Pentesting Embedded
Introduction
Thesis
• Everything is insecure
• We should hack insecure things
• We should hack everything
Summary
• Show why embedded security doesn’t exist
• Attack vectors (real world and theoretical)
• Mitigations
• Tools used for identification of issues in a product
Embedded Security
• The security features built into a device or circuit
– e.g. jukebox remote controls, router circuit boards, TVs, mobile phones
• AKA Hardware Hacking
Risk
• Threat: how likely the attack occurs based on its frequency in the “real” world
• Exploitability: how likely it is that the attack will work
• Cost: how much it’s going to hurt when it gets popped
• The amount of security invested into an embedded device is directly influenced by risk
• The lack of these attacks being exploited in the wild, and the skills required to exploit them, keep the risk level appearing low
Risk = Threat x Exploitability x Cost
Attacker’s Perspective
• Theft-of-service – getting something for free
• IP Theft – cloning an idea and remaking it (China)
• Information disclosure – find the secrets hidden on a device
• Spoofing – horizontal privilege escalation
• DoS – causing unserviceable issues means loss of revenue
Attack Surface
• Cases and enclosures – to prevent attackers from accessing internals
• Circuit board
• Firmware
External Interface Attacks
• JTAG, USB, interfaces, Bluetooth, Wi-Fi, RF*
• Accessing debug/diag operation modes
• Cut traces able to be repaired
• Fuzzing the interface to deobfuscate the protocol
• Sensitive information disclosure (encryption, server side info)
• EMI emissions leak info
Mitigations
• Diag/debug modes should be disabled at the circuit level
• JTAG should ideally be removed from production, or else disabled
• Protect against malformed communication
• EMI shielding
• Tamper protections
Mitigations: Tamper Protections
• Tamper Resistant: difficult to access components
– One-way screws, steel case, epoxy on ICs
• Tamper Evident: if access happens, it is easily identifiable
– Sealed cases, glues, tapes
• Tamper Detection: the hardware knows when it’s been tainted
– Pressure switches, temperature sensors, puncture detection
• Tamper Response: the hardware reacts when tainted (like detection but with a counter-measure)
– Flash memory, self-destruct with explosive charge
Circuit Board Attacks
• Reverse engineer components and gather information
– PCB hooking – access traces and test points
• Probe boards
• Delid chips
• Access memory: EEPROMs, RAM
• Simple and Differential Power Analysis
• EMI attacks
• Clock/Timing attacks – muck with the clock to cause issues
• Epoxy removal – Dremel or chemical based
• Use an X-ray to determine location of components
Mitigations
• Remove IDs from ICs (“black topping”)
• Hide vias and test points when possible
• Epoxy critical areas
• Implement probe detection on unused pins
• Add digital watermarks that uniquely ID your product
• Noise generators to defend against power analysis
Cryptographic Attacks
• No matter what algorithm or key size you use, a static key must be stored somewhere on the device. Find it.
• Algorithm mis-implementations are exploitable
• Custom crypto means custom pwning
• Side-channel attacks (power analysis, etc.)
Firmware Attacks
• Extracting the firmware is the first step to exploitation
• Reversing the firmware usually means death
• Bad programming flaws cause exploitation
Mitigations
• Be a good programmer :)
• Limit attack vectors - remove unnecessary components
• Protect firmware from being easily extracted
Tools For Attack
• Standard hardware hacking components
– DMM, O-Scope, Dremel, hobby knife, soldering iron, wire strippers, microscope, logic analyzer
• Probe adapter:
– emulation.com, advintcorp.com, ironwoodelectronics.com
• RF Analysis
– SDR like USRP,
• USB: SnoopyPro, Facedancer, Bus Pirate
• JTAG – GoodFET,
Insane Tools
• Scanning electron microscope
• Voltage contrast microscopy
• Focused Ion Beam (FIB)
Attack In Practice
• Passive Recon – learn about the device, manuals, data sheets
• Active Recon – perform the initial inspection.
– Can you see ICs? Components? Tamper protections?
• Risk Assessment – determine threats, risky areas, loot to focus your time on.
– Make sure your end goal is either an exploit or more information (skip time wasters)
• Collect necessary tools for attack
• Probe and interface: Connect to serial interfaces, hook vias or test points, use a probe board
• Extract and reverse firmware or sensitive information
Defense In Practice
• Make breaking into the device cost more than the value of the result
• Built in vs Bolt On later (same old story)
• Test your own security (at least the basics)
• When in doubt, epoxy (but know that if you do this, you are dead to me)
No questions
I don’t know the answer