A trial investigation system for vulnerability on M2M network
1. ETNET2015 (c) 2015 kiyotaka@ka-lab.jp 1
A Trial Investigation System
for Vulnerability on M2M Network
ETNET2015(2015/3/5-6)
KA-LAB
Kiyotaka ATSUMI
2. Contents
● Backgrounds
● The systems which was proposed in the past
● The system which I propose
● Sample of running this system
● Problems
4. Machine to Machine (M2M) networks
● MCU performance keeps growing; today's MCU is comparable to a personal computer of a few years ago.
● Network reachability by USB, Ethernet, ZigBee, Bluetooth, Wi-Fi, and so on.
● Many IoT devices' software is built as a black box or a gray box.
● Building, updating, expanding and recovering are performed automatically among the machines on M2M networks.
● Weak certification of each other.
5. Terminology
● Integration Test
– All MCU and sensor units connected
– Checking every transition of every state
– Investigating behavior against the specifications
● Vulnerability Investigation (including confidentiality, integrity, availability)
– Mixed noise, broken connections
– Tampering with communications
– Injecting malicious code
We do not distinguish between the two above.
6. Conditions of the investigation
● It is impossible to define all transitions among the states of the system.
● IoT devices are sometimes implemented as a black box and/or a gray box.
● Some problems do not reappear in simple simulations (which makes Metasploit difficult to use).
7. Target System (External)
(Figure: Target1 (host) and Target2 (device) joined by USB cabling; link to the Internet.)
8. Target System (the structure of software modules)
(Figure: software modules of Target1 and Target2, with a link to the Internet: Display; Management of Audio and Visual; Management of State; and so on; Controller; Navigation Application; Other Applications.)
9. Characteristics of the System
● Target1 and Target2 are connected by TCP/IP over USB.
● Target1 and Target2 provide service ports.
● At least one port number on Target2 changes dynamically when they are initialized.
● They use TCP/IP and other Layer 1/Layer 2 protocols such as USB.
● The Controller of Target1 handles all communications in the System.
● We mainly want to investigate Target2.
11. A Sample of Structure (1) (such as Metasploit)
(Figure: as in slide 8, but a Vulnerabilities Scanner takes the place of the Controller, Navigation Application and Other Applications modules; Display, Management of Audio and Visual, Management of State and so on remain.)
12. Problems of Sample (1)
● A vulnerabilities scanner can rarely simulate Target1.
● It is difficult to adapt dynamically to various situations.
● It can carry out only investigations determined beforehand.
13. A Sample of Structure (2) (like USBProxy)
(Figure: the modules of slide 8 with a USB MitM Controller inserted between Target1 and Target2; link to the Internet.)
14. Problems of Sample (2)
● Software relaying is very slow (30 Mbps → 2 Mbps).
● It is difficult to follow the many different USB configurations; in particular, some smartphones sometimes change dramatically into another device.
● USB connections must be handled at the electrical and physical level.
16. Proposed Structure
(Figure: the modules of slide 8 with iptables and ka-mitm inserted between Target1 and Target2; link to the Internet.)
17. ka-mitm and iptables
● Target1 and ka-mitm are connected by Wi-Fi.
● ka-mitm performs like a generic proxy: it can watch data streams and modify them.
● iptables is configured so that ka-mitm is a transparent proxy for the specified TCP ports only (similar to NAPT and a WAF).
18. Advantages of ka-mitm
● Performs as a Turing machine handling input/output data.
● Handles multiple protocols at the same time.
● It is very easy to watch stream data.
● Transfer speed is faster than USBProxy (about 1/4 of the Wi-Fi speed).
● It can investigate continuously: the automatic recovery function of M2M networks restores sessions broken by this investigation system.
19. Disadvantages of ka-mitm
● Too free: we can't define a good grammar for injection scripts.
● TCP/IP only.
● Target1 must support iptables or a similar function.
● Sometimes the M2M automatic recovery function does not work when the connection is just reset at the TCP level.
20. How to run
1. Define meta-scripts beforehand.
2. Get stream data passing through ka-mitm.
3. Generate individual scripts (scripts for short) from the meta-scripts and the stream data.
4. Continue investigating with a number of scripts, resetting connections between them.
5. Get results.
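Steps 1 to 4 above as an added worked example (my code, not the ka-mitm project's): three meta-scripts for the RFB version handshake are instantiated against a constructed capture, and a one-session relay applies the chosen script and then closes both sides so the M2M recovery can re-establish the link. The listen port and target address are assumed parameters; the meta-script names and tuple layout are my own.

```python
import asyncio, re
# Constructed sample of the first bytes seen on a VNC/RFB port (step 2 of "How to run").
OBSERVED = {"server->client": b"RFB 003.008\n", "client->server": b"RFB 003.008\n"}

# Meta-scripts (step 1): direction, a trigger pattern that must occur in the observed
# stream, and a mutation of the matched bytes; the cases mirror the results slides.
META_SCRIPTS = [
    ("server_dup_older", "server->client", rb"RFB \d{3}\.\d{3}\n",
     lambda m: m.group(0) + b"RFB 002.008\n"),
    ("server_zero_pad", "server->client", rb"RFB \d{3}\.\d{3}\n",
     lambda m: m.group(0)[:-1] + b"0" * 64 + b"\n"),
    ("client_dup_older", "client->server", rb"RFB \d{3}\.\d{3}\n",
     lambda m: m.group(0) + b"RFB 002.008\n"),
]

def generate_scripts(meta_scripts, observed):
    """Step 3: instantiate each meta-script against the captured stream data."""
    scripts = []
    for name, direction, pattern, mutate in meta_scripts:
        match = re.search(pattern, observed[direction])
        if match:  # only triggers that actually occurred yield a runnable script
            scripts.append((name, direction, match.group(0), mutate(match)))
    return scripts

def apply_script(script, direction, data):
    """Rewrite one chunk flowing in `direction`; returns (bytes, fired)."""
    _name, script_dir, trigger, payload = script
    if direction == script_dir and trigger in data:
        return data.replace(trigger, payload, 1), True
    return data, False

async def _pump(script, direction, reader, writer, log):
    while data := await reader.read(4096):  # relay until EOF, logging every chunk
        data, fired = apply_script(script, direction, data)
        log.append((direction, data, fired))
        writer.write(data)
        await writer.drain()
    writer.close()

async def run_case(script, listen_port, target_host, target_port, log):
    """Step 4: relay one session with `script` applied, then drop both sides."""
    done = asyncio.Event()
    async def handle(c_reader, c_writer):
        s_reader, s_writer = await asyncio.open_connection(target_host, target_port)
        await asyncio.gather(_pump(script, "client->server", c_reader, s_writer, log),
                             _pump(script, "server->client", s_reader, c_writer, log))
        done.set()
    server = await asyncio.start_server(handle, "0.0.0.0", listen_port)
    async with server:
        await done.wait()  # one session per script; closing the server resets it
```

In the deck's setup the iptables redirect of the chosen TCP port is what delivers Target1's session to listen_port; run_case is awaited once per generated script.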
23. Results of Meta-Scripts (1)
(No precondition)
Server->Client: RFB003.008\nRFB002.008\n
(No answer from client)
(Break in force)
…
(No precondition)
Server->Client: RFB003.008\nRFB003.008000000...000\n
Client->Server: RFB003.008\n
(Continue to run in normal?)
(Break in force)
26. Results of Meta-Script (3)
Server->Client: RFB003.008\n
Client->Server: RFB003.008\nRFB002.008\n
(No answer from server)
(Break in force)
…
Server->Client: RFB003.008\n
Client->Server: RFB003.008\nRFB003.008000000...000\n
(Continue to run in normal)
(Break in force)
30. Results of Meta-Script (4) -2
server->client: RFB 003.008
client->server: RFB 003.008
server->client:
client->server: \x05\x00\x01\x02\x05\x06\x0F
server->client: !not supported Authentication Type
(Automatically reset the connection)
server->client: RFB 003.008
client->server: RFB 003.008
server->client:
client->server:
server->client:
client->server:
server->client: (binary data) TMDesktop
(Continue to run in normal)
(Break in force)
31. Results of Sample (4) -3
server->client: RFB 003.008
client->server: RFB 003.008
server->client:
client->server: \x01\x00\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\xFF\x...
server->client:
server->client: !not supported Authentication Type
(Automatically reset the connection)
server->client: RFB 003.008
client->server: RFB 003.008
server->client:
client->server:
server->client:
(Continue to run in normal?)
(Break in force)
33. Problems of the proposed system
● The expressive power of the grammar for meta-scripts is not enough.
● It is impossible to write meta-scripts that handle multiple protocols at the same time.
● Unable to reset a connection completely.
● Unable to directly handle other protocols such as USB.
This software is released as an alpha version.
https://github.com/kalab1998e/ka-mitm