hacking cell phone embedded systems
play

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The - PowerPoint PPT Presentation

Jul 26, 2023 •224 likes •682 views

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

  1. Hacking Cell Phone Embedded Systems Keegan Ryan – RECON 2017

  2. The Target

  3. The Target brendangates

  4. The Target Meriac (2010), Churchill

  5. Legacy ICLASS • Introduced in 2007 • Broken in 2010 • Master key on every reader • Security of card reader broken • Protocol reverse engineered • New version of iCLASS released, but many still use Legacy iCLASS • Uses ISO15693 Meriac (2010), Inside Contactless (2004)

  6. Nexus S • Introduced in 2010 • One of earliest to support NFC, including ISO15693 • Android source code available • Cheap

  7. Nexus S • Try Android app first Android • Transceive raw bytes Application • CRC added automatically, but we don’t want a CRC • Not added by libraries libnfc Library • Not added by kernel • Must be added by NFC controller chip Kernel Driver NFC Controller

  8. PN544 • Separate from Nexus S CPU • Powered by host or external field • Supports ISO 15693, Mifare, FeliCa • Supports firmware upgrades • Uses 80C51MX Processor DATA CODE NXP (2010), Wharton (1980)

  9. Investigating the PN544

  10. Firmware Recovery • PHDNLD_CMD_READ • Pull from update file • Code signing • Protected with SHA1 and RSA-1024 • Introduced after first devices shipped • Need a device never updated past Gingerbread Libnfc-nxp

  11. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  12. Reverse Engineering • There aren’t any. Look for strings. • They don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • Just start reversing until we find something useful.

  13. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  14. Reverse Engineering • Reverse commonly called functions • Find switch function • Find command switching • Trace known command IDs through code

  15. Reverse Engineering Libnfc-nxp

  16. Problem: PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  17. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE ??? PATCH_CODE

  18. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  19. Kernel Recovery • We understand and can modify FW_CODE • FW_CODE doesn’t have access to kernel • We can modify PATCH_CODE • Don’t know how to trigger PATCH_CODE • Want to maximize chances of executing our code

  20. Kernel Recovery PATCH_CODE

  21. Kernel Recovery PATCH_CODE

  22. Kernel Recovery

  23. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  24. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  25. Reverse Engineering Kernel Reverse Engineering • Still aren’t any. Look for strings. • Still don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • CRC creation is done by hardware • Still not impossible, but we need a new approach

  26. Wireless Protocols

  27. SDR Setup Signal Source Antenna Radio Upconverter

  28. SDR Setup <s> 10 01 10 00 01 00 00 00…

  29. Transfer Speed • ISO15693 has two modes: • Slow (1.65 kbps) • Fast (26.48 kbps) • Nexus S uses slow mode • ICLASS only uses fast mode Inside Contactless (2004)

  30. Problem: Transfer Speed • Capability probably exists, but is unused. • Find transmission code • Loads settings from EEPROM/CFG • Only uses one set of values • Swap around values in EEPROM/CFG • Fast mode!

  31. Mifare Libnfc-nxp

  32. Problem: Checksum Generation Find differences here Android Apply difference here FW_CODE Command Handler MIFARE Setup MIFARE Setup ISO15693 Setup (CRC) (No CRC) (CRC) RF Transmit

  33. Patching the Kernel PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  34. Exploitation

  35. Patching Checksum Generation PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  37. Putting It All Together PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  38. Demo

  39. Demo

  40. Future Research What can be done with a hacked NFC controller? • Surreptitiously read a badge • Information storage • Information exfiltration

  41. Future Research • What other embedded systems do we carry everywhere? • Bluetooth • USB controller • Baseband radio • Camera • Fingerprint reader • What could you make these systems do?

  42. The End Keegan Ryan Keegan.Ryan@nccgroup.trust @inf_0_

  43. Bypassing Firmware Signing? if (*flag == 0xa55a) doInsecureDownload(); else doSecureDownload();

  44. Bibliography Brendangates . “Badge reader.” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY-NC-ND 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/brendangates/2384518688. Churchill, Sam. “ nfc.phone .” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/samchurchill/5181496553 Inside Contactless. "Datasheet PicoPass 2KS." Rapport technique (2004). Libnfc-nxp Library. Accessed June 11, 2017. https://android.googlesource.com/platform/external/libnfc-nxp. Meriac, Milosch. "Heart of darkness-exploring the uncharted backwaters of hid iclass (TM) security." In 27th Chaos Communication Congress . 2010. NXP. “NXP NFC controller PN544 for mobile phones and portable equipment." On Line: http://www.nxp.com/documents/leaflet/75016890.pdf (2010). Wharton, John. "An Introduction to the Intel-MCS-51 Single-Chip Microcomputer Family." Intel Corporation (1980).

