Stuart McClure, CEO of Cylance Inc., gave a presentation on securing embedded systems and devices. He began by noting the vast number of embedded systems worldwide that were designed without security. He then demonstrated live hacks against a Samsung smart TV, a Tridium building management system, and an electronic lockbox. To conclude, he discussed countermeasures organizations can implement to prevent attacks on embedded systems, such as disabling unnecessary ports, patching vulnerabilities, restricting physical and remote access, and using firewalls, IDS systems and encryption.
This was an ISACA presentation by Nsale Ronnie, a top hacker in Africa working with Ernst and Young. He demonstrated how far ahead other governments are in hardware-based espionage.
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote... - CODE BLUE
Current mobile gadgets include rich devices (high-resolution video camera, microphone, GPS, etc.) which enable high-quantity communication (video conferencing, current location data, etc.). Unfortunately, these rich devices also make it easy to conduct cyber espionage. For example, a high-resolution video camera can be used to read the text on a display, and a GPS device can be used to track the user's location ("Cerberus" and "mSpy" are well known; a Japanese application named "karelog" became a social issue). Such devices should not be used in a company's office or factory, and computer administrators want to prohibit them. Unfortunately, the devices are embedded in the mobile gadget and most of them cannot be disabled via BIOS or EFI.
To solve this problem, we propose a thin hypervisor called "DeviceDisEnabler (DDE)", which hides selected devices from the OS. DDE is a lightweight hypervisor and can be inserted under a pre-installed OS. The OS uses the "IN" instruction to read device information on PCI and USB (Vendor ID, Device Class, etc.); DDE hooks the "IN" instruction and hides the device information if the device is prohibited in the company.
Unfortunately, not only attackers but also employees want to bypass DDE, because they want to use the devices. To prevent bypassing DDE, it encrypts the disk image of the OS, which means the OS cannot be used without the help of DDE. To hide the encryption key, DDE offers three types of key management: a technique that gets the key from the Internet over a secure channel; a technique that hides the key in a TPM chip and obtains it only at a certain state of boot time; and a technique that obfuscates the key into the code using white-box cryptography.
The current implementation is based on BitVisor 1.4 and the target is a mobile gadget with an Intel CPU. I will also talk about the requirements for an ARM CPU based implementation.
Android Mobile Forensics with Custom Recoveries - Ibrahim Mosaad
The presentation describes how Android mobile forensics can be performed through custom recovery partitions. It explains that different forensic functions can be performed on Android phones through the custom recovery partition, such as logical/physical data acquisition, PIN/pattern/passcode bypass, rooting, adb shell and many others. The presentation also illustrates how to build your own custom recoveries.
You will learn how to deploy and manage powerful applications and services with Cloud Services. Configure, monitor, and scale your cloud services in Azure. Using Azure cloud service, you can deploy a multi-tier web application in Azure, defining multiple roles to distribute processing and allow flexible scaling of your application. A cloud service consists of one or more web roles and/or worker roles, each with its own application files and configuration.
Azure Websites and Virtual Machines also enable web applications on Azure. Upload your application and Azure handles the deployment details – from provisioning and load balancing to health monitoring for continuous availability. The main advantage of cloud services is the ability to support more complex multi-tier architectures.
IoT, Impact Investing and Innovation - Public Masterclass - Brisbane, Australia - Matthew Bailey
Masterclass to community and business leaders, investors and entrepreneurs on how IoT offers the opportunity to create a purpose driven and sustainable world tackling global issues. The latest and very best Smart City Innovation Frameworks. How IoT can be combined with Impact Investing to become a global powerhouse to solve challenges facing nations, cities and communities.
Copyright and property of Matthew Bailey 2016
Your SCADA system has a vulnerability, now what? I briefly summarize the DNP3 vulnerabilities (and those of other ICS protocols too). Then I focus on the different mitigations an ICS owner can apply against these types of protocol implementation vulnerabilities even if there is no patch or patches can't be installed. I also show the importance of Network Security Monitoring to help detect and respond to anomalies in ICS/SCADA networks.
Having developed a test set, we started to research how safe it is for clients to use the 4G networks of telecommunication companies. During the research we tested SIM cards, 4G USB modems, radio components and the IP access network. First of all we looked for vulnerabilities that could be exploited remotely, via the IP or radio network.
And the results were not long in arriving. In some cases we managed to attack SIM cards and install a malicious Java applet there; we were able to update USB modem firmware remotely, to change the password on a self-care portal via SMS and even to get access to the internal technological network of a carrier.
Further attack evolution helped us understand how a simple SMS can be used as an exploit that is able not only to compromise a USB modem and all the communications that go through it, but also to install a bootkit on the box that this modem is connected to.
REMOTE CONTROL SYSTEM V5.3
In modern digital communications, encryption is widely employed to protect users from eavesdropping.
Unfortunately, encryption also prevents law enforcement and intelligence agencies from being able to monitor and prevent crimes and threats to national security.
Remote Control System (RCS) is a solution designed to evade encryption by means of an agent installed directly on the device to be monitored. Evidence collection on monitored devices is stealthy, and transmission of collected data from the device to the RCS server is encrypted and untraceable.
HackingTeam White Paper
HackingTeam Remote Control System (RCS) & Exploit Portal (https://www.linkedin.com/pulse/hackingteam-remote-control-system-rcs-exploit-portal-mayur-agnihotri?trk=mp-reader-card)
RCS Network Injector (https://www.linkedin.com/pulse/rcs-network-injector-mayur-agnihotri?trk=mp-reader-card)
RCS Remote Mobile Infection (https://www.linkedin.com/pulse/rcs-remote-mobile-infection-mayur-agnihotri?trk=mp-reader-card)
Hack.lu 2006 - All your Bluetooth is belong to us - Thierry Zoller
During our research on Bluetooth security we uncovered multiple implementation vulnerabilities in drivers, software and stacks. This presentation will explain the reasons for and the consequences of these findings. More importantly, however, protocol weaknesses were discovered and shown live on stage.
http://events.ccc.de/congress/2006/Fahrplan/speakers/1290.en.html
The prevalence of computers in the form of so-called "smart" devices embedded in our everyday environment is inevitable. From a pentester's perspective, the adjective "smart" at first glance can hardly be used to describe their inventors and ambassadors.
Based on a few examples (among others BTLE beacons, smart meters, security cameras...) I will show how easily "smart" devices can be outsmarted. Sometimes you don't even need any 'hacking' skills, or the default configuration is wide open. But are we doomed? What are the conditions for a real threat? Can the vulnerabilities be exploited anonymously and as easily as in a web application? Where is the physical border the intruder would be likely to cross? The risks involved are usually different, but does that mean we don't have to worry? Are we sure how to use the emerging technology securely?
D1 T1 - T. Yunusov, K. Nesterov - Bootkit via SMS - qqlan
IoT offers a plethora of new protocols and frequencies over which communication travels. Protocols and services such as SSDP, P25, Zigbee, Z-Wave, WiFi and more provide countless ways to exfiltrate data or infiltrate the network. Through real-world examples, sample code and demos, presenters will bring to light these threats and new methods for detecting aberrant behavior emanating to/from these devices.
Learning Objectives:
1: Gain a better understanding of the many IoT protocols, frequencies and services.
2: Learn how IoT communications can be exploited to exfiltrate data from your network.
3: Obtain a list of techniques for detecting these aberrant IoT behaviors.
(Source: RSA Conference USA 2018)
Presenter: Mikael Vingaard, EnergiNet.dk
The goal of having a honeypot (a fake 'vulnerable' IT system/service) is to learn more about your attackers and the methods they will use to breach your ICS/SCADA systems – but how can the energy sector actually benefit from using a honeypot?
The Danish information security researcher Mikael Vingaard has used various free open source software packages to deploy ICS/SCADA honeypot systems, and will share his experiences from the research and present interesting findings from the collected information.
The talk will discuss the pros and cons of honeypots, how to use honeypots as an early-warning system, and add some points on using honeypot systems as seen from the energy sector.
The presentation will show that gaining access to actual ICS threat intelligence can be done – even in budget-constrained organizations.
Your Thing is Pwned - Security Challenges for the IoT - WSO2
The Internet of Things and Machine to Machine are growing areas, and security and privacy are prime issues. In this session security challenges are examined around using M2M devices with protocols such as MQTT & CoAP - encryption, federated identity and authorisation models in particular.
On the topic of encryption, we’ll examine securing MQTT with TLS, challenges with Arduino, and using hardware encryption for microcontrollers. A key privacy requirement for user-centric IoT use cases will be giving users control over how their things collect and share data. On the Internet, protocols like OAuth 2.0, OpenID Connect & User Managed Access have been defined to enable a privacy-respecting user consent & authorization model. We'll look at the issues with applying these protocols to the M2M world and review existing proposals & activity for extending the above M2M protocols to include federated identity concepts.
The session included a live demonstration of Arduino and Eclipse Paho inter-operating secured by OAuth 2.0.
On information security threats relevant to developers of information protection tools (СЗИ) - SelectedPresentations
Aleksey Igorevich Kachalin, expert, Interregional Public Organization «АЗИ» (AZI)
IV AZI Forum
"Current Issues of Information Security in Russia"
Moscow, МТУСИ (MTUCI) Congress Centre, 14 April 2015
On information security threats relevant to developers of information protection tools (СЗИ)
EXP-W21
1. Session ID: EXP-W21
Session Classification: Advanced
Hacking Exposed: Embedded - Securing the Unsecurable
Stuart McClure, CEO, Cylance Inc.
Billy Rios, Terry McCorkle, Justin W. Clarke, Chris Abad
3. World of Embedded
Estimated 10 billion worldwide
Designed without security
Endless connectivity options
Few protective solutions
4. Embedded and Real-Time Operating Systems
Access Linux Platform
AirOS by Ubiquiti Networks
AlliedWare by Allied Telesis
Android
bada
BlackBerry OS
Boot to Gecko
brickOS
CatOS by Cisco Systems
Cisco IOS by Cisco Systems
Contiki
DD-WRT by NewMedia-NET
DSPnano RTOS
eCos
Embedded Linux
Embedded Linux by Wind River
FreeBSD
freeRTOS, openRTOS and safeRTOS
FTOS by Force10 Networks
Green Hills Software
Inferno (Bell Labs)
iOS (a subset of Mac OS X)
IOS-XR by Cisco Systems
IronWare by Foundry Networks
JunOS by Juniper Networks
leJOS
LiMo Platform
MeeGo (Maemo & Moblin)
MINIX
Mobilinux
MotoMagx
NCOS
Openmoko Linux
OPhone
Palm OS
PEN/GEOS, GEOS-SC, GEOS-SE
polyBSD (embedded NetBSD)
Qt Extended
REX OS (microkernel OS)
ROM-DOS
RouterOS by Mikrotik
RTOS by Force10 Networks
RuggedCom OS by RuggedCom
ScreenOS by Juniper Networks
Symbian OS platform
ThreadX
Timos by Alcatel-Lucent
TinyOS
uClinux
Unison Operating System by RoweBots
VxWorks by Wind River Systems
webOS
Windows CE
Windows Embedded
Windows Embedded Enterprise
Windows Embedded POSReady
Windows Embedded Standard
Windows Mobile
Wombat OS (microkernel OS)
µTasker
5. ARM
Atmel ARM
Atmel AVR32
BlackFin
CEVA-TeakLite-III
ColdFire/68K
Energy Micro EFM32
Freescale ARM
Fujitsu FM3
G-Series
Hitachi H8/300H
Infineon XMC-4000
Leon3
M-CORE
MicroBlaze
Microchip PIC24/dsPIC
Microchip PIC32
MIPS
Nios II
NXP
ThreadX by ExpressLogic (rtos.com)
Power Architecture
Renesas RX
Renesas SH
Renesas V8xx
SHARC
ST Microelectronics STM32
StarCore
StrongARM
Synopsys ARC
TI ARM
TI MSP430
TMS320C54x
TMS320C6x
Univers A2P
Win32
x86/x386
Xilinx ARM
Xscale
Xtensa/Diamond
7. Shared Secrets
Private certificates
Hardcoded passwords and backdoors
Open source bugs
Weak cryptography
Weak authentication
“Real” Security Flaws
Exploitation of server software (HMI, Management, Web)
I/O communications
Distributed/Denial of Service
Exploitation of ladder logic
10. UDP Port 17185 - Debug port running on some 250M devices worldwide
“THAT stuff’s not on MY network…”
Redline RedCONNEX AN80
HP StorageWorks MSA2012i
Toshiba e-Studio Network Printer
IBM TotalStorage SAN Switch
Canon ImageRunner Printer/Copier
Cisco MGX Chassis OS
Sonicwall Appliances
Xerox Phaser 5400
Cisco Wireless IP phones
11. True 0-days (public and vendor don’t know)
¼-days (vendor knows, public doesn’t, no fix)
½-days (vendor and public know, no fix)
¾-days (patch available, not installed)
∞-days (it’s a feature! Vendor knows about it, has chosen not to fix it)
So we worry about the WRONG things…
13. "He treated it like any other schoolboy might a giant train set, but it was lucky nobody was killed."
- Miroslaw Micor, Lodz Police
• 14-year-old
• Modified infrared TV remote control
• Changed track points
• Derailed 4 trams
• 12 people injured
Jan. 2008 – Lodz, Poland
19. Hack Scenario
► Sit in car outside office parking lot
► Samsung TVs in the lobby
► Gain access to internal network
► Find and attack the Building Management Server
► Control door access
► When all else fails, just use “the key”…
20. Samsung “Smart” TV Vulnerability
Unauthenticated IR
Universal remote, replaced IR LED with IR laser
Long distance (200 feet) possible
Full reconfiguration of TV, including TV as access point
Access to full network resources
Pose as the user on the system for FB, Twitter, mail, etc.
25. Lockbox Vulnerability
Hardened, weatherproof, industrial key storage
Fire/Police/Emergency access
Keyed by district/county/state
Available on eBay
Rekeying possible
Instant access to buildings
Shared secret problem
29. Samsung Countermeasures
► Disable IR port w/ black electrical tape
► Use your Bluetooth remote until…
► IDS to detect suspect network attempts
► Patched and hardened endpoint with firewalls
► Hardwire network onto DMZ network
► Make sure all patches have been applied as soon as they are made available
► Double-pane or tinted window glass
30. Tridium Countermeasures
► Restrict physical access to the box
► Remove systems from the Internet
► ACLs for approved remote management IPs:
  ► Web (80)
  ► Fox TCP 1911 and Platform TCP 3011 (restrict at firewall and alert)
► Enforce VPN in front of any systems
► Sign the Java modules (vendor should do this)
► Inline serial PLC monitoring IN/OUT
► Hardware safety controls
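As an added example (not from the slides, Cylance or Tridium), the following Python applies the "restrict at firewall and alert" countermeasure above to firewall connection logs: management ports 80, 1911 and 3011 on the building-management host may only be reached from approved addresses, and any traffic to the UDP 17185 debug port from slide 10 is flagged wherever it goes. The log format, hosts and networks are constructed for the example.

```python
"""Alert on management-port traffic to a Tridium host from non-approved sources,
and on any traffic to the UDP 17185 debug port. Constructed example: the log
format, hosts, networks and timestamps below are made up for illustration."""
import ipaddress
from dataclasses import dataclass

# Ports named on the countermeasure slide: Web (80), Fox TCP 1911, Platform TCP 3011.
MANAGEMENT_PORTS = {("tcp", 80), ("tcp", 1911), ("tcp", 3011)}
# Debug port named on slide 10; there is no legitimate remote use, so always alert.
DEBUG_PORTS = {("udp", 17185)}


@dataclass(frozen=True)
class Alert:
    line_no: int
    src: str
    dst: str
    proto: str
    dport: int
    reason: str


def parse_line(line):
    """Parse 'ts src dst proto dport action' (constructed, simplified log format)."""
    ts, src, dst, proto, dport, action = line.split()
    return ts, src, dst, proto.lower(), int(dport), action.upper()


def check_logs(lines, approved_mgmt_nets, tridium_hosts):
    """Return one Alert per log line that violates the ACL policy.

    approved_mgmt_nets: CIDR strings of stations allowed to reach management ports.
    tridium_hosts: IP strings of the building-management controllers.
    A management-port hit from a non-approved source is flagged whether the
    firewall allowed it (an ACL gap) or blocked it (an attempt worth alerting on).
    """
    nets = [ipaddress.ip_network(n) for n in approved_mgmt_nets]
    targets = {ipaddress.ip_address(h) for h in tridium_hosts}
    alerts = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.startswith("#"):
            continue  # skip blank lines and the constructed header comment
        _, src, dst, proto, dport, action = parse_line(line)
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        key = (proto, dport)
        if key in DEBUG_PORTS:
            alerts.append(Alert(n, src, dst, proto, dport,
                                "debug port 17185 must never be reachable"))
        elif key in MANAGEMENT_PORTS and dst_ip in targets:
            if not any(src_ip in net for net in nets):
                why = "allowed by firewall" if action == "ALLOW" else "blocked"
                alerts.append(Alert(n, src, dst, proto, dport,
                                    f"management port from non-approved source ({why})"))
    return alerts


# Constructed sample log: 10.10.5.0/24 is the approved management subnet,
# 10.20.0.7 is the Tridium controller.
SAMPLE_LOG = """\
# constructed: ts src dst proto dport action
2013-02-26T08:00:01 10.10.5.20 10.20.0.7 tcp 1911 ALLOW
2013-02-26T08:00:05 10.10.9.44 10.20.0.7 tcp 1911 ALLOW
2013-02-26T08:00:09 10.10.9.44 10.20.0.7 tcp 3011 DENY
2013-02-26T08:00:12 10.10.9.44 10.20.0.7 tcp 443 ALLOW
2013-02-26T08:00:15 10.10.9.44 10.20.0.9 udp 17185 ALLOW
2013-02-26T08:00:20 10.10.5.20 10.20.0.7 tcp 80 ALLOW
""".splitlines()


def demo():
    """Run the check over the constructed log; returns alerts for lines 3, 4 and 6."""
    return check_logs(SAMPLE_LOG, ["10.10.5.0/24"], ["10.20.0.7"])


if __name__ == "__main__":
    for a in demo():
        print(f"line {a.line_no}: {a.src} -> {a.dst}:{a.dport}/{a.proto}: {a.reason}")
```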
31. Lockbox Countermeasures
► Connect tamper switches from a Knox Box to fire and/or security alarm system(s)
► Track and audit all keys and other materials within your Knox Box
► Have a plan to revoke access to any compromised keys within your Knox Box
► Install and manage CCTV
► Ensure Knox Boxes are within your CCTV’s field of view
► Use this as a lesson to think about other inherent low-hanging risks to your facilities that may be overlooked
► Install and manage Door Entry Alarm systems (and don’t let them get hacked)