SlideShare a Scribd company logo

Bsides Puerto Rico-2017

P
Price McDonald

BSides Puerto Rico 2018 - Insecure Obsolete and Trivial : The Real IOT

Technology
1 of 43
Download to read offline
Insecure Obsolete and Trivial The Real IOT BSides Puerto Rico 2017(18) Price McDonald
#USERID 0,0 pkm • 10 years InfoSec Experience • Manager, Rapid7 Global Services • Certifications: • GPEN, GREM, GWAPT, GXPN, OSCP • Enjoys long walks to Microcenter, Competitive Shooting and Reverse Engineering.
Current State of Hardware Security O’RLY?
Current State of Hardware Security Ok, So Hardware Security sucks… But why focus on the hardware?
Get the “Things” on the Cheap • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
Test Dummy
Tamper Resistance and Detection
Component Identification
Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pin TSOP II
Component Identification Tips and Trick
Arts and Crafts Time
Finding Ground • Using the Multi-Meter we can figure out which of the pins on our headers connect to ground and which have voltage. Ground Voltage Specifically 3.3v • Got Ground?
Physical Counter Measures
Common Interface Types • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – Joint Test Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection.
Saleae Logic Decoders Given that we suspect Async Serial (UART) we will select that analyzer
Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
Saleae Logic - Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
Saleae Logic - Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
Using the Shikra http://int3.cc/products/the-shikra
Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
NOW WE HAVE A SHELL! But what’s next? AND THEN?
Shell is only the beginning
No Tech Hacking
File System Fiddling • MTD is a "Memory Technology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device.
Hiding in Plain Sight Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
Pilfering But, How do we get the file system off of the target device?
Accidental Footprints
So what Happens if that doesn’t work? • JTAG stands for (Joint Test Action Group) which was formed in 1985. • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • The TCK Pin (Test Clock) is what keeps the clock for the state machine. • THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle.
JTAG ADAPTERS Good Better Best $45 $60-$600 $5000-$20000
Have you heard of the JTAGulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
HOW TO CONNECT WITH OPENOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
HOW TO CONNECT WITH OPENOCD(2) Silly openocd! That’s more like it J
Cereal
Reverse Engineering • Binary Ninja • Free version available • Limited Architecture Support • Learn one IL to reverse them all • Ida Pro • Paid Version required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available
Radare2
IDA Pro
No Shell No Problem
Peripheral interfaces
Contact Information Contact information twitter: @PriceMcdonald Linkedin: linkedin.com/pricemcdonald Email: pricemcdonald@gmail.com

Recommended

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetPrice McDonald
 
Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTPrice McDonald
 
Jtag
JtagJtag
JtagTELE-audiovision eng
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 

Recommended

BSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsBSides Indy 2017 - Hardware Hacking - Abusing the Things
BSides Indy 2017 - Hardware Hacking - Abusing the ThingsPrice McDonald
 
BSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode EnabledBSides DFW2016-Hack Mode Enabled
BSides DFW2016-Hack Mode Enabledpricemcdonald
 
Thotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetThotcon 0x8 - Hardware Hacking on a Budget
Thotcon 0x8 - Hardware Hacking on a BudgetPrice McDonald
 
Insecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTInsecure Obsolete and Trivial - The Real IOT
Insecure Obsolete and Trivial - The Real IOTPrice McDonald
 
Jtag
JtagJtag
JtagTELE-audiovision eng
 
FSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGFSEC 2014 - I can haz your board with JTAG
FSEC 2014 - I can haz your board with JTAGDobrica Pavlinušić
 
Hardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootHardware Reverse Engineering: From Boot to Root
Hardware Reverse Engineering: From Boot to RootYashin Mehaboobe
 
Intro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingIntro to Hardware Firmware Hacking
Intro to Hardware Firmware HackingAndrew Freeborn
 
Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101Tiago Henriques
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware HackingAndrew Brockhurst
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino ForensicsSteve Watson
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...Kynetics
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking PrimerYashin Mehaboobe
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playgroundslides_luis
 
Company overview
Company overview Company overview
Company overview Jessika Remolona
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Premier Farnell
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMike Webb
 
GATTacking Bluetooth Smart
GATTacking Bluetooth SmartGATTacking Bluetooth Smart
GATTacking Bluetooth SmartOWASP
 
