Pentesting Embedded
Introduction
Thesis


Everything is insecure
We should hack insecure things
We should hack everything
Summary
• Show why embedded security
  doesn’t exist
• Attack vectors (real world and
  theoretical)
• Mitigations
• Tools used for identification of
  issues in a product
Embedded Security
• The security features built into a
  device or circuit
  – e.g. jukebox remote controls, router circuit
    boards, TVs, mobile phones
• AKA hardware hacking
Risk

     Risk = Threat x Exploitability x Cost
• Threat: how likely the attack is to occur, based on its
  frequency in the “real” world
• Exploitability: how likely the attack is to succeed
• Cost: how much it is going to hurt when the device gets popped
• The amount of security invested into an embedded
  device is directly influenced by risk
• The lack of these attacks being exploited in the wild,
  and the skills required to exploit them, keep the risk
  level appearing low
Attackers Perspective
•   Theft-of-service – getting something for free
•   IP theft – cloning an idea and remaking it
    (China)
•   Information disclosure – finding the secrets hidden
    on a device
•   Spoofing – impersonating another user or device
    (horizontal privilege escalation)
•   DoS – making the device unserviceable means loss
    of revenue
Attack Surface
• Cases and enclosures – to prevent
  attackers from accessing internals
• Circuit board
• Firmware
External Interfaces Attacks
• JTAG, USB, serial and other wired interfaces, Bluetooth, Wi-Fi, RF*
• Accessing debug/diagnostic operation modes
• Traces cut at the factory to disable an interface can be repaired
• Fuzzing the interface to deobfuscate the
  protocol
• Sensitive information disclosure (encryption material,
  server-side info)
• EMI emissions leak information
Mitigations
• Diagnostic/debug modes should be disabled
  at the circuit level
• JTAG should ideally be removed from
  production boards, otherwise disabled
• Protect against malformed
  communication
• EMI shielding
• Tamper protections
Mitigations: Tamper Protections
• Tamper resistant: difficult to access components
   – One-way screws, steel case, epoxy on ICs
• Tamper evident: if access happens, it is easily
  identifiable
   – Sealed cases, glues, tapes
• Tamper detection: the hardware knows when it has been
  tampered with
   – Pressure switches, temperature sensors, puncture detection
• Tamper response: the hardware reacts when tampered with
  (like detection but with a countermeasure)
   – Wiping flash memory (zeroizing keys), self-destruct with an explosive charge
Circuit Board Attacks
• Reverse engineer components and gather information
    – PCB hooking – access traces and test points
•   Probe boards
•   Delid chips
•   Access memory: EEPROMS, RAM
•   Simple and differential power analysis
•   EMI attacks
•   Clock/timing attacks – manipulate the clock to induce faults
•   Epoxy removal – Dremel or chemical based
•   Use an X-ray to determine the location of components
Mitigations
• Remove part markings from ICs (“black topping”)
• Hide vias and test points when possible
• Epoxy critical areas
• Implement probe detection on unused pins
• Add digital watermarks that uniquely identify
  your product
• Noise generators to defend against power
  analysis
Cryptographic Attacks
• No matter what algorithm or key size
  you use, a static key must be stored
  somewhere on the device. Find it
• Algorithm mis-implementations are
  exploitable
• Custom crypto means custom pwning
• Side-channel attacks (power analysis,
  etc)
Firmware Attacks
• Extracting the firmware is the first
  step to exploitation
• Once the firmware is reversed, the
  device’s security is usually finished
• Ordinary programming flaws lead to
  exploitation
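As an added example (not the slide author's code), a first-pass triage of a dump pulled off a flash chip, which is the step between "extract the firmware" and "reverse it": scan for image and file-system signatures, map the entropy of each block to tell empty flash, code or config, and compressed-or-encrypted regions apart, and hunt for the static key that the cryptographic-attacks slide says must be stored somewhere. The dump, the planted key bytes, the thresholds and the signature table are all constructed inside the script; on a real job the blob is the dumped file.

```python
"""Triage of a raw firmware dump: where are the images and file systems,
what is compressed or encrypted, and where might a static key be hiding?

Added example with a constructed dump; pass the bytes of a real dump
(e.g. open("fw.bin", "rb").read()) to triage() to run it on hardware output."""
import gzip
import math
import random
from collections import Counter

# Magic values commonly found at the start of embedded images and file systems
SIGNATURES = {
    b"\x7fELF": "ELF executable",
    b"\x27\x05\x19\x56": "U-Boot uImage header",
    b"\x1f\x8b\x08": "gzip stream",
    b"hsqs": "SquashFS (little-endian)",
    b"UBI#": "UBI volume",
    b"\xfd7zXZ\x00": "xz stream",
}

# Constructed 32-byte "key" (no repeated byte) planted inside the config region
SAMPLE_KEY = bytes.fromhex(
    "9f3ac4e107b85d62d94b2ef0a51c778e33c06a45ee129bd45803bf7ca126e94f")
KEY_OFFSET = 1024 + 480


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0 for constant data, close to 8 for random data."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_signatures(blob: bytes):
    """Every (offset, name) at which a known magic value appears, sorted by offset."""
    hits = []
    for magic, name in SIGNATURES.items():
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)


def entropy_map(blob: bytes, block: int = 1024):
    """(offset, entropy, label) per fixed-size block. Entropy alone does not
    separate compressed from encrypted data: a compressed region normally
    carries a signature, an encrypted one does not."""
    out = []
    for off in range(0, len(blob), block):
        h = shannon_entropy(blob[off:off + block])
        if h < 1.0:
            label = "padding or empty"
        elif h < 6.0:
            label = "code, text or config"
        else:
            label = "compressed or encrypted"
        out.append((off, round(h, 2), label))
    return out


def find_key_candidates(blob: bytes, win: int = 32, min_entropy: float = 4.7,
                        ctx: int = 1024, max_ctx_entropy: float = 6.0):
    """Heuristic key hunt: a short window of nearly unique bytes (entropy near
    log2(win)) inside an otherwise low-entropy block looks like an embedded
    symmetric key rather than text or code. Windows touching a high-entropy
    block are skipped, since every window of compressed or encrypted data
    would otherwise match. Returns merged (start, end) byte ranges."""
    ctx_entropy = {s: shannon_entropy(blob[s:s + ctx]) for s in range(0, len(blob), ctx)}
    ranges = []
    for off in range(0, len(blob) - win + 1):
        first_block = off - off % ctx
        last_block = (off + win - 1) - (off + win - 1) % ctx
        if ctx_entropy[first_block] > max_ctx_entropy or ctx_entropy[last_block] > max_ctx_entropy:
            continue
        if shannon_entropy(blob[off:off + win]) >= min_entropy:
            if ranges and off <= ranges[-1][1]:
                ranges[-1] = (ranges[-1][0], off + win)
            else:
                ranges.append((off, off + win))
    return ranges


def build_sample_dump() -> bytes:
    """Constructed dump: ELF header plus empty flash, plaintext config with the
    planted key, a pseudo-random block standing in for encrypted data, and a
    gzip stream standing in for a compressed file system."""
    rng = random.Random(7)
    boot = b"\x7fELF\x01\x01\x01\x00" + b"\x00" * (1024 - 8)
    text = (b"hostname=gateway\nadmin:password123\nssid=guest-net\n"
            b"update_url=http://example.invalid/fw\n") * 12
    config = text[:480] + SAMPLE_KEY + text[:1024 - 480 - 32]
    encrypted = bytes(rng.randrange(256) for _ in range(1024))
    words = [b"lorem", b"ipsum", b"dolor", b"sit", b"amet", b"firmware", b"router"]
    compressed = gzip.compress(b" ".join(rng.choice(words) for _ in range(600)), mtime=0)
    return boot + config + encrypted + compressed


def triage(blob: bytes) -> dict:
    return {
        "signatures": scan_signatures(blob),
        "entropy": entropy_map(blob),
        "key_candidates": find_key_candidates(blob),
    }


if __name__ == "__main__":
    report = triage(build_sample_dump())
    for off, name in report["signatures"]:
        print(f"0x{off:06x}  {name}")
    for off, h, label in report["entropy"]:
        print(f"0x{off:06x}  entropy={h:4.2f}  {label}")
    for start, end in report["key_candidates"]:
        print(f"key candidate at 0x{start:06x}-0x{end:06x}")
```

The key heuristic deliberately reports ranges rather than exact offsets: windows that straddle the boundary between config text and the key also score high, so the candidate is the merged run, and a follow-up is to try each 16- or 32-byte slice of it against whatever the firmware decrypts or authenticates. A region with no signature and entropy near 8 in every block is the signal that the firmware is encrypted and the key must be found elsewhere, for instance in the bootloader or in an external EEPROM.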
Mitigations
• Be a good programmer :)
• Limit attack vectors - remove
  unnecessary components
• Protect firmware from being easily
  extracted
Tools For Attack
• Standard hardware hacking components
  – DMM, oscilloscope, Dremel, hobby knife, soldering iron, wire
    strippers, microscope, logic analyzer
• Probe adapters:
  – emulation.com, advintcorp.com, ironwoodelectronics.com
• RF analysis
  – SDR such as the USRP
• USB: SnoopyPro, Facedancer, Bus Pirate
• JTAG: GoodFET
Insane Tools
• Scanning electron microscope
• Voltage contrast microscopy
• Focused Ion Beam (FIB)
Attack In Practice
• Passive Recon – learn about the device, manuals, data sheets
• Active Recon – perform the initial inspection.
   – Can you see ICs? Components? Tamper protections?
• Risk Assessment – determine threats, risky areas, loot to
  focus your time on.
   – Make sure your end goal is either an exploit or more information (skip time wasters)
• Collect necessary tools for attack
• Probe and interface: Connect to serial interfaces, hook vias or
  test points, use a probe board
• Extract and reverse firmware or sensitive information
Defense In Practice
• Make breaking into the device cost
  more than the value of the result
• Built in vs Bolt On later (same old story)
• Test your own security (at least the
  basics)
• When in doubt, epoxy (but know that if
  you do this, you are dead to me)
No questions
I don’t know the answer
