Hardware Attack Vectors
Yashin Mehaboobe
Security Researcher
#whoami
• Security Researcher, Open Security
• Conference Speaker
• Interested in :
• Embedded system security
• Radio / RTL-SDR research
• Malware Analysis
• My little projects (Arcanum, PyTriage)
• Organizer, Defcon Kerala (Mar 4. Be there!)
• Python aficionado
• Open source contributor.
Why Hardware?
• More interesting
• Less well known = easier to exploit
• More rewarding
• Usually an open entry point into an otherwise secure network
• It’s awesome!
Keys to the kingdom?
What is covered:
• The attack of the HID
• Simulating physical access for fun and profit.
• IR vector
• Let TVs be bygones.
• Radio
• Radio != FM or Radio != WiFi
• Bus attacks:
• Unprotected = Easy to pwn (mostly)
Usual suspects
Wireless LAN
Web Applications
Client Side exploits
Remote exploits
Hardware attacks
HIDe it
• A little bit of physical access is a dangerous thing.
• Usually physical access = pwning
• Software can’t protect hardware
• HID attacks simulate an automated keyboard and mouse
• = Attacker gets to run code as if he is physically there.
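A defender-side check that follows from the bullets above, added here as an example that is not part of the talk: injected keystrokes arrive at a machine-like cadence, so a host-side monitor that receives key-event timestamps can flag long runs of key events with sub-human, near-constant gaps. The timestamps below are constructed, and the thresholds (30 ms maximum gap, 20 keys, 3 ms jitter) are assumptions to tune against real key-event logs.

```python
"""Keystroke-cadence heuristic for spotting automated HID input.

Added example, not from the talk. A human typist produces irregular gaps
that rarely stay below ~30 ms for twenty keys in a row; a scripted HID
payload types at a fixed rate with almost no jitter. Thresholds are
assumptions and should be tuned against real key-event logs.
"""
from dataclasses import dataclass
from statistics import pstdev


@dataclass
class Burst:
    start_ms: int
    end_ms: int
    keys: int
    mean_gap_ms: float
    jitter_ms: float  # population std-dev of the inter-key gaps


def _summarise(run):
    gaps = [b - a for a, b in zip(run, run[1:])]
    return Burst(run[0], run[-1], len(run), sum(gaps) / len(gaps), pstdev(gaps))


def find_bursts(timestamps_ms, max_gap_ms=30, min_keys=20):
    """Return runs of at least min_keys key-down events in which every
    consecutive gap is <= max_gap_ms. timestamps_ms must be sorted."""
    bursts = []
    run = timestamps_ms[:1]
    for prev, cur in zip(timestamps_ms, timestamps_ms[1:]):
        if cur - prev <= max_gap_ms:
            run.append(cur)
        else:
            if len(run) >= min_keys:
                bursts.append(_summarise(run))
            run = [cur]
    if len(run) >= min_keys:
        bursts.append(_summarise(run))
    return bursts


def is_machine_typed(burst, max_jitter_ms=3.0):
    """A scripted payload keeps an almost constant cadence; humans do not."""
    return burst.jitter_ms <= max_jitter_ms


def suspicious_bursts(timestamps_ms, **kw):
    """Bursts that are both fast and metronomic."""
    return [b for b in find_bursts(timestamps_ms, **kw) if is_machine_typed(b)]


# Constructed sample (ms): twelve human keystrokes with irregular gaps,
# a pause, then a 40-key injected payload typed every 10 ms.
HUMAN_GAPS = [180, 95, 240, 130, 210, 88, 160, 310, 120, 140, 175]
HUMAN = [0]
for g in HUMAN_GAPS:
    HUMAN.append(HUMAN[-1] + g)
INJECTED = [HUMAN[-1] + 800 + 10 * i for i in range(40)]
SAMPLE = HUMAN + INJECTED

# Constructed sample of a fast but human typist: 25 keys, gaps alternating
# 15 ms and 25 ms. Fast enough to form a burst, too irregular to be scripted.
FAST_HUMAN = [0]
for k in range(24):
    FAST_HUMAN.append(FAST_HUMAN[-1] + (15 if k % 2 == 0 else 25))

if __name__ == "__main__":
    for b in suspicious_bursts(SAMPLE):
        print(f"suspicious run: {b.keys} keys from t={b.start_ms}ms, "
              f"mean gap {b.mean_gap_ms:.1f}ms, jitter {b.jitter_ms:.2f}ms")
```

The two-stage test matters: the gap threshold alone also catches fast human typing, so the jitter test is what separates a script from a person. On a real host the timestamps would come from the OS input layer (for example an evdev or ETW key-event feed), and a match is a trigger to inspect which USB device the events came from, not proof on its own.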
The Rise of the Rubber Ducky
• USB Rubber Ducky by the Hak5 team.
• Comes with an automated script creator.
• Looks like a normal USB drive.
• Runs the payload burned into the memory when connected.
Teensy
• Arduino clone by PJRC
• Can emulate an HID device
• Existing tools like kautilya and SET to generate payloads.
• Again, multiplatform mayhem
DEMO
IR
• TV, pedestrian lights, old smartphones
• Uses one of four:
• Philips
• Sony
• NEC
• RAW
• IR library already available for Arduino
Tools of the Trade:
• Arduino or a similar microcontroller
• TSOP382 IR receiver
• IR LED
• Little bit of mischief
IR Attack 1: Replay
• Receive the code using TSOP382
• Check the code type
• Transmit accordingly whenever the button is pressed
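The "check the code type" step above, worked through for one of the four protocols listed on the IR slide. This is an added example, not code from the talk or from the Arduino IR library; the function names encode_nec and decode_nec are assumptions, the timing constants are the NEC protocol's nominal values, and the capture format assumed (a flat list of alternating mark/space durations in microseconds, starting with the header mark) is how the output of a TSOP-style receiver is usually recorded. The point a practitioner should take from it is the protocol's built-in integrity check: the complemented command byte lets a decoder reject frames whose bits were misread.

```python
"""NEC infrared frame codec: the "check the code type" step of the slide.

Added example, not from the talk or the Arduino IRremote library. Timings
are the NEC protocol constants (9 ms header mark, 4.5 ms header space,
562.5 us bit mark, 562.5/1687.5 us spaces for 0/1, 32 data bits LSB first
as address, ~address, command, ~command). The raw-capture format assumed
here is a flat list of alternating mark/space durations in microseconds
starting with the header mark.
"""
NEC_HDR_MARK, NEC_HDR_SPACE, NEC_RPT_SPACE = 9000, 4500, 2250
NEC_BIT_MARK, NEC_ZERO_SPACE, NEC_ONE_SPACE = 562, 562, 1687
NEC_BITS = 32


def _near(actual, expected, tol=0.25):
    """Receiver timing is noisy; accept +/-25 % of the nominal duration."""
    return abs(actual - expected) <= expected * tol


def encode_nec(address, command, extended=False):
    """Build the mark/space sequence for one NEC frame (used here to construct
    test captures). Extended NEC carries a 16-bit address with no complement
    byte; standard NEC sends an 8-bit address followed by its inverse."""
    command &= 0xFF
    if extended:
        value = (address & 0xFFFF) | (command << 16) | ((command ^ 0xFF) << 24)
    else:
        address &= 0xFF
        value = address | ((address ^ 0xFF) << 8) | (command << 16) | ((command ^ 0xFF) << 24)
    durations = [NEC_HDR_MARK, NEC_HDR_SPACE]
    for bit in range(NEC_BITS):
        durations += [NEC_BIT_MARK, NEC_ONE_SPACE if (value >> bit) & 1 else NEC_ZERO_SPACE]
    durations.append(NEC_BIT_MARK)  # trailing mark closes the last bit
    return durations


def decode_nec(durations):
    """Return a dict describing the frame, or None if it is not valid NEC.
    The complemented command byte acts as an integrity check: a frame whose
    command and ~command do not XOR to 0xFF is rejected."""
    # Repeat frame (key held down): header mark, 2.25 ms space, one bit mark.
    if len(durations) >= 3 and _near(durations[0], NEC_HDR_MARK) \
            and _near(durations[1], NEC_RPT_SPACE) and _near(durations[2], NEC_BIT_MARK):
        return {"protocol": "NEC", "repeat": True}
    if len(durations) < 2 + 2 * NEC_BITS + 1:
        return None
    if not (_near(durations[0], NEC_HDR_MARK) and _near(durations[1], NEC_HDR_SPACE)):
        return None
    value, idx = 0, 2
    for bit in range(NEC_BITS):
        mark, space = durations[idx], durations[idx + 1]
        if not _near(mark, NEC_BIT_MARK):
            return None
        if _near(space, NEC_ONE_SPACE):
            value |= 1 << bit          # bits are sent LSB first
        elif not _near(space, NEC_ZERO_SPACE):
            return None
        idx += 2
    if not _near(durations[idx], NEC_BIT_MARK):
        return None
    addr, addr_inv = value & 0xFF, (value >> 8) & 0xFF
    cmd, cmd_inv = (value >> 16) & 0xFF, (value >> 24) & 0xFF
    if cmd ^ cmd_inv != 0xFF:
        return None                    # integrity check failed
    if addr ^ addr_inv == 0xFF:
        return {"protocol": "NEC", "address": addr, "command": cmd, "repeat": False}
    return {"protocol": "NEC-extended", "address": value & 0xFFFF, "command": cmd, "repeat": False}


if __name__ == "__main__":
    # Constructed capture: address 0x04, command 0x08, then a repeat frame.
    print(decode_nec(encode_nec(0x04, 0x08)))
    print(decode_nec([NEC_HDR_MARK, NEC_RPT_SPACE, NEC_BIT_MARK]))
```

One caveat the decoder cannot resolve on its own: an extended 16-bit address whose two bytes happen to be complements of each other is indistinguishable from a standard 8-bit address, so a classifier that has to tell the two apart needs knowledge of the device, not just the frame.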
TV-B-Gone
• Most TVs have a predefined power-off sequence
• Widely available
• Create a script that goes through the popular off codes one by one
• No more pesky TVs
DEMO
Tangoing with Radio
• SDR = Software Defined Radio
• Usually pretty expensive.
• Until the rise of RTL-SDR
• Scope = AIS, GSM, ADS-B, GPS, you name it.
RTL-SDR or cheap radio sniffer
• Mainly two types:
• E4000: 52-2200 MHz
• R820T: 24-1766 MHz
• Software used:
• GQRX
• rtl_sdr
• SDRSharp
• Log most data broadcast within the frequency ranges
Sniffing Radio Traffic
• AIS (ship transmissions) are easily picked up
• So are aircraft broadcasts
• You can sniff most protocols off the air
• Decode using baudline
• Possible attacks against : Home automation systems and car keyfobs
• Keyfobs are supposed to use rolling key codes
• “Supposed to”
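What "supposed to use rolling key codes" buys a receiver, shown as an added example that is not from the talk and is not any vendor's keyfob scheme: a fixed-code receiver accepts a recorded transmission every time, while a rolling-code receiver consumes each counter value once and only accepts counters inside a bounded window. The code construction here (a truncated HMAC-SHA256 over a press counter under a key shared by fob and receiver), the class names and the shared key are all assumptions; real products use other ciphers and framings, but the acceptance rule is what the slide's "supposed to" is about.

```python
"""Fixed code vs rolling code: why a replayed keyfob capture should fail.

Added example, not from the talk and not any vendor's scheme. The rolling
code here is a truncated HMAC-SHA256 over a monotonically increasing press
counter under a key shared by fob and receiver; real products use other
ciphers and framings, but the property being demonstrated is the same:
each transmission is accepted at most once, within a bounded window.
"""
import hashlib
import hmac


def rolling_code(key: bytes, counter: int) -> bytes:
    """Constructed scheme: 32-bit truncation of HMAC-SHA256(key, counter)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]


class FixedCodeReceiver:
    """Accepts the same static code forever, so a recorded transmission replays."""

    def __init__(self, code: bytes):
        self.code = code

    def accept(self, code: bytes) -> bool:
        return hmac.compare_digest(code, self.code)


class RollingCodeFob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self):
        """Each press increments the counter and emits (counter, code)."""
        self.counter += 1
        return self.counter, rolling_code(self.key, self.counter)


class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key, self.window, self.last = key, window, 0

    def accept(self, counter: int, code: bytes) -> bool:
        # The counter must move forward, but only by a bounded amount, so that
        # presses made out of range do not permanently desynchronise the fob.
        if not (self.last < counter <= self.last + self.window):
            return False
        if not hmac.compare_digest(code, rolling_code(self.key, counter)):
            return False
        self.last = counter  # consume this counter value; a replay now fails
        return True


# Constructed shared secret; in a real fob this is provisioned at pairing.
SHARED_KEY = bytes(range(16))


def replay_demo():
    """Record one press and present it twice to each receiver type."""
    fixed = FixedCodeReceiver(b"\xde\xad\xbe\xef")
    recorded_fixed = b"\xde\xad\xbe\xef"
    fob, rx = RollingCodeFob(SHARED_KEY), RollingCodeReceiver(SHARED_KEY)
    counter, code = fob.press()
    return {
        "fixed_first": fixed.accept(recorded_fixed),
        "fixed_replay": fixed.accept(recorded_fixed),
        "rolling_first": rx.accept(counter, code),
        "rolling_replay": rx.accept(counter, code),
    }


if __name__ == "__main__":
    print(replay_demo())
```

The window is the usability trade-off: too small and a few out-of-range presses leave the fob unable to open anything, too large and the receiver tolerates more skipped counters than it needs to. Assessing a real product means checking that the window is bounded at all, that the counter only moves forward, and that the code is actually bound to the counter rather than being a static value.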
Antennas
● Dependent on the frequency that you want to capture.
● Different types for different purposes:
● Monopole: ACARS, ADS-B, AIS (Airplanes/Ships)
● Rubber Ducky antennas for short range
● Discone for wide coverage (more noise)
(Pictured: Discone, Monopole and Rubber Ducky antennas)
DEMO TIME!
Bus Attacks
The Magic Electronic Buses
● Buses are used by components in an embedded system to communicate with each other
● Not secured
● Most commonly used protocols are SPI, I2C and UART
● No authentication
● I2C utilizes addressing
Attacking bus protocols
● Sniffing:
● Logic analyzers pick up most of the protocols
● Bus Pirate is your friend
● Replay:
● Sniffed sequences can be played back at later times
● Bus Pirate is your best friend
● Debug ports:
● UART/JTAG ports are left open for debugging purposes
● Can be used to dump firmware and mess with the memory
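What "logic analyzers pick up most of the protocols" looks like in software, for the simplest of the three buses named above. This is an added example, not code from the talk, the Bus Pirate or any analyzer vendor: decode_uart takes what an analyzer exports (one 0/1 sample of the TX line per tick of the sample clock, idle high) and recovers 8N1 bytes by locating each start edge and reading every bit at its centre. The capture it runs on is constructed by encode_uart rather than recorded from hardware, and the function names, sample rate and baud rate are assumptions. It also shows the two checks a practitioner needs when the baud rate is a guess: framing errors on the stop bit, and a decoded stream that is not printable text.

```python
"""Decoding a logic-analyzer capture of a UART line (8N1) in software.

Added example, not from the talk and not Bus Pirate or analyzer-vendor
code. Input is one 0/1 sample per tick of the sample clock on the TX line,
idle high. A frame is a low start bit, eight data bits LSB first, then a
high stop bit. The capture used below is constructed by encode_uart; in
practice it comes from the analyzer's export.
"""


def encode_uart(data: bytes, samples_per_bit: int, idle_bits: int = 2):
    """Constructed capture generator: idle-high line, then 8N1 frames with
    one idle bit between bytes."""
    levels = [1] * (samples_per_bit * idle_bits)
    for byte in data:
        frame = [0] + [(byte >> b) & 1 for b in range(8)] + [1]
        for level in frame:
            levels += [level] * samples_per_bit
        levels += [1] * samples_per_bit
    return levels


def decode_uart(samples, sample_rate_hz: float, baud: float, data_bits: int = 8):
    """Return [(byte, framing_error), ...]. Each frame is located by its
    falling start edge and every bit is read at its centre, which tolerates
    a non-integer samples-per-bit ratio and a small baud mismatch."""
    spb = sample_rate_hz / baud
    frames, i, n = [], 0, len(samples)
    while i < n:
        if samples[i] == 1:          # idle, keep scanning for a start edge
            i += 1
            continue
        start = i
        mid = round(start + spb / 2)
        if mid >= n:
            break
        if samples[mid] != 0:        # short glitch, not a real start bit
            i = mid
            continue
        end = round(start + spb * (data_bits + 1.5))   # centre of stop bit
        if end >= n:
            break                    # truncated frame at end of capture
        value = 0
        for bit in range(data_bits):
            value |= samples[round(start + spb * (bit + 1.5))] << bit
        frames.append((value, samples[end] != 1))       # stop bit must be high
        i = round(start + spb * (data_bits + 2))       # skip past the stop bit
    return frames


def uart_text(samples, sample_rate_hz, baud) -> bytes:
    """Bytes from frames with a valid stop bit (framing errors dropped)."""
    return bytes(b for b, err in decode_uart(samples, sample_rate_hz, baud) if not err)


if __name__ == "__main__":
    # Constructed capture of the bytes "OK\r\n" at 115200 baud, sampled at
    # 1.152 MHz so that each bit spans exactly ten samples.
    capture = encode_uart(b"OK\r\n", samples_per_bit=10)
    print(decode_uart(capture, sample_rate_hz=1_152_000, baud=115_200))
    print(uart_text(capture, 1_152_000, 115_200))
```

The same centre-sampling approach extends to the other two buses, with SPI adding a clock line to sample on and I2C adding start/stop conditions and the address byte the slide mentions; the defensive reading of all of this is that anything a console prints on an exposed UART is readable by whoever can reach the pins, which is the argument for disabling or password-protecting debug consoles in production firmware.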
Here there be Pirates
● Hardware hacker's multitool
● Read/write I2C, SPI, UART
● Mid-level JTAG support
● AVR programmer too!
● Can be accessed via USB.
DEMO
Thank you!
Questions?
Contact Details
Twitter: twitter.com/yashin.mehaboobe
Email: yashinm92<at>gmail.com
Carrier pigeon works too.