Geek Pic-Nic Master Class
Geek Pic-Nic Master ClassGeek Pic-Nic Master Class
Geek Pic-Nic Master ClassMediaTek Labs
 
Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-caninjenerzntu
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 

More Related Content

What's hot

PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkYashin Mehaboobe
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGSilvio Cesare
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devicesYashin Mehaboobe
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONLyon Yang
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyNiek Timmers
 
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...Kynetics
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Takeda Pharmaceuticals
 
Java Card Security
Java Card SecurityJava Card Security
Java Card SecurityRiscure
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerDobrica Pavlinušić
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsDobrica Pavlinušić
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playgroundslides_luis
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Premier Farnell
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMike Webb
 
GATTacking Bluetooth Smart
GATTacking Bluetooth SmartGATTacking Bluetooth Smart
GATTacking Bluetooth SmartOWASP
 
Geek Pic-Nic Master Class
Geek Pic-Nic Master ClassGeek Pic-Nic Master Class
Geek Pic-Nic Master ClassMediaTek Labs
 

What's hot (20)

Hardware hacking 101
Hardware hacking 101Hardware hacking 101
Hardware hacking 101
 
PyTriage: A malware analysis framework
PyTriage: A malware analysis frameworkPyTriage: A malware analysis framework
PyTriage: A malware analysis framework
 
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKINGA BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
A BEGINNER’S JOURNEY INTO THE WORLD OF HARDWARE HACKING
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Hardware Hacking
Hardware HackingHardware Hacking
Hardware Hacking
 
Arduino Forensics
Arduino ForensicsArduino Forensics
Arduino Forensics
 
Advanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCONAdvanced SOHO Router Exploitation XCON
Advanced SOHO Router Exploitation XCON
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
Deploy Small IoT Embedded SOC Devices and a Back-End Platform with Java, usin...
 
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
Hacker's and painters Hardware Hacking 101 - 10th Oct 2014
 
Java Card Security
Java Card SecurityJava Card Security
Java Card Security
 
Cheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component testerCheap, good, hackable tools from China: AVR component tester
Cheap, good, hackable tools from China: AVR component tester
 
Hardware Hacking Primer
Hardware Hacking PrimerHardware Hacking Primer
Hardware Hacking Primer
 
Raspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needsRaspberry Pi - best friend for all your GPIO needs
Raspberry Pi - best friend for all your GPIO needs
 
The Baseband Playground
The Baseband PlaygroundThe Baseband Playground
The Baseband Playground
 
Company overview
Company overview Company overview
Company overview
 
Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA Introduction to NanoBoard-3000 FPGA
Introduction to NanoBoard-3000 FPGA
 
Musclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and UnlocksMusclenerd - Evolution of iPhone Baseband and Unlocks
Musclenerd - Evolution of iPhone Baseband and Unlocks
 
GATTacking Bluetooth Smart
GATTacking Bluetooth SmartGATTacking Bluetooth Smart
GATTacking Bluetooth Smart
 
Geek Pic-Nic Master Class
Geek Pic-Nic Master ClassGeek Pic-Nic Master Class
Geek Pic-Nic Master Class
 

Similar to Bsides Puerto Rico-2017

Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-caninjenerzntu
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaYogesh Ojha
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Alexander Bolshev
 
FPGA_prototyping proccesing with conclusion
FPGA_prototyping proccesing with conclusionFPGA_prototyping proccesing with conclusion
FPGA_prototyping proccesing with conclusionPersiPersi1
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search EngineInMobi Technology
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...ST_World
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)Nitesh Bhatia
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2PacSecJP
 
Hacking a Xiami Mi Vacuum Robot
Hacking a Xiami Mi Vacuum RobotHacking a Xiami Mi Vacuum Robot
Hacking a Xiami Mi Vacuum RobotPaul Terrasi
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalPriyanka Aash
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsRoshan Kulkarni
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Bhavin Chandarana
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Priyanka Aash
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewMichelle Holley
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020Jose Palanco
 
S2C China ICCAD 2010 Presentation
S2C China ICCAD 2010 PresentationS2C China ICCAD 2010 Presentation
S2C China ICCAD 2010 Presentationsrpollock
 
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOLGETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOLMinh237839
 

Similar to Bsides Puerto Rico-2017 (20)

Asia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-canAsia 14-garcia-illera-dude-wtf-in-my-can
Asia 14-garcia-illera-dude-wtf-in-my-can
 
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh OjhaKazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
KazHackStan Doing The IoT Penetration Testing - Yogesh Ojha
 
IOT Exploitation
IOT Exploitation IOT Exploitation
IOT Exploitation
 
Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...Practical reverse engineering and exploit development for AVR-based Embedded ...
Practical reverse engineering and exploit development for AVR-based Embedded ...
 
