Building Trojan Hardware at Home
Presented by JP Dunning “.ronin”, BlackHat Asia 2014. Demonstration of how to build a hardware-based Trojan at home. Create your own hardware Trojan. http://www.ehacking.net/2014/09/building-trojan-hardware-at-home.html
What is Hardware?
● PCB (Printed Circuit Board)
● Single use components (resistor, LED, crystal, capacitor, etc.)
● Specialized chips (RAM, controller, I/O)
● Primary processor chip
● I/O ports
● Firmware
Goals of This Talk
● Discuss hardware and firmware based Trojans
● Remain platform neutral
– This is not a vendor specific problem
● Display the relative ease of modifying hardware
What you'll need to play along
● Computer with Linux and Windows
● Cheap used target hardware
● Programmer for less than $40
● Time
● Soldering equipment (sometimes)
● Trojan
● (Minions)
Modify Hardware
● What's in the Box?!?!
● What kind of I/O ports are available?
– USB, UART, I2C, SPI, PS/2, RJ45, GPIO, daughterboard connectors, etc.
● Get it cheap
– Ebay/Craigslist/Taobao anyone?!?
● What is the hardware's purpose?
● How does it interact with the target?
USB + 1
● Let's hide our attack hardware inside a USB device
– Many devices have large open cavities
– Looks the same from the outside
● Attack the host device connected to the USB Trojan
● Try to leave device functional
The Glitch Platform
● Create an open hardware testing platform
● Make it Arduino compatible
● Build upon open hardware security projects
● Make projects accessible to non-coders and non-engineers
Glitch Platform made Easy
● Create or edit modules on the Micro SD card using plain text configuration files
– Available configuration options are up to the developer
– Provide additional payload files
● Select module with DIP switch
● Plug-and-play
● Project site
– theglitch.sourceforge.net
Keystroke Injection
● Emulating computer keyboard
● “Press” keys
● Benefits of leveraging HID Injection
– “Type” accurately
– “Type” quickly
– No Human Required
● Works against computers that can use an external keyboard
● Designed for Windows, Linux, and OS X
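Added example (not part of the original slides): the speed and regularity listed above as benefits are also what a defender can measure. This Python code flags runs of keystrokes whose inter-key gaps are too short and too uniform for a person; the thresholds, the source of the timestamps (some endpoint agent recording key-down times) and the sample data are assumptions constructed for illustration.

```python
from statistics import pstdev

# Assumed thresholds, to be tuned per environment: a sustained run of keys
# less than 30 ms apart with almost no jitter is not plausible for a person.
MAX_GAP_MS = 30
MAX_JITTER_MS = 5
MIN_RUN = 8

def find_injected_runs(ts):
    """Return (first, last) index pairs of keystroke runs that look machine-typed.

    ts is a sorted list of key-down timestamps in milliseconds.
    """
    runs, start = [], 0
    for i in range(1, len(ts) + 1):
        # A run ends at the end of input or at the first gap that is too slow.
        if i == len(ts) or ts[i] - ts[i - 1] > MAX_GAP_MS:
            gaps = [b - a for a, b in zip(ts[start:i], ts[start + 1:i])]
            if i - start >= MIN_RUN and pstdev(gaps) <= MAX_JITTER_MS:
                runs.append((start, i - 1))
            start = i
    return runs

# Constructed samples (not captured data).
HUMAN = [0, 180, 310, 520, 640, 900, 1010, 1230, 1400]
# Fast key rollover: short gaps, but irregular ones.
ROLLOVER = [0, 28, 33, 61, 70, 99, 104, 131, 140]
# Three human keys, a 20-key burst at a fixed 12 ms, then two human keys.
INJECTED = [0, 210, 390] + [5000 + 12 * k for k in range(20)] + [9000, 9170]

if __name__ == "__main__":
    for name, sample in (("human", HUMAN), ("rollover", ROLLOVER), ("injected", INJECTED)):
        print(name, find_injected_runs(sample))
```

Treat a hit as one signal to correlate with USB device-arrival events rather than as proof on its own.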
HIDIScript
● HID Scripting Language
● Four components
– Plain text
– Parsed Modifiers
– Parsed Keys
– Commands
● Write using HIDIScript Generator
– http://keymeglitch.sourceforge.net
HIDIScript Example
[KEY_RIGHT_GUI][KEY_R]
[WAIT_1000]
notepad
[KEY_ENTER]
[WAIT_2000]
Hello BlackHat Asia 2014!
[WAIT_2000]
[KEY_ALT][KEY_F4]
Trojan Mouse
● Parts
– USB mouse
– USB hub
– The Glitch
Trojan Mouse
● Open the mouse
– USB pins soldered or plug-in
– Remove scroller
– Several square centimeters of open space
Trojan Mouse
● Remove the hub's case
● Cut off USB plugs
● Unsolder two cables
● Unsolder USB host connector
Trojan Mouse
● USB (Universal Serial Bus)
– Four pins
  ● Vcc <---> Vcc (Red)
  ● D- <---> D- (White)
  ● D+ <---> D+ (Green)
  ● GND <---> GND (Black)
– Standard colors
  ● Many USB cables use the standard color wires
  ● Makes it easy to reuse cables
Trojan Mouse
● Split the mouse USB cable
Trojan Keyboard
● Take apart the keyboard with a standard screwdriver
Trojan Keyboard
● The keyboard has a built-in USB hub
● Tap in and replace one of the USB ports
● Avoid soldering by connecting into the connector with wires
Trojan Keyboard
● USB cables take up too much room
● The Glitch has built-in solder pads for an alternative USB connection
Trojan Keyboard
● Cut the lines to the USB plug
● Disables plug to avoid other device interference
– Could also add another USB hub to keep the port active
Trojan Card Logger
● Common PoS card reader
– Keyboard + Mag Reader
Trojan Card Logger
● Keyboard types card data into the PoS
● Replace the PS/2 cable
● Connect to The Glitch pinouts
– Vcc, GND, IRQ, DATA
● No soldering
Trojan Card Logger
● Connect The Glitch USB cable to PoS
● Keystrokes converted from PS/2 to USB
● Log data on the Micro SD card
Trojan Desktop/PoS
● Plug into motherboard USB pins inside case
What does the User see?
● USB device drivers installing for all components
– A few pop-ups in Windows
– Default drivers are fine
● Launch of the attack
– The Glitch has a new one time attack option
– Will not attack again after each power on
How can we make this stealthier?
● Clone USB ID
– The Glitch can clone the USB ID
– Computer sees double
● Plan the attack
– Make it look like an update
– Wait a while after the Trojan device is installed
Trojan Network Connection
● Hardware <-> Trojan Router <-> Network
● Method
– Remove the Ethernet connector
– Connect PCB Ethernet headers to router
– Connect second Ethernet cable to Ethernet connector
– Connect USB charger to existing USB connectors on the device
Trojan LCD TV & Blu-Ray Player
● Fits in the case
● USB power and ground taps
Modify Firmware
● See what's already out there about modding the device
● Research the chips
– ARM, AVR, PIC, Texas Instruments, Broadcom, Intel, etc.
● Exposed ports (or chip pinouts)
– JTAG, UART, I2C, SPI, GPIO, etc.
● Programmer/Debugger (often low cost)
– Bus Pirate, GoodFET, FTDI, PICkit, etc.
Flash Firmware
● Integrated Development Environment
– Port code or use custom language
● Look for a development community
– Code examples
– Custom libraries
● Flashing methods
Programmers
Customize Through Serial
● You may not need to overwrite the firmware
● Connect through a serial console over USB to UART
– Issue AT+ commands
– Command shell access
– Custom commands
Linux YAY!!!
● Many multi-function hardware platforms run Linux … YAY!!!
– BusyBox
– 2.4.x or 2.6.x kernel core + compiler
● Porting Linux is free and easy
– BSD is preferred … no source code publishing required
● Compiled for custom architecture like ARM
Linux YAY!!!
● Types of devices
– Printers
– TVs
– DVR/DVD/BluRay players
– Routers
– Watches
● PwnPlug embedded computer
● Almost anything you can ping!
Trojan Router
● Open source router firmware
– OpenWRT
– DD-WRT
● Replace existing router firmware on hundreds of models
– Cisco, TP-Link, D-Link, Siemens, etc.
● Configured using local Web, SSH, Telnet
● Access to underlying Linux OS
● Install / configure new applications
Trojan Router
1. Back up router web interface pages
2. Flash with open firmware
3. Integrate original web interface with open firmware
4. Configure hidden Trojan functionality
– Enable remote VPN access
– Create reverse SSH
– Install hacking tools
  ● MiniPwner project
Trojan Devices
Hardware Trojans
● TVs / Monitors
● Game systems
● Printers
● Mice / Keyboards
● PoS / Desktops
Firmware Trojans
● Embedded Linux
● Routers
● CC Cameras
● Controllers
● SCADA devices
● 'Internet of Things'
Ju$t l00k @R0uƞd U > - <
Countermeasures
● Make purchases from a reputable source
● Monitor peripherals and network for suspicious actions
● Disable debug ports on hardware
● Enforce update authentication
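Added example (not from the talk) for the "monitor peripherals" countermeasure: the Trojan mouse and keyboard builds put a hub and an extra keyboard device behind a port that used to hold one peripheral, and a cloned USB ID makes the host "see double". This Python code compares a current USB inventory with an approved baseline and reports those conditions. The port paths follow the Linux sysfs naming style; the IDs, roles and both inventories are constructed, and how the inventory is collected is left as an assumption.

```python
HUB, KEYBOARD, MOUSE = "hub", "keyboard", "mouse"

# Constructed inventories: sysfs-style port path -> (vid:pid, role).
BASELINE = {
    "1-1": ("1111:0001", KEYBOARD),
    "1-2": ("2222:0002", MOUSE),
}
CURRENT = {
    "1-1": ("1111:0001", KEYBOARD),
    "1-2": ("3333:0003", HUB),         # a hub now sits where the mouse was
    "1-2.1": ("2222:0002", MOUSE),
    "1-2.2": ("2222:0002", KEYBOARD),  # same ID as the mouse, but it types
}

def parent(path):
    """Port path of the upstream hub, or None for a root port."""
    return path.rsplit(".", 1)[0] if "." in path else None

def audit(baseline, current):
    """Return (path, reason) findings for devices that deviate from baseline."""
    findings = []
    approved_roles = {}
    for vid_pid, role in baseline.values():
        approved_roles.setdefault(vid_pid, set()).add(role)
    seen = {}
    for path, (vid_pid, role) in sorted(current.items()):
        was = baseline.get(path)
        if role == HUB and was and was[1] != HUB:
            findings.append((path, "hub inserted on a port that held a " + was[1]))
        if role == KEYBOARD and path not in baseline:
            findings.append((path, "keyboard interface not in baseline"))
        if vid_pid in approved_roles and role not in approved_roles[vid_pid]:
            findings.append((path, "approved ID presenting a new role: " + role))
        key = (parent(path), vid_pid)
        if key in seen:
            findings.append((path, "duplicate ID, also at " + seen[key]))
        seen.setdefault(key, path)
    return findings

if __name__ == "__main__":
    for path, reason in audit(BASELINE, CURRENT):
        print(path, reason)
```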
Resources
● http://theglitch.sourceforge.net
● http://hackaday.com
● http://www.instructables.com/
● http://goodfet.sourceforge.net
● http://dangerousprototypes.com/docs/Bus_Pirate
● http://servicemanuals.pro
● http://minipwner.com
● http://digikey.com
● http://mouser.com
Thanks
● IronGeek, Hak5, Dave Kennedy, Dragorn, Mike Ossmann for their work in this and related projects
● Community support from Kickstarter
● BlackHat