SlideShare a Scribd company logo

Kavya racharla ndh-naropanth_fin

PacSecJP
PacSecJP

This document discusses attacks on wearable-mobile communication over Bluetooth Low Energy (BLE). It notes that while BLE uses encryption, any app on a device can subscribe to the same BLE channels and characteristics as legitimate apps to access sensitive data or send commands. This poses a risk as malware could obtain private data like heart rate or put devices into recovery mode. The document proposes mitigations like app-to-device pairing to restrict access to only registered apps and using application-specific keys to protect command integrity and data confidentiality. Future enhancements to mobile platforms and BLE specifications are needed to better support authentication and encryption between apps and devices.

Internet
1 of 38
Download to read offline
WHEN ENCRYPTION IS NOT ENOUGH: 
 ATTACKING WEARABLE – MOBILE COMMUNICATION OVER BLE
 Kavya Racharla Sumanth Naropanth
Why are we here? Encryption != Security • Wearables Security • How things mess up when mobiles & wearables talk to each other • BT/BLE
Who are we? • Sumanth • Security Research Manager & Tech Lead – New Devices Group, Intel • Sun Microsystems & Palm • Kavya Racharla • Security Researcher — New Devices Group, Intel • Oracle & Qualcomm
• The Facts
 
 • The Weakness
 
 • The Mitigation Agenda
• The Facts
 
 • The Weakness
 
 • The Mitigation Agenda
• IoT – connecting any device with an on/off switch to the internet • Cost and low power consumption are significant considerations • BT/BLE FTW! • Connected world —>Huge amounts of data —> Lot of concerns • Security on top of the list : Baby monitor, wearable and Wireless Car hacks! Why Wearables/IoT
BT Classic vs BLE Bluetooth Classic Bluetooth Low Energy Range (theoretical) 100 m > 100 m Power consumption 1 W 0.01 to 0.5 W Peak current consumption <30 mA <15 mA Data rate 1-3 Mbit/s 1 Mbit/s Radio Frequencies 2.4 GHz 2.4 GHz Focus Wireless protocol for short range data exchange Low power consumption – periodic exchange of small amounts of dataUse Cases Wireless speakers, headsets Wearable devices, smart pay systems • Bluetooth 5 is here! 4x Range and 2x Speed
GAP
 Defines how devices discover, connect and create bonding between them SMP Protocol for pairing and key distribution and authenticating other device Shared secrets can be managed and hence speed-up the reconnection process L2CAP Multiplexing layer for BLE GATT Describes characteristics, services and type of attributes/ their usage ATT Simple Client/ Server stateless protocol with rules for accessing data on a peer device BLE Protocol Stack
Ad Ad Advertising interval Scanning Conn. Req. GATT Server Or Peripheral GATT Client Or Central Data Data Data Connection interval Data Broadcaster Observer How it works
Secure Simple Pairing • Just Works: very limited/ no user interface • Numeric Comparison: devices with display plus yes/no button • Passkey Entry: 6 digit pin as the pass key • Out Of Band: Use of an out of the band channel against MITM attacks Pairing Algorithms
Pairing req. Capabilities, list of keys to be distributed and authentication requirements Pairing resp. TK STKSrand Mrand Distribute LTK, IRK and CSRK over link encrypted with STK Further secure communication on channel encrypted with LTK IRK : LE privacy by the use of random addresses
 CSRK : Resolve a signature and authenticate sender
 Supported Algorithms ECDH for key exchange AES-CCM for encryption BLE Security
Object Model: • Main objects • CBCentralManager • CBPeripheral • CBPeripheralManager • CBCentral • Data objects • CBService • CBCharacteristic • Helper objects • CBUUID Core Bluetooth - iOS
•Introduced in the core Android framework in 4.3 or API Level 18
 •Declaration of necessary permissions in the manifest •“BLUETOOTH” permission •necessary to perform any communication •request/accept a connection, transfer data
 •“BLUETOOTH_ADMIN” permission •app to initiate device discovery •manipulate Bluetooth settings Android - BLE support
• Security largely depends on the chosen flavor of the pairing mechanism • Passive attacks • Eavesdropping on the pairing session compromises encryption keys • Mike Ryan’s research: With Low Energy comes Low Security • Just works vulnerable to active attacks • MITM attacks: Just works mode Known Security Risks
Agenda • The Facts
 
