embedded government espionage

Post on 01-Jul-2015

Category: Technology


DESCRIPTION

This was an ISACA presentation by Ronald Nsale, a security consultant with Ernst & Young. He demonstrated how far ahead other governments are in espionage carried out through hardware.

TRANSCRIPT

EMBEDDED GOVERNMENT ESPIONAGE

AND

CYBER CRIME

Ronald Nsale

Disclaimer

There is a need to discuss the problems in order to find solutions.

This doesn't represent the current status of malware/security trends.

I don't know everything!!!!

Agenda

Motivation: state-level backdooring?

X86 architecture

National Level attacks

Cyber criminal advantage

Introducing plasnito

Why cryptography won’t save us

Who am I?

Security Consultant (EY)

MSc Security and Mobile Computing (University of Massachusetts Boston)

Author: Blindsecurity 2010 (A hacker's perspective)

Projects: BlueRon v0.1, Backtrack 2 and OWASP Web Exploitation. Google can list the rest.

Motivation: state-level backdooring?

Could a state such as China backdoor all new computers on earth?


A bit of X86 architecture

Previous work

1986: Brain virus, infects the boot sector

80s, 90s: thousands of such viruses

2007, John Heasman (NGS Software), Black Hat USA: backdoored EFI bootloader

2009, Anibal Sacco and Alfredo Ortega (Core Security), CanSecWest: patch/flash a Phoenix-Award BIOS; Windows, TrueCrypt; load an arbitrary unsigned kernel module

2010, Kumar and Kumar (HITB Malaysia): vbootkit, bootkitting Windows 7

Piotr Bania, Kon-Boot: bootkit any Windows (32/64-bit)

2012, Snare (Black Hat 2012): UEFI rootkitting
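The boot-sector and MBR lineage above is the one place where a defender can still do a cheap, exact check. As an added example (not code from the presentation), the Python below parses a legacy 512-byte MBR, validates the 0x55AA signature and the partition table, and compares a SHA-256 of the bootstrap code against a baseline recorded when the machine was deployed. The sample images and their "boot code" bytes are constructed placeholders for this example.

```python
"""Parse a legacy 512-byte MBR and compare its bootstrap code against a baseline.

Layout (byte offsets): 0..445 bootstrap code, 446..509 four 16-byte partition
entries, 510..511 the 0x55AA boot signature. The sample images built below are
constructed for this example; their bootstrap bytes are placeholders, not real
boot code.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts, including empty (type 0) slots."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"index": i, "status": status, "bootable": status == 0x80,
                        "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table changes legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, known_good_hash: str) -> list:
    """Return findings; an empty list means the MBR matches the recorded baseline."""
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != known_good_hash:
        findings.append("bootstrap code differs from the known-good baseline")
    parts = parse_partitions(mbr)
    if sum(p["bootable"] for p in parts) > 1:
        findings.append("more than one partition flagged bootable")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']} has invalid status byte {p['status']:#04x}")
    return findings


def make_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with one bootable type-0x07 partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff",
                        2048, 1_000_000)
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIGNATURE


# Constructed images: the "clean" one is what was recorded at deployment time; the
# "infected" one has its first bytes replaced, as a bootkit that swaps in its own
# loader would do.
CLEAN_MBR = make_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 40)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
INFECTED_MBR = make_sample_mbr(b"\xeb\x3e" + b"\x00" * 7 + b"\x90" * 40)

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE_HASH) or "OK")
    print("infected:", check_mbr(INFECTED_MBR, BASELINE_HASH))
```

Only the bootstrap code is hashed, because the partition table is expected to change; the caveat from the rest of this deck still applies, since a firmware-resident backdoor can serve a clean MBR to any reader that goes through the BIOS.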

Previous

Persistent

Stealth (no hostile code on the machine's disk)

Portable (OS independent)

Remote access, remote updates

State-level quality: plausible deniability, non-attribution

Crosses network perimeters (firewalls, auth proxies)

Redundancy

Not detectable by AV (goes without saying...)

National Level attacks

Firewalls: JETPLOW

Cisco 500 series PIX firewalls, ASA (5505, 5510, 5520, 5540, 5550)

Routers: HEADWATER

• HEADWATER PBD (persistent backdoor) transferred remotely over the internet to the target router

• PBD is installed in the router's boot ROM via the upgrade command

• PBD activated after a system boot

NOTE:

HEADWATER is the cover term for the PBD for Huawei Technologies routers. This was adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment under the project name TURBOPANDA.

Servers: IRONCHEF

HP ProLiant DL380 G5 server

Computers: GINSU

Software persistence for a CNE implant on systems carrying the BULLDOZER PCI bus hardware implant

Cyber criminal advantage

Default usernames and passwords

Unsecured debugging ports

Unencrypted trojans and backdoors

Introduction to Plasnito

DEMO

Reality

This is not a vulnerability:

It is sheer bad design inherited from legacy.

Don't expect a patch.

Fixing those issues will probably require breaking backward compatibility with most standards (PCI, PCIe, TPM).

Why crypto won't save you

We can fake the pre-boot password prompt (TrueCrypt/BitLocker) by booting a remote OS.

Once we know the password, the BIOS backdoor can emulate keyboard typing in 16-bit real mode by programming the keyboard/motherboard PIC microcontrollers.

If necessary, patch the original BIOS/firmwares back remotely.

Why crypto won't save you

TPM + full disk encryption won't save you either:

It's a passive chip: if the backdoor doesn't want explicit access to data on the HD, it can simply ignore the TPM.

Your HD is never encrypted when delivered to you.

You seal against the TPM only when you encrypt your HD.

So the TPM doesn't prevent backdooring by anyone in the supply chain.
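The sealing argument is easy to state and easy to get wrong, so here is an added example (not from the presentation) that models it in Python. The PCR extend rule is the real TPM one (new PCR = SHA-256(old PCR || SHA-256(data))); the seal and unseal functions model only the policy comparison a TPM enforces, since a real TPM keeps the secret inside the chip. The firmware images, bootloader, kernel and disk key are constructed stand-ins.

```python
"""Toy model of TPM measured boot and sealing, showing why sealing after delivery
cannot detect firmware that was already backdoored in the supply chain.

The PCR extend rule is the real one (PCR' = SHA-256(PCR || SHA-256(data))).
seal()/unseal() model only the policy check a TPM enforces; a real TPM keeps the
secret inside the chip. Every "image" below is a constructed stand-in.
"""
import hashlib
import hmac
from typing import List, Optional


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """One PCR extend: new value = SHA-256(old PCR || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_boot_chain(stages: List[bytes]) -> bytes:
    """Measure each boot stage in order into a PCR that starts at all zeros."""
    pcr = bytes(32)
    for stage in stages:
        pcr = pcr_extend(pcr, stage)
    return pcr


def seal(secret: bytes, pcr_value: bytes) -> dict:
    """Bind a secret to the PCR value present at sealing time (policy only, toy)."""
    return {"secret": secret, "policy_pcr": pcr_value}


def unseal(sealed: dict, current_pcr: bytes) -> Optional[bytes]:
    """Release the secret only if the current PCR equals the sealed policy value."""
    if hmac.compare_digest(sealed["policy_pcr"], current_pcr):
        return sealed["secret"]
    return None


# Constructed stand-ins for the measured components.
VENDOR_FIRMWARE = b"BIOS 1.02 (constructed)"
BACKDOORED_FIRMWARE = b"BIOS 1.02 (constructed) + implant"
BOOTLOADER = b"bootmgr (constructed)"
KERNEL = b"kernel (constructed)"
DISK_KEY = bytes(range(32))  # constructed stand-in for a 256-bit FDE key


def supply_chain_scenario() -> Optional[bytes]:
    """Firmware was backdoored before delivery; the owner then enables FDE and seals.
    Every later boot measures the same backdoored firmware, so unseal succeeds and
    nothing ever looks wrong."""
    chain = [BACKDOORED_FIRMWARE, BOOTLOADER, KERNEL]
    sealed = seal(DISK_KEY, measure_boot_chain(chain))
    return unseal(sealed, measure_boot_chain(chain))


def post_seal_tamper_scenario() -> Optional[bytes]:
    """The case a TPM does catch: firmware modified after the owner sealed."""
    sealed = seal(DISK_KEY, measure_boot_chain([VENDOR_FIRMWARE, BOOTLOADER, KERNEL]))
    return unseal(sealed, measure_boot_chain([BACKDOORED_FIRMWARE, BOOTLOADER, KERNEL]))


def matches_reference(chain: List[bytes], reference_pcr: bytes) -> bool:
    """What closes the gap: compare the measured PCR against a value computed from a
    firmware image verified out of band, not against whatever the box shipped with."""
    return hmac.compare_digest(measure_boot_chain(chain), reference_pcr)


if __name__ == "__main__":
    print("supply-chain backdoor, sealed afterwards:", supply_chain_scenario() == DISK_KEY)
    print("tampered after sealing:", post_seal_tamper_scenario())
    ref = measure_boot_chain([VENDOR_FIRMWARE, BOOTLOADER, KERNEL])
    print("backdoored chain vs verified reference:",
          matches_reference([BACKDOORED_FIRMWARE, BOOTLOADER, KERNEL], ref))
```

The point of `matches_reference` is that a PCR value only means something when it is compared with a reference you computed yourself from firmware you verified; a seal taken on delivery day just binds the disk key to whatever the box arrived with.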

How about Antivirus?????

Putting an AV on a server to protect against unknown threats is purely cosmetic.

You may as well put lipstick on your servers...

Example: 3 year old bootkit

Remediation

Flash every firmware upon receipt of new hardware with open-source software you can verify

Checksum all firmwares by physically extracting them (FPGA...): costly!

Verify the integrity of all firmwares from time to time

Update forensics best practices: 1) include firmwares in the SoW; 2) throw away the computer in case of intrusion

Even then... not entirely satisfying: the backdoor can flash the original firmwares back remotely.
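The "checksum and re-verify" steps above are where the periodic check lives. As an added example (not part of the presentation), the Python below compares a firmware image dumped from a device against the golden image recorded when the firmware was flashed, and when they differ it reports which flash blocks changed rather than just "hash mismatch". The 4 KiB block size is an assumption chosen to match common SPI flash sector sizes; the 64 KiB golden image and the two "implant" patches are constructed for the example. Both images must come from out-of-band reads (external programmer, chip-off), since, as the deck says, firmware read back through the running system can be served by the backdoor itself.

```python
"""Compare a firmware image read from a device against a golden image and report
which flash blocks differ.

Both images must come from out-of-band reads (external programmer, chip-off);
firmware read back through the running system can be served by the backdoor.
The images below are constructed; the "implant" patches are marker patterns.
"""
import hashlib
import random
from typing import List, Tuple

BLOCK_SIZE = 4096  # assumption: report at SPI-flash sector granularity


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def diff_regions(golden: bytes, dumped: bytes,
                 block_size: int = BLOCK_SIZE) -> List[Tuple[int, int]]:
    """Return (offset, length) for each contiguous run of differing blocks."""
    if len(golden) != len(dumped):
        raise ValueError(f"size mismatch: golden={len(golden)} dumped={len(dumped)}")
    regions = []
    start = None
    for off in range(0, len(golden), block_size):
        same = golden[off:off + block_size] == dumped[off:off + block_size]
        if not same and start is None:
            start = off
        elif same and start is not None:
            regions.append((start, off - start))
            start = None
    if start is not None:
        regions.append((start, len(golden) - start))
    return regions


def record_baseline(golden: bytes) -> dict:
    """What to store when the verified firmware is flashed onto new hardware."""
    return {"size": len(golden), "sha256": sha256_hex(golden)}


def verify_firmware(golden: bytes, dumped: bytes, baseline: dict) -> dict:
    """Periodic check: whole-image hash against the baseline, then localise changes."""
    ok = len(dumped) == baseline["size"] and sha256_hex(dumped) == baseline["sha256"]
    result = {"ok": ok, "modified_regions": []}
    if not ok and len(dumped) == len(golden):
        result["modified_regions"] = diff_regions(golden, dumped)
    return result


# Constructed 64 KiB "golden" image (deterministic pseudo-random content).
_rng = random.Random(2015)
GOLDEN = bytes(_rng.getrandbits(8) for _ in range(64 * 1024))
BASELINE = record_baseline(GOLDEN)

# Constructed tampered dump: one patch inside a single block, one spanning two blocks.
_buf = bytearray(GOLDEN)
_buf[0x8000:0x8200] = b"\xff" * 0x200
_buf[0xC800:0xD800] = b"IMPLANT!" * 512   # exactly 0x1000 bytes, size unchanged
IMPLANTED = bytes(_buf)

if __name__ == "__main__":
    print(verify_firmware(GOLDEN, GOLDEN, BASELINE))
    print(verify_firmware(GOLDEN, IMPLANTED, BASELINE))
```

Reporting block offsets tells you where to point a disassembler next and whether the change sits in a region that legitimately varies (NVRAM, settings) or in code that never should. It does not address the last caveat above: a backdoor that re-flashes the original image before you dump the chip will pass this check, which is why the baseline and the dump both have to be taken with the backdoor unable to run.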

Questions ?

Contact me

Ronald.Nsale@ug.ey.com
