Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber
- 2. Types of Vulnerability Disclosures
Responsible Disclosure:
– Contact the vendor only and inform them of the vulnerability
– If asked, work with the vendor
– After 3-6 months, proceed to Full Disclosure
Full Disclosure:
– Publish all information, including POC
– Sometimes – only a video of POC
©2013 Check Point Software Technologies Ltd.
- 3. Disclosure #1
Vendor: An Online Movie Ticket Service
Field: Online shopping and entertainment
Affected Product: On-site Ticket Kiosk
Vulnerability: Multiple vulnerabilities cause the compromise of both customer and company data
- 4. Disclosure Details
On-site Kiosk:
– Touch Screen
– Credit Card Reader
– Ticket Printer
No peripherals, no interfaces.
And the journey begins…
- 5. Disclosure Details
Improper interface settings allow the opening of menu options.
Menus can be used to browse for a new printer.
- 6. Disclosure Details
A limited browser is not restricted enough.
A right-click can be used… to open a full, unlimited Windows Explorer.
Now the sky is the limit…
- 7. Disclosure Details
Browsing through the file system reveals indicative directory names…
And even more indicative file names.
- 8. Disclosure Details
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad
We can use the ticket printer to take it home
- 9. Disclosure Details
But that’s not all: RSA Keys and Certificates are also found on the drive!
Which we can print, take home and then use free OCR software to read…
- 10. Disclosure Details
The result: RSA Keys used to bill credit cards.
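A defender's check for the finding above, added here as an example and not part of the original talk: scan the files on a kiosk or PoS disk for Luhn-valid card-number runs and report them masked, so a plaintext transaction store is caught before someone with Notepad finds it. The transaction log below is constructed and uses public test card numbers.

```python
import re
from pathlib import Path

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in a longer run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed sample of what a plaintext transaction file on a kiosk might hold.
# The card numbers are public test numbers, not real accounts.
SAMPLE_TRANSACTION_LOG = """\
2013-03-01 20:14:07 TXN 000123 approved card=4111111111111111 amount=48.00
2013-03-01 20:15:22 TXN 000124 approved card=5555-5555-5555-4444 amount=12.50
2013-03-01 20:16:01 TXN 000125 declined ref=1234567890123456
"""

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; rejects most random digit runs (order ids, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text: str) -> list:
    """Return masked, Luhn-valid card numbers found in a text blob."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(mask(digits))
    return hits

def scan_tree(root: str) -> dict:
    """Walk a directory (e.g. the kiosk's data folder) and map each file to its masked hits."""
    findings = {}
    for p in Path(root).rglob("*"):
        if p.is_file():
            hits = find_pans(p.read_text(errors="ignore"))
            if hits:
                findings[str(p)] = hits
    return findings

if __name__ == "__main__":
    print(find_pans(SAMPLE_TRANSACTION_LOG))  # prints ['411111******1111', '555555******4444']
```

Run `scan_tree` against the kiosk's application data directory on a test image; any hit outside an encrypted store is a finding to fix.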
- 11. Disclosure #2
Vendor: Point-of-Sale Manufacturer and Users
Field: Network Security
Vulnerability: Improper physical security allows access to insecure PoS devices after hours.
- 13. Disclosure Details
Location: A bar in Tel-Aviv
During working hours – tables, chairs and PoS outside
After hours – everything is locked inside the facility
But the Ethernet port remains hot
– In public space…
- 15. Attack Vector
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up Wireshark, discover IPs of live machines.
Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254
Confirm by ping (individual and broadcast)
- 16. Attack Vector
Evidence of SMB (plus prior knowledge) led to the next step:
And the response:
- 18. Things to do with an open share
#1: Look around
#2: Create a file list
[Restricted] ONLY for designated groups and individuals
- 19. The mystery of 192.168.0.250
Answers a ping, but no SMB.
First guess: the ADSL modem.
Try to access the Web-UI:
- 20. The mystery of 192.168.0.250
Use the full URL:
- 21. Going for the ADSL router
Reminder: We actually had this information.
- 22. Going for the ADSL router
Naturally, there is access control:
Want to guess?
- 23. Unlocked Achievements
– Best for me, worst for them: Credit card data.
– Database files (yet to be analyzed).
– The program files of the billing system.
– Potential attack through the internet.
- 24. Next Steps
– Create a Responsible Disclosure document for the PoS manufacturer
– Send an Advisory to businesses
- 25. IMPORTANT NOTICE
The bar operation was with full cooperation and consent.
DOING THIS ON YOUR OWN IS ILLEGAL.