 • The Weakness
 
 • The Mitigation
Wearables BT/BLE/ANT+ BT/BLE Back End Services HTTPS
The Problem – Prelude Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes)
The Problem – Prelude Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes) BLE - ENCRYPTED ATTACKER
The Problem Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes) BLE - ENCRYPTED ATTACKER
Root Cause All applications on Android and iOS can subscribe to the BT service and get the data on the same BT channels or BLE characteristics as the legitimate app • Android • android.permission.BLUETOOTH • android.permission.BLUETOOTH_ADMIN – quote: • iOS • Core Bluetooth (CB) Framework • Centrals (client/phone) and Peripherals (server/wearable) classes
Example – Wearable Ecosystem 1 • Uses BLE • Proprietary code • Existing market research for format of messages and headers • Malware app subscribes to the known BLE characteristics gets data synced with the legit app
Example – Wearable Ecosystem 1
Example – Wearable Ecosystems 2 • Use BT, BLE and WiFi
 • Device can sync directly to the cloud • Fewer app-associated threats
 • Malware app (GATT characteristics scan/read/write) does not pick up any user information
Example – Wearable 3 • Similar, but with a twist • Malware application cannot send commands to the wearable by itself • Legitimate app opens a connection to the device • The malware app piggybacks to send commands to the wearable Moral: Partial security does not help • Protect not just the handshake but every message
Example – Wearable 3
Malware Proof of Concept Wearable device sends heart rate data continuously over BLE if ((charaProp | BluetoothGattCharacteristic.PROPERTY_NOTIFY) > 0) {
 mNotifyCharacteristic = characteristic;
 mBluetoothLeService.setCharacteristicNotification(
 characteristic, true);
 }
 return true;
 } public void onCharacteristicChanged(BluetoothGatt gatt,
 BluetoothGattCharacteristic characteristic) { final byte[] data = characteristic.getValue(); ... if (characterstics.equals("558dfa01-4fa8-4105-9f02-4eaa93e62980"))
 {
 
 int[] dataArray = new int[data.length];
 int i = 0;
 for (byte b : data)
 dataArray[i++] = b & 0xff;
 int steps = ((dataArray[5] & 0xff) << 8) | (dataArray[4] & 0xff);
 int calories = ((dataArray[13] & 0xff) << 8) | (dataArray[12] & 0xff);
 int heartRate = dataArray[18];
 System.out.println("malware: Steps = "+ steps +" , calories = “+ calories +", HearRate = “+heartRate);
 } } Malware app subscribes to the same GATT profiles, captures the raw data and parses to get useful personal data
• Activity data and exercise modes • HR, calories, distance, skin temperature, etc. • Fine-grained GPS patterns = user location • Malware app puts the device into recovery mode without a follow-up FW image • User will need to take the device to a service center to recover • Change the device name to cause temporary DoS “Malware on my phone?” Never! But… Confidentiality • Malware executes commands on the device • Changing device name to rogue values • See list for more commands Integrity Availability PR Problems • Hot research topic • BORE risk Why should we care?
Agenda • The Facts
 
