FROM PRINTED CIRCUIT BOARDS TO EXPLOITS…
(PWNING IOT DEVICES LIKE A BOSS)
Hack in Paris '18
@virtualabs
ABOUT ME
- Head of Research @ Econocom Digital Security
- Hardware hacker (or at least pretending to be one)
- Speaker @ various conferences
- Special interest in Bluetooth Low Energy for 2 years
WHAT THIS TALK IS NOT
- A detailed reference guide on how to p0wn IoT devices
- A list of tools you may use to test devices
IT IS ALL ABOUT HOW TO THINK AND ANALYZE AND EXPLOIT
LET'S DO IT THE HACKER WAY!
METHODOLOGY

EXISTING METHODOLOGIES
- Rapid7's methodology (7 basic steps)
- OWASP IoT Project (not really mature yet)
PCB REVERSE-ENGINEERING
COMPONENTS IDENTIFICATION
MEMORY EXTRACTION
SOFTWARE REVERSE-ENGINEERING
SNIFFING WIRED COMMS.
SNIFFING WIRELESS COMMS.
FIND VULNS & ATTACK!
OUR VICTIM: SMARTLOCK

STEP #1: TEARDOWN
USE THE RIGHT TOOLS
KEEP CALM!
STEP #2: GLOBAL ANALYSIS
ELECTRONICS ENGINEERS ARE HUMANS TOO
- Components are positioned according to their global role
- Connectors and components producing heat are placed near the edges
COMPONENTS IDENTIFICATION
- nRF52832: 2.4 GHz Bluetooth Low Energy capable System-on-Chip
- DRV8848: Dual H-Bridge Motor driver
FUNCTIONS VS. COMPONENTS
STEP #3: RECOVER SCHEMATICS
PICTURES + SOFTWARE FTW
- Using high-res pictures (or a multimeter), follow tracks and vias
- Determine the protocols used for inter-IC communication
- Draw a simplified schematic
FOLLOW TRACKS AND VIAS
DETERMINE PROTOCOLS USED
SIMPLIFIED SCHEMATICS
- Use Inkscape, Adobe Illustrator, MS Visio, or whatever
- Draw only the interesting stuff; we do not want to counterfeit
STEP #4: GET FIRMWARE
USE DEBUGGING INTERFACES!
- Offers a proper way to access Flash memory
- Found in > 50% of devices we have tested
- Requires the right adapter to connect to
DUMPING FIRMWARE WITH OPENOCD
$ openocd -f interface/stlink-v2.cfg -f target/nrf5x.cfg -c init -c halt -c "dump_image /tmp/firmware.bin 0x0 0x80000"
WHEN DEBUGGING IS NOT ENABLED, ABUSE OTA!
OVER-THE-AIR UPDATES
OR DUMP EVERY AVAILABLE STORAGE DEVICE 😎
FIRMWARE DUMPED!
SPARE AREA IS EVIL
REMOVE OOB DATA!
(AND USE ECC TO FIX ERRORS)
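What "remove OOB data and use ECC" looks like in practice, as an added example that is not part of the talk: a raw NAND dump interleaves every data page with a spare (OOB) area, so the image is unusable until the spare bytes are dropped, and the ECC stored in that spare area is what repairs the bit flips a raw read picks up. The page geometry (2048-byte pages, 64-byte spare), the placement of the ECC bytes inside the spare area and the 22-bit Hamming code itself are assumptions chosen for the example; real controllers use vendor-specific layouts, so check the datasheet before trusting a stripped image.

```python
"""Strip the spare (OOB) area from a raw NAND dump and correct single-bit
errors with a 22-bit Hamming ECC over 256-byte chunks.

Added example, not code from the talk. Page geometry and ECC layout are
assumptions; real controllers differ (read the datasheet first).
"""
from __future__ import annotations

PAGE_SIZE = 2048                       # assumed: user data bytes per NAND page
SPARE_SIZE = 64                        # assumed: OOB/spare bytes per page
CHUNK = 256                            # one ECC word protects 256 data bytes
CHUNKS_PER_PAGE = PAGE_SIZE // CHUNK   # 8 ECC words per page
ECC_BYTES = 3                          # 22 bits stored little-endian in 3 bytes


def hamming_ecc(chunk: bytes) -> int:
    """22-bit ECC word: 8 pairs of row parities (one pair per bit of the byte
    index) then 3 pairs of column parities (one pair per bit of the bit
    position). Bit 2k = parity over positions whose k-th index bit is 1,
    bit 2k+1 = parity over positions whose k-th index bit is 0."""
    assert len(chunk) == CHUNK
    ecc = 0
    for k in range(8):                           # row parities
        p1 = p0 = 0
        for i, b in enumerate(chunk):
            parity = bin(b).count("1") & 1
            if (i >> k) & 1:
                p1 ^= parity
            else:
                p0 ^= parity
        ecc |= (p1 << (2 * k)) | (p0 << (2 * k + 1))
    for c in range(3):                           # column parities
        p1 = p0 = 0
        for b in chunk:
            for j in range(8):
                bit = (b >> j) & 1
                if (j >> c) & 1:
                    p1 ^= bit
                else:
                    p0 ^= bit
        ecc |= (p1 << (16 + 2 * c)) | (p0 << (17 + 2 * c))
    return ecc


def correct_chunk(chunk: bytes, stored_ecc: int) -> tuple[bytes, str]:
    """Correct at most one flipped bit. Status is 'ok', 'corrected',
    'ecc_error' (the flip hit the ECC bytes) or 'uncorrectable'."""
    syndrome = hamming_ecc(chunk) ^ stored_ecc
    if syndrome == 0:
        return chunk, "ok"
    # A single data-bit flip toggles exactly one bit of every parity pair,
    # and the toggled halves spell out the byte index and bit position.
    if all(((syndrome >> (2 * k)) & 3) in (1, 2) for k in range(11)):
        byte_idx = sum(((syndrome >> (2 * k)) & 1) << k for k in range(8))
        bit_idx = sum(((syndrome >> (16 + 2 * c)) & 1) << c for c in range(3))
        fixed = bytearray(chunk)
        fixed[byte_idx] ^= 1 << bit_idx
        return bytes(fixed), "corrected"
    if bin(syndrome).count("1") == 1:
        return chunk, "ecc_error"
    return chunk, "uncorrectable"


def ecc_to_spare(ecc: int) -> bytes:
    return ecc.to_bytes(ECC_BYTES, "little")


def ecc_from_spare(spare: bytes, n: int) -> int:
    return int.from_bytes(spare[n * ECC_BYTES:(n + 1) * ECC_BYTES], "little")


def strip_oob(dump: bytes) -> tuple[bytes, list]:
    """Drop every page's spare area and repair the data with the ECC found
    there. Returns (clean_image, [(page, chunk, status), ...])."""
    raw_page = PAGE_SIZE + SPARE_SIZE
    assert len(dump) % raw_page == 0, "dump is not a whole number of raw pages"
    out, report = bytearray(), []
    for p in range(len(dump) // raw_page):
        page = dump[p * raw_page:(p + 1) * raw_page]
        data, spare = page[:PAGE_SIZE], page[PAGE_SIZE:]
        for n in range(CHUNKS_PER_PAGE):
            fixed, status = correct_chunk(data[n * CHUNK:(n + 1) * CHUNK],
                                          ecc_from_spare(spare, n))
            out += fixed
            report.append((p, n, status))
    return bytes(out), report


def build_raw_page(data: bytes) -> bytes:
    """Constructed sample: a data page plus its spare area (8 x 3 ECC bytes,
    then 0xFF padding), i.e. what one page of a raw dump looks like."""
    assert len(data) == PAGE_SIZE
    spare = b"".join(ecc_to_spare(hamming_ecc(data[n * CHUNK:(n + 1) * CHUNK]))
                     for n in range(CHUNKS_PER_PAGE))
    return data + spare + b"\xff" * (SPARE_SIZE - len(spare))


def demo() -> tuple[bool, list]:
    """Two constructed pages, one injected read-disturb bit flip, then strip
    and correct. Returns (clean == original, per-chunk report)."""
    original = bytes((i * 7 + (i >> 8)) & 0xFF for i in range(2 * PAGE_SIZE))
    raw = bytearray(build_raw_page(original[:PAGE_SIZE]) +
                    build_raw_page(original[PAGE_SIZE:]))
    raw[(PAGE_SIZE + SPARE_SIZE) + 3 * CHUNK + 100] ^= 1 << 5   # page 1, chunk 3
    clean, report = strip_oob(bytes(raw))
    return clean == original, report
```

The report is worth keeping next to the stripped image: a handful of `corrected` chunks is normal for a raw NAND read, while `uncorrectable` chunks mean that region of the firmware cannot be trusted and the dump should be re-read before any disassembly is based on it.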
STEP #5: DETERMINE TARGET ARCHITECTURE
ANSWER THE BASIC QUESTIONS
- What architecture is this?
- Does it run an OS?
- Does it use a FS?

WHAT ARCHITECTURE IS IT?
ARM CORTEX-M0 (ARMV7-M)
DOES IT RUN AN OS?
NOPE.
DOES IT USE A FS?
NOPE.
NRF51 SOFTDEVICE
SOFTDEVICE VERSION? EASY-PEASY!
$ strings firmware-original.bin | grep sdk
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/l
/home/benoit/workspace/nrf51/firmware/sdk/sdk13.0/components/s
QUICK REMINDER
- It runs an OS or uses a known FS: you'd better drop the binaries in IDA Pro
- It uses no FS and looks like a crappy blob of data: you'd better figure out the architecture and memory layout
STEP #6: DISASSEMBLE!
SPECIFY TARGET ARCHITECTURE AND LAYOUT
- Configure the CPU accordingly
- Configure the memory layout if required
- Perform a quick sanity check (string xrefs, ...)
AUTOMATED SDK FUNCTIONS DETECTION AND RENAMING
- We developed our own tool to ease SoftDevice-based firmware reverse-engineering
- It helps detect the SoftDevice version and automatically renames SDK exported functions
NRF5X-TOOLS AVAILABLE ON GITHUB
https://github.com/DigitalSecurity/nrf5x-tools
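The "answer the basic questions" and "quick sanity check" steps above can be scripted before anything is loaded into a disassembler. The following is an added example, not the talk's nrf5x-tools: it scans a raw dump for Cortex-M vector tables (initial stack pointer in SRAM, reset handler with the Thumb bit set inside flash), which confirms both the architecture guess and the load address, then pulls SDK version hints out of embedded build paths the way `strings | grep sdk` does, and counts Thumb `svc #imm8` halfwords, since SoftDevice API calls go through SVC. The flash/SRAM ranges, the 4 KiB page step and the constructed sample image (including its SVC immediates) are assumptions for the example.

```python
"""Triage a raw Cortex-M firmware dump: find vector tables, SDK version
strings and SVC immediates. Added example (not nrf5x-tools); memory ranges
and page step are assumptions roughly matching nRF5x parts."""
from __future__ import annotations
import re
import struct

FLASH_BASE, FLASH_SIZE = 0x0000_0000, 0x0008_0000   # assumed: 512 KiB flash at 0
RAM_BASE, RAM_SIZE = 0x2000_0000, 0x0001_0000       # assumed: 64 KiB SRAM
PAGE = 0x1000                                       # assumed: flash page size


def in_flash(addr: int) -> bool:
    return FLASH_BASE <= addr < FLASH_BASE + FLASH_SIZE


def looks_like_vector_table(blob: bytes, off: int, n_vectors: int = 16) -> bool:
    """Cortex-M layout: word 0 = initial MSP (inside RAM, word aligned),
    following words = handler addresses, odd (Thumb bit) and inside flash,
    or 0 for unused entries."""
    if off + 4 * n_vectors > len(blob):
        return False
    words = struct.unpack_from("<%dI" % n_vectors, blob, off)
    sp, reset = words[0], words[1]
    if not (RAM_BASE < sp <= RAM_BASE + RAM_SIZE) or sp & 3:
        return False
    if not (reset & 1) or not in_flash(reset):
        return False
    return all(h == 0 or ((h & 1) and in_flash(h)) for h in words[2:])


def find_vector_tables(blob: bytes) -> list:
    """Page-aligned scan: an MBR + SoftDevice + application image shows
    several tables, not just one at offset 0."""
    return [off for off in range(0, len(blob), PAGE)
            if looks_like_vector_table(blob, off)]


SDK_RE = re.compile(rb"sdk(\d+(?:\.\d+)+)", re.IGNORECASE)


def sdk_version_hints(blob: bytes) -> set:
    """Build paths left in the image, e.g. '.../sdk13.0/...' -> {'13.0'}."""
    return {m.group(1).decode() for m in SDK_RE.finditer(blob)}


def svc_histogram(blob: bytes) -> dict:
    """Count Thumb `svc #imm8` halfwords (encoded 0xDFxx, little-endian in
    memory). Data bytes produce false positives: treat this as a hint."""
    hist: dict = {}
    for off in range(0, len(blob) - 1, 2):
        if blob[off + 1] == 0xDF:
            hist[blob[off]] = hist.get(blob[off], 0) + 1
    return hist


def build_sample() -> bytes:
    """Constructed image: one table at 0 (MBR-like), one at 0x1000
    (application), a code stub with two constructed SVC immediates,
    and an SDK build path string."""
    img = bytearray(b"\xff" * (2 * PAGE + 0x200))

    def table(off: int) -> None:
        words = [RAM_BASE + 0x4000] + [(off + 0x100 + 2 * i) | 1 for i in range(15)]
        struct.pack_into("<16I", img, off, *words)

    table(0)
    table(PAGE)
    # svc #0x10 ; bx lr ; svc #0x7d ; bx lr   (constructed, not real SD numbers)
    code = bytes([0x10, 0xDF, 0x70, 0x47, 0x7D, 0xDF, 0x70, 0x47])
    img[PAGE + 0x100:PAGE + 0x100 + len(code)] = code
    path = b"/home/dev/nrf51/sdk/sdk13.0/components/libraries/util/app_error.c\0"
    img[PAGE + 0x180:PAGE + 0x180 + len(path)] = path
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample()
    print("vector tables at:", [hex(o) for o in find_vector_tables(sample)])
    print("sdk hints:", sdk_version_hints(sample))
    print("svc immediates:", {hex(k): v for k, v in svc_histogram(sample).items()})
```

Two tables at page-aligned offsets with sane stack pointers is exactly the pattern a SoftDevice-based image shows, and it tells you the disassembler's load base must be 0 with a second entry point at the application table, which is the "memory layout" the slides say to configure before trusting any string cross-references.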
MOBILE APPS TOO

STEP #7: SNIFF ALL THE THINGS
SNIFF/INTERCEPT COMMUNICATIONS
- May require various hardware: SPI, I2C, WiFi, BLE, nRF24, Sigfox, LoRa, ...
- PCAP compatible tools are great
- Beware the cost (a lot of $$$)!
BLUETOOTH LOW ENERGY MITM
https://github.com/DigitalSecurity/btlejuice
HOW OUR SMARTLOCK WORKS (BASED ON A MITM ATTACK)
1. App retrieves a Nonce from the lock
2. App encrypts a token and sends it to the lock
3. Lock decrypts the token and reacts accordingly
BY THE WAY ...
The mobile app authenticates the smartlock only by its exposed service UUID.
STEP #8: FIND BUGS & VULNS
SEARCH BUGS & VULNS
- Default password/key
- Escape shell
- Buffer overflow
- Misconfiguration
- ...
SMARTLOCK SECURITY FEATURES
- Relies on a Nonce generated by the smartlock to avoid replay attacks
- True AES-based encryption used, cannot break it
- Resisted fuzzing, we did not manage to force open the lock
BUT ...
... IS IT «RANDOM»?
I'VE ALREADY SEEN THAT ...
(SOURCE: XKCD)
SECURITY ISSUES
- Spoofing: App does not authenticate the smartlock it connects to
- Random Nonce is not random at all!
SO WHAT?
- An attacker may spoof the smartlock to force the App to send an encrypted token
- He/she may be able to replay a valid token as the nonce is always the same
STEP #9: EXPLOIT!
SPOOF SMARTLOCK
- Use NodeJS with Bleno FTW
- Exploit based on our Mockle library
https://github.com/DigitalSecurity/mockle
SPOOFING SMARTLOCK
$ sudo node capture-token.js
[setup] creating mock for device XXXXXXX (xx:xx:xx:6b:fc:88)
[setup] services registered
[ mock] accepted connection from address: 5e:74:79:1e:5f:a9
> Register callback for service 6e4...ca9e:6e4...ca9e
> Read Random, provide default value 1.
> End of transmission
[i] Token written to `token.json`
REPLAY TOKEN
$ sudo node replay-token.js
BTLE interface up and running, starting scanning ...
[i] Target found, replaying token ... done
BUG IS NOW FIXED

CONCLUSION
TO BE IMPROVED
- We have been using this methodology intensively for the last two years
- There is space for improvements, obviously
- Vendor fixed (some) of the vulnerabilities we demonstrated
PRO TIPS
- Take your time and document all the things
- Read datasheets carefully
- Learn how to master Inkscape, it helps a lot
- Start from the bottom (PCB) and go up!
PRO TIPS (CONT'D)
- As usual, know your tools and how to use them
- Share and learn from others (many cool tricks to discover)
PRACTICE!
- Soldering (tiny wires)
- Desoldering with a hot air gun
- Use the scope
- Use the scope again
- Code on embedded devices
- ...