A trial investigation system for vulnerability on M2M network

ETNET2015 (c) 2015 kiyotaka@ka-lab.jp 1
A Trial Investigation System
for Vulnerability on M2M Network
ETNET2015(2015/3/5-6)
　　KA-LAB
Kiyotaka ATSUMI

Contents
● Backgrounds
● The systems which was proposed in the past
● The system which I propose
● Sample of running this system
● Problems

Contents
● Backgrounds
● Problems

Machine to Machine(M2M) networks
● MCU's performance become powerful more and more.
It's similar to a personal computer a few years ago.
● Network reachability by USB, Ethernet, ZigBee,
Bluetooth, Wifi, and so on.
● Many IoT device's softwares are built in a black box or
in a gray box.
● Building, Updating, Expanding, Recovering are
automatically performed among machines on M2M
networks
● Weak certifications each other

Terminology
● Integration Test
– Connected all MCU and sensor units
– Checking every transition every state
– investigating into behavior according to specifications.
● Vulnerability Investigation (Including Confidentiality,
Integrity, Availability)
– Mixed noises, Broken connection
– Tampering for communications
– Injecting mal-codes
We do not care its difference of above.

Condition of the investigation
● It's impossible to define all transition among
states in the system.
● IoT devices sometimes implemented by a black
box and/or by a gray box.
● Some problems don't re-appearance by simply
simulations. (It's difficult to use Metasploit)

Target System(External)
Target1(host) Target2(device)
USB Cabling
To the Internet

To the Internet
Target System
(The structure of software modules)
Display
Management
of Audio and
Visual
Management
of State
And so on...
Controller
Navigation
Application
Others
Application
Target1 Target2

Characters of the System
● Target1 and Target2 is connected by TCP/IP on USB.
● Target1 and Target2 provide service ports.
● At least 1 port number on Target2 is dynamically
changed when they are initialized.
● They use TCP/IP and other Layer1/Layer2 protocol
such USB.
● Controller of Target1 handle all communications on the
System.
● We'd like to mainly investigate to Target2.

Contents
● Backgrounds
● Problems

A Sample of Structure (1)
(Such Metasploit)
Display
Management
of Audio and
Visual
Management
of State
And so on...
Vulnerabilities
Scanner
Target1 Target2

Problems of Sample (1)
● Vulnerabilities scanner can rarely simulate Target1.
● It's difficult to dynamically adapt to various situation.
● It can carry out only investigations determined
beforehand.

To the Internet
A Sample of Structure (2)
(Like USBProxy)
Display
Management
of Audio and
Visual
Management
of State
And so on...
Controller
Navigation
Application
Others
Application
Target1 Target2
USB MitM
Controller

Problems of Sample (2)
● Software relaying is very slow.
(30Mbps → 2Mbps)
● It's difficult to follow many various USB
configurations.
Especially, sometimes some smartphones are
dramatic changed to another device.
● It needs to handle USB connections in
Electrical and in Physical.

Contents
● Backgrounds
● Problems

To the Internet
Proposed Structure
Display
Management
of Audio and
Visual
Management
of State
And so on...
Controller
Navigation
Application
Others
Application
Target1 Target2
iptables
ka-mitm

ka-mitm and iptables
● Target1 and ka-mitm are connected by Wifi.
● ka-mitm perform like generic proxy. It can watch
data streams and modify them.
● iptables is set that ka-mitm is a transparent
proxy only specified tcp ports
(It's similar to NAPT and WAF.)

Advantage of ka-mitm
● Perfoming Turing machine handling input / output
data.
● Handling multiple protocols at the same time.
● It's so easy to watch stream data.
● Transferring speed is faster than USBProxy. (about
1 of 4 speed of Wifi).
● It can continuity investigate by automatically
recovering function on M2M networks when their
sessions are broken by this investigation system.

Disadvantage of ka-mitm
● Too free. We can't define good grammar for
injection scripts.
● Only TCP/IP.
● Target1 must set iptables or similar function.
● Sometimes M2M automatically recovering
function does not work when it just reset on
TCP.

How to run
1. Define meta-scripts beforehand.
2. Get stream data passing in ka-mitm.
3. Generate individual scripts (scripts for short)
from meta-scripts and stream data
4. Continue to investigate by number of scripts
resetting connections.
5. Get results.