Prezentare tcs2011
Prezentare tcs2011Prezentare tcs2011
Prezentare tcs2011
 
FPGA_prototyping proccesing with conclusion
FPGA_prototyping proccesing with conclusionFPGA_prototyping proccesing with conclusion
FPGA_prototyping proccesing with conclusion
 
Shodan- That Device Search Engine
Shodan- That Device Search EngineShodan- That Device Search Engine
Shodan- That Device Search Engine
 
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
Track 5 session 3 - st dev con 2016 - mechanisms for trusted code execution...
 
JTAG Interface (Intro)
JTAG Interface (Intro)JTAG Interface (Intro)
JTAG Interface (Intro)
 
Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
 
No[1][1]
No[1][1]No[1][1]
No[1][1]
 
Hacking a Xiami Mi Vacuum Robot
Hacking a Xiami Mi Vacuum RobotHacking a Xiami Mi Vacuum Robot
Hacking a Xiami Mi Vacuum Robot
 
Tools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade FinalTools Of The Hardware Hacking Trade Final
Tools Of The Hardware Hacking Trade Final
 
Architectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud PlatformsArchitectural Patterns in IoT Cloud Platforms
Architectural Patterns in IoT Cloud Platforms
 
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
Presentation for IoT workshop at Sinhagad University (Feb 4, 2016) - 2/2
 
Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.Breaking Smart Speakers: We are Listening to You.
Breaking Smart Speakers: We are Listening to You.
 
Intel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology OverviewIntel(r) Quick Assist Technology Overview
Intel(r) Quick Assist Technology Overview
 
OT Security - h-c0n 2020
OT Security - h-c0n 2020OT Security - h-c0n 2020
OT Security - h-c0n 2020
 
S2C China ICCAD 2010 Presentation
S2C China ICCAD 2010 PresentationS2C China ICCAD 2010 Presentation
S2C China ICCAD 2010 Presentation
 
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOLGETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
GETTING STARTED WITH DATABASE SECURITY ASSESSMENT TOOL
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 