 • The Weakness
 
 • The Mitigation
Objectives • Allow communication only between the legitimate application on the phone and the wearable device
 • Protect confidentiality of sensitive data sent from the wearable to phone • activity data – HR, Calories, activity information, etc. • Application specific feedback or inputs – music, notifications, etc.
 • Protect integrity of all commands sent from the companion app to the wearable
Assumptions & Non-Objectives • Out of the Box Experience (OOBE) occurs with the legit application • Phone is not rooted/jail-broken • Pre-existing application sandbox breaking vulnerabilities • Man-In-The-Middle attack during BLE pairing
BLE Pairing Mitigation Overview Multiple applications use BLE link layer to transmit data Malware has access to the same BLE pairing as legit app App to Device Pairing App to device pairing restricts access to registered app BLE Stack BLE Hardware BLE Stack BLE Hardware
Mitigation Design Key Exchange - Application Specific Key Kp Protect Integrity — HMAC(Kp, command) Protect Confidentiality — E(Kp, data) Ignorant of Kp. Cannot Read/Write
Mitigation — Real World Web portal & Services Service A Service B Service C Multipletrustedappsonmultipletrustedphones Cloud-based account & key management Wearable device may offer services to multiple apps
Mitigation Considerations • #apps to #wearable services mapping • Crypto support • Performance • Key management • Wearable • Phone • Cloud?
Demo – Fix
The Future • Android and iOS Security enhancements • Support for App to Device security • BLE Spec support for authentication and encryption • Both
Summary • Soft underbelly: • Bluetooth/BLE Spec • Adoption of the spec on popular smartphone platforms
 • Medium Risk (malware on the phone); High Impact (sensitive user information) • Severe impact for wearables with security and finance use cases • Apple Watch Auto Unlock • Pay • Protecting from network attackers is not enough • Onus on App developers and wearable OEMs to add an extra layer of security for
 App <— —> Device communication
Thanks!
 (and Q&A) @kavyaracharla @snaropanth

Recommended

Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
Positive Hack Days
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
CODE BLUE
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Priyanka Aash
 

Recommended

Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2Yunusov babin 7 sins pres atm v2
Yunusov babin 7 sins pres atm v2
PacSecJP
 
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
Ryder robertson security-considerations_in_the_supply_chain_2017.11.02
PacSecJP
 
Lucas apa pacsec slides
Lucas apa pacsec slidesLucas apa pacsec slides
Lucas apa pacsec slides
PacSecJP
 
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблюNFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
NFC: Naked Fried Chicken / Пентест NFC — вот что я люблю
Positive Hack Days
 
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
[CB16] ATMS how to break them to stop the fraud. by Olga Kochetova & Alexey O...
CODE BLUE
 
Fingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare InfrastructureFingerprinting and Attacking a Healthcare Infrastructure
Fingerprinting and Attacking a Healthcare Infrastructure
Positive Hack Days
 
Solnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsecSolnik secure enclaveprocessor-pacsec
Solnik secure enclaveprocessor-pacsec
PacSecJP
 
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systemsDefcon 22-cesar-cerrudo-hacking-traffic-control-systems
Defcon 22-cesar-cerrudo-hacking-traffic-control-systems
Priyanka Aash
 
Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
Riscure
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
Riscure
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
Jason Shen
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
Chris Sistrunk
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
Riscure
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
Riscure
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Niek Timmers
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
Chris Sistrunk
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 
Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
PacSecJP
 

More Related Content

What's hot

Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
PacSecJP
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
Ollie Whitehouse
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
Riscure
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
Security Weekly
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
Riscure
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
Jason Shen
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
Yashin Mehaboobe
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
Chris Sistrunk
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
Chris Sistrunk
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
Riscure
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
Zoltan Balazs
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CanSecWest
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Riscure
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
Marina Krotofil
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
Riscure
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
pgmaynard
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
Niek Timmers
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
Chris Sistrunk
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
CODE BLUE
 

What's hot (20)

Kochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__finalKochetova+osipv atm how_to_make_the_fraud__final
Kochetova+osipv atm how_to_make_the_fraud__final
 
Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems Practical Security Assessments of IoT Devices and Systems
Practical Security Assessments of IoT Devices and Systems
 
Efficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive FirmwareEfficient Reverse Engineering of Automotive Firmware
Efficient Reverse Engineering of Automotive Firmware
 
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
CODE BLUE 2014 : DeviceDisEnabler : A hypervisor which hides devices to prote...
 
Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)Attacking Embedded Devices (No Axe Required)
Attacking Embedded Devices (No Axe Required)
 
Software Attacks on Hardware Wallets
Software Attacks on Hardware WalletsSoftware Attacks on Hardware Wallets
Software Attacks on Hardware Wallets
 
Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009Stanford Cybersecurity January 2009
Stanford Cybersecurity January 2009
 
Making and breaking security in embedded devices
Making and breaking security in embedded devicesMaking and breaking security in embedded devices
Making and breaking security in embedded devices
 
Master Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS VillageMaster Serial Killer - DEF CON 22 - ICS Village
Master Serial Killer - DEF CON 22 - ICS Village
 
DEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICSDEF CON 23 - NSM 101 for ICS
DEF CON 23 - NSM 101 for ICS
 
Controlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault InjectionControlling PC on ARM using Fault Injection
Controlling PC on ARM using Fault Injection
 
Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015Sandbox detection: leak, abuse, test - Hacktivity 2015
Sandbox detection: leak, abuse, test - Hacktivity 2015
 
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoTCSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
CSW2017 Yuhao song+Huimingliu cyber_wmd_vulnerable_IoT
 
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & DefensesSecure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
Secure Boot Under Attack: Simulation to Enhance Fault Attacks & Defenses
 
Defcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slidesDefcon through the_eyes_of_the_attacker_2018_slides
Defcon through the_eyes_of_the_attacker_2018_slides
 
Riscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glanceRiscure Assurance for Premium Content at a glance
Riscure Assurance for Premium Content at a glance
 
Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104Man in the middle attacks on IEC 60870-5-104
Man in the middle attacks on IEC 60870-5-104
 
PEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot SecurelyPEW PEW PEW: Designing Secure Boot Securely
PEW PEW PEW: Designing Secure Boot Securely
 
RSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS SecurityRSAC 2016: How to Get into ICS Security
RSAC 2016: How to Get into ICS Security
 
Man in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing YangMan in the NFC by Haoqi Shan and Qing Yang
Man in the NFC by Haoqi Shan and Qing Yang
 

Viewers also liked

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
PacSecJP
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
PacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
PacSecJP
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
PacSecJP
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
PacSecJP
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
PacSecJP
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
PacSecJP
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
PacSecJP
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
PacSecJP
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
PacSecJP
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
PacSecJP
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
PacSecJP
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
PacSecJP
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
PacSecJP
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
PacSecJP
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
PacSecJP
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
PacSecJP
 
Moony li pacsec-1.8
Moony li pacsec-1.8Moony li pacsec-1.8
Moony li pacsec-1.8
PacSecJP
 

Viewers also liked (20)

Kavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-finalKavya racharla ndh-naropanth_fin_jp-final
Kavya racharla ndh-naropanth_fin_jp-final
 
Anıl kurmuş pacsec3
Anıl kurmuş pacsec3Anıl kurmuş pacsec3
Anıl kurmuş pacsec3
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-jYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final-j
 
Ryder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jpRyder robertson pac-sec skeleton 2017_jp
Ryder robertson pac-sec skeleton 2017_jp
 
Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026Shusei tomonaga pac_sec_20171026
Shusei tomonaga pac_sec_20171026
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Lucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-finalLucas apa pacsec_slides_jp-final
Lucas apa pacsec_slides_jp-final
 
Rouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jpRouault imbert view_alpc_rpc_pacsec_jp
Rouault imbert view_alpc_rpc_pacsec_jp
 
Rouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsecRouault imbert alpc_rpc_pacsec
Rouault imbert alpc_rpc_pacsec
 
Di shen pacsec_jp-final
Di shen pacsec_jp-finalDi shen pacsec_jp-final
Di shen pacsec_jp-final
 
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_finalYuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
Yuki chen from_out_of_memory_to_remote_code_execution_pac_sec2017_final
 
Di shen pacsec_final
Di shen pacsec_finalDi shen pacsec_final
Di shen pacsec_final
 
Yunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jpYunusov babin 7sins-pres_atm_v4(2)_jp
Yunusov babin 7sins-pres_atm_v4(2)_jp
 
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
Ahn pacsec2017 key-recovery_attacks_against_commercial_white-box_cryptography...
 
Shusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jpShusei tomonaga pac_sec_20171026_jp
Shusei tomonaga pac_sec_20171026_jp
 
Anıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-jaAnıl kurmuş pacsec3-ja
Anıl kurmuş pacsec3-ja
 
Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2Marc schoenefeld grandma‘s old handbag_draft2
Marc schoenefeld grandma‘s old handbag_draft2
 
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
Nishimura finding vulnerabilities-in-firefox-for-i-os-(nishimunea)
 
Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2Jurczyk windows metafile_pacsec_v2
Jurczyk windows metafile_pacsec_v2
 
Moony li pacsec-1.8
Moony li pacsec-1.8Moony li pacsec-1.8
Moony li pacsec-1.8
 

Similar to Kavya racharla ndh-naropanth_fin

When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
Shakacon
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
Priyanka Aash
 
R U aBLE? BLE Application Hacking
R U aBLE? BLE Application HackingR U aBLE? BLE Application Hacking
R U aBLE? BLE Application Hacking
Tal Melamed
 
JAM805 - Beyond the Device
JAM805 - Beyond the DeviceJAM805 - Beyond the Device
JAM805 - Beyond the Device
Dr. Ranbijay Kumar
 
IoT on azure
IoT on azureIoT on azure
IoT on azure
Joanna Lamch
 
How to use Bluetooth® Smart to control your embedded device with a mobile device
How to use Bluetooth® Smart to control your embedded device with a mobile deviceHow to use Bluetooth® Smart to control your embedded device with a mobile device
How to use Bluetooth® Smart to control your embedded device with a mobile device
Anaren, Inc.
 
Can a browser become an IoT Gateway?
Can a browser become an IoT Gateway?Can a browser become an IoT Gateway?
Can a browser become an IoT Gateway?
Sooraj Sanker
 
Wearables, Things & Apps - Mobile Dev + Test '15
Wearables, Things & Apps - Mobile Dev + Test '15Wearables, Things & Apps - Mobile Dev + Test '15
Wearables, Things & Apps - Mobile Dev + Test '15
Chris Beauchamp
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns
John Mathon
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
Lohith Haravu Chandrashekar
 
Internet of things
Internet of thingsInternet of things
Internet of things
Selvaraj Kesavan
 
Iot Security
Iot SecurityIot Security
Iot Security
MAITREYA MISRA
 
WSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in FinanceWSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in Finance
WSO2
 
BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth
Zach Dennis
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
Precisely
 
Azure Internet of Things
Azure Internet of ThingsAzure Internet of Things
Azure Internet of Things
Alon Fliess
 
Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Aymeric Weinbach
 
Testing in the IoT Era
Testing in the IoT EraTesting in the IoT Era
Testing in the IoT Era
TechWell
 
IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairing
Guy Vinograd ☁
 

Similar to Kavya racharla ndh-naropanth_fin (20)

When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
When Encryption is Not Enough...Sumanth Naropanth, Chandra Prakash Gopalaiah ...
 
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
(Sacon) Sumanth Naropanth - IoT network & ecosystem security attacks & secur...
 
R U aBLE? BLE Application Hacking
R U aBLE? BLE Application HackingR U aBLE? BLE Application Hacking
R U aBLE? BLE Application Hacking
 
JAM805 - Beyond the Device
JAM805 - Beyond the DeviceJAM805 - Beyond the Device
JAM805 - Beyond the Device
 
Wireless personal area networks(PAN)
Wireless personal area networks(PAN)Wireless personal area networks(PAN)
Wireless personal area networks(PAN)
 
IoT on azure
IoT on azureIoT on azure
IoT on azure
 
How to use Bluetooth® Smart to control your embedded device with a mobile device
How to use Bluetooth® Smart to control your embedded device with a mobile deviceHow to use Bluetooth® Smart to control your embedded device with a mobile device
How to use Bluetooth® Smart to control your embedded device with a mobile device
 
Can a browser become an IoT Gateway?
Can a browser become an IoT Gateway?Can a browser become an IoT Gateway?
Can a browser become an IoT Gateway?
 