Recommend

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

902 views • 74 slides
Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa

Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa

Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa Computers everywhere Today, 98% of all processors in the planet are embedded in other objects: Increasing complexity # functions in a cell phone 200

728 views • 59 slides
Sign In Directions Please take out cell phone If you do not have a cell phone, there is a

Sign In Directions Please take out cell phone If you do not have a cell phone, there is a

Sign In Directions Please take out cell phone If you do not have a cell phone, there is a sign up sheet in the back. Send text message to: 37607 Type in message area: Joemac30 Wait for the brief response Type in your

891 views • 68 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
1 Production Cell Set-up Pervasive Systems Robotics and Mechatronics Bio-inspired wireless

1 Production Cell Set-up Pervasive Systems Robotics and Mechatronics Bio-inspired wireless

Programme Today Master programme Embedded Systems Bert Molenkamp (programme mentor) Demo 4TU MASTER EMBEDDED SYSTEMS Gerwin Hoogsteen (ZI 5078); smart grid Masoud Abbasi Alaei (ZI 5098); wireless communication Tour

413 views • 4 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

415 views • 20 slides
Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems

Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems

Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems Gabor Cselle gabor@student.ethz.ch Advisor: Christian Frank Overview 1. An introduction to location models 2. Automatic identification of

415 views • 29 slides
4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of contents What is an embedded system Examples of research topics Admission Overview of the programme Success rates Master Embedded

814 views • 31 slides
Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by a cell phone? 4. How are people exposed to the energy from cellular phone towers? 5. Do cellular phone towers cause cancer? 6. what CAN we do? 7.

570 views • 14 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone

Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone

Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone industry one step at the time. About Fairphone If you cant open it, you dont own it Fairphone 2 hardware overview Samsung 32 GB eMMC NAND

601 views • 32 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Trends of RT Embedded Systems

332 views • 10 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick

Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick

Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick Hacking &amp; Prof. Malcolm Eames Low Carbon Research Institute (LCRI), WSA, Cardiff University SUPERGEN Delivery of Sustainable Hydrogen (DoSH 2 )

713 views • 20 slides
Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split

Embedded Systems Engineering VO + LU Overview The module Embedded Systems Engineering is split in 2 parts: Lectures: ESE VO (182.721) ECTS: 3.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/esevo Staff: Prof. Radu Grosu,

859 views • 7 slides
When Embedded Systems Attack Embedded systems can fail for a variety of reasons

When Embedded Systems Attack Embedded systems can fail for a variety of reasons

22.1 22.2 When Embedded Systems Attack Embedded systems can fail for a variety of reasons Electrical problems Unit 22 Mechanical problems Errors in the programming Incorrectly specified Errors caused by users Embedded

201 views • 5 slides
Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles

Large-Scale Distributed Systems and Networks TDDE35 Lectures on Embedded Systems Petru Eles Institutionen fr Datavetenskap (IDA) Linkpings Universitet email: petru.eles@liu.se http://www.ida.liu.se/~petel71/ phone: 28 1396 B building,

1.52k views • 128 slides
1 How are embedded systems different Timing and Concurrency than traditional software? Fire

1 How are embedded systems different Timing and Concurrency than traditional software? Fire

What is an Embedded System? Definition of an embedded computer system: Embedded Systems is a digital system. Introduction uses a microprocessor (usually). runs software for some or all of its functions. frequently used as a

158 views • 3 slides
Appropriate Use of Social Media and Cell Phones Karen Haase karen@ksbschoollaw.com KSB School

Appropriate Use of Social Media and Cell Phones Karen Haase karen@ksbschoollaw.com KSB School

Appropriate Use of Social Media and Cell Phones Karen Haase karen@ksbschoollaw.com KSB School Law @KarenHaase 0 Raise your hand if You have a cell phone You use text messaging Youve taken photos with a cell phone camera

566 views • 24 slides
Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE

Introduction to Embedded Systems Introduction to Embedded Systems CS/ECE 6780/5780 CS/ECE 6780/5780 Al Davis Al Davis Todays topics: logistics - minor synopsis of last lecture software desig finite state machine based

466 views • 19 slides
Last Time Embedded systems introduction u Definition of embedded system Common

Last Time Embedded systems introduction u Definition of embedded system Common

Last Time Embedded systems introduction u Definition of embedded system Common characteristics Kinds of embedded systems Crosscutting issues Software architectures Choosing a processor Choosing a

931 views • 39 slides
demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? -

demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? -

demystifying systemd for embedded systems OpenIoT &amp; ELC Europe 2016 Agenda - Who am I? - Embedded Systems? - Background - Systemd for Embedded Systems Myths - Baseline - Scaling Up - Super-tiny Systems - Brazilian - Software

446 views • 32 slides

More recommend