Page 1: Embedded government espionage

EMBEDDED GOVERNMENT ESPIONAGE

AND

CYBER CRIME

Ronald Nsale

Page 2: Embedded government espionage

Disclaimer

There is a need to discuss the problems in

order to find solutions

This doesn’t represent the current status of

malware/ security trends

I don’t know everything !!!!

Page 3: Embedded government espionage

Agenda

Motivation: State Level Back dooring ?

X86 architecture

National Level attacks

Cyber criminal advantage

Introducing plasnito

Why cryptography won’t save us

Page 4: Embedded government espionage

Who am I?

Security Consultant (EY)

MSc. Security and Mobile computing (University of

Massachusetts-Boston)

Author: Blindsecurity 2010 (A hacker’s perspective)

Projects: BlueRon v0.1 Backtrack 2 and Owasp Web

Exploitation. Google can list the rest

Page 5: Embedded government espionage

Motivation: State Level Back dooring ?

Page 6: Embedded government espionage

Could a state such as China backdoor all new computers on earth?

Page 7: Embedded government espionage

Page 8: Embedded government espionage

Page 9: Embedded government espionage

Page 10: Embedded government espionage

Page 11: Embedded government espionage

A bit of X86 architecture

Page 12: Embedded government espionage

A bit of X86 architecture

Page 13: Embedded government espionage

Previous

Early 80s : Brain virus, targets the MBR

80s, 90s : thousands of such viruses

2007, John Heasman (NGS Software) Blackhat US: backdoor EFI bootloader

2009, Anibal Sacco and Alfredo Ortega (Core Security), CanSecWest: patch/flash a Phoenix-Award BIOS; Windows, Truecrypt. Load arbitrary unsigned kernel module.

2010, Kumar and Kumar (HITB Malaysia) : vbootkit bootkitting of Windows 7.

Piotr Bania, Konboot : bootkit any Windows (32/64b)

2012 : Snare (Blackhat 2012) : UEFI rootkitting

Page 14: Embedded government espionage

Previous

Persistent

Stealth (0 hostile code on the machine)

Portable (OS independent)

Remote access, remote updates

State level quality: plausible deniability, non-attribution

Cross network perimeters (firewalls, auth proxy)

Redundancy

Non detectable by AV (goes without saying...)

Page 15: Embedded government espionage

National Level attacks

Page 16: Embedded government espionage

Firewalls: JETPLOW

Cisco 500 series PIX firewall, ASA (5505,5510,5520,5540,5550)

Page 17: Embedded government espionage

Routers: HEADWATER

• HEADWATER PBD transferred remotely over internet to target router

• PBD is installed in the router’s boot ROM via upgrade command

• PBD activated after a system boot

NOTE:

HEADWATER is the cover term for the PBD for Huawei Technologies

routers. This was adopted for use in the joint NSA/CIA effort to exploit

Huawei network equipment under project name TURBOPANDA

Page 18: Embedded government espionage

Servers: IRONCHEF

HP Proliant 380DL G5 server

Page 19: Embedded government espionage

Computers: GINSU

Installed as a PCI bus hardware implant

Page 20: Embedded government espionage

Cyber criminal advantage

Page 21: Embedded government espionage

Cyber criminal advantage

Default usernames and passwords

Unsecured Debugging ports

Unencrypted Trojans and Back doors

Page 22: Embedded government espionage

Introduction to Plasnito

Page 23: Embedded government espionage

DEMO

Page 24: Embedded government espionage

Reality

This is not a vulnerability :

It is sheer bad design due to legacy.

Don't expect a patch.

Fixing those issues will probably require breaking

backward compatibility with most standards (PCI,

PCIe, TPM).

Page 25: Embedded government espionage

Why crypto won't save you

We can fake the boot/password prompt by booting a remote OS (Truecrypt/Bitlocker).

Once we know the password, the BIOS backdoor can emulate keyboard typing in 16-bit real mode by programming the keyboard/motherboard PIC microcontrollers.

If necessary, patch back the original BIOS/firmwares remotely.

Page 26: Embedded government espionage

Why crypto won't save you

TPM + full disk encryption won't save you either:

It's a passive chip: if the backdoor doesn't want explicit access to data on the HD, it can simply ignore the TPM.

Your HD is never encrypted when delivered to you.

You only seal the TPM when you encrypt your HD.

So the TPM doesn't prevent backdooring by anyone in the supply chain.

Page 27: Embedded government espionage

How about Antivirus?????

Putting an AV on a server to protect against unknown

threats is purely cosmetic.

You may as well put lipstick on your servers...

Page 28: Embedded government espionage

Example: 3 year old bootkit

Page 29: Embedded government espionage

Example: 3 year old bootkit

Page 30: Embedded government espionage

Remediation

Flash any firmware upon reception of new hardware with open source software you can verify

Perform checksums of all firmwares by physically extracting them (FPGA...): costly!

Verify the integrity of all firmwares from time to time

Update forensics best practices: 1) include firmwares in the SoW; 2) throw away your computer in case of intrusion

Even then... not entirely satisfying: the backdoor can flash the original firmwares back remotely.
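Added example (not part of the talk): a small simulation of TPM PCR measurement and sealing that shows the point of the "TPM + full disk encryption" slide and of this remediation slide together. Sealing a disk key binds it to whatever firmware is present when you encrypt, so an implant that shipped with the machine becomes the trusted baseline; only a change made after sealing breaks the unseal. Comparing an extracted image with a golden hash obtained independently catches the supply-chain case, but passes again if the implant has flashed the original image back. Firmware images, the bootloader and the disk key are constructed placeholders; the HMAC-based seal stands in for the TPM's PCR policy check.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend_pcr(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || H(component)). Order and history are preserved."""
    return sha256(pcr + sha256(component))

def measure_boot(chain) -> bytes:
    """Measure each boot component (firmware first) into a PCR that starts at all zeros."""
    pcr = bytes(32)
    for component in chain:
        pcr = extend_pcr(pcr, component)
    return pcr

def seal(secret: bytes, pcr: bytes) -> bytes:
    """Toy seal: bind the secret to one PCR value (an HMAC stands in for the TPM policy check)."""
    return hmac.new(pcr, secret, "sha256").digest()

def unseals(blob: bytes, secret: bytes, pcr: bytes) -> bool:
    return hmac.compare_digest(blob, seal(secret, pcr))

# Constructed stand-ins for real firmware images (hypothetical data, not real blobs).
VENDOR_BIOS = b"vendor-bios-v1.02"
BACKDOORED_BIOS = VENDOR_BIOS + b"+implant"
BOOTLOADER = b"bootloader"
DISK_KEY = b"full-disk-encryption-key"
# Golden hash obtained out of band, e.g. of firmware you built and flashed yourself.
GOLDEN_BIOS_HASH = hashlib.sha256(VENDOR_BIOS).hexdigest()

def tpm_detects(bios_when_sealed: bytes, bios_now: bytes) -> bool:
    """True if the TPM refuses to unseal the disk key. Only a change made AFTER sealing shows up:
    whatever firmware was present when the disk was first encrypted is the trusted baseline."""
    blob = seal(DISK_KEY, measure_boot([bios_when_sealed, BOOTLOADER]))
    return not unseals(blob, DISK_KEY, measure_boot([bios_now, BOOTLOADER]))

def golden_hash_detects(bios_now: bytes) -> bool:
    """Remediation from the slides: hash a physically extracted image and compare it with a
    reference trusted independently of the machine. Catches an implant present since delivery."""
    return not hmac.compare_digest(hashlib.sha256(bios_now).hexdigest(), GOLDEN_BIOS_HASH)

if __name__ == "__main__":
    print("implant since delivery, TPM sealed later ->", tpm_detects(BACKDOORED_BIOS, BACKDOORED_BIOS))  # False
    print("implant flashed after sealing            ->", tpm_detects(VENDOR_BIOS, BACKDOORED_BIOS))      # True
    print("golden hash vs delivered image           ->", golden_hash_detects(BACKDOORED_BIOS))          # True
    print("golden hash after original flashed back  ->", golden_hash_detects(VENDOR_BIOS))              # False
```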

Page 31: Embedded government espionage

Questions ?

Contact me

