HARDSPLOIT - Pwn2Own · I2C 100 kHz, 400 kHz and 1 MHz • Address scan • Read, write, automatic...
TRANSCRIPT
![Page 1: HARDSPLOIT - Pwn2Own · I2C 100Khz 400Khz and 1 Mhz • Addresses scan • Read, write, automac full and par](https://reader033.vdocument.in/reader033/viewer/2022050103/5f41cc614b998218cf54b74c/html5/thumbnails/1.jpg)
HARDSPLOIT: Framework for Hardware Security Audit
A bridge between hardware & a software pentester

Who am I?
• Julien Moinard
  - Electronic engineer @opale-security (French company)
  - Security consultant, hardware & software pentester
  - Team project leader of Hardsploit
  - DIY enthusiast
16/03/2016 2

Opale Security in 1 slide

Internet of Things & privacy concern?
• Any IoT object could reveal information about individuals
• Wearable technology: clothes, watches, contact lenses with sensors, microphones with embedded cameras and so on
• Quantified self: pedometers, sleep monitors, and so on
• Home automation: connected households using smart fridges, smart lighting and smart security systems, and so on
• …

Internet of Things & privacy concern?
• Last news (you can update this slide every week, unfortunately):
Firmware can be read without any problem (SPI memory)
VTech was hacked in November, exposing millions of accounts. In response, the firm took some essential services offline, meaning products could not be registered on Christmas Day.

IoT ecosystem (20,000-foot view)
• Privacy risk level: where?
- HF communication (ISM band) + Wifi + 3G-5G, Bluetooth, Sigfox, LoRa, etc.
- Classical wired connections
- Central servers, user interface, API, back office, etc.
- IoT devices

Security speaking, hardware is the new software?
SOFTWARE - To secure it:
• Security products (firewall, antivirus, IDS, …)
• Security services (pentest, audit, …)
• Tools (uncountable number of them)
HARDWARE - To secure it:
• Few or unimplemented solutions (encryption with the key in a secure area, anti-replay mechanisms, readout protection, …)
![Page 8: HARDSPLOIT - Pwn2Own · I2C 100Khz 400Khz and 1 Mhz • Addresses scan • Read, write, automac full and par](https://reader033.vdocument.in/reader033/viewer/2022050103/5f41cc614b998218cf54b74c/html5/thumbnails/8.jpg)
• 1/Openit• 2/Fingerprintallthecomponentifyoucanelseautoma@cbruteforcing• 3/Usethosethatmaycontaindata(Online/Offlineanalysis?)• 4/Performread|writeopera@ononthem• 5/Reverseengineering,findvulnerabili<esandexploitthem
Hardsploit & hardware hacking basic procedure
16/03/2016 8

Global Purpose

Why?
• Because chips contain interesting/private data
  • Passwords
  • File systems
  • Firmware
  • …

How?
• A hardware pentester needs to know electronic buses and needs to be able to interact with them
- 1-Wire
- JTAG/SWD
- UART
- CAN
- PARALLEL
- Custom

Hardsploit framework
Same hardware, but a software update is needed to add new protocols
- Hardsploit
- IoT target
- Input/Output
- Database
- Module (SWD, SMBus, I2C, SPI, etc.)

Hardsploit bus identification & scanner (in progress, not published yet)
- Hardsploit
- IoT target
- Input/Output
- Database of patterns
- Database of components
- Module (I2C, SPI, etc.)
- IO hardware mixer
- Scanner

Tools of the trade

| FUNCTIONALITIES | BUS PIRATE | JTAGULATOR | GOODFET | HARDSPLOIT |
| --- | --- | --- | --- | --- |
| UART | | Bus identification | | |
| SPI | | | | |
| PARALLEL | | | | |
| I2C | | | | |
| JTAG/SWD | | Bus identification | | |
| MODULARITY | Microcontroller | Microcontroller | Microcontroller | uC/FPGA |
| EASE OF USE | Cmd line + datasheet | Command line | Command line | Official GUI/API/DB |
| I/O NUMBER | <10 | 24 | <14 | 64 (plus power) |
| WIRING | TEXT (but MOSI doubles as SDA) | TEXT / AUTOMATIC identification | TEXT | LED / TEXT / AUTOMATIC identification |

(The supported/unsupported marks in the protocol rows were graphics and did not survive the transcript.)

Hardsploit: Communication

Prototype making
• Applying soldering paste (low budget style)

Prototype making
• Manual reflow oven (DIY style)

Prototype V0.1 aka The Green Goblin :)

Prototype making (with a budget)
• The rebirth

The board – Final version
• 64 I/O channels
• ESD protection
• Target voltage: 3.3 & 5 V
• Uses a Cyclone II FPGA
• USB 2.0
• 20 cm x 9 cm

Hardsploit organization

Chip management
• Search
• Create
• Modify
• Interact

Wiring helper
- Datasheet representation
- Hardsploit wiring module representation
- GUI <-> board interaction

Settings

Command editor

What is available on GitHub (open)?
• Microcontroller (C)
• API (Ruby)
• GUI (Ruby)
• Create your own Hardsploit module: VHDL & API (Ruby)

Already available (GitHub)
Parallel non-multiplexed memory dump
• 32 bits for address
• 8/16 bits for data
Wiring helper
I2C at 100 kHz, 400 kHz and 1 MHz
• Address scan
• Read, write, automatic full and partial dump
SPI modes 0, 1, 2, 3 up to 25 MHz
• Read, write, automatic full and partial dump
SWD interface (like JTAG, but for ARM cores)
• Dump and write the firmware of most ARM CPUs
GPIO interact / bit-banging (API only for the moment)
• Low speed (<500 Hz) read & write operations on 64 bits
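The I2C module does two things a memory audit always starts with: an address scan and a full or partial dump. The Ruby below (Ruby because Hardsploit's API is Ruby) is an added example, not Hardsploit's code: it performs both operations against a simulated bus carrying two 24LC64 EEPROMs so that it runs offline. The Sim24LC64 and SimI2CBus classes, the 0x50/0x54 strapping and the sample bytes are constructed for the example; the 24LC64 protocol details (control byte 1010 A2 A1 A0 R/W, 16-bit word address MSB first, sequential read with wrap-around) come from the part's datasheet.

```ruby
# Added example (not Hardsploit code): a 7-bit I2C address scan and a chunked
# dump of a 24LC64 EEPROM, run against a simulated bus so it works offline.
# 24LC64 facts used (datasheet): 64 Kbit = 8192 bytes; control byte
# 1010 A2 A1 A0 R/W, i.e. 7-bit address 0x50 + the A2..A0 strap pins;
# 16-bit word address sent MSB first; sequential reads wrap at the end.

# Simulated 24LC64: ACKs one address and models the set-address + sequential-read
# path that a dump uses (page writes are not modelled).
class Sim24LC64
  SIZE = 8192
  attr_reader :mem

  def initialize(a2a1a0, mem = nil)
    @addr7 = 0x50 | (a2a1a0 & 0x7)
    @mem = mem || Array.new(SIZE, 0xFF)   # a blank EEPROM reads 0xFF
    @ptr = 0
  end

  def acks?(addr7)
    addr7 == @addr7
  end

  # Master writes the word address (2 bytes, MSB first): moves the pointer.
  def write(bytes)
    return false if bytes.length < 2
    @ptr = ((bytes[0] << 8) | bytes[1]) % SIZE
    true
  end

  # Every byte the master ACKs advances the pointer, wrapping at SIZE.
  def read(n)
    Array.new(n) { b = @mem[@ptr]; @ptr = (@ptr + 1) % SIZE; b }
  end
end

class SimI2CBus
  def initialize(devices)
    @devices = devices
  end

  # START + address byte: does anybody ACK? That is all a scanner needs.
  def probe(addr7)
    @devices.any? { |d| d.acks?(addr7) }
  end

  def write(addr7, bytes)
    dev = @devices.find { |d| d.acks?(addr7) }
    dev ? dev.write(bytes) : false          # nobody home -> NACK
  end

  def read(addr7, n)
    dev = @devices.find { |d| d.acks?(addr7) }
    dev ? dev.read(n) : nil
  end
end

# 0x00-0x07 and 0x78-0x7F are reserved by the I2C spec (general call, CBUS,
# 10-bit addressing prefix, ...), so a scan probes 0x08..0x77 only.
def i2c_scan(bus)
  (0x08..0x77).select { |a| bus.probe(a) }
end

# Dump `size` bytes from a 24LCxx at `addr7`. The word address is re-sent at
# every chunk, so a lost ACK aborts with the offset instead of yielding a
# silently shifted image.
def dump_24lc64(bus, addr7, size: Sim24LC64::SIZE, chunk: 256)
  out = []
  (0...size).step(chunk) do |off|
    unless bus.write(addr7, [off >> 8, off & 0xFF])
      raise format("no ACK from 0x%02X while setting address 0x%04X", addr7, off)
    end
    out.concat(bus.read(addr7, [chunk, size - off].min))
  end
  out
end

# Constructed board: one 24LC64 strapped A2A1A0=000 (0x50) holding a PIN-like
# record "1234" at 0x100, and a blank one strapped 100 (0x54).
SAMPLE = Array.new(Sim24LC64::SIZE, 0xFF)
"1234".bytes.each_with_index { |b, i| SAMPLE[0x100 + i] = b }
BUS = SimI2CBus.new([Sim24LC64.new(0b000, SAMPLE), Sim24LC64.new(0b100)])

if __FILE__ == $0
  found = i2c_scan(BUS)
  puts "I2C devices: " + found.map { |a| format("0x%02X", a) }.join(" ")
  img = dump_24lc64(BUS, found.first)
  puts "dumped #{img.length} bytes; bytes at 0x100: #{img[0x100, 4].pack('C*').inspect}"
end
```

Two practical points the scan shows: the 24LCxx family answers somewhere in 0x50-0x57 depending on how A2..A0 are strapped, so a hit in that range is a strong EEPROM hint before any datasheet lookup, and the dump re-sends the word address on every chunk, so a transfer problem stops with the failing offset rather than producing an image that is shifted by a few bytes.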

More to come (see online roadmap)…
• Automatic bus identification & scanner (@30%)
• Component & commands sharing platform (@90%)
• TTL UART module with automatic speed detection (@80%)
• Parallel communication with multiplexed memory
• I2C sniffing (shot of 4000 bytes, up to 1 MHz)
• SPI sniffing (shot of 8000/4000 bytes half/full duplex, up to 25 MHz)
• RF wireless transmission training platform (Nordic nRF24, 433 MHz, 868 MHz transceivers)
• Metasploit integration (module)??
• JTAG
• 1-Wire
• CAN bus (with hardware level adapter)
• …

Concrete case
• An electronic lock system
• 4-character PIN code A–B–C–D
• Good combination: door opens, green LED turns on
• Wrong combination: door closes, red LED turns on

Concrete case: Open it

Concrete case: Fingerprint
- I2C memories: 24LC64
- STM32F103RBT6
- SPI memory: 25LC08
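The fingerprinted MCU is an STM32F103RBT6, a Cortex-M3 whose debug port is reached over SWD, which is why the SWD module matters for this target. The Ruby below is an added example, not Hardsploit's SWD implementation: it encodes and checks the 8-bit request packets a host sends to the debug port, the 3-bit acknowledge values, the data-phase parity and the JTAG-to-SWD switch sequence. Bit order, register offsets and constants follow ARM's ADIv5 specification; nothing here talks to a board.

```ruby
# Added example (not Hardsploit code): SWD request packets and the JTAG-to-SWD
# switch, as a host would send them to a Cortex-M debug port (ADIv5).
# Request bits go on the wire LSB first:
#   Start(1) APnDP RnW A[2] A[3] Parity Stop(0) Park(1)
DP, AP = 0, 1          # APnDP: Debug Port or Access Port register
WRITE, READ = 0, 1     # RnW

# addr is the DP/AP register offset (0x0, 0x4, 0x8, 0xC); only bits [3:2] travel.
def swd_request(apndp, rnw, addr)
  a2 = (addr >> 2) & 1
  a3 = (addr >> 3) & 1
  parity = apndp ^ rnw ^ a2 ^ a3          # even parity over the 4 payload bits
  1 | (apndp << 1) | (rnw << 2) | (a2 << 3) | (a3 << 4) | (parity << 5) | (1 << 7)
end

# Inverse: validate framing and parity, then describe the request.
def swd_decode(byte)
  raise "bad start/stop/park bits" unless (byte & 0xC1) == 0x81
  apndp, rnw, a2, a3, par = (1..5).map { |i| (byte >> i) & 1 }
  raise "parity error" unless (apndp ^ rnw ^ a2 ^ a3) == par
  { port: apndp == AP ? :ap : :dp,
    op:   rnw == READ ? :read : :write,
    addr: (a3 << 3) | (a2 << 2) }
end

# Target acknowledge, 3 bits LSB first, sent after a turnaround cycle.
ACK = { 0b001 => :ok, 0b010 => :wait, 0b100 => :fault }.freeze

# Data phase: 32 data bits followed by one even-parity bit, all LSB first.
def swd_data_parity(word)
  (word & 0xFFFFFFFF).to_s(2).count('1') & 1
end

# JTAG-to-SWD switch (ADIv5): at least 50 clocks with SWDIO high, the 16-bit
# code 0xE79E LSB first, at least 50 more high clocks, then idle (low) cycles
# before the first request.
def jtag_to_swd_bits
  Array.new(50, 1) + 16.times.map { |i| (0xE79E >> i) & 1 } + Array.new(50, 1) + [0, 0]
end

# The first transaction after the switch: DP read of IDCODE (register 0x0).
def idcode_read_request
  swd_request(DP, READ, 0x0)
end

if __FILE__ == $0
  printf("IDCODE read request  : 0x%02X\n", idcode_read_request)
  printf("CTRL/STAT read       : 0x%02X\n", swd_request(DP, READ, 0x4))
  printf("SELECT write         : 0x%02X\n", swd_request(DP, WRITE, 0x8))
  # A Cortex-M3 SW-DP such as the STM32F103's reports IDCODE 0x1BA01477.
  printf("parity for 0x1BA01477: %d\n", swd_data_parity(0x1BA01477))
end
```

Getting an IDCODE back is not the same as being able to read flash: on an STM32F1 with the read-out protection option byte set, the debug port still answers, but flash reads through the debugger are blocked, and clearing RDP mass-erases the flash. Checking that before announcing "firmware dumped" belongs to steps 2 and 3 of the procedure.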

Concrete case: Online / offline analysis?

Concrete case: Hardsploit scenario
1. Open Hardsploit to create the component (if it does not exist yet)
2. Connect the component to Hardsploit (wiring helper)
3. Enter and save the component settings (if they do not exist yet)
4. Dump the content of the memories (1 click)
5. Change the door password by using commands (a few clicks)
6. Try the new password on the lock system (enjoy)
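Steps 4 to 6 worked through in Ruby, as an added example that is not Hardsploit's command editor: dump the SPI EEPROM, locate the PIN offline (a search for runs of ASCII digits, and the differential trick of dumping before and after changing the PIN on the keypad), then write a new PIN with a page-aware WREN + WRITE sequence and read it back. The slide says 25LC08; the model here assumes a Microchip 25LC080 (1024 bytes, 16-byte pages, 16-bit address, the WREN/WRITE/READ/RDSR/WRSR opcodes and the WEL/BP status bits from its datasheet). Sim25LC080, SAMPLE and the "LOCKv1"/"1234" contents are constructed for the example.

```ruby
# Added example (not Hardsploit code): scenario steps 4-6 against a simulated SPI
# EEPROM. Device model assumed: Microchip 25LC080 (the slide says 25LC08), i.e.
# 1024 bytes, 16-byte pages, 16-bit address; opcodes READ 0x03, WRITE 0x02,
# WRDI 0x04, RDSR 0x05, WRSR 0x01, WREN 0x06; status bit1 = WEL, bits 3:2 = BP1:BP0.
class Sim25LC080
  SIZE, PAGE = 1024, 16
  READ, WRITE, WRDI, RDSR, WRSR, WREN = 0x03, 0x02, 0x04, 0x05, 0x01, 0x06
  attr_reader :mem

  def initialize(mem)
    @mem = mem.dup
    @status = 0x00
  end

  def wel?
    (@status & 0x02) != 0
  end

  # One chip-select cycle: bytes clocked in on SI; returns the bytes clocked out on SO.
  def transfer(bytes)
    op, *rest = bytes
    case op
    when WREN then @status |= 0x02; []
    when WRDI then @status &= ~0x02; []
    when RDSR then [@status]
    when WRSR                                   # needs WREN as well; only BP1:BP0 kept here
      return [] unless wel?
      @status = rest[0] & 0x0C
      []
    when READ                                   # sequential read, wraps at the end of the array
      addr = ((rest[0] << 8) | rest[1]) % SIZE
      Array.new(rest.length - 2) { |i| @mem[(addr + i) % SIZE] }
    when WRITE
      return [] unless wel?                     # no WREN first -> the write is silently ignored
      @status &= ~0x02                          # the latch is consumed by this write cycle
      addr = ((rest[0] << 8) | rest[1]) % SIZE
      return [] if block_protected?(addr)       # BP bits set -> that region stays unchanged
      page = addr & ~(PAGE - 1)                 # bytes past the page end wrap inside the page
      rest.drop(2).each_with_index { |b, i| @mem[page + ((addr + i) % PAGE)] = b }
      []
    else raise format("unknown opcode 0x%02X", op)
    end
  end

  def block_protected?(addr)
    case (@status >> 2) & 0x3
    when 0 then false
    when 1 then addr >= SIZE * 3 / 4            # upper quarter
    when 2 then addr >= SIZE / 2                # upper half
    else true                                   # whole array
    end
  end
end

def spi_read(dev, addr, n)
  dev.transfer([Sim25LC080::READ, addr >> 8, addr & 0xFF] + Array.new(n, 0xFF))
end

# Page-aware write: split at page boundaries and send WREN before each page,
# because WEL clears after every write cycle.
def spi_write(dev, addr, data)
  until data.empty?
    room = Sim25LC080::PAGE - (addr % Sim25LC080::PAGE)
    chunk, data = data[0, room], (data[room..-1] || [])
    dev.transfer([Sim25LC080::WREN])
    dev.transfer([Sim25LC080::WRITE, addr >> 8, addr & 0xFF] + chunk)
    addr += chunk.length
  end
end

# Offline analysis 1: runs of `len` ASCII digits are PIN candidates.
def digit_runs(dump, len)
  (0..dump.length - len).select { |i| dump[i, len].all? { |b| b.between?(0x30, 0x39) } }
end

# Offline analysis 2 (differential): dump, change the PIN on the keypad, dump
# again; whatever changed is where the PIN lives. Returns [offset, length] runs.
def dump_diff(before, after)
  (0...before.length).select { |i| before[i] != after[i] }
                     .slice_when { |x, y| y != x + 1 }
                     .map { |run| [run.first, run.length] }
end

# Step 5 plus the check a practitioner adds: write, then read back.
def change_pin(dev, offset, new_pin)
  spi_write(dev, offset, new_pin.bytes)
  spi_read(dev, offset, new_pin.length).pack('C*')
end

# Constructed sample content (not a real dump): a tag at 0x000 and the PIN "1234" at 0x010.
SAMPLE = Array.new(Sim25LC080::SIZE, 0xFF)
"LOCKv1".bytes.each_with_index { |b, i| SAMPLE[i] = b }
"1234".bytes.each_with_index { |b, i| SAMPLE[0x10 + i] = b }

if __FILE__ == $0
  lock = Sim25LC080.new(SAMPLE)
  before = spi_read(lock, 0, Sim25LC080::SIZE)
  puts "PIN candidates at: " + digit_runs(before, 4).map { |o| format("0x%03X", o) }.join(", ")
  puts "read back after write: #{change_pin(lock, 0x10, '9876')}"
  puts "changed regions [offset, len]: #{dump_diff(before, spi_read(lock, 0, Sim25LC080::SIZE)).inspect}"
end
```

Two failure modes the model keeps: a WRITE without a preceding WREN is silently ignored (a "changed" PIN that reads back unchanged usually means the latch was not set, not a wiring fault), and data that runs past a page boundary wraps within the page and overwrites its start, which is why spi_write splits at page edges. Block-protect bits (BP1:BP0) also turn the write into a no-op; RDSR shows them before you start.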

Concrete case: Read | Write operations, I2C, SPI, SWD …
• Time for a live demo?

Parallel bus memory

Concrete case: Fingerprint

Concrete case: Offline analysis

Concrete case: Ready to dump the content

Conclusion
• IoT devices are (also) prone to vulnerabilities; Hardsploit helps you find them
• Security policy needs to be adapted: nowadays it is not so difficult to extract data from IoT devices
• Designers need to design with security in mind
• Skills related to pentesting a hardware device are mandatory for security experts (but training exists)
• Industry needs to take care of device security

Thank you!
Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT)
To learn more about Hardsploit and follow the development: Hardsploit.io & Opale-Security.com
Hardware & Software, Pentest, Audit, Training
• Yann ALLAIN (CEO) • [email protected] • +33645453381
• Julien MOINARD (Project leader of Hardsploit) • [email protected] • +33972438707