Download - War Texting Weaponizing Machine 2 Machine
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
1/85
War TextingWeaponizing Machine 2 Machine
mailto:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
2/85
whois donb?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
3/85
whatis iSEC Partners?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
4/85
whyare we here?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
5/85
No, really.
Cellular enabled pill bottles
Track pill usage remotely
Email alerts when
Pill count is low
Pills havent been taken
When its time to take your pill
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
6/85
Wait. That sounds bad.
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
7/85
But, its helping people.
Alzheimers patients
Children with severe diseases
Physically disabled patients
Overworked security consultants
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
8/85
Wait. That soundsgood.
mailto:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
9/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
10/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
11/85
Everything will be a computer
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
12/85
Examples?
Medical devices (personal, industrial)
Industrial monitoring
Automated Teller Machines
Industrial/Commercial Alarm Systems
Home Alarm Systems
Car security systems
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
13/85
I would have owned ATMs, but
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
14/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
15/85
Elegant Attacks Against M2M
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
16/85
Attack methods
Firmware Over The Air (FOTA)
Long Range Baseband Compromise
Access Point Name (APN) Private Networkcompromise
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
17/85
FOTA Hacking?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
18/85
FOTA
A methodology for
Devising a firmware patch/update
Securely packaging the patch/update
Shipping it OTA to be applied
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
19/85
FOTA Attacks Benefits
Elegant
Mass compromise of multiple types of devices Multiple vendors use the same baseband
Negatives Very chip specific
Impacts the update lifecycle Requires specialized firmware Corner cases = potential detection FOTA compromise != Application compromise FOTA may not be used in specific M2M deployments
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
20/85
FOTA Conclusion?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
21/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
22/85
So you thought baseband attacks were
local only, eh?
mailto:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
23/85
Long Range Baseband Compromise Yep, Basebands have TCP/IP stacks Oh, and these too
HTTP FTP DNS ICMP
TCP client/server UDP client/server POP3 SMTP
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
24/85
Long Range Baseband Attacks Benefits
Elegant
Mass persistent compromise Doesnt mess up firmware updates Backdoors are light weight Potential detection is slim to none
Negatives Very chip specific Requires zero-day Large time to deployment Target could be Java VM, could be C/C++
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
25/85
Long Range Baseband Conclusion?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
26/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
27/85
APN Private Network Attacks?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
28/85
APN Private Network Attacks
Benefits
None
Negatives
Uninteresting
Boring Pointless
Repetitive
The Grugq would laugh at me
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
29/85
You dont need to see a conclusion for
this one.
mailto:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
30/85
So, what shouldwe do?
mailto:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
31/85
Common M2M Example from Microchip
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
32/85
Find Architectural Commonalities Baseband
modules must be approved
The approved list ispublic fewfeatures cant driveApplication Logic
Microcontrollers Small RAM Small Code Space (flash) Minimal security surface (if any)
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
33/85
Find Architectural Commonalities Communication
Network Comm = Baseband
Peripheral Comm = uC
Comm between Baseband & uC = UART
Cryptographic Capability Onlysome Basebands provide HTTPS/SSL Usually only Java VM capable
uC is usually baked (or non-existent)
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
34/85
Basebands Accept Hayes AT For network requests
AT+UHTTPC
AT^SISS
AT^USORF
For Incoming/Outgoing SMS AT+CMGL
AT^SMGL
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
35/85
The PayloadMayBe Encrypted If the payload is encrypted
Finite ways the Application can generate a key
IMSI
GSM Timestamp
IMEI
Static Secret
Value from Network (Data or SMS)
Some applications dont even encrypt
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
36/85
If encrypted, how do we analyze?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
37/85
How do we extract it? Use datasheet to find pins
Dont have the uC datasheet?
Most baseband datasheets are public
Use multimeter to
trace baseband UART -> uC UART
Trace VCC, VSS = Now you know 4 pins on your unknown uC
Scan leftovers for JTAG/etc
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
38/85
How do we extract it? Logic Analyzer
Tap the UART pins
Find test pads, if available
Solder only when necessary (limit damage)
Most basebands will only talk
Async Serial 9600 8N1 Async Serial 115200 8N1
Process data at both speeds
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
39/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
40/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
41/85
Next, we reverse.
