©2013 Check Point Software Technologies Ltd.
Physical (In)security:
It’s not all about Cyber…
Inbar Raz
Malware & Security Research Manager
Check Point Software Technologies
Background
Who am I?
– I like to reverse things – software, hardware, ideas, rules.
– I like to find problems and have them fixed (by others…)
What do I do?
– Run Malware & Security Research at Check Point
– Create Responsible Disclosures
– Concentrate on “little to no-skills needed”
  – Easier to demonstrate and convince
Example #1: Movie Ticket Kiosk
On-site Kiosk
Touch Screen
Credit Card Reader
Ticket Printer
No peripherals, No interfaces
The Attack
Improper interface settings allow the opening of menu options.
Menus can be used to browse for a new printer.
The Attack
A limited Windows Explorer is not restricted enough.
A right-click can be used…
To open a full, unrestricted Windows Explorer.
The Attack
Browsing through the file system reveals interesting directory names…
And even more interesting file names.
The Attack
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad
We can use the ticket printer to take it home
The Attack
But that’s not all: RSA Keys and Certificates are also found on the drive!
Which we can print, take home and then use a free OCR software to read…
The Attack
The result:
RSA Keys used to bill credit cards.
Example #1: Summary
Device purpose: Print purchased Movie Tickets
Data on device: Credit Card data and Encryption Keys
Method used to hack: 1 finger
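The kiosk finding above comes down to card numbers sitting in plain text files on the device. The check a defender runs on a kiosk (or on an image of its disk) is a card-data-at-rest scan: extract candidate digit runs, keep only those that pass the Luhn check, and report them masked. The script below is an added example written for this page; it is not code from the talk or from Check Point. The sample transaction lines are constructed, and the two card numbers in them are the well-known public test numbers 4111 1111 1111 1111 and 378282246310005, not real data.

```python
import re
import sys
from pathlib import Path
from typing import List, Tuple

# 13 to 19 digits, optionally separated by single spaces or dashes, and not
# embedded inside a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep the first six and last four digits (the usual masked form)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text: str) -> List[str]:
    """Return masked card numbers found in text; the Luhn check removes most noise."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        # Luhn accepts all-same-digit strings such as 0000000000000000; drop them.
        if luhn_ok(digits) and len(set(digits)) > 1:
            hits.append(mask_pan(digits))
    return hits


def scan_tree(root: Path, max_bytes: int = 4_000_000) -> List[Tuple[Path, int]]:
    """Walk a directory (e.g. a mounted kiosk disk image) and count PANs per file."""
    results = []
    for path in root.rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        # latin-1 decodes any byte sequence, so binary files are scanned as well.
        text = path.read_bytes().decode("latin-1")
        hits = find_pans(text)
        if hits:
            results.append((path, len(hits)))
    return results


# Constructed sample in the spirit of the kiosk's transaction files. The card
# numbers are public test numbers, not real data; the third line is noise that
# a naive digit-run scanner would report but the Luhn check rejects.
SAMPLE_RECORDS = """\
2013-02-11 19:42:10 ticket=A17 seat=12 pan=4111 1111 1111 1111 exp=0315 amount=38.00
2013-02-11 19:45:33 ticket=A18 seat=13 pan=378282246310005 exp=1114 amount=38.00
2013-02-11 19:47:01 order=1234567890123456 phone=0541234567 amount=0.00
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, count in scan_tree(Path(sys.argv[1])):
            print(f"{count:4d}  {path}")
    else:
        print(find_pans(SAMPLE_RECORDS))
```

Run it with a directory argument to scan a mounted image; with no argument it scans the constructed sample and reports two masked numbers. Output is masked on purpose: the scan proves that unencrypted card data exists without the report itself becoming another copy of it.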
Example #2: Point-of-Sale Device
Point-Of-Sale devices are all around you.
The Attack
PoS Device located outside business during the day
At the end of the day, it is locked inside the business
The Attack
But one thing is left outside, in the street:
The Attack
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up Wireshark, discover IPs of live machines.
Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254
Confirm by ping (individual and broadcast)
The Attack
Evidence of SMB (plus prior knowledge) leads to the next step:
And the response:
Things to do with an open share
#1: Look around
– Establish possible attack vectors
#2: Create a file list
– Not like stealing data, but very helpful
The mystery of 192.168.0.250
Answers a ping, but no SMB.
First guess: the ADSL Modem.
Try to access the Web-UI:
The mystery of 192.168.0.250
Use the full URL:
Reminder: We actually had this information.
Going for the ADSL router
Naturally, there is access control:
Want to guess?
Example #2: Summary
Device purpose: Cash Register and Local Server
Data on device: Credit Card data, Customer Database
Method used to hack: MacBook Pro, Free Software
Other opportunities
A Medical Clinic in Tel-Aviv
– Complete disregard for attendance systems
Other opportunities
A Hospital in Tel-Aviv
Other opportunities
An ATM at a shopping mall
Example #3: Hospital Smart TV
Features
– Watch TV
– Listen to music
– VOD
– Browse the Internet
Peripherals:
– Touch Screen
– Credit Card Reader
– Earphones
And…
– USB…
The Attack
Start with a USB Keyboard
– Numlock works
– Nothing else does
Power off, Power on, F11
Our options are opening up.
Let’s boot something else
BackTrack (Kali): Never leave home without it
But I’m facing a problem
Even though I’m set to DHCP, I have no IP address.
An examination of the config files reveals the problem:

# The loopback interface, this is the default configuration:
auto lo
iface lo inet loopback

# The first network interface.
# In this case we want to receive an IP-address through DHCP:
auto eth0
iface eth0 inet dhcp

# In this case we have a wired network:
wpa-driver wired

# Tell the system we want to use WPA-Supplicant
# with our configuration file:
wpa-conf /etc/wpa_supplicant.conf
pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
But this is Linux, everything is in text files:

network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}
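That wpa_supplicant.conf is why a stock live distribution got no address: the wired port is protected by 802.1X, and the credentials that pass it are stored in the clear on the same disk that anyone with a USB stick can read. The script below is an added example written for this page, not code from the talk or from Check Point. It parses network={...} blocks from a wpa_supplicant.conf and flags the weaknesses visible in the file above: a cleartext password, EAP-MD5 offered alongside TTLS, PAP as the inner method, a second copy of the password inside phase2, and no ca_cert, so the client never verifies which RADIUS server it is talking to. Both configurations in the block are constructed with placeholder credentials and paths; the masked identity and password from the slide are not reproduced, and the EAP-TLS configuration is the suggested corrected form, not something the talk shows.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the wpa_supplicant.conf in the talk; the
# credentials are placeholders, not the masked values from the slide.
WEAK_CONF = """\
ctrl_interface=/var/run/wpa_supplicant

network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="EXAMPLE-USER"
    anonymous_identity="EXAMPLE-USER"
    password="EXAMPLE-PASSWORD"
    phase1="auth=MD5"
    phase2="auth=PAP password=EXAMPLE-PASSWORD"
    eapol_flags=0
}
"""

# Constructed counter-example (hypothetical paths): certificate-based EAP-TLS
# with a per-device key, so there is no shared password on disk, the server
# certificate is validated, and a stolen device's credential can be revoked.
BETTER_CONF = """\
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="device-0001"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    client_cert="/etc/ssl/certs/device-0001.pem"
    private_key="/etc/ssl/private/device-0001.key"
    eapol_flags=0
}
"""


def parse_networks(text: str) -> List[Dict[str, str]]:
    """Return one {key: value} dict per network={...} block, quotes stripped."""
    networks = []
    for body in re.findall(r"network\s*=\s*\{(.*?)\}", text, re.S):
        entry: Dict[str, str] = {}
        for raw in body.splitlines():
            line = raw.split("#", 1)[0].strip()      # drop comments and padding
            if "=" not in line:
                continue
            key, value = line.split("=", 1)
            entry[key.strip()] = value.strip().strip('"')
        networks.append(entry)
    return networks


def audit_network(net: Dict[str, str]) -> List[str]:
    """Flag settings that make a copied config file directly reusable."""
    findings = []
    eap_methods = set(net.get("eap", "").upper().split())
    phase2 = net.get("phase2", "").upper()

    # A password= value is readable by anyone who can read the file or boot
    # the box from removable media; wpa_supplicant cannot protect it.
    if "password" in net:
        findings.append("plaintext-password")
    # EAP-MD5 authenticates only the client and derives no keys; listing it
    # lets an authenticator choose it instead of the tunnelled method.
    if "MD5" in eap_methods:
        findings.append("eap-md5-offered")
    # Tunnelled methods protect the inner credential only if the tunnel
    # endpoint is verified; without ca_cert any server certificate is accepted.
    if eap_methods & {"TTLS", "PEAP", "TLS"} and "ca_cert" not in net:
        findings.append("no-server-cert-validation")
    # PAP carries the inner password unhashed inside the tunnel.
    if "AUTH=PAP" in phase2:
        findings.append("phase2-pap")
    # A second copy of the secret embedded in the phase2 string.
    if "PASSWORD=" in phase2:
        findings.append("password-in-phase2")
    return findings


def audit_config(text: str) -> List[List[str]]:
    """Audit every network block in a configuration; one finding list per block."""
    return [audit_network(n) for n in parse_networks(text)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("better", BETTER_CONF)):
        for idx, findings in enumerate(audit_config(conf)):
            print(f"{label} network[{idx}]: {findings or 'no findings'}")
```

The important design point is that none of the findings is fixed by file permissions alone: a device whose owner can boot it from USB exposes every file on the disk, so the only credential worth leaving there is one that is unique to that device and can be revoked when the device is found tampered with, which is what the EAP-TLS form provides.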
I copy the files, and try again.
What next?
Find out where we are (external IP)
Proof-of-Concept: Open reverse shell
Further analysis of files reveals a lead:
http://192.168.0.250/client/
This is the actual User Interface:
But it’s not enough…
So the next logical step is…
So what’s next?
We lost access to the devices
– At least easy access
Complete the report and go for disclosure
However…
Turns out other hospitals have the same device
– So now we wait for someone to get sick…
Example #3: Summary
Device purpose: Smart TV for Hospital Patients
Data on device: Network Encryption Keys, Possible access to other networks
Method used to hack: USB Drive, Free Software, Keyboard, Mouse
Questions?