This document discusses a 16-bit rootkit and second generation Zigbee chips. It describes how the rootkit works by proxying a microcontroller's interrupt vector table to gain control of incoming packets. It also examines vulnerabilities in early Zigbee chips like the EM250 and CC2430 that exposed cryptographic keys due to debug interfaces and memory layout issues. Later generations of chips aim to address these security flaws.
1. A 16 Bit Rootkit, and
Second Generation Zigbee Chips
Travis Goodspeed
travis@radiantmachines.com
Black Hat USA, 2009
Las Vegas, NV
2.
3. Topics for Today
● Second Generation Zigbee Chips
– EM250, CC2430, CC2530
– How to break them.
● A 16 Bit Rootkit
– A very portable operating system,
– easily injected into a µC application,
– without damaging that application.
4. Notice That
● In IT,
– Malware is common.
– It's annoying.
– Simple malware is detected, removed.
● In embedded systems,
– Malware is rare.
– No one looks for it.
– Simple malware is undetected, sufficient.
5. Forward
● Confidentiality
– Only to prevent plagiarism.
● Integrity
– Only against accidental corruption.
● Availability
– A watchdog timer.
6.
7. In this Episode
● EM250
– WTF were they thinking?
● CC2430/CC2530
– Keys are easily extracted.
● MSP430
– A rootkit design.
– How to recognize one, or to build one.
8. Disclaimers
● EM250/260
– EM3xx will be better.
● CC2430/CC2530
– CC430 will be better.
● MSP430
– MSP430 only chosen for a concrete example.
9. Brief Review: Microcontrollers
● Little computer.
– 8 or 16 bit
– Von Neumann or Harvard
– Internal Flash/RAM
– No/partial MMU
● Still a computer.
10. Brief Review: Wireless Sensors
● Radio+MCU=WSN
● Ultra low power, long deployment.
● Mesh Networking
● Applications
– Smart Grid
– Military
– Wildlife, Geological Research
11. Brief Review: Terms
● 802.15.4, MAC and lower layers.
● Zigbee, upper layers.
● MSP430, a 16 bit µC
● First Gen Radios, just a radio
● Second Gen Radios, radio+µC
13. First Generation
● CC2420, EM2420
– Same chip!
● Just a radio.
– Keys are sent by SPI.
– As cleartext.
14. Zigbee Bus Snooping
● First presented at S4 Miami.
– Later Source Boston, HackADay.
– Workshop at Defcon!
● Dirt simple,
– Stick needles into the board's test points.
– Capture SPI traffic live.
– Read the AES128 key.
– Set your radio to the same.
20. Again
● “...the vast majority of pilots and products out there that support SEP are based on the EM250, and not the TI CC2420. Utilities are requiring the security and standardization that the SEP provides. ...”
– Bruce
21. EM250
● 12MHz XAP2b 16-bit microcontroller core
– 128kB Flash and 5kB RAM
– 128-bit AES hardware engine
– <1uA sleep current w/ internal RC oscillator running
● Also a radio.
22. So to be clear.
● The argument is:
– The CC2420 is vulnerable.
– The EM250 doesn't expose keys by SPI.
– Therefore, EM250 boards are secure.
● The argument is wrong.
– Let's see why!
23. EM250 Chip
● 16 bit Harvard XAP2
– 1999 design by Cambridge Consultants
● Insight® for Debugging
– JTAG Variant
24. EM250 Programming
● OTA and by Serial Port
– Bootloader of some sort.
– Might be vulnerable. I haven't looked.
● Serial Port
– Vulnerable to glitching, but don't bother.
● InSight®
– Wide open.
35. Chipcon Physical Layer
● Bits
– MSBit first
– Written on rising edge of clock.
– Sampled on falling edge of clock.
● Direction
– Master speaks first.
– Slave replies.
41. 8051 Constant Sidebar
● 8051 Compilers
– All variables in Data memory,
● unless explicitly told otherwise.
– At initialization
● Data is populated from Code.
● Therefore,
– EVERY variable is in Data by default.
– Keys are in Data memory.
42. Chipcon Exploitation
● GoodFET.CC
– Erase
– Write Data >keys.bin
● Key search
– Joshua Wright's Killer Bee, TBR
– 2 seconds for upper RAM
– 4 seconds for all of RAM
43. Chipcon Defense
● Keep anything sensitive in Code memory.
– See Chipcon DN200.
● const __code char foo[] = "Hello World!";
● printf(foo);
– Won't work!
– printf() expects a pointer to Data memory.
44. Chipcon Summary
● All current chips are vulnerable.
● Keys are exposed unless protected.
● Protection requires some recoding.
45. Third Generation Chips
● EM3xx
– ARM Cortex M3 µC
– JTAG Pin Fuse
● CC430
– MSP430 µC
– JTAG TAP Fuse
● Neither is yet available.
48. Part 1 Conclusions
● Zigbee chips aren't very secure.
● Next generation might be better.
– Might not be better.
● Local security is hard.
– Cryptography != Security
49. Part 2:
A 16-bit Rootkit
● IVT Proxying/Hooking
● Initial Foothold
● Blind Command Reception
● Efficient Command Frames
● Blind Function Calling
50. History
● 2007, I authored the first WSN exploit.
– MSP430 infected by 802.15.4 packet
● 2008, I authored an MSP430 R.E. kit.
– http://msp430static.sf.net/ in Perl/SQLite
● 2009, Mike Davis Smart Grid Worm
– Catch his talk at 16h45.
– Practical implementation, which mine ain't.
51. WSN Exploits in Brief
● Memory is precious
– A few kilobytes of free memory.
– 128 byte packets
● No operating system.
– No system calls, function tables, etc.
– Single statically-linked image.
● Code is in Flash, not RAM.
52. This Rootkit
● Generic Installation
– Reasonably hardware agnostic.
– Coexists with prior firmware.
● Efficient
– Fits in available memory.
– Reuses victim code where possible.
– Memory/security tradeoff.
53. MSP430
● 16 bit RISC processor
– Two 20 bit variants.
● Masked ROM Bootloader (BSL)
– Flash ROM in recent variants.
● Chosen for a concrete example.
– Similarities in AVR, PIC, MIPS, etc.
54. Rootkit Specifics
● How do you find a function?
– No linking tables.
● How do you trap an incoming packet?
– Radio drivers are inlined.
● How do you make the rootkit stealthy?
– Would you make it stealthy?
55. Locating a Function
● Fingerprints
– Isolate functions, then iterate.
– Checksum bytes.
– Call function that matches bytes.
● Ports
– IO ports are unique to hardware.
– Called as literal indirects.
56. Interrupt Handling
● Interrupt Vector Table
– List of interrupt handler addresses.
– At the top of memory in Flash.
● To proxy it,
– Copy table to a lower address.
– Handle each target.
– Handler branches to original.
60. Interrupt Proxying
● Also used without malice.
● Drastically changes
– Bootloader password.
– Call Graph.
– Memory usage.
– Calling convention.
● Barely changes
– Bytes.
61. Bootloader Password
● Hard to fake for masked BSL.
– Entry sequence is in hardware.
– Not maskable on classic MSP430.
● JTAG Fuse
– If blown, access is restricted without pass.
– If unblown, local attacker has access.
62. Call Graph
● Two applications,
– Two disconnected graphs.
– Child connections can be made,
● CALL #0x4000
– Parent connections are more difficult.
● Clearing bits is easier than setting them.
● Reflashing a segment.
63. Memory Usage
● Linker behavior
– Flash is at the top of memory.
– Code grows from starting address upward.
– Each app starts at a segment boundary.
64. Calling Convention
● Hackers use GCC
– r15, r14, r13, r12
● Others use IAR
– r12, r14 in IAR 3
– r12, r13, r14, r15 in IAR 4
● Other compilers
– other conventions
65. Further Fingerprinting
● switch(){}
– Table, word offset, or byte offset?
● mov #0xFFFF, r15
– Constant generator or literal?
● Unused interrupts.
– 0xFFFF, single handler, or many handlers?
66. Locating a Rootkit
● One app or two?
– Memory map, register usage, gap.
● One compiler or two?
– Calling convention consistency?
– Assembler, switch{} consistency?
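The proxied IVT layout from slide 56 and the "one app or two?" test from slide 66, turned into a checker (an added example, not Goodspeed's code): it scans a constructed MSP430-style flash image for a second, lower-address copy of the vector table and flags the image when every live vector lands in a region disjoint from the handlers that copy references. The 0x8000 flash base, the 0xE000 shadow location and all handler addresses are assumptions.

```python
import struct

# Constructed MSP430-style layout (assumption, not from the slides): 32 KB of flash
# mapped at 0x8000, with the 16-entry interrupt vector table (IVT) at 0xFFE0-0xFFFF.
FLASH_BASE, FLASH_SIZE, IVT_ADDR = 0x8000, 0x8000, 0xFFE0

def build_image(infected: bool) -> bytearray:
    """Constructed firmware image: an app using four vectors, optionally proxied."""
    img = bytearray(b"\xff" * FLASH_SIZE)
    used = {0: 0x8200, 3: 0x8300, 6: 0x8400, 15: 0x8100}  # slot -> original handler
    for slot, addr in used.items():
        struct.pack_into("<H", img, IVT_ADDR - FLASH_BASE + 2 * slot, addr)
    if infected:
        # The implant keeps a copy of the original table at a lower address (0xE000) ...
        off = IVT_ADDR - FLASH_BASE
        img[0xE000 - FLASH_BASE:0xE000 - FLASH_BASE + 32] = img[off:off + 32]
        # ... and points each live vector at its own trampoline, which chains to the copy.
        for n, slot in enumerate(sorted(used)):
            struct.pack_into("<H", img, off + 2 * slot, 0xE100 + 0x20 * n)
    return img

def read_table(img: bytearray, addr: int) -> list:
    """The 16 little-endian words of a candidate vector table at addr."""
    return list(struct.unpack_from("<16H", img, addr - FLASH_BASE))

def plausible(table: list, used_slots: set) -> bool:
    """Same used/unused slot pattern as the live IVT, every used entry an even flash address."""
    for i, w in enumerate(table):
        if (w != 0xFFFF) != (i in used_slots):
            return False
        if w != 0xFFFF and (w % 2 or not FLASH_BASE <= w < FLASH_BASE + FLASH_SIZE):
            return False
    return True

def find_shadow_ivts(img: bytearray) -> list:
    """Word-aligned 32-byte blocks below the IVT that look like a copy of it."""
    live = read_table(img, IVT_ADDR)
    used = {i for i, w in enumerate(live) if w != 0xFFFF}
    hits = []
    for addr in range(FLASH_BASE, IVT_ADDR, 2):
        table = read_table(img, addr)
        if table != live and plausible(table, used):
            hits.append(addr)
    return hits

def handler_span(img: bytearray, addr: int) -> tuple:
    """(lowest, highest) handler address referenced by the table at addr."""
    handlers = [w for w in read_table(img, addr) if w != 0xFFFF]
    return min(handlers), max(handlers)

def is_proxied(img: bytearray) -> bool:
    """'Two apps': a shadow table exists whose handlers never overlap the live ones."""
    lo_live, hi_live = handler_span(img, IVT_ADDR)
    for shadow in find_shadow_ivts(img):
        lo_s, hi_s = handler_span(img, shadow)
        if hi_s < lo_live or hi_live < lo_s:
            return True
    return False
```

On a real dump, feed `find_shadow_ivts` the flash read out over the BSL or JTAG, and treat a hit whose handlers sit in a separate segment range as the memory-map gap slide 66 describes.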
68. Once again,
● In IT,
– Malware is common.
– It's annoying.
– Simple malware is detected, removed.
● In embedded systems,
– Malware is rare.
– No one looks for it.
– Simple malware is undetected, sufficient.
69. For more information,
● TravisGoodspeed.blogspot.com
– Compiler behavior survey.
– MSP430static R.E. toolkit.
● GoodFET.sourceforge.net
– Chipcon debugging.
– Voltage glitching soon.
70. Defcon talks
● Locally Exploiting Wireless Sensors
– Less theory, more practice.
● An Open JTAG Debugger
– Mapping JTAG Registers
– CC2430 Protocol
– Voltage Glitching