Hardware Attack Vectors

Yashin Mehaboobe
Security Researcher
#whoami
• Security Researcher, Open Security
• Conference Speaker
• Interested in:
  • Embedded system security
  • Radio / RTL-SDR research
  • Malware analysis
  • My little projects (Arcanum, PyTriage)
• Organizer, Defcon Kerala (Mar 4. Be there!)
• Python aficionado
• Open source contributor.
Why Hardware?
• More interesting
• Less well known = fewer people looking = easier to exploit
• More rewarding
• Usually an open entry point into an otherwise secure network
• It’s awesome!
Keys to the kingdom?
What is covered:
• The attack of the HID
  • Simulating physical access for fun and profit.
• IR vector
  • Let TVs be bygones.
• Radio
  • Radio != FM, Radio != WiFi
• Bus attacks
  • Unprotected = easy to pwn (mostly)
Usual suspects
• Wireless LAN
• Web applications
• Client-side exploits
• Remote exploits
• Hardware attacks
HIDe it
• A little bit of physical access is a dangerous thing.
• Usually physical access = pwning
• Software can’t protect hardware: the OS trusts anything that enumerates as a keyboard.
• HID attacks simulate an automated keyboard and mouse
• = Attacker gets to run code as if he were physically there.
The Rise of the Rubber Ducky
• USB Rubber Ducky by the Hak5 team.
• Comes with a scripting language (Ducky Script) and an encoder that turns scripts into payloads.
• Looks like a normal USB drive.
• Runs the payload burned into its memory as soon as it is connected.
Teensy
• Arduino-compatible development board by PJRC
• Can emulate an HID device (keyboard/mouse)
• Existing tools like Kautilya and SET generate payloads for it.
• Again, multiplatform mayhem
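How the keystroke injection in the slides above works on the wire, as an added Python example (not Hak5's or PJRC's code): a minimal Ducky Script translator that emits the 8-byte USB HID boot-keyboard reports a Rubber Ducky or a keyboard-emulating Teensy would send. The supported command subset, the US key layout and the sample payload are assumptions made for illustration.

```python
"""Ducky Script to USB HID report translator (added example, not Hak5 or PJRC code).

A Rubber Ducky or a Teensy keyboard sketch does nothing more than emit USB HID
keyboard reports; the host accepts them because it cannot tell a scripted
keyboard from a human one.  Only the Ducky Script subset used below is
implemented, for a US layout (assumption).
"""

# USB HID usage IDs (Keyboard/Keypad page 0x07), US layout.
_UNSHIFTED = {c: 0x04 + i for i, c in enumerate("abcdefghijklmnopqrstuvwxyz")}
_UNSHIFTED.update({c: 0x1E + i for i, c in enumerate("123456789")})
_UNSHIFTED.update({"0": 0x27, " ": 0x2C, "-": 0x2D, "=": 0x2E, "[": 0x2F, "]": 0x30,
                   "\\": 0x31, ";": 0x33, "'": 0x34, "`": 0x35, ",": 0x36, ".": 0x37, "/": 0x38})
# Shifted characters use the usage ID of their unshifted key plus the Shift modifier.
_SHIFTED = {u: l for l, u in zip("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ")}
_SHIFTED.update(dict(zip("!@#$%^&*()", "1234567890")))
_SHIFTED.update({"_": "-", "+": "=", "{": "[", "}": "]", "|": "\\", ":": ";",
                 '"': "'", "~": "`", "<": ",", ">": ".", "?": "/"})

MOD_CTRL, MOD_SHIFT, MOD_ALT, MOD_GUI = 0x01, 0x02, 0x04, 0x08
_NAMED_KEYS = {"ENTER": 0x28, "ESCAPE": 0x29, "TAB": 0x2B, "SPACE": 0x2C, "DELETE": 0x4C}
_MODIFIER_WORDS = {"CTRL": MOD_CTRL, "CONTROL": MOD_CTRL, "SHIFT": MOD_SHIFT,
                   "ALT": MOD_ALT, "GUI": MOD_GUI, "WINDOWS": MOD_GUI}


def report(modifier=0, key=0):
    """8-byte boot keyboard report: modifier bits, reserved byte, six key slots."""
    return bytes([modifier, 0, key, 0, 0, 0, 0, 0])


RELEASE = report()  # all keys up


def char_to_press(ch):
    """Return (modifier, usage) for one printable ASCII character."""
    if ch in _UNSHIFTED:
        return 0, _UNSHIFTED[ch]
    if ch in _SHIFTED:
        return MOD_SHIFT, _UNSHIFTED[_SHIFTED[ch]]
    raise ValueError(f"no HID mapping for {ch!r}")


def compile_ducky(script):
    """Translate a Ducky Script payload into a list of events.

    Each event is ("delay", ms) or ("report", bytes); every key press is
    followed by a release report, exactly as a real keyboard would send.
    """
    events = []
    for raw in script.splitlines():
        line = raw.strip()
        if not line or line.startswith("REM"):
            continue
        cmd, _, arg = line.partition(" ")
        if cmd == "DELAY":
            events.append(("delay", int(arg)))
        elif cmd == "STRING":
            for ch in arg:
                mod, usage = char_to_press(ch)
                events += [("report", report(mod, usage)), ("report", RELEASE)]
        elif cmd in _NAMED_KEYS:
            events += [("report", report(0, _NAMED_KEYS[cmd])), ("report", RELEASE)]
        elif cmd in _MODIFIER_WORDS:
            # e.g. "GUI r": hold the modifier, tap the key, release everything.
            key = _UNSHIFTED.get(arg.lower()) if arg else 0
            if key is None:
                raise ValueError(f"unsupported key after modifier: {line}")
            events += [("report", report(_MODIFIER_WORDS[cmd], key)), ("report", RELEASE)]
        else:
            raise ValueError(f"unsupported command: {line}")
    return events


# Constructed sample payload: open the Windows Run dialog and start a shell.
SAMPLE_PAYLOAD = """REM constructed example payload
DELAY 500
GUI r
DELAY 300
STRING powershell
ENTER
"""

if __name__ == "__main__":
    for kind, value in compile_ducky(SAMPLE_PAYLOAD):
        print(kind, value.hex() if kind == "report" else f"{value} ms")
```

Nothing in these reports distinguishes them from a person typing, which is why the useful control is on the device side (allow-listing which USB devices may enumerate, e.g. with USBGuard on Linux) rather than hoping the OS notices a "keyboard" that types a whole command in a few milliseconds.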
DEMO
IR
• TV, pedestrian lights, old smartphones
• Common protocol families: Philips (RC5), Sony (SIRC), NEC; anything else can be handled as RAW timings
• IR library already available for Arduino (IRremote)
Tools of the Trade:
• Arduino or a similar microcontroller
• TSOP382 IR receiver
• IR LED
• Little bit of mischief
IR Attack 1 : Replay
• Receive the code using the TSOP382 (it strips the 38 kHz carrier; what you record is the mark/space timing)
• Check the code type (which protocol the timings match)
• Transmit the same code whenever the button is pressed
TV-B-Gone
• Most TVs have a predefined power-off code
• Widely available (the TV-B-Gone code database is open source)
• Create a script that goes through the popular off codes one by one
• No more pesky TVs
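The replay and TV-B-Gone slides above both reduce to decoding a captured mark/space timing list into a code and re-encoding it on demand. The following is an added Python example (not the IRremote library and not TV-B-Gone firmware) for the NEC protocol, whose frame carries the inverted command byte as a built-in check. The sample timings are constructed by the encoder and jittered to stand in for a TSOP382 capture; the address and command values are made up, and the extended-address variant is included as an assumption about sets that use 16-bit addresses.

```python
"""NEC infrared code decoder/encoder for replay (added example; not IRremote
or TV-B-Gone code).

A TSOP382 strips the 38 kHz carrier and outputs the mark/space envelope.
Recorded as microsecond durations, an NEC frame is:
  9000 us mark, 4500 us space, then 32 bits LSB first
  (bit = 560 us mark, then 560 us space for 0 or 1690 us space for 1),
  then a 560 us trailing mark.  The 32 bits are address, ~address,
  command, ~command, so a frame carries its own integrity check.
"""

HDR_MARK, HDR_SPACE, BIT_MARK, ZERO_SPACE, ONE_SPACE = 9000, 4500, 560, 560, 1690
TOLERANCE = 0.25  # 25 % timing slack, as a receiver would allow


def _near(measured, nominal):
    return abs(measured - nominal) <= nominal * TOLERANCE


def encode_nec(address, command, extended=False):
    """Return the mark/space durations for one NEC frame.

    Standard NEC: 8-bit address plus its inverse.  Extended NEC (assumption:
    used by some sets) sends a 16-bit address with no inverse.
    """
    if extended:
        payload = address & 0xFFFF
    else:
        payload = (address & 0xFF) | ((~address & 0xFF) << 8)
    payload |= ((command & 0xFF) << 16) | ((~command & 0xFF) << 24)
    timings = [HDR_MARK, HDR_SPACE]
    for i in range(32):  # LSB first
        timings += [BIT_MARK, ONE_SPACE if (payload >> i) & 1 else ZERO_SPACE]
    timings.append(BIT_MARK)
    return timings


def decode_nec(timings):
    """Decode a list of mark/space durations that starts with the header mark.

    Returns (address, command, valid); valid is True when the inverted
    command byte checks out.  Returns None when the timings are not NEC.
    """
    if len(timings) < 67 or not (_near(timings[0], HDR_MARK) and _near(timings[1], HDR_SPACE)):
        return None
    value = 0
    for i in range(32):
        mark, space = timings[2 + 2 * i], timings[3 + 2 * i]
        if not _near(mark, BIT_MARK):
            return None
        if _near(space, ONE_SPACE):
            value |= 1 << i
        elif not _near(space, ZERO_SPACE):
            return None
    address = value & 0xFFFF
    command, command_inv = (value >> 16) & 0xFF, (value >> 24) & 0xFF
    valid = command_inv == (~command & 0xFF)
    # Standard NEC: high byte is the inverse of the low byte, so report 8 bits.
    if (address >> 8) == (~address & 0xFF):
        address &= 0xFF
    return address, command, valid


def jitter(timings, delta):
    """Constructed 'captured' signal: shift every duration by delta microseconds."""
    return [t + delta for t in timings]


if __name__ == "__main__":
    # Constructed sample: address 0x04, command 0x08; real sets use their own codes.
    captured = jitter(encode_nec(0x04, 0x08), 40)
    print(decode_nec(captured))
    # Replay: re-emit the decoded frame.  A TV-B-Gone style sweep is the same
    # loop over a list of (address, command) pairs, calling encode_nec() on each.
    address, command, _ = decode_nec(captured)
    print(encode_nec(address, command) == encode_nec(0x04, 0x08))
```

A frame whose ~command byte does not match is reported with valid=False; a replay tool should drop such captures rather than re-emit them, because a set that ignores the check will still act on a corrupted code.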
DEMO
Tangoing with Radio
• SDR = Software Defined Radio
• Usually pretty expensive.
• Until the rise of RTL-SDR (repurposed DVB-T dongles built around the RTL2832U)
• Scope = AIS, GSM, ADS-B, GPS, you name it.
RTL-SDR or cheap radio sniffer
• Mainly two tuner types:
  • E4000: 52-2200 MHz (with a gap around 1100-1250 MHz)
  • R820T: 24-1766 MHz
• Software used:
  • rtl_sdr (the rtl-sdr command-line tools)
  • GQRX
  • SDRSharp
• Log most data broadcast within those frequency ranges
Sniffing Radio Traffic
• AIS (ship transmissions) is easily picked up
• So are aircraft broadcasts (ADS-B)
• You can capture most protocols off the air; decoding is the work, and encrypted ones stay opaque
• Decode using baudline
• Possible attacks against: home automation systems and car keyfobs
• Keyfobs are supposed to use rolling codes
• “Supposed to”
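What “supposed to” costs, as an added Python simulation (not any manufacturer's keyfob scheme): the same captured unlock frame replayed against a fixed-code receiver and against a rolling-code receiver. The rolling code here is assumed to be an HMAC-SHA256 over a counter, truncated to 32 bits, with a 16-press resynchronisation window; real fobs use proprietary block ciphers, and the point being shown is the counter check, not the cipher.

```python
"""Fixed-code vs rolling-code keyfob against a replayed capture (added example;
a simulation, not any manufacturer's scheme).

Captured with an RTL-SDR, an unlock frame is just bits.  If the fob always
sends the same bits, replaying the capture opens the car.  A rolling code
binds each frame to a counter the receiver tracks, so a stale frame is
rejected.  Assumptions: code = HMAC-SHA256(key, serial || counter)[:4] and
the receiver accepts counters up to WINDOW ahead of the last one it saw
(so presses made out of range do not brick the fob).
"""
import hashlib
import hmac
import os

WINDOW = 16


class FixedCodeFob:
    def __init__(self, serial):
        self.serial = serial

    def press(self):
        return {"serial": self.serial}  # identical every time


class FixedCodeReceiver:
    def __init__(self, serial):
        self.serial = serial

    def accept(self, frame):
        return frame["serial"] == self.serial


def rolling_code(key, serial, counter):
    msg = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:4]


class RollingCodeFob:
    def __init__(self, key, serial):
        self.key, self.serial, self.counter = key, serial, 0

    def press(self):
        self.counter += 1
        return {"serial": self.serial, "counter": self.counter,
                "code": rolling_code(self.key, self.serial, self.counter)}


class RollingCodeReceiver:
    def __init__(self, key, serial):
        self.key, self.serial, self.last_counter = key, serial, 0

    def accept(self, frame):
        if frame["serial"] != self.serial:
            return False
        ctr = frame["counter"]
        # Stale (already seen) or too-far-ahead counters are rejected outright.
        if not (self.last_counter < ctr <= self.last_counter + WINDOW):
            return False
        expected = rolling_code(self.key, self.serial, ctr)
        if not hmac.compare_digest(expected, frame["code"]):
            return False
        self.last_counter = ctr  # resync: the counter only ever moves forward
        return True


def replay_attack(fob, receiver):
    """Sniff one legitimate press, let it through, then replay the capture.

    Returns (legitimate_accepted, replay_accepted).
    """
    captured = fob.press()             # what the SDR recorded
    first = receiver.accept(captured)  # the owner unlocks the car
    replayed = receiver.accept(dict(captured))
    return first, replayed


if __name__ == "__main__":
    print(replay_attack(FixedCodeFob(0x1234), FixedCodeReceiver(0x1234)))
    key = os.urandom(16)  # constructed shared secret
    print(replay_attack(RollingCodeFob(key, 0x1234), RollingCodeReceiver(key, 0x1234)))
```

The window is the part worth auditing on a real system: too small and a fob pressed in a pocket desynchronises, too large and an attacker who has captured many frames keeps a stock of still-valid ones. A capture is only useless once the receiver has seen a higher counter.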
Antennas
• Dependent on the frequency that you want to capture.
• Different types for different purposes:
  • Monopole: ACARS, ADS-B, AIS (airplanes/ships)
  • Rubber duck antennas for short range
  • Discone for wide coverage (more noise)
(Pictures: Discone, Monopole, Rubber duck)
DEMO TIME!
Bus Attacks
The Magic Electronic Buses
• Buses are used by components in an embedded system to communicate with each other
• Not secured: no encryption
• Most commonly used protocols are SPI, I2C and UART
• No authentication
• I2C uses 7-bit addressing, but an address only says who is being spoken to; every device on the bus sees every transaction
Attacking bus protocols
• Sniffing:
  • Logic analyzers pick up most of the protocols
  • Bus Pirate is your friend
• Replay:
  • Sniffed sequences can be played back at later times
  • Bus Pirate is your best friend
• Debug ports:
  • UART/JTAG ports are left open for debugging purposes
  • Can be used to dump firmware and mess with the memory
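Sniffing and replaying an I2C transaction, as an added Python example (not Bus Pirate or logic-analyzer software): the bus traffic is rendered as (SCL, SDA) samples the way a logic analyzer would record them, decoded back into addressed transactions, and re-rendered for replay. The 0x50 address, register and data bytes are constructed; the slave ACKing every byte and the master NACKing the last byte of a read follow the I2C convention.

```python
"""I2C sniff-and-replay over logic-analyzer style samples (added example; not
Bus Pirate or logic-analyzer software).

Signalling rules used below (the whole of what a sniffer needs):
  START  = SDA falls while SCL is high      STOP = SDA rises while SCL is high
  bit    = SDA sampled on each SCL rising edge, MSB first, 8 bits then ACK (SDA low)
  byte 1 = 7-bit address << 1 | R/W (1 = read)
Nothing on the bus authenticates the sender, so a sniffed transfer replays as-is.
"""


def i2c_waveform(segments):
    """Render one transfer as (SCL, SDA) samples, one sample per signal phase.

    segments: list of (address, "W"|"R", data_bytes).  Segments after the
    first are joined with a repeated START; the slave ACKs every byte and the
    master NACKs the last byte it reads.
    """
    s = [(1, 1)]                                    # bus idle
    for n, (address, rw, data) in enumerate(segments):
        if n:
            s += [(0, 1), (1, 1)]                   # release SDA, raise SCL
        s.append((1, 0))                            # START
        frame = [(address << 1) | (rw == "R")] + list(data)
        for k, b in enumerate(frame):
            for i in range(7, -1, -1):              # MSB first
                bit = (b >> i) & 1
                s += [(0, bit), (1, bit), (0, bit)]
            nack = 1 if (rw == "R" and data and k == len(frame) - 1) else 0
            s += [(0, nack), (1, nack), (0, nack)]  # 9th clock: ACK/NACK
    s += [(0, 0), (1, 0), (1, 1)]                   # STOP
    return s


def decode_i2c(samples):
    """Recover transactions from (SCL, SDA) samples.

    Returns a list of {"address", "rw", "data", "acks"} dicts, one per START.
    """
    transactions, current, bits = [], None, []
    prev_scl, prev_sda = samples[0]
    for scl, sda in samples[1:]:
        if scl and prev_scl and prev_sda != sda:    # SDA moved while SCL high
            if current is not None:                 # close frame on STOP or repeated START
                transactions.append(current)
            current = {"address": None, "rw": None, "data": [], "acks": []} if sda == 0 else None
            bits = []                               # discard any partial byte
        elif scl and not prev_scl and current is not None:  # SCL rising edge
            bits.append(sda)
            if len(bits) == 9:                      # 8 data bits + ACK/NACK
                value = int("".join(map(str, bits[:8])), 2)
                if current["address"] is None:
                    current["address"] = value >> 1
                    current["rw"] = "R" if value & 1 else "W"
                else:
                    current["data"].append(value)
                current["acks"].append(bits[8] == 0)
                bits = []
        prev_scl, prev_sda = scl, sda
    return transactions


def to_segments(transactions):
    """Turn decoded transactions back into segments a bit-banger could replay."""
    return [(t["address"], t["rw"], t["data"]) for t in transactions]


if __name__ == "__main__":
    # Constructed sample: write register 0x10 to an EEPROM-like device at 0x50,
    # then read two bytes back (values are made up).
    sniffed = i2c_waveform([(0x50, "W", [0x10]), (0x50, "R", [0xAB, 0xCD])])
    decoded = decode_i2c(sniffed)
    for t in decoded:
        print(f"0x{t['address']:02x} {t['rw']} {[hex(b) for b in t['data']]} acks={t['acks']}")
    print("replay identical:", i2c_waveform(to_segments(decoded)) == sniffed)
```

The round trip is the attack: the decoder needs nothing but the two wires, and the replay reproduces the exact same edges, so a device that accepts a command from a sniffed sequence will accept it from a Bus Pirate driving the same pins.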
Here there be Pirates
• Hardware hacker's multitool
• Read/write I2C, SPI, UART
• Mid-level JTAG support
• AVR programmer too!
• Can be accessed via USB (it shows up as a serial port).
DEMO
Thank you!
Questions?
Contact Details

Twitter: twitter.com/yashin.mehaboobe
Email: yashinm92<at>gmail.com
Carrier pigeon works too.