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
42/85
Its not always easy Difficult to determine crypto keys
Protocol may be dynamic
Nonces may get in the way
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
43/85
Some light Hardware Hacking?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
44/85
Nothing too new Simple/Differential Power Analysis
Extract keys
Glitching Extract firmware
Bypass fuses to set DEBUG mode
Blue wire fixes Enable DEBUG mode
Add/remove resistors
Enable DEBUG mode
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
45/85
Revenge (REVerse ENGinEering) uC are easy
Small code base
Predictable vectors Simple opcode architecture
Typicallyno MMU (used)
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
46/85
The STM8 example stm8s207xx
24MHz clock
6KB RAM 128KB Flash
96 assembly instructions
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
47/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
48/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
49/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
50/85
Disassembling & Emulating = Easy Few registers (X, Y, PC, SP, A, C)
Instructions are easy to decode
A common bit represents a type of memory access
No Store, just Load
Emulation requirements are minimal
Inject interrupts as desired Managing the Clock isnt complex
Simple buffer for UART bytes
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
51/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
52/85
Releasable Tools GPLv2 License
This week
STM8 disassembler
STM8 emulator
At HITB KL
STM8 SWIM for GoodFET
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
53/85
Point of Reverse Engineering? Determine vectors for communication
SMS
Internet Voice calls
Extract messages for Comm Channels Develop Protocol APIs
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
54/85
With comm channel Identify commands
Build payloads
Assess delivery mechanisms
Essentially: Build a strategy for attack
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
55/85
Building a Fingerprint
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
56/85
Device Profiling Network fingerprint
Which network provider?
Is it allocated an MSISDN? Is voice allowed? Is SMS allowed? Caller ID? NPA NXX? HLR?
Physical fingerprint Recognizable SIM Baseband Capabilities
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
57/85
Why Device Profile? SMS is Noisy
Hundreds of thousands of MSISDN
Decrease cost Evade SMS SPAM filters
Dont tip off your Target
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
58/85
Simple Profiling Tools Scripts by donb and NickDE!
Hello, Carmen Sandiego :)
Snarf Caller ID Scan HLR
Build MSC databases
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
59/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
60/85
Quick Example: iPad on AT&T Provider?
AT&T (MCC: 310, MNC: 410)
Caller ID? Billable name BAILEY DON
MSISDN & MSC
MSC location != NPA NXX Voice capability
Error
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
61/85
Phew! Thats a lot of stuff!
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
62/85
Overall Strategy? Identify target industry
Build doc library
Intercept initial command set
Attack hardware
Reverse engineer firmware
Extract commands Identify command channels
Devise network fingerprint
Attack!
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
63/85
Case Study: Zoombak Tracking Device
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
64/85
Zoombak Advanced GPS Tracker Sold in over 12,500 stores in USA
Smart Phone App (iPhone, Android, Blackberry)
2x as big as your 6th Generation iPod Nano Track your
Car
Family Pet
Valuables
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
65/85
Zoombak Architecture Renesas SH microprocessor
Cinterion Wireless MC56
GR-520 GPS Module
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
66/85
Intercept Initial AT Command Set Accepts SMS commands
Uploads data to Internet
Retrieves IMSI, IMEI, Network Timestamp, etc Monitors Base Station Info (RSSI, LAC, CI, etc)
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
67/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
68/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
69/85
Zoombak Communication Channel Comm Vectors
SMS
Internet
Control Channel
Use SMSsubmit to ship the SMS via Kannel
Callbacks
SIM in GSM Modem
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
70/85
Zoombak Network Fingerprint HLR
Caller ID
Voice capability MSC vs. MSISDN
Specialized SMS
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
71/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
72/85
Fingerprint Result? 72% Success Rate
Several hundred Zoombak
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
73/85
Zoombak Overall Result?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
74/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
75/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
76/85
Case Study: Car Security Module
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
77/85
Strategy Target industry
Doc library
Intercept initial command set Attack hardware
RevEng firmware
Identify command channels Devise network fingerprint
Attack!
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
78/85
Car Security Overall Result?
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
79/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
80/85
-
8/2/2019 War Texting Weaponizing Machine 2 Machine
81/85
Embedded Security is Hard.
mailto:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
82/85
Dont make it harder Increase crypto usage
Ensure APN security
Use Nonces/Tokens Dont embed IP addresses in SMS ;)
Dont push insecure architecture
Require PKI/SSL Decrease Prices of Security uC
Atmel
ST
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
83/85
All tools can be downloaded https://wartexting.org/
Simple Zoombak Scanner FindMe HLR/MSC snarfer
WhoIs Caller ID client
Soon to come (end of next week) STM8 Disassembler
STM8 Emulator
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
84/85
Thanks to iSEC Partners, NCC Group, and Alex Stamos Mat Solnik Joe Gratz Nick DePetrillo Mike Ossmann Travis Goodspeed Patrick McCanna
Justine Osborne Heidi Cuda David Munson Robot insect image Mike Libby
mailto:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected]:[email protected] -
8/2/2019 War Texting Weaponizing Machine 2 Machine
85/85
Even if my collar bones crush or crumble.
- Eminem
mailto:[email protected]:[email protected]