Horror on the bus
Hacking combus in a Paradox security system
Hack In The Box Dubai 2018 #HITB2018DXB

Author
Lead researcher at Possible Security, Latvia
Hacking and breaking things
– Network flow analysis
– Reverse engineering
– Social engineering
– Legal dimension
twitter / @KirilsSolovjovs

Security alarm systems

3998 3111 9309 1400 8248 4584 9450 5617 6550 8245 6979 9878 6101 4971 1294 9576 5005 2789 7113 3627 6856 5132 4920 5076 7500 7065 0643 9302 1744 3725 8432 1275 1128 1497 8657 9264
What could go wrong? 7113

Does this provide peace of mind?

INTRO

Paradox security systems
Canadian company, founded 1989
Modular security alarms
– SPECTRA SP Expandable Security Systems
– EVO High-Security & Access Systems
– MAGELLAN Wireless Security Systems

Prior research
Work on interfacing with SP series via COMBUS
– Martin Harizanov: partially working code, moved on to SERIAL
Work on interfacing with MG series via SERIAL
– All over forums: leaked docs
– Gytis Ramanauskas: code on GitHub

Responsible disclosure process
At first:
– General claim that there’s a vulnerability met with doubt
– Clearly no process in place
In a few months:
– The information has been “dealt with”
– «For obvious security reasons, it is our policy to never discuss engineering matters outside of the company and thus we will not be commenting further on this issue»
A couple years later I’m doing public disclosure
¯\_(ツ)_/¯

Components
master
heart of the system
– “motherboard”
– panel
ancillaries
– battery
– power supply
– siren

Components
combus slaves
provide two-way communication
– keypads
– modules
  expansion, printer, listen-in, etc.

Components
zone interrupt devices
input, measures resistance ⇒ chaining
– magnetic sensors
– PIR sensors
– panic buttons
– etc.

Components
PGM modules:
output, 100 mA relays (solid state)
– external actuators
– boost relays

Components
serial devices:
– RS485
– Serial converters (RS232, USB)
– IP modules
– GSM modules
– etc.

[Figure: EVO192 panel board with labelled connections: 16.5 V, 12 V battery, COMBUS, RTC 3 V battery, RS485, memkey, voice dialer]

REVERSE ENGINEERING

Hardware tools
Saleae Logic 8
Arduino UNO

COMBUS

Electrical layer
combus – 4 wire bus
resistance = 0 ⇒ black = GROUND
stable voltage ⇒ red = POWER
... ?
(keypad)

Signal layer
yellow = CLOCK
green = DATA
40 ms between packet bursts
1 clock cycle = 1 ms; signal = 1 kHz

Signal encoding
CLOCK = low ⇒ data!!!
... we should have two-way comms
something is missing

0000 1100 1001 0001 0010 1101 0010 0001
0    C    9    1    2    D    2    1

Full signal encoding
CLOCK = high
– slave pulls down to send “1”
CLOCK = low
– master pulls up to send “1”
-----M-M-M-M-M-M-M-MsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsM---

Hardware setup (read-only)
Resistors to limit
– voltage
– current draw
[Figure: wiring diagram; labels: 12 V, 5 V, 2.4 kΩ, 50 Ω, 2.4 kΩ]

Decoding into bytes

    on CLK change:
        wait 50µs
        if CLK == high:
            master <- master<<1 + DAT&1
        else:
            slave <- slave<<1 + !DAT&1

    on idle > 2ms:
        if master > 0:
            print master
            print slave
        master <- 0
        slave <- 0

[Figure: CLK and DAT traces]

Packet structure
byte:   01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23
master: E2 14 10 0B 0F 37 05 00 01 5D 00 0C 13 38 1B
slave:  00 02 00 0000 02 20 00 00 00 FF 5A 22 00 00 00 00 D5 23 79 E2 00 00 00 C8 B6 00
Fields marked on the slide: command, checksum, unused, channel-request

Checksum

    checksum <- 0
    for i in @command to @checksum - 1:
        checksum <- (checksum + *i) % 100

Commands: heartbeat / clock
0C NN DD/MM HH/SS
– NN = xxxxxxxp = sequence number
p==0 => 0C NN DD HH
– DD = day of the month
– HH = hour
p==1 => 0C NN MM SS
– MM = minutes
– SS = seconds
0C AA 10 11

Commands: code entry
00 02 20 UT 00 00 CT CC CC 00 00 00 00 SS SS SS SS 00 00 00 00 =# 00
– UT = pxxxxxxx
  p = user type; p == 1 => programmer
– CT = code type
– CC CC = code
– SS SS SS SS = serial number of source device
– =# = checksum
00 02 20 00 00 00 FF 12 34 00 00 00 00 D9 10 3A 99 00 00 00 00 21 00

Payloads
No encryption used
Text as fixed length (often 16 chars) ASCII strings
– 0x20 = filler
Numbers usually packed BCD
– “0” is 0b1010 = 0xA
– no encryption, but hey, at least we got obfuscation!
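
The packet structure, checksum and code-entry layout from the slides above, combined into a frame validator and field decoder. This is an added example, not code from the talk or the author's repository; it assumes the command is byte 3 (the position from which the sample frame's checksum adds up), that the slide's `% 100` means 0x100, and that `p` in `UT` is the top bit.

```python
# Added example: validate and decode a COMBUS code-entry frame (23 bytes).
# Assumptions: the command is byte 3 (index 2), the checksum covers
# command..byte 21, and the slide's "% 100" is hexadecimal 0x100.
CMD, UT, CT, CKSUM = 2, 3, 6, 21
CODE, SERIAL = slice(7, 9), slice(13, 17)
FRAME_LEN = 23
CODE_ENTRY = 0x20  # assumed command value, read off byte 3 of the template

def checksum(frame: bytes) -> int:
    """Additive checksum from the command byte up to the checksum field."""
    return sum(frame[CMD:CKSUM]) % 0x100

def bcd_to_digits(data: bytes) -> str:
    """Packed BCD where nibble 0xA encodes digit 0 (Payloads slide).
    Nibbles the slides do not define are rendered as '?'."""
    digits = []
    for byte in data:
        for nibble in (byte >> 4, byte & 0x0F):
            if nibble == 0xA:
                digits.append("0")
            elif 1 <= nibble <= 9:
                digits.append(str(nibble))
            else:
                digits.append("?")
    return "".join(digits)

def parse_code_entry(frame: bytes) -> dict:
    """Reject malformed frames, then return the cleartext fields."""
    if len(frame) != FRAME_LEN:
        raise ValueError(f"expected {FRAME_LEN} bytes, got {len(frame)}")
    if frame[CMD] != CODE_ENTRY:
        raise ValueError(f"not a code-entry frame: 0x{frame[CMD]:02X}")
    if checksum(frame) != frame[CKSUM]:
        raise ValueError("checksum mismatch")
    return {
        "programmer": bool(frame[UT] & 0x80),  # UT = pxxxxxxx, p = top bit
        "code_type": frame[CT],
        "code": bcd_to_digits(frame[CODE]),
        "serial": frame[SERIAL].hex().upper(),
    }

# Sample frame copied from the "Commands: code entry" slide.
SLIDE_FRAME = bytes.fromhex(
    "00 02 20 00 00 00 FF 12 34 00 00 00 00 D9 10 3A 99 00 00 00 00 21 00")

if __name__ == "__main__":
    print(parse_code_entry(SLIDE_FRAME))
```

The additive checksum only guards against line noise; every field, including the user code, is readable by any device on the bus, which is the gap the Solutions slide addresses.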

DEMO TIME
Before connecting a module to the combus, remove AC and battery power from the control panel.

EVO192
“Digiplex and Digiplex EVO systems provide the highest level of protection for banks, high-security military and government sites, luxurious residential homes and any place where maximum security is essential”
– https://www.paradox.com/Products/default.asp?CATID=7

SUMMARY

Results
Hardware built, decoding software written
Protocol partially transcribed
Impact of possible attacks

Solutions
Encryption at command layer
– TLS
– CA in trust-store in all components
Mutual slave-master authentication
– client certificates
Sensitive payload encryption
– with unique per-panel key (synchronized at install time)

Further research
DoS attacks
Emulating a slave
COMBUS over radio
RF attacks
Firmware reverse engineering

28.11.2018. Hack In The Box Dubai 2018
http://kirils.org/
https://github.com/0ki/paradox
@KirilsSolovjovs