Contents
● Backgrounds
● Problems

Sample of Meta-Script (1)
[
{
"sort": ["VNC", "Handshake"],
"port": "/59[0-9][0-9]/",
"lead": [],
"trigger": ["to_client","/^RFB 003.00[3578]n$/"],
"injections": [ [["RFB 002.008n"], [""]],
[["RFB 003.001n"], [""]],
[["RFB 003.009n"], [""]],
[["RFB 004.008n"], [""]],
[["RFB 003.00800000...00000n"], [""]]],
"enable": true
},...
]

Results of Meta-Scripts (1)
(No precondition)
Server->Client: RFB003.008nRFB002.008n
(No answer from client)
(Break in force)
…
(No precondition)
Server->Client: RFB003.008nRFB003.008000000...000n
Client->Server: RFB003.008n
(Continue to run in normal?)
(Break in force)

{
"port": "/59[0-9][0-9]/",
"lead": [["to_client", "/^RFB 003.003n$/"]],
"trigger": ["to_server","/^RFB 003.003n$/"],
"injections": [ [["RFB 002.008n"], [""]],
[["RFB 003.001n"], [""]],
[["RFB 003.007n"], [""]],
[["RFB 003.008n"], [""]],
[["RFB 003.009n"], [""]],
[["RFB 004.008n"], [""]],
[["RFB 003.0030000000000000000000000000000...0n"], [""]]],
"enable": true
},
This is unused.

Sample of Meta-Scripts (3)
{
"port": "/59[0-9][0-9]/",
"lead": [["to_client", "/^RFB 003.008n$/"]],
"trigger": ["to_server", "/^RFB 003.00[378]n$/"],
"injections": [ [["RFB 002.008n"], [""]],
[["RFB 003.001n"], [""]],
[["RFB 003.009n"], [""]],
[["RFB 004.008n"], [""]],
[["RFB 003.008000000000000000000000000...00000n"], [""]]],
"enable": true
},

Results of Meta-Script (3)
Server->Client: RFB003.008n
Client->Server: RFB003.008nRFB002.008n
(No answer from server)
(Break in force)
…
Server->Client: RFB003.008n
Client->Server: RFB003.008nRFB003.008000000...000n
(Continue to run in normal)
(Break in force)

{
"port": "/59[0-9][0-9]/",
"lead": [["to_client", "/^RFB 003.00[78]n$/"],
["to_server", "/^RFB 003.00[78]n$/"]],
"trigger": ["to_server","/^[x01-x05].*$/"],
"injections": [[["x00","x00x00x00x01AAAAAAAAAAAAAAA...A"], [""]],
[["x05x00x01x02x05x06x0F"], [""]],
[["x01x00xFFxFFxFFxFFxFFxFFxFF...xFFxFF"],[""]]],
"enable": true
},

Results of Meta-Script (4) -1
server->client: RFB 003.008
client->server: RFB 003.008
server->client: ^A^A^M
client->server: x00
client->server:
x00x00x00x01AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAA
server->client: !not supported Authentication Type
(Automatically reset the connection)

server->client:
client->server:
server->client:
client->server:
server->client: � �� TMDesktop
client->server: !��
server->client: ��
client->server: ?
client->server: � �
server->client: enusenus � ��
client->server: enusenus {� �
(Break in force)

server->client:
client->server: x05x00x01x02x05x06x0F
server->client:
client->server:
server->client:
client->server:
server->client: � �� TMDesktop
(Continue to run in normal)
(Break in force)

Results of Sample (4) -3
server->client:
client->server:
x01x00xFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFxFFx
FFxFFxFFxFFxFFxFFxFFxFxFFxFFxFFxFFxFFxFFxFFxFFxFFx...
server->client:
server->client:
client->server:
server->client:
(Break in force)

Contents
● Backgrounds
● Problems

Problems of proposed system
● Expression ability of the grammar for meta-
scripts is not enough.
● It's impossible to write meta-scripts handling
multiple protocols at the same time.
● Unable to reset connection completely.
● Unable to directly handle other protocols such
USB
This software is released as a alpha version.
https://github.com/kalab1998e/ka-mitm

A trial investigation system for vulnerability on M2M network

Recommended

Recommended

More Related Content

Similar to A trial investigation system for vulnerability on M2M network

Similar to A trial investigation system for vulnerability on M2M network (20)

More from Mocke Tech

More from Mocke Tech (14)

Recently uploaded

Recently uploaded (20)

A trial investigation system for vulnerability on M2M network