Wearables, Things & Apps - Mobile Dev + Test '15
Wearables, Things & Apps - Mobile Dev + Test '15Wearables, Things & Apps - Mobile Dev + Test '15
Wearables, Things & Apps - Mobile Dev + Test '15
 
Successful Industrial IoT patterns
Successful Industrial IoT patterns Successful Industrial IoT patterns
Successful Industrial IoT patterns
 
Security Issues in Internet of Things
Security Issues in Internet of ThingsSecurity Issues in Internet of Things
Security Issues in Internet of Things
 
Internet of things
Internet of thingsInternet of things
Internet of things
 
Iot Security
Iot SecurityIot Security
Iot Security
 
WSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in FinanceWSO2Con EU 2015: IoT in Finance
WSO2Con EU 2015: IoT in Finance
 
BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth BTLE (Bluetooth Low Energy) and CoreBluetooth
BTLE (Bluetooth Low Energy) and CoreBluetooth
 
Controlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and DataControlling Access to IBM i Systems and Data
Controlling Access to IBM i Systems and Data
 
Azure Internet of Things
Azure Internet of ThingsAzure Internet of Things
Azure Internet of Things
 
Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot Gab 2015 aymeric weinbach azure iot
Gab 2015 aymeric weinbach azure iot
 
Testing in the IoT Era
Testing in the IoT EraTesting in the IoT Era
Testing in the IoT Era
 
IoT setup and pairing
IoT setup and pairingIoT setup and pairing
IoT setup and pairing
 

More from PacSecJP

Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
PacSecJP
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
PacSecJP
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
PacSecJP
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
PacSecJP
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
PacSecJP
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
PacSecJP
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
PacSecJP
 

More from PacSecJP (7)

Marc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_jaMarc schoenefeld grandma‘s old handbag_draft2_ja
Marc schoenefeld grandma‘s old handbag_draft2_ja
 
Kasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-correctedKasza smashing the_jars_j-corrected
Kasza smashing the_jars_j-corrected
 
Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3Jurczyk windows metafile_pacsec_jp3
Jurczyk windows metafile_pacsec_jp3
 
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_finalWenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
Wenyuan xu Minrui yan can you trust autonomous vehicles_slides_liu_final
 
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-jaWenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
Wenyuan xu Minrui Yan can you trust autonomous vehicles_slides_liu_final-ja
 
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jpNishimura i os版firefoxの脆弱性を見つけ出す_jp
Nishimura i os版firefoxの脆弱性を見つけ出す_jp
 
Moony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinalMoony li pacsec-1.5_j4-truefinal
Moony li pacsec-1.5_j4-truefinal
 

Recently uploaded

JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Sanjeev Rampal
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
natyesu
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
Arif0071
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
JungkooksNonexistent
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
VivekSinghShekhawat2
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 

Recently uploaded (20)

JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and GuidelinesMulti-cluster Kubernetes Networking- Patterns, Projects and Guidelines
Multi-cluster Kubernetes Networking- Patterns, Projects and Guidelines
 
BASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptxBASIC C++ lecture NOTE C++ lecture 3.pptx
BASIC C++ lecture NOTE C++ lecture 3.pptx
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...test test test test testtest test testtest test testtest test testtest test ...
test test test test testtest test testtest test testtest test testtest test ...
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
 
Latest trends in computer networking.pptx
Latest trends in computer networking.pptxLatest trends in computer networking.pptx
Latest trends in computer networking.pptx
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
 
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptxInternet-Security-Safeguarding-Your-Digital-World (1).pptx
Internet-Security-Safeguarding-Your-Digital-World (1).pptx
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 

Kavya racharla ndh-naropanth_fin

  • 1. WHEN ENCRYPTION IS NOT ENOUGH: 
 ATTACKING WEARABLE – MOBILE COMMUNICATION OVER BLE
 Kavya Racharla Sumanth Naropanth
  • 2. Why are we here? Encryption != Security • Wearables Security • How things mess up when mobiles & wearables talk to each other • BT/BLE
  • 3. Who are we? • Sumanth • Security Research Manager & Tech Lead – New Devices Group, Intel • Sun Microsystems & Palm • Kavya Racharla • Security Researcher — New Devices Group, Intel • Oracle & Qualcomm
  • 4. • The Facts
 
