Pentesting Embedded Introduction

Upload: antitree

Post on 05-Jun-2015


Page 1: Pentesting embedded

Pentesting Embedded

Introduction

Page 2: Pentesting embedded

Thesis

Everything is insecure

We should hack insecure things

We should hack everything

Page 3: Pentesting embedded

Summary

• Show why embedded security doesn’t exist

• Attack vectors (real world and theoretical)

• Mitigations

• Tools used for identification of issues in a product

Page 4: Pentesting embedded

Embedded Security

• The security features built into a device or circuit

– e.g. jukebox remote controls, router circuit boards, TVs, mobile phones

• AKA Hardware Hacking

Page 5: Pentesting embedded

Risk

• Threat: how likely the attack occurs based on its frequency in the “real” world

• Exploitability: how likely is it that it will work

• Cost: how much it’s going to hurt when it gets popped

• The amount of security invested into an embedded device is directly influenced by risk

• The lack of these attacks being exploited in the wild, and the skills required to exploit them, keep the risk level appearing low

Risk = Threat x Exploitability x Cost

Page 6: Pentesting embedded

Attacker’s Perspective

• Theft-of-service – getting something for free

• IP theft – cloning an idea and remaking it (China)

• Information disclosure – find the secrets hidden on a device

• Spoofing – horizontal privilege escalation

• DoS – causing unserviceable issues means loss of revenue

Page 7: Pentesting embedded

Attack Surface

• Cases and enclosures – to prevent attackers from accessing internals

• Circuit board

• Firmware

Page 8: Pentesting embedded

External Interface Attacks

• JTAG, USB, interfaces, Bluetooth, Wi-Fi, RF*

• Accessing debug/diag operation modes

• Cut traces able to be repaired

• Fuzzing the interface to deobfuscate the protocol

• Sensitive information disclosure (encryption, server-side info)

• EMI emissions leak info

Page 9: Pentesting embedded

Mitigations

• Diag/debug modes should be disabled at the circuit level

• JTAG should be removed ideally from production else disabled

• Protect against malformed communication

• EMI shielding

• Tamper protections

Page 10: Pentesting embedded

Mitigations: Tamper Protections

• Tamper Resistant: difficult to access components

– One-way screws, steel case, epoxy on ICs

• Tamper Evident: if access happens, it is easily identifiable

– Sealed cases, glues, tapes

• Tamper Detection: the hardware knows when it’s been tainted

– Pressure switches, temperature sensors, puncture detection

• Tamper Response: the hardware reacts when tainted (like detection but with a counter-measure)

– Flash memory, self destruct with explosive charge

Page 11: Pentesting embedded

Circuit Board Attacks

• Reverse engineer components and gather information

– PCB hooking – access traces and test points

• Probe boards

• Delid chips

• Access memory: EEPROMs, RAM

• Simple and Differential Power Analysis

• EMI attacks

• Clock/timing attacks – muck with the clock to cause issues

• Epoxy removal – Dremel or chemical based

• Use an X-ray to determine location of components

Page 12: Pentesting embedded

Mitigations

• Remove IDs from ICs (“black topping”)

• Hide vias and test points when possible

• Epoxy critical areas

• Implement probe detection on unused pins

• Add digital watermarks that uniquely ID your product

• Noise generators to defend against power analysis

Page 13: Pentesting embedded

Cryptographic Attacks

• No matter what algorithm or key size you use, a static key must be stored somewhere on the device. Find it

• Algorithm mis-implementations are exploitable

• Custom crypto means custom pwning

• Side-channel attacks (power analysis, etc.)

Page 14: Pentesting embedded

Firmware Attacks

• Extracting the firmware is the first step to exploitation

• Reversing the firmware usually means death

• Bad programming flaws cause exploitation

Page 15: Pentesting embedded

Mitigations

• Be a good programmer :)

• Limit attack vectors – remove unnecessary components

• Protect firmware from being easily extracted
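One basic self-check a defender can run over their own firmware image before it ships, tied to the point on the Cryptographic Attacks slide that a static key must be stored somewhere on the device and to the mitigation above about protecting firmware: a sliding-window Shannon entropy scan flags blobs that look like key material sitting in otherwise low-entropy code and data. This is an added example, not from the original slides; the flash image, its layout and the key bytes are constructed stand-ins, and the 4.5 bits/byte threshold is an assumed heuristic.

```python
import math


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def find_high_entropy_regions(image: bytes, window: int = 32, stride: int = 16,
                              threshold: float = 4.5):
    """Slide a window over the image and merge overlapping windows whose entropy
    exceeds the threshold into (start, end, peak_entropy) regions.
    Code and ASCII strings sit well below 4.5 bits/byte in a 32-byte window;
    a random 256-bit key approaches the 5.0-bit ceiling that 32 bytes allow."""
    regions = []
    for off in range(0, len(image) - window + 1, stride):
        h = shannon_entropy(image[off:off + window])
        if h < threshold:
            continue
        if regions and off <= regions[-1][1]:        # overlaps previous hit: extend it
            start, end, peak = regions[-1]
            regions[-1] = (start, off + window, max(peak, h))
        else:
            regions.append((off, off + window, h))
    return regions


def build_sample_image() -> bytes:
    """Constructed 768-byte stand-in for a flash dump (not a real firmware):
    a string table, erased (0xFF) flash, an embedded key, then zero padding."""
    strings = b"BOOT OK\0" * 32             # 0x000-0x0FF: low-entropy text
    erased = b"\xFF" * 256                  # 0x100-0x1FF: unprogrammed flash
    key = bytes(range(0xA0, 0xC0))          # 0x200-0x21F: stand-in for a baked-in 256-bit key
    padding = bytes(0x300 - 0x220)          # 0x220-0x2FF: zero fill
    return strings + erased + key + padding


FIRMWARE_IMAGE = build_sample_image()

if __name__ == "__main__":
    for start, end, peak in find_high_entropy_regions(FIRMWARE_IMAGE):
        print(f"suspect key material at 0x{start:04X}-0x{end:04X} ({peak:.2f} bits/byte)")
```

Compressed or encrypted sections will also score high, so a hit means "inspect this offset", not "this is a key"; the check is useful precisely because a key that shows up here is one an attacker with a dump would find just as easily.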

Page 16: Pentesting embedded

Tools For Attack

• Standard hardware hacking components

– DMM, o-scope, Dremel, hobby knife, soldering iron, wire strippers, microscope, logic analyzer

• Probe adapters

– emulation.com, advintcorp.com, ironwoodelectronics.com

• RF analysis

– SDR like USRP

• USB: SnoopyPro, Facedancer, Bus Pirate

• JTAG – GoodFET

Page 17: Pentesting embedded

Insane Tools

• Scanning electron microscope

• Voltage contrast microscopy

• Focused Ion Beam (FIB)

Page 18: Pentesting embedded

Attack In Practice

• Passive Recon – learn about the device: manuals, data sheets

• Active Recon – perform the initial inspection

– Can you see ICs? Components? Tamper protections?

• Risk Assessment – determine threats, risky areas, loot to focus your time on

– Make sure your end goal is either an exploit or more information (skip time wasters)

• Collect necessary tools for attack

• Probe and interface: connect to serial interfaces, hook vias or test points, use a probe board

• Extract and reverse firmware or sensitive information

Page 19: Pentesting embedded

Defense In Practice

• Make breaking into the device cost more than the value of the result

• Built in vs. bolted on later (same old story)

• Test your own security (at least the basics)

• When in doubt, epoxy (but know that if you do this, you are dead to me)

Page 20: Pentesting embedded

No questions

I don’t know the answer