HackInTheBox 2016-V2-OPALE SECURITY
Transcript of HackInTheBox 2016-V2-OPALE SECURITY
Who we are?
• Julien MOINARD
- Electronic engineer @ Opale Security (French company)
- Security consultant, hardware & software pentester
- Team project leader of Hardsploit
- DIY enthusiast
• Yann ALLAIN
- CEO
- Black Hat, Hack In The Box, HIP speaker & trainer
- Cybersecurity veteran (20+ years) / (old) electronic engineer
- Former CSO of ACCOR (software domain)
Internet of Things & privacy concern?
• Any IoT object could reveal information about individuals
• Wearable technology: clothes, watches, contact lenses with sensors, microphones with embedded cameras and so on
• Quantified self: pedometers, sleep monitors, and so on
• Home automation: connected households using smart fridges, smart lighting and smart security systems, and so on
• …
Internet of Things & privacy concern?
• Last news (you can update this slide every week :( )
Firmware can be read without any problem (SPI memory)
VTech was hacked in November, exposing millions of accounts.
In response, the firm took some essential services offline, meaning products could not be registered on Christmas Day.
IoT eco-system (20,000-feet view)
• Privacy risk level: where?
- HF communication (ISM band) + Wifi + 3G-5G, Bluetooth, Sigfox, Lora, etc.
- Classical wired connections
- Central servers, user interface, API, back office, etc.
- IoT devices
Security speaking, hardware is the new software?
SOFTWARE. To secure it:
• Security products (firewall, antivirus, IDS, …)
• Security services (pentest, audit, …)
• Tools (uncountable number of them)
HARDWARE. To secure it:
• Few or unimplemented solutions (encryption with key in a secure area, anti-replay mechanisms, readout protection, …)
Hardsploit & hardware hacking basic procedure
• 1/ Open it
• 2/ Fingerprint all the components if you can, else automatic bruteforcing
• 3/ Use those that may contain data (online / offline analysis?)
• 4/ Perform read | write operations on them
• 5/ Reverse engineering: find vulnerabilities and exploit them
How?
• A hardware pentester needs to know electronic buses and needs to be able to interact with them:
- 1-Wire
- JTAG/SWD
- UART
- PARALLEL
- Custom
Hardsploit framework
Same hardware, but a software update is needed to add new protocols
(Diagram: Hardsploit <-> IoT target, through the Input/Output layer, the database and a protocol module (SWD, SMBus, I2C, SPI, etc.))
Hardsploit bus identification & scanner (in progress, not published yet)
(Diagram: Hardsploit <-> IoT target, through the Input/Output layer, a database of patterns, a database of components, a protocol module (I2C, SPI, etc.), an IO hardware mixer and the scanner)
Tool of trade

FUNCTIONALITIES | BUS PIRATE | JTAGULATOR | GOODFET | HARDSPLOIT
UART | | Bus identification | |
SPI | | | |
PARALLEL | | | |
I2C | | | |
JTAG/SWD | | Bus identification | |
MODULARITY | Microcontroller | Microcontroller | Microcontroller | uC / FPGA
EASE OF USE | Cmd line + datasheet | Command line | Command line | Official GUI / API / DB
I/O NUMBER | < 10 | 24 | < 14 | 64 (plus power)
WIRING | TEXT (but MOSI = SDA :) ) | TEXT / AUTOMATIC identification | TEXT | LED / TEXT / AUTOMATIC identification

(The protocol-support marks in the UART, SPI, PARALLEL, I2C and JTAG/SWD rows did not survive extraction; only the text cells of the slide are shown.)
The board: final version
• 64 I/O channels
• ESD protection
• Target voltage: 3.3 & 5 V
• Uses a Cyclone II FPGA
• USB 2.0
• 20 cm x 9 cm
16/03/2016
Wiring helper
(Slide shows the datasheet representation side by side with the Hardsploit wiring module representation, and the GUI <-> board interaction)
What is available on GitHub (open)?
• Microcontroller (C)
• API (Ruby)
• GUI (Ruby)
• Create your own Hardsploit module: VHDL & API (Ruby)
Already available (GitHub)
Parallel non-multiplexed memory dump
• 32 bits for address
• 8/16 bits for data
Wiring helper
I2C 100 kHz, 400 kHz and 1 MHz
• Address scan
• Read, write, automatic full and partial dump
SPI mode 0, 1, 2, 3 up to 25 MHz
• Read, write, automatic full and partial dump
SWD interface (like JTAG but for ARM cores)
• Dump and write firmware of most ARM CPUs
GPIO interact / bitbanging (API only for the moment)
• Low speed (< 500 Hz) read & write operations on 64 bits
More to come (see online roadmap)…
• Automatic bus identification & scanner (@30%)
• Component & commands sharing platform (@90%)
• TTL UART module with automatic speed detection (@80%)
• Parallel communication with multiplexed memory
• I2C sniffing (shot of 4000 bytes up to 1 MHz)
• SPI sniffing (shot of 8000/4000 bytes half/full up to 25 MHz)
• RF wireless transmission training platform (Nordic NRF24, 433 MHz, 868 MHz transceivers)
• Metasploit integration (module)??
• JTAG
• 1-Wire
• CAN bus (with hardware-level adapter)
• …
Concrete case
• An electronic lock system
• 4-character PIN code A - B - C - D
• Good combination: door opens, green LED turns on
• Wrong combination: door closes, red LED turns on
Concrete case: Hardsploit scenario
1. Open Hardsploit to create the component (if it does not exist yet)
2. Connect the component to Hardsploit (wiring helper)
3. Enter and save the component settings (if they do not exist yet)
4. Dump the content of the memories (1 click)
5. Change the door password by using commands (a few clicks)
6. Try the new password on the lock system (enjoy)
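Step 4 hands the tester a raw memory image, and step 5 is only a few clicks because the lock keeps its PIN in clear in that memory. As an added example (not Hardsploit's own code and not from the talk), the Ruby script below looks at such a dump from the designer's side: it scores each block's entropy to separate clear settings from encrypted or hashed storage and lists anything shaped like the 4-character door PIN. The dump it analyses is constructed inline; the PIN value, block size and threshold are assumptions for the demonstration.

```ruby
# Added example (not Hardsploit's own code): inspect a memory dump like the one
# step 4 of the lock scenario produces, from the designer's side. It answers
# two questions: does any region still look like clear, structured data, and
# does it contain something shaped like the 4-character door PIN?

# Shannon entropy of a byte string, normalised to 0.0..1.0 against the maximum
# a string of that length can reach, so short blocks are judged fairly.
def normalised_entropy(bytes)
  n = bytes.bytesize
  return 0.0 if n < 2
  counts = Hash.new(0)
  bytes.each_byte { |b| counts[b] += 1 }
  h = counts.values.sum { |c| p = c.to_f / n; -p * Math.log2(p) }
  h / Math.log2([n, 256].min)
end

# Split the dump into blocks: :low = structured or padded data (settings,
# strings), :high = random-looking data (encrypted or well-hashed storage).
def classify_blocks(dump, block_size = 64, threshold = 0.75)
  (0...dump.bytesize).step(block_size).map do |off|
    blk = dump.byteslice(off, block_size)
    e = normalised_entropy(blk)
    { offset: off, entropy: e.round(2), kind: e >= threshold ? :high : :low }
  end
end

# Runs of exactly four printable ASCII bytes terminated by NUL or 0xFF, the
# way a C firmware typically stores a short PIN in EEPROM or flash.
def pin_candidates(dump)
  dump.b.scan(/(?<![\x20-\x7e])([\x20-\x7e]{4})(?=[\x00\xff])/n).flatten
end

# Constructed sample dump (not a real device image): a 64-byte settings block
# holding the assumed PIN "7391" in clear, then a 64-byte stand-in for an
# encrypted region (every byte distinct, so the block sits at maximum entropy).
SETTINGS_BLOCK = "DOORLOCK\x007391\x00".b.ljust(64, "\xff".b)
CIPHER_BLOCK   = (0...64).map { |i| (i * 97 + 13) % 256 }.pack("C*")
SAMPLE_DUMP    = SETTINGS_BLOCK + CIPHER_BLOCK

def report(dump)
  classify_blocks(dump).each do |b|
    puts format("offset 0x%04x  entropy %.2f  %s", b[:offset], b[:entropy], b[:kind])
  end
  puts "PIN-shaped strings in clear: #{pin_candidates(dump).inspect}"
end

report(SAMPLE_DUMP)
```

A low-entropy block that yields a PIN candidate is exactly the storage the scenario exploits; the same check run on a design with encrypted settings or readout protection reports only high-entropy blocks and no candidates.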
Conclusion
• IoT devices are (also) prone to vulnerabilities; Hardsploit helps you to find them
• Security policy needs to be adapted: nowadays, it is not so difficult to extract data from IoT devices
• Designers need to design with security in mind
• Skills related to pentesting a hardware device are mandatory for security experts (but training exists)
• Industry needs to take care about device security
Thank you!
Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT)
To learn more about Hardsploit and follow the development: Hardsploit.io & Opale-Security.com
• Yann ALLAIN (CEO), [email protected], +33645453381
Hardware & software, pentest, audit, training
• Julien MOINARD (project leader of Hardsploit), [email protected], +33972438707