 • The Weakness
 
 • The Mitigation Agenda
  • 5. • The Facts
 
 • The Weakness
 
 • The Mitigation Agenda
  • 6. • IoT – connecting any device with an on/off switch to the internet • Cost and low power consumption are significant considerations • BT/BLE FTW! • Connected world —>Huge amounts of data —> Lot of concerns • Security on top of the list : Baby monitor, wearable and Wireless Car hacks! Why Wearables/IoT
  • 7. BT Classic vs BLE Bluetooth Classic Bluetooth Low Energy Range (theoretical) 100 m > 100 m Power consumption 1 W 0.01 to 0.5 W Peak current consumption <30 mA <15 mA Data rate 1-3 Mbit/s 1 Mbit/s Radio Frequencies 2.4 GHz 2.4 GHz Focus Wireless protocol for short range data exchange Low power consumption – periodic exchange of small amounts of dataUse Cases Wireless speakers, headsets Wearable devices, smart pay systems • Bluetooth 5 is here! 4x Range and 2x Speed
  • 8. GAP
 Defines how devices discover, connect and create bonding between them SMP Protocol for pairing and key distribution and authenticating other device Shared secrets can be managed and hence speed-up the reconnection process L2CAP Multiplexing layer for BLE GATT Describes characteristics, services and type of attributes/ their usage ATT Simple Client/ Server stateless protocol with rules for accessing data on a peer device BLE Protocol Stack
  • 10. Secure Simple Pairing • Just Works: very limited/ no user interface • Numeric Comparison: devices with display plus yes/no button • Passkey Entry: 6 digit pin as the pass key • Out Of Band: Use of an out of the band channel against MITM attacks Pairing Algorithms
  • 11. Pairing req. Capabilities, list of keys to be distributed and authentication requirements Pairing resp. TK STKSrand Mrand Distribute LTK, IRK and CSRK over link encrypted with STK Further secure communication on channel encrypted with LTK IRK : LE privacy by the use of random addresses
 CSRK : Resolve a signature and authenticate sender
 Supported Algorithms ECDH for key exchange AES-CCM for encryption BLE Security
  • 12. Object Model: • Main objects • CBCentralManager • CBPeripheral • CBPeripheralManager • CBCentral • Data objects • CBService • CBCharacteristic • Helper objects • CBUUID Core Bluetooth - iOS
  • 13. •Introduced in the core Android framework in 4.3 or API Level 18
 •Declaration of necessary permissions in the manifest •“BLUETOOTH” permission •necessary to perform any communication •request/accept a connection, transfer data
 •“BLUETOOTH_ADMIN” permission •app to initiate device discovery •manipulate Bluetooth settings Android - BLE support
  • 14. • Security largely depends on the chosen flavor of the pairing mechanism • Passive attacks • Eavesdropping on the pairing session compromises encryption keys • Mike Ryan’s research: With Low Energy comes Low Security • Just works vulnerable to active attacks • MITM attacks: Just works mode Known Security Risks
  • 15. Agenda • The Facts
 
 • The Weakness
 
 • The Mitigation
  • 17. The Problem – Prelude Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes)
  • 18. The Problem – Prelude Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes) BLE - ENCRYPTED ATTACKER
  • 19. The Problem Device Commands: • Put device into recovery mode • Do a FW update • Change Device (BLE) name Notifications: • Social apps • Calls and texts Information: • User activity data • User profile updates • Application action (calls, music control) • Call/text/social updates (sometimes) BLE - ENCRYPTED ATTACKER
  • 20. Root Cause All applications on Android and iOS can subscribe to the BT service and get the data on the same BT channels or BLE characteristics as the legitimate app • Android • android.permission.BLUETOOTH • android.permission.BLUETOOTH_ADMIN – quote: • iOS • Core Bluetooth (CB) Framework • Centrals (client/phone) and Peripherals (server/wearable) classes
  • 21. Example – Wearable Ecosystem 1 • Uses BLE • Proprietary code • Existing market research for format of messages and headers • Malware app subscribes to the known BLE characteristics gets data synced with the legit app
  • 22. Example – Wearable Ecosystem 1
  • 23. Example – Wearable Ecosystems 2 • Use BT, BLE and WiFi
 • Device can sync directly to the cloud • Fewer app-associated threats
 • Malware app (GATT characteristics scan/read/write) does not pick up any user information
  • 24. Example – Wearable 3 • Similar, but with a twist • Malware application cannot send commands to the wearable by itself • Legitimate app opens a connection to the device • The malware app piggybacks to send commands to the wearable Moral: Partial security does not help • Protect not just the handshake but every message
  • 26. Malware Proof of Concept Wearable device sends heart rate data continuously over BLE if ((charaProp | BluetoothGattCharacteristic.PROPERTY_NOTIFY) > 0) {
 mNotifyCharacteristic = characteristic;
 mBluetoothLeService.setCharacteristicNotification(
 characteristic, true);
 }
 return true;
 } public void onCharacteristicChanged(BluetoothGatt gatt,
 BluetoothGattCharacteristic characteristic) { final byte[] data = characteristic.getValue(); ... if (characterstics.equals("558dfa01-4fa8-4105-9f02-4eaa93e62980"))
 {
 
