embedded government espionage

Click here to load reader

Post on 01-Jul-2015




0 download

Embed Size (px)


This was an ISACA presentation by Nsale Ronnie a top hacker in Africa working with Ernst and Young. He demonstrated how other governments are leading by far in the nature of their espionage through hardware.



2. DisclaimerThere is a need to discuss the problems in order to find solutionsThis doesnt represent the current status of malware/ security trendsI dont know everything !!!! 3. AgendaMotivation: State Level Back dooring?X86 architectureNational Level attacksCyber criminal advantageIntroducing plasnitoWhy cryptography wont save us 4. Who am I?Security Consultant (EY)MSc. Security and Mobile computing (University of Massachusetts-Boston)Author: Blindsecurity2010 (A hackers perspective)Projects: BlueRonv0.1 Backtrack 2 and OwaspWeb Exploitation. Google can list the rest 5. .Motivation: State Level Back dooring? 6. Could Chinaa state backdoor all new computers on earth? 7. Creating 16:9 Presentations 8. Creating 16:9 Presentations 9. Creating 16:9 Presentations 10. Creating 16:9 Presentations 11. A bit of X86 architecture 12. A bit of X86 architecture 13. PreviousEarly 80s : Brain virus, targets the MBR80s, 90s : thousands of such viruses2007, John Heasman(NGS Software) BlackhatUS: backdoor EFI bootloader2009, Anibal Saco and Alfredo Ortega (Core security),CanSecWest: patch/flash a Pheonix-Award BiosWindows, Truecrypt. Load arbitrary unsigned kernel module.2010, Kumar and Kumar (HITB Malaysia) : vbootkit bootkitting of Windows 7.Piotr Bania, Konboot : bootkit any Windows (32/64b)2012 : Snare (Blackhat 2012) : UEFI rootkitting 14. PreviousPersistentStealth (0 hostile code on the machine)Portable (OS independent)Remote access, remote updatesState level quality : plausible deniability, non attributionCross network perimeters (firewalls, authproxy)RedundancyNon detectable by AV (goes without saying...) 15. National Level attacks 16. Firewalls: JETPLOWCisco 500 series PIX firewall, ASA (5505,5510,5520,5540,5550) 17. Routers: HEADWATERHEADWATER PBD transferred remotely over internet to target routerPBD is installed in the routers boot ROM via upgrade commandPBD activated after a system bootNOTE:HEADWATER is the cover term for the PBD for Huawei Technologies routers. This was adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment under project name TURBOPANDA 18. Servers: IRONCHEFHP Proliant380DL G5 server 19. Computers: GINSUInstalled as a PCI bus hardware implant 20. Cyber criminal advantage 21. Cyber criminal advantageDefault usernames and passwordsUnsecured Debugging portsUnencrypted Trojans and Back doors 22. Introduction to Plasnito 23. DEMO 24. RealityThis is not a vulnerability :It is sheer bad design due to legacy.Don't expect a patch.Fixing those issues will probably require breaking backward compatibility with most standards (PCI, PCIe, TPM). 25. Why crypto won't save youWe can fake the bootking/password prompt by booting a remote OS (Truecrypt/Bitlocker)Once we know the password, the BIOS backdoor can emulate keyboard typing in 16bit real mode by programming the keyboard/motherboard PIC microcontrollersIf necessary, patch back original BIOS/firmwaresremotely. 26. Why crypto won't save youTPM + full disk encryption won't save you either :It's a passive chip : if the backdoor doesn't want explicit access to data on the HD, it can simply ignore TPM.Your HD is never encrypted when delivered to you. You seal the TPM when you encrypt your HD only. So TPM doesn't prevent backdooringfrom anyone in the supply chain. 27. How about Antivirus?????Putting an AV on a server to protect against unknown threats is purely cosmetic.You may as well put lipstick on your servers... 28. Example: 3 year old bootkit 29. Example: 3 year old bootkit 30. RemediationFlash any firmware upon reception of new hardware with open source software you can verifyPerform checksums of all firmwaresby physically extracting them (FPGA..) : costly !Verify the integrity of all firmwaresfrom time to timeUpdate forensics best practices :1) Include firmwaresin SoW2) Throw away your computer in case of intrusionEven then... not entirely satisfying : the backdoor can flash the original firmwaresback remotely. 31. Questions ?Contact [email protected]