Internet of Compromised Things Damien Cauquil Hack In Paris, June 22nd, 2017


Page 1: Internet of Compromised Things - Hack In Paris › data › slides › 2017 › 2017_Cauquil_Damien_… · Internet of Compromised Things Author: Damien Cauquil Created Date: 6/22/2017

Internet of Compromised Things
Damien Cauquil
Hack In Paris, June 22nd, 2017


Who am I?

• R&D director and senior security researcher at CERT-UBIK
• Smart Things breaker and reverse-engineer
• Special interest in DFIR


Agenda

• IoT smart stuff: pirates' heaven
  • Mirai!
  • How tech people investigated the Mirai botnet
  • Why it is getting worse
• The role of a connected/smart device during an investigation
• Digital forensics in the Internet of Things era
  • A complex technical environment
  • Post-mortem analysis: tools and methodologies
  • Live analysis of connected devices and operational issues
  • Introducing the Hardware Forensic Database
• Traceability and accountability
  • Not all devices are concerned
  • Observed average security level of connected devices
  • Logging and traceability
• Conclusion

Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes

IoT smart stuff: pirates' heaven


• Mirai demonstrated how insecure our smart things are
  • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
  • source code quickly released to hide tracks ...
  • ... a lot of clones were developed and launched
  • uses telnet and ssh services to break into cameras, DVRs, etc.
• Why target connected devices rather than servers?
  • usually not up-to-date
  • run proprietary (insecure) software
  • difficult to monitor
• It's getting worse!
  • new botnets designed to fight against Mirai (Hajime, BrickerBot)
  • used to mine Bitcoin, DogeCoin and other crypto-currencies

What could possibly go wrong?


• Smart devices are now widespread and used
  • to secure our houses and flats: smartlocks
  • to detect burglars and intruders: smart alarms, smart CCTV
  • to make a patient's life easier: smart insulin pumps, connected glucose monitoring systems
• What happens if one of those fails?
  • Don't worry, you are covered by your insurance policy!
  • Are you sure?
  • Last but not least, you might be dead.

The role of a connected device during an investigation


• Three major cases:
  • the device was a victim/target of a crime
  • the device has been used to commit a crime
  • the device contains some information related to a crime


Pacemakers, insulin pumps and a lot more devices may injure people or cause death


• The victim device may contain
  • information about how the attack was performed
  • traces related to the origin of the attacker
  • artefacts (exploits, malware, backdoors, ...)
• Required to evaluate the damage and how bad the situation is!

TV5 Monde hack

• In April 2015, TV5 Monde was attacked and its broadcasting infrastructure shut off.
• The French ANSSI (National IT Security Agency) handled the incident
• They had a hard time figuring out how to forensically extract information from some embedded systems
• They asked the vendors about their systems
• They had to determine how to extract and preserve the evidence from these devices
• No standard procedure for this particular case


Quadcopters as bomb droppers


• The device may contain
  • Information that may reveal its owner's identity: serial number, email address, phone name or number, ...
  • Geographical information: GPS coordinates, take-off location
  • Photos, videos, records of previous activity


Amazon’s Alexa device analyzed during an FBI investigation


• The device may contain
  • Information about someone's activity: GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
  • Photos, videos
  • Logs

Digital forensics in the Internet of Things era


Extracting information from devices may seem an easy task

• Easy-peasy, it's Linux-based with a known filesystem!
• We just need to dump the Flash memory and extract everything with EnCase!

But wait ...

• What if the device uses secure boot with military-grade encryption?
• What if the device has no filesystem at all?
• What if the device offers no way to access its system to extract live information?


• It uses various electronic chips to store information
  • eMMC
  • SPI Flash
  • F-RAM
  • Internal flash memory (System on Chip)
  • Internal EEPROM
• It stores information at specific unknown locations
• It may use proprietary encryption or obfuscation
• It offers no easy way to access the information

Post-mortem analysis of a smart device


We need moar tools!

• Tools to desolder and clean electronic memory chips
• Tools to access memory devices and forensically extract information
• Tools to reverse-engineer firmware and find where and how the information is stored
• Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits!)


We need a specific methodology!

• Maximum of information, minimum effort
  • allowing investigators to quickly extract valuable information
  • reducing the risk of information loss (when possible) and ensuring evidence integrity


• Determine if the device has an operating system
  • Identify the main component
  • Check the datasheet and development kit
  • Determine if it usually runs an operating system
• Locate external flash memory chips (SPI Flash, NAND, eMMC)
  • Find the corresponding datasheet
  • Determine how to communicate with the memory chip: SPI, Parallel Flash, proprietary protocol
  • Use the correct adapter/tool to extract the information
• Desolder the memory chip if necessary
  • Use classic forensic tools on SD cards
  • Create a bit-stream image of the memory chips
  • Compute SHA512 and MD5 hashes for each image
• Analyze the images
  • Look for filesystems if an operating system is used
  • Look for chip-specific information (depending on the datasheet and the associated memory map)
  • Keyword search!
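The last steps of this methodology (hash every bit-stream image, then look for filesystems and keywords) lend themselves to a small script. The following Python is an added example written for this page, not a tool from the talk or from the HFDB; the signature table, the 4 KiB sample image it triages and the keywords are all constructed, and the erased-byte check is an extra sanity step that the slide does not list.

```python
"""Triage of a raw flash image: integrity hashes, format signatures and
keyword hits with their offsets (added example, not a tool from the talk)."""
import hashlib
from typing import Dict, List, Tuple

# Magic values of containers commonly met in embedded flash dumps. A hit is a
# starting point for carving, not proof that the structure is really there.
SIGNATURES: Dict[bytes, str] = {
    b"hsqs": "SquashFS superblock (little-endian)",
    b"sqsh": "SquashFS superblock (big-endian)",
    b"UBI#": "UBI erase-counter header",
    b"\x85\x19\x02\xe0": "JFFS2 dirent node (little-endian)",
    b"\x27\x05\x19\x56": "U-Boot legacy image header (uImage)",
    b"\x1f\x8b\x08": "gzip stream",
}


def hash_image(data: bytes) -> Dict[str, str]:
    """The two digests the methodology records for every bit-stream image."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def erased_ratio(data: bytes, erased: int = 0xFF) -> float:
    """Share of bytes still in the erased state (0xFF on NOR/NAND flash).
    Close to 1.0 means an empty dump or a programmer that never really
    read the chip; worth checking before spending time on analysis."""
    return data.count(erased) / len(data) if data else 1.0


def find_signatures(data: bytes) -> List[Tuple[int, str]]:
    """(offset, description) for every occurrence of a known magic value."""
    hits = []
    for magic, desc in SIGNATURES.items():
        pos = data.find(magic)
        while pos != -1:
            hits.append((pos, desc))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def keyword_search(data: bytes, keywords: List[str],
                   context: int = 16) -> List[Tuple[int, str, bytes]]:
    """Case-insensitive search for the ASCII and UTF-16LE form of each
    keyword; returns (offset, keyword, surrounding bytes)."""
    lowered = data.lower()          # bytes.lower() only folds ASCII letters
    hits = []
    for kw in keywords:
        for needle in (kw.lower().encode("ascii"),
                       kw.lower().encode("utf-16-le")):
            pos = lowered.find(needle)
            while pos != -1:
                start = max(0, pos - context)
                hits.append((pos, kw, data[start:pos + len(needle) + context]))
                pos = lowered.find(needle, pos + 1)
    return sorted(hits)


def triage(data: bytes, keywords: List[str]) -> Dict[str, object]:
    """Everything an investigator records about one image, in one place."""
    return {"size": len(data), "hashes": hash_image(data),
            "erased_ratio": erased_ratio(data),
            "signatures": find_signatures(data),
            "keywords": keyword_search(data, keywords)}


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'dump': erased flash with a few planted structures.
    Not a real device image."""
    img = bytearray(b"\xff" * 4096)

    def plant(offset: int, blob: bytes) -> None:
        img[offset:offset + len(blob)] = blob

    plant(0x000, b"\x27\x05\x19\x56")                  # uImage header
    plant(0x400, b"hsqs")                              # SquashFS superblock
    plant(0x800, b"\x85\x19\x02\xe0")                  # JFFS2 dirent
    plant(0xC00, b"admin:Sup3rSecret\x00\x00WIFI_SSID=lab\x00")
    plant(0xE00, "Owner".encode("utf-16-le"))          # a wide string
    return bytes(img)


if __name__ == "__main__":
    report = triage(build_sample_image(), ["admin", "ssid", "owner"])
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against a real image by replacing `build_sample_image()` with the bytes read from the dump file; the hashes go into the evidence record before any analysis starts, and the signature and keyword offsets are what you feed into a carver or into the chip's memory map.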

Case Study: TheQuickLock padlock


1. Open the smartlock


2. Get your hands on the PCB


• Main component: Texas Instruments CC2541
• Does it run an OS: NO
• No external memory chip: data is stored in the CC2541 SoC
• Memory access: we need a CC Debugger to dump the flash


3. Access the memory and dump


• Where is the interesting information stored?
  • No OS, information is stored in Flash
  • We need to find where the interesting information is stored
  • It is not a trivial task; it requires some time to figure out


4. Extract the PIN code from Flash


5. Extract the event log

Live analysis of compromised devices


• Analysis is often difficult
  • no easy way to communicate with the device
  • no system access while the system is active (if we want to keep it active)
  • no standard procedure, it's not a computer!
• Lack of proper tools
  • We have to deal with U(S)ART or BLE interfaces
  • Standard DFIR toolkits provide no way to interact with these protocols


• If it's on, keep it on!
  • Powering off the device may destroy evidence
  • The device may provide an easy way to extract valuable information
• Identify the best way to extract information from the device
  • Find a working communication channel
  • Ensure it offers access to valuable information
• Use this communication channel to gather as much information as possible
  • Available information depends on the device
  • The device MUST provide a feature to get valuable information (error codes, logs, ...)


• Use available tools to access the device
  • Linux's GATT client to communicate through BLE
  • screen or minicom to communicate through U(S)ART
• Collect every valuable piece of information, following the Order of Volatility
  • Active memory
  • Processes list
  • Active connections
  • IP addresses
  • BD addresses
  • Files (or assimilated)
  • Serial numbers
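A scripted acquisition that walks the list above in Order of Volatility, recording for each step the command sent, a UTC timestamp and a SHA-256 of the raw reply, as an added example (not a tool from the talk or from the HFDB). The command strings are assumed for a hypothetical vendor shell and the replayed answers are constructed; on a real device `send` would wrap a pyserial port (write, then read_until) or a GATT characteristic write followed by the notification it triggers. A step the device does not support is logged as an error and the run goes on, because the less volatile items are still worth collecting.

```python
"""Scripted live acquisition through a command/response channel, in Order of
Volatility, with a timestamped and hashed evidence log (added example)."""
import hashlib
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Steps from most to least volatile, as on the slide. The command strings are
# assumed for a hypothetical vendor shell: a real device has its own.
STEPS: List[Tuple[str, str]] = [
    ("active_memory", "MEMDUMP"),
    ("process_list", "PS"),
    ("active_connections", "CONN"),
    ("ip_addresses", "IFCONFIG"),
    ("bd_addresses", "BDADDR"),
    ("files", "LS"),
    ("serial_number", "SERIAL"),
]


@dataclass
class Entry:
    step: str
    command: str
    captured_at: str        # UTC, ISO 8601
    sha256: str             # digest of the raw reply
    reply: str
    error: Optional[str] = None


def utc_now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire(send: Callable[[str], str], steps=STEPS,
            clock: Callable[[], str] = utc_now) -> List[Entry]:
    """Run the steps in the given order. `send` writes one command to the
    device and returns its raw reply. A step that fails is logged with its
    error and the run continues, so less volatile items are still collected."""
    entries: List[Entry] = []
    for step, command in steps:
        try:
            reply, error = send(command), None
        except Exception as exc:     # unsupported command, timeout, ...
            reply, error = "", f"{type(exc).__name__}: {exc}"
        entries.append(Entry(step, command, clock(),
                             hashlib.sha256(reply.encode()).hexdigest(),
                             reply, error))
    return entries


def make_replay(answers: Dict[str, str]) -> Callable[[str], str]:
    """Constructed stand-in for a real channel: replays canned answers and
    raises for commands the device does not implement."""
    def send(command: str) -> str:
        if command not in answers:
            raise KeyError(f"command not supported by device: {command}")
        return answers[command]
    return send


def collected(entries: List[Entry]) -> List[str]:
    """Names of the steps that actually produced data."""
    return [e.step for e in entries if e.error is None]


# Constructed replies, not captured from a real device. MEMDUMP is left out
# on purpose: this 'device' offers no way to read its active memory.
SAMPLE_DEVICE = make_replay({
    "PS": "1 init\n42 ble_stack\n77 logger\n",
    "CONN": "AA:BB:CC:DD:EE:FF connected rssi=-60\n",
    "IFCONFIG": "wlan0 192.0.2.10/24\n",
    "BDADDR": "00:11:22:33:44:55\n",
    "LS": "events.log 2048\nconfig.bin 256\n",
    "SERIAL": "SN-CONSTRUCTED-0001\n",
})

if __name__ == "__main__":
    for e in acquire(SAMPLE_DEVICE):
        print(f"{e.captured_at} {e.step:<18} {e.sha256[:16]} {e.error or 'ok'}")
```

Every entry keeps the raw reply next to its digest, so the list of `Entry` objects can be written out as the acquisition record and re-hashed later to show nothing was altered after collection.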

Case Study: Fora Glucose Monitoring System


• The device relies on its own protocol over Bluetooth LE
  • Old serial protocol ported to BLE
  • Offers a lot of features
  • May be used to extract information


• We can then collect
  • All records stored in the device
  • Firmware information
  • Serial number
• Dedicated tool available in the HFDB
  • Collects all the measures stored on a device
  • Features in development: serial number and firmware info


$ node diamondmini.js -t XX:XX:XX:XX:XX:XX
Number of records: 1
Newest record index is: 0

--- Records ---
16/8/16 16:43 - 147 mg/dL

Other tools you may need

Introducing the Hardware Forensic Database


• Origins
  • We needed a central place to report the tools/methodologies required to extract information from various devices
  • We wanted it to be collaborative, as other CERTs may want to add more information about other devices
• What does it contain?
  • Detailed information about various devices (electronics, available interfaces)
  • Curated methodologies to investigate each device
  • Forensically-sound open-source tools to collect information
  • Known vulnerabilities that may be used to bypass protections and access information


• Goals
  • To allow a quick and efficient incident response
  • To provide all the required materials to investigate a device
  • To provide the right methodology when handling a device

In short, to speed up investigations!

HFDB home page

Forensic Summaries

Detailed methodology for each device

Open-source forensic tools


• Only 4 devices listed at this time in this database
  • We are working with vendors/organisations to publicly disclose forensic tools related to some other devices (get rid of NDAs)
  • Other devices are currently being investigated, but it takes time!
• The HFDB is still in development
  • We regularly add content to this database
  • We hope other CERTs and security researchers will jump on the bandwagon!


http://hfdb.io/

Traceability & Accountability


• Traceability & Accountability are important
  • Who did what and when
  • Imputability / Non-repudiation
• Not always mandatory at object level
  • It depends on how the connected/smart thing is used / was designed
  • optional for non-critical devices: smart hairbrushes, smart toothbrushes
  • mandatory for access control devices and healthcare devices


• Observed average security level of connected devices
  • Level is low!
  • Lots of attacks in the news: teddy bears, thermostats, smartlocks, ...
  • Difficult to secure the whole chain: servers, communication protocols and connected objects


• IoT investigation is currently difficult
  • Many devices simply do not keep logs (not enough memory, time consuming)
  • No information on where to find valuable information: reverse-engineering is mandatory!
  • We still have to exploit vulnerabilities to retrieve critical information
• TV5 Monde hack: the French ANSSI investigated the attack
  • They had a hard time figuring out how to forensically collect and analyze data from multiple embedded systems
  • They had to ask the vendor about the procedure they should use to extract the filesystem
  • No standard procedure, the vendor did not take into account the fact that its device may be hacked ...

Summary

• Lack of logging and documentation
  • Unlike computers, embedded systems do not have a standard way to log and keep track
  • Every vendor does it its own way, we have to figure out every one of them
• Security vs. forensic investigations
  • Vendors harden their systems to avoid IP theft or hacking
  • Since they do not provide a way to securely extract valuable information, we too need to hack into these systems!
• Still some efforts to do!
  • Why not use SD cards to log information (if any)?
  • Vendors may document their logging mechanisms or provide tools and features to extract information
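One way a vendor could make "who did what and when" recoverable by an investigator, along the lines of the SD-card logging suggested above, is an append-only event log in which every entry is chained to the previous one by a keyed digest. The Python below is an added example for this page, not something the talk or any vendor ships; the per-device key, the actors, the timestamps and the event names are all constructed, and the key is assumed to be stored somewhere an attacker who rewrites the flash cannot read.

```python
"""Hash-chained, append-only event log a device could keep (e.g. on an SD
card) so that 'who did what and when' survives for investigators
(added example, not a vendor's implementation)."""
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # previous-digest value used by the first entry


def entry_digest(prev: str, ts: int, actor: str, action: str, key: bytes) -> str:
    """HMAC-SHA256 over the previous digest and the entry fields. The key is
    per device (assumed to live in a secure element or OTP area); without
    it, a rewritten flash cannot carry a valid chain."""
    msg = f"{prev}|{ts}|{actor}|{action}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class EventLog:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.entries: List[Dict] = []

    def append(self, ts: int, actor: str, action: str) -> Dict:
        """ts is a monotonic counter or RTC seconds; actor is the user or
        app identity; action is the operation (unlock, pin_changed, ...)."""
        prev = self.entries[-1]["digest"] if self.entries else GENESIS
        entry = {"ts": ts, "actor": actor, "action": action, "prev": prev,
                 "digest": entry_digest(prev, ts, actor, action, self.key)}
        self.entries.append(entry)
        return entry

    def serialize(self) -> str:
        """One JSON object per line: cheap to append on flash or an SD card
        and readable with standard tools during an investigation."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def verify(serialized: str, key: bytes) -> Optional[int]:
    """Index of the first entry that breaks the chain, or None if intact.
    Catches modification, reordering and insertion; truncation of the tail
    additionally needs the latest digest anchored outside the device."""
    prev = GENESIS
    for i, line in enumerate(serialized.splitlines()):
        e = json.loads(line)
        expected = entry_digest(prev, e["ts"], e["actor"], e["action"], key)
        if e["prev"] != prev or not hmac.compare_digest(expected, e["digest"]):
            return i
        prev = e["digest"]
    return None


def tamper(serialized: str, index: int, field: str, value) -> str:
    """Rewrite one field of one entry; used only to show what verify() catches."""
    lines = serialized.splitlines()
    e = json.loads(lines[index])
    e[field] = value
    lines[index] = json.dumps(e, sort_keys=True)
    return "\n".join(lines)


DEVICE_KEY = b"constructed-per-device-key"   # placeholder, not a real key


def demo_log() -> str:
    """Three constructed events as a smartlock might record them."""
    log = EventLog(DEVICE_KEY)
    log.append(1000, "user:alice", "unlock")
    log.append(1010, "user:bob", "lock")
    log.append(1020, "app:admin", "pin_changed")
    return log.serialize()


if __name__ == "__main__":
    good = demo_log()
    print("intact:", verify(good, DEVICE_KEY))
    print("actor rewritten:",
          verify(tamper(good, 1, "actor", "user:mallory"), DEVICE_KEY))
```

The chain costs one 32-byte digest per event, which fits the memory budget the slides mention as a reason devices keep no logs at all; what it does not cover is a deleted tail, so a device that cares about non-repudiation also has to publish its latest digest (to the companion app or a server) every so often.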

Questions?


Contact

Website: www.digitalsecurity.fr

Email : [email protected]

Twitter Digital Security : @iotcert

Twitter Personal account : @virtualabs