Vectors


  1. 1. Hardware Attack Vectors Yashin Mehaboobe Security Researcher
  2. 2. #whoami • Security Researcher, Open Security • Conference Speaker • Interested in: • Embedded system security • Radio/RTL-SDR research • Malware Analysis • My little projects (Arcanum, PyTriage) • Organizer, Defcon Kerala (Mar 4. Be there!) • Python aficionado • Open source contributor.
  3. 3. Why Hardware? • More interesting • Less well known = easier to exploit • More rewarding • Usually open entry point into an otherwise secure network • It’s awesome!
  4. 4. Keys to the kingdom?
  5. 5. What is covered: • The attack of the HID • Simulating physical access for fun and profit. • IR vector • Let TVs be bygones. • Radio • Radio != FM or Radio != WiFi • Bus attacks: • Unprotected = Easy to pwn (mostly)
  6. 6. Usual suspects • Wireless LAN • Web Applications • Client Side exploits • Remote exploits • Hardware attacks
  7. 7. HIDe it • A little bit of physical access is a dangerous thing. • Usually physical access = pwning • Software can’t protect hardware • HID attacks simulate an automated keyboard and mouse • = Attacker gets to run code as if he is physically there.
  8. 8. The Rise of the Rubber Ducky • USB Rubber Ducky by the Hak5 team. • Comes with an automated script creator. • Looks like a normal USB drive. • Runs the payload burned into the memory when connected.
  9. 9. Teensy • Arduino clone by PJRC • Can emulate an HID device • Existing tools like Kautilya and SET generate payloads. • Again, multiplatform mayhem
  10. 10. DEMO
  11. 11. IR • TV, pedestrian lights, old smartphones • Uses one of four: • Philips • Sony • NEC • RAW • IR library already available for Arduino
  12. 12. Tools of the Trade: • Arduino or a similar microcontroller • TSOP382 IR receiver • IR LED • Little bit of mischief
  13. 13. IR Attack 1: Replay • Receive the code using TSOP382 • Check the code type • Transmit accordingly whenever the button is pressed
  14. 14. TV-B-Gone • Most TVs have a predefined power-off sequence • Widely available • Create a script that goes through the popular off codes one by one • No more pesky TVs
  15. 15. DEMO
  16. 16. Tangoing with Radio • SDR = Software Defined Radio • Usually pretty expensive. • Until the rise of RTL-SDR • Scope = AIS, GSM, ADS-B, GPS, you name it.
  17. 17. RTL-SDR or cheap radio sniffer • Mainly two types: • E4000: 52-2200 MHz • R820T: 24-1766 MHz • Software used: • rtl_sdr • GQRX • SDRSharp • Log most data broadcast within the frequency ranges
  18. 18. Sniffing Radio Traffic • AIS (ship transmissions) are easily picked up • So are aircraft broadcasts • You can sniff most protocols off the air • Decode using baudline • Possible attacks against: home automation systems and car keyfobs • Keyfobs are supposed to use rolling key codes • “Supposed to”
  19. 19. Antennas ● Dependent on the frequency that you want to capture. ● Different types for different purposes: ● Monopole: ACARS, ADS-B, AIS (Airplanes/Ships) ● Rubber Ducky antennas for short range ● Discone for wide coverage (More noise)
  20. 20. Discone Monopole Rubber Ducky
  21. 21. DEMO TIME!
  22. 22. Bus Attacks
  23. 23. The Magic Electronic Buses ● Buses are used by components in an embedded system to communicate with each other ● Not secured ● Most commonly used protocols are SPI, I2C and UART ● No authentication ● I2C utilizes addressing
  24. 24. Attacking bus protocols ● Sniffing: ● Logic analyzers pick up most of the protocols ● Bus Pirate is your friend ● Replay: ● Sniffed sequences can be played back at later times ● Bus Pirate is your best friend ● Debug ports: ● UART/JTAG ports are left open for debugging purposes ● Can be used to dump firmware and mess with the memory
  25. 25. Here there be Pirates ● Hardware hacker's multitool ● Read/write I2C, SPI, UART ● Midlevel JTAG support ● AVR programmer too! ● Can be accessed via USB.
  26. 26. DEMO
  27. 27. Thank you! Questions?
  28. 28. Contact Details • Twitter: twitter.com/yashin.mehaboobe • Email: yashinm92<at>gmail.com • Carrier pigeon works too.
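
Slide 18 notes that keyfobs are "supposed to" use rolling codes, and slides 13 and 24 describe replaying captured sequences. The sketch below is an added example, not part of the original deck: it puts a fixed-code receiver beside a rolling-code receiver to show what the receiver has to check for a replayed frame to be rejected. The frame layout (4-byte counter plus truncated HMAC-SHA256 tag), the `WINDOW` value, and all class and function names are assumptions made for illustration and do not describe any particular product's scheme.

```python
import hashlib
import hmac

WINDOW = 16  # assumed: how many missed button presses the receiver tolerates

def fob_frame(key: bytes, counter: int) -> bytes:
    """Frame the fob sends: 4-byte counter plus an 8-byte truncated HMAC tag."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(key, ctr, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Weak design: one static code, so any captured frame stays valid forever."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Accepts a frame only if the tag verifies and the counter moved forward."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, fob_frame(self.key, counter)):
            return False  # tag does not verify: forged or corrupted frame
        if not self.last < counter <= self.last + WINDOW:
            return False  # stale counter (replay) or implausibly far ahead
        self.last = counter  # burn this counter and every one before it
        return True

def demo() -> dict:
    key = b"constructed-demo-key"        # constructed sample key
    static = b"\xa5\x5a\x01\x02"         # constructed sample fixed code
    fixed, rolling = FixedCodeReceiver(static), RollingCodeReceiver(key)
    first = fob_frame(key, 1)            # stands in for a frame logged off the air
    return {
        "fixed_first": fixed.accept(static),
        "fixed_replay": fixed.accept(static),        # True: replay works
        "rolling_first": rolling.accept(first),
        "rolling_replay": rolling.accept(first),     # False: counter already used
        "rolling_skipped": rolling.accept(fob_frame(key, 5)),   # within window
        "rolling_far": rolling.accept(fob_frame(key, 500)),     # outside window
    }
```

The same two checks, an authenticated message plus a counter that only moves forward, are what the unauthenticated SPI/I2C/UART exchanges on slide 23 lack.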