Hardware Attack Vectors Yashin Mehaboobe Security Researcher

Upload: yashin-mehaboobe

Post on 09-Jun-2015


TRANSCRIPT

Page 1: Vectors

Hardware Attack Vectors

Yashin Mehaboobe

Security Researcher

Page 2: Vectors

#whoami

• Security Researcher, Open Security

• Conference Speaker

• Interested in:

• Embedded system security

• Radio/ RTL-SDR research

• Malware Analysis

• My little projects (Arcanum, PyTriage)

• Organizer, Defcon Kerala (Mar 4. Be there!)

• Python aficionado

• Open source contributor.

Page 3: Vectors

Why Hardware?

• More interesting

• Less well known = easier to exploit

• More rewarding

• Usually open entry point into an otherwise secure network

• It’s awesome!

Page 4: Vectors

Keys to the kingdom?

Page 5: Vectors

What is covered:

• The attack of the HID

• Simulating physical access for fun and profit.

• IR vector

• Let TVs be bygones.

• Radio

• Radio != FM or Radio != WiFi

• Bus attacks:

• Unprotected = Easy to pwn (mostly)

Page 6: Vectors

Usual suspects

Wireless LAN

Web Applications

Client Side exploits

Remote exploits

Hardware attacks

Page 7: Vectors

HIDe it

• A little bit of physical access is a dangerous thing.

• Usually physical access = pwning

• Software can’t protect hardware

• HID attacks simulate an automated keyboard and mouse

• = Attacker gets to run code as if he is physically there.

Page 8: Vectors

The Rise of the Rubber Ducky

• USB Rubber Ducky by the Hak5 team.

• Comes with an automated script creator.

• Looks like a normal USB drive.

• Runs the payload burned into the memory when connected.

Page 9: Vectors

Teensy

• Arduino clone by PJRC

• Can emulate an HID device

• Existing tools like kautilya and SET to generate payloads.

• Again, multiplatform mayhem

Page 10: Vectors

DEMO

Page 11: Vectors

IR

• TV, pedestrian lights, old smartphones

• Uses one of four:

• Philips

• Sony

• NEC

• RAW

• IR library already available for Arduino

Page 12: Vectors

Tools of the Trade:

• Arduino or a similar microcontroller

• TSOP382 IR receiver

• IR LED

• Little bit of mischief

Page 13: Vectors

IR Attack 1: Replay

• Receive the code using TSOP382

• Check the code type

• Transmit accordingly whenever the button is pressed

Page 14: Vectors

TV-B-Gone

• Most TVs have a predefined power-off sequence

• Widely available

• Create a script that goes through the popular off codes one by one

• No more pesky TVs

Page 15: Vectors

DEMO

Page 16: Vectors

Tangoing with Radio

• SDR=Software Defined Radio

• Usually pretty expensive.

• Until the rise of RTL-SDR

• Scope = AIS, GSM, ADS-B, GPS, you name it.

Page 17: Vectors

RTL-SDR or cheap radio sniffer

• Mainly two types:

• E4000: 52-2200 MHz

• R820T: 24-1766 MHz

• Software used:

• GQRX

• rtl_sdr

• SDRSharp

• Log most data broadcast within the frequency ranges

Page 18: Vectors

Sniffing Radio Traffic

• AIS (ship transmissions) are easily picked up

• So are aircraft broadcasts

• You can sniff most protocols off the air

• Decode using baudline

• Possible attacks against: home automation systems and car keyfobs

• Keyfobs are supposed to use rolling key codes

• “Supposed to”
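The rolling-code point above, as an added example that is not from the original slides: a receiver that accepts a fixed code stays open to any recorded frame, while a counter-plus-MAC receiver refuses it. The HMAC construction, the 16-step window, the key and the frame layout are assumptions for illustration, not any vendor's keyfob scheme.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: tolerated button presses made out of range

def fob_frame(key: bytes, counter: int) -> bytes:
    """Frame sent by the fob: 4-byte counter followed by an 8-byte truncated HMAC."""
    msg = struct.pack(">I", counter)
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Weak design: one static code, so a recorded frame stays valid forever."""
    def __init__(self, code: bytes):
        self.code = code

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.code)

class RollingCodeReceiver:
    """Hardened design: each counter value is accepted at most once."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        (counter,) = struct.unpack(">I", frame[:4])
        # Stale (replayed) counters and counters beyond the window are refused.
        if not self.last < counter <= self.last + WINDOW:
            return False
        if not hmac.compare_digest(frame, fob_frame(self.key, counter)):
            return False
        self.last = counter  # move forward only after the MAC verifies
        return True

def demo() -> dict:
    key = b"constructed-demo-key"      # constructed sample key
    fixed_code = b"\xaa\x55\xaa\x55"   # constructed static code
    fixed, rolling = FixedCodeReceiver(fixed_code), RollingCodeReceiver(key)
    recorded = fob_frame(key, 1)       # one frame as seen on the air
    return {
        "fixed": [fixed.accept(fixed_code), fixed.accept(fixed_code)],
        "rolling": [rolling.accept(recorded), rolling.accept(recorded)],
        "next_press": rolling.accept(fob_frame(key, 2)),
    }
```

`demo()` returns the accept/reject decision for the first use and the repeat of the same frame on each receiver, plus the next legitimate press on the rolling receiver.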

Page 19: Vectors

Antennas

● Dependent on the frequency that you want to capture.

● Different types for different purposes:

● Monopole: ACARS, ADS-B, AIS (Airplanes/Ships)

● Rubber Ducky antennas for short range

● Discone for wide coverage (More noise)

Page 20: Vectors

Discone Monopole Rubber Ducky

Page 21: Vectors

DEMO TIME!

Page 22: Vectors

Bus Attacks

Page 23: Vectors

The Magic Electronic Buses

● Buses are used by components in an embedded system to communicate with each other

● Not secured

● Most commonly used protocols are SPI, I2C and UART

● No authentication

● I2C utilizes addressing

Page 24: Vectors

Attacking bus protocols

● Sniffing:

● Logic analyzers pick up most of the protocols

● Bus pirate is your friend

● Replay:

● Sniffed sequences can be played back at later times

● Bus pirate is your best friend

● Debug ports:

● UART/JTAG ports are left open for debugging purposes

● Can be used to dump firmware and mess with the memory

Page 25: Vectors

Here there be Pirates

● Hardware hacker's multitool

● Read/write I2C, SPI, UART

● Midlevel JTAG support

● AVR programmer too!

● Can be accessed via USB.

Page 26: Vectors

DEMO

Page 27: Vectors

Thank you!

Questions?

Page 28: Vectors

Contact Details

Twitter: twitter.com/yashin.mehaboobe

Email: yashinm92<at>gmail.com

Carrier pigeon works too.