Bsides Puerto Rico-2017

  • 1. Insecure Obsolete and Trivial The Real IOT BSides Puerto Rico 2017(18) Price McDonald
  • 2. #USERID 0,0 pkm • 10 years InfoSec Experience • Manager, Rapid7 Global Services • Certifications: • GPEN, GREM, GWAPT, GXPN, OSCP • Enjoys long walks to Microcenter, Competitive Shooting and Reverse Engineering.
  • 3. Current State of Hardware Security O’RLY?
  • 4. Current State of Hardware Security Ok, So Hardware Security sucks… But why focus on the hardware?
  • 5. Get the “Things” on the Cheap • Beta Programs • https://www.betabound.com/tp-link-router-private-beta/ • https://beta.linksys.com/ • https://www.beta.netgear.com/signup/ • Flea Markets • Ebay • Craigslist • Garage Sales
  • 9. Component Identification(2) • EOL 802.11G router SoC (System on Chip) • 200 Mhz MIPS32 core • Supports Serial or Parallel Flash • One JTAG and two UART Ports • 336 ball FBGA (Fine-pitch Ball Grid Array) • 32M-BIT Parallel NOR Flash Memory • 3V only • 48-pin TSOP (Thin Small Outline Package) • CMOS DDR400 RAM • 66-pin TSOP II
  • 12. Finding Ground • Using the Multi-Meter we can figure out which of the pins on our headers connect to ground and which have voltage. Ground Voltage Specifically 3.3v • Got Ground?
  • 14. Common Interface Types • UART - Universal Asynchronous Receiver/Transmitter • SPI – Serial Peripheral Interface • I2C – Inter Integrated Circuit • JTAG – Joint Test Action Group – Hardware Debugging Interface • CAN – Controller Area Network (Cars/ATM/etc) • RS232- Serial Interface used on many legacy devices
  • 15. Pinout Reversing • Saleae Logic Analyzer • ~100 Bucks on the low end @ https://www.saleae.com • Also, EDU discounts available up to 50% depending on model. • Keep in mind that logic analyzers are sampling which can cause artificial data depending on the sampling rate and thresholds. • Works for I2C, UART, SPI, JTAG, CAN, etc, etc
  • 16. Saleae Logic UI • Using the Saleae logic analyzer we can watch the pins during boot to check for voltage spikes during. This is a good indication of either a UART, I2C or SPI connection.
  • 17. Saleae Logic Decoders Given that we suspect Async Serial (UART) we will select that analyzer
  • 18. Saleae Logic - Decoding Among small embedded devices 115200 is a very common bit rate so it is an easy guess. But we will also cover a more automated way of determining bit rate.
  • 19. Saleae Logic - Decoding(2) We must also ensure we are configuring the device to analyze the appropriate channel (which are color coded as long as you connect them correctly)
  • 20. Saleae Logic - Output As you can see we are successfully decoding the output from the UART serial connection on our Broadcom chip.
  • 21. Connecting to Interfaces • Bus Pirate • Less of a learning curve • Slower transfer speeds • Supports UART, SPI, I2C and JTAG • Shikra • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C and JTAG • TIAO USB Multiprotocol Adapter • No UI but faster transfer speeds as a result • Supports UART, SPI, I2C, JTAG, RS-232 • Supports multiple connections from same device • Slightly less reliable in my experience
  • 23. Connecting to UART The command used to connect to a UART serial adapter will vary by device and OS but will generally be similar to the command below. sudo screen /dev/[device id] baud rate Or the the case of the Device ID below for the Shikra: sudo screen /dev/ttyUSB0 115200
  • 24. NOW WE HAVE A SHELL! But what’s next? AND THEN?
  • 25. Shell is only the beginning
  • 27. File System Fiddling • MTD is a "Memory Technology Device. • Unix traditionally only knew block devices and character devices. Character devices were things like keyboards or mice, that you could read current data from, but couldn't be seek-ed and didn't have a size. Block devices had a fixed size and could be seek-ed. • A mtdblock is a block device emulated over an mtd device.
  • 28. Hiding in Plain Sight Often times embedded device manufacturers leave important file systems unmounted. Another good Resource: http://wiki.in-circuit.de/index.php5?title=Flashfilesystem_UBIFS
  • 29. Pilfering But, How do we get the file system off of the target device?
  • 31. So what Happens if that doesn’t work? • JTAG stands for (Joint Test Action Group) which was formed in 1985. • The following pins are required for JTAG use: • TDI (Test Data In) • TDO (Test Data Out) • TCK (Test Clock) • TMS (Test Mode Select) • The TCK Pin (Test Clock) is what keeps the clock for the state machine. • THE TMS Pin (Test Mode Select) is what determines when and how the State Machine advances depending on it’s relative position during each clock cycle.
  • 32. JTAG ADAPTERS Good Better Best $45 $60-$600 $5000-$20000
  • 33. Have you heard of the JTAGulator? • Created by Joe Grand @ http://www.grandideastudio.com • ~180-200 Bucks
  • 34. HOW TO CONNECT WITH OPENOCD The command to initiate openocd is : openocd –f interface –f target But now what? There are errors and stuff!!!!! #openocd on Freenode
  • 35. HOW TO CONNECT WITH OPENOCD(2) Silly openocd! That’s more like it J
  • 37. Reverse Engineering • Binary Ninja • Free version available • Limited Architecture Support • Learn one IL to reverse them all • Ida Pro • Paid Version required for disassembly • ARM decompiler available but $$$$ • Also very good debugger • Radare2 • Free multiplatform support • No decompiler available
  • 40. No Shell No Problem
  • 42.
  • 43. Contact Information Contact information twitter: @PriceMcdonald Linkedin: linkedin.com/pricemcdonald Email: pricemcdonald@gmail.com