 int[] dataArray = new int[data.length];
 int i = 0;
 for (byte b : data)
 dataArray[i++] = b & 0xff;
 int steps = ((dataArray[5] & 0xff) << 8) | (dataArray[4] & 0xff);
 int calories = ((dataArray[13] & 0xff) << 8) | (dataArray[12] & 0xff);
 int heartRate = dataArray[18];
 System.out.println("malware: Steps = "+ steps +" , calories = “+ calories +", HearRate = “+heartRate);
 } } Malware app subscribes to the same GATT profiles, captures the raw data and parses to get useful personal data
  • 27. • Activity data and exercise modes • HR, calories, distance, skin temperature, etc. • Fine-grained GPS patterns = user location • Malware app puts the device into recovery mode without a follow-up FW image • User will need to take the device to a service center to recover • Change the device name to cause temporary DoS “Malware on my phone?” Never! But… Confidentiality • Malware executes commands on the device • Changing device name to rogue values • See list for more commands Integrity Availability PR Problems • Hot research topic • BORE risk Why should we care?
  • 28. Agenda • The Facts
 
 • The Weakness
 
 • The Mitigation
  • 29. Objectives • Allow communication only between the legitimate application on the phone and the wearable device
 • Protect confidentiality of sensitive data sent from the wearable to phone • activity data – HR, Calories, activity information, etc. • Application specific feedback or inputs – music, notifications, etc.
 • Protect integrity of all commands sent from the companion app to the wearable
  • 30. Assumptions & Non-Objectives • Out of the Box Experience (OOBE) occurs with the legit application • Phone is not rooted/jail-broken • Pre-existing application sandbox breaking vulnerabilities • Man-In-The-Middle attack during BLE pairing
  • 31. BLE Pairing Mitigation Overview Multiple applications use BLE link layer to transmit data Malware has access to the same BLE pairing as legit app App to Device Pairing App to device pairing restricts access to registered app BLE Stack BLE Hardware BLE Stack BLE Hardware
  • 32. Mitigation Design Key Exchange - Application Specific Key Kp Protect Integrity — HMAC(Kp, command) Protect Confidentiality — E(Kp, data) Ignorant of Kp. Cannot Read/Write
  • 33. Mitigation — Real World Web portal & Services Service A Service B Service C Multipletrustedappsonmultipletrustedphones Cloud-based account & key management Wearable device may offer services to multiple apps
  • 34. Mitigation Considerations • #apps to #wearable services mapping • Crypto support • Performance • Key management • Wearable • Phone • Cloud?
  • 36. The Future • Android and iOS Security enhancements • Support for App to Device security • BLE Spec support for authentication and encryption • Both
  • 37. Summary • Soft underbelly: • Bluetooth/BLE Spec • Adoption of the spec on popular smartphone platforms
 • Medium Risk (malware on the phone); High Impact (sensitive user information) • Severe impact for wearables with security and finance use cases • Apple Watch Auto Unlock • Pay • Protecting from network attackers is not enough • Onus on App developers and wearable OEMs to add an extra layer of security for
 App <— —> Device communication