03/2016 21
  22. 22. Chip management •  Search •  Create •  Modify •  Interact 16/03/2016 22
  23. 23. Wiring helper Datasheet representa<on Hardsploit Wiring module representa<on GUI <–> Board interac<on 16/03/2016 23
  24. 24. Se[ngs 16/03/2016 24
  25. 25. Command editor 16/03/2016 25
  26. 26. What are available on github (Open) ? •  Microcontroller (c) •  API (ruby) •  GUI (ruby) •  Create your own Hardsploit module : VHDL & API (ruby) 16/03/2016 26
  27. 27. Already available (github) Parallel non mul<plexed memory dump •  32 bits for address •  8/16 bits for data Helping wiring I2C 100Khz 400Khz and 1 Mhz •  Addresses scan •  Read, write, automa<c full and par<al dump SPI mode 0,1,2,3 up to 25 Mhz •  Read, write, automa<c full and par<al dump SWD interface (like JTAG but for ARM core) •  Dump and write firmware of most ARM CPU GPIO interact / bitbanging (API only for the moment) •  Low speed < 500Hz read & write opera<ons on 64 bits 16/03/2016 27
  28. 28. More to come (see online roadmap)… •  Automa<c bus inden<fica<on & Scanner (@30%) •  Component & commands sharing platorm (@90%) •  TTL UART Module with automa<c detec<on speed (@80%) •  Parallel communica<on with mul<plexed memory •  I2C sniffing (shot of 4000 bytes up to 1 Mhz) •  SPI sniffing (shot of 8000 / 4000 byte half / full up to 25Mhz) •  RF Wireless transmission training plateform (Nordic NRF24, 433Mhz, 868Mhz transcievers) •  Metasploit integra<on (module) ?? •  JTAG •  1 Wire •  CanBUS (with hardware level adapter) •  … 16/03/2016 28
  29. 29. Concrete case •  An electronic lock system •  4 characters pin code A – B – C – D •  Good combinaison – Door opens, green L.E.D turn on •  Wrong combinaison – Door closes, red L.E.D turn on 16/03/2016 29
  30. 30. Concrete case: Open it 16/03/2016 30
  31. 31. Concrete case: Fingerprint I2C MEMORIES 24LC64 STM32F103RBT6 SPI MEMORY 25LC08 16/03/2016 31
  32. 32. Concrete case: Online / Offline analysis ? 16/03/2016 32
  33. 33. Concrete case: hardsploit scenario 1.  Open Hardsploit to create the component (if not exist) 2.  Connect the component to Hardsploit (wiring helping) 3.  Enter and save the component seungs (if not exist) 4.  Dump the content of the memories (1 click) 5.  Change the door password by using commands (few clicks) 6.  Try the new password on the lock system (enjoy) 16/03/2016 33
  34. 34. Concrete case: Read | Write operaSon, I2C, SPI, SWD … •  Time for a live demo ? 16/03/2016 34
  35. 35. Parallel bus memory 16/03/2016 35
  36. 36. Concrete case: Fingerprint 16/03/2016 36
  37. 37. Concrete case: Offline analysis 16/03/2016 37
  38. 38. Concrete case: Ready to dump the content 16/03/2016 38
  39. 39. Conclusion •  IoT Device are (also) prone to vulnerabili<es help you to find them •  Security policy need to be adpated, nowadays, it is not so difficult to extract data on IoT •  Designers need to design with security in mind •  Skills related to pentest a hardware device is mandatory for Security Experts (but training exist) •  Industry need to take care about device security 16/03/2016 39
  40. 40. Thank you ! Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT) To learn more about Hardsploit and follow the development Hardsploit.io & Opale-Security.com •  Yann ALLAIN (CEO) •  yann.allain@opale-security.com •  +33 6 45 45 33 81 Hardware & Sofware, Pentest, Audit, Training •  Julien MOINARD (Project leader of Hardsploit) •  julien.moinard@opale-security.com •  +33 9 72 43 87 07 16/03/2016 40

×