hardsploit
play

HARDSPLOIT Framework for Hardware Security Audit a bridge between - PowerPoint PPT Presentation

Jun 14, 2023 •392 likes •803 views

HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester Who am I ? Julien Moinard - Electronic engineer @opale-security (French company) - Security consultant, Hardware & SoDware pentester -

  1. HARDSPLOIT Framework for Hardware Security Audit a bridge between hardware & a so0ware pentester

  2. Who am I ? • Julien Moinard - Electronic engineer @opale-security (French company) - Security consultant, Hardware & SoDware pentester - Team project leader of Hardsploit - DIY enthusiast 16/03/2016 2

  3. Opale Security in 1 slide 16/03/2016 3

  4. Internet of Things & Privacy concern ? • Any IoT object could reveal informa@on about individuals • Wearable Technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded and so on • Quan@fied Self: pedometers, sleep monitors, and so on • Home Automa@on: connected households using smart fridges, smart ligh<ng and smart security systems, and so on • … 16/03/2016 4

  5. Internet of Things & Privacy concern ? • Last news : (you can update this slide every week L ) Firmware can be read without any problem (SPI memory) VTech was hacked in November, exposing millions of accounts. In response, the firm took some essen<al services offline, meaning products could not be registered on Christmas Day. 16/03/2016 5

  6. Iot Eco-system (20000 feet view) • Privacy Risk level : Where? HF communica<on (ISM Band) + Wifi + 3G-5G , Bluetooth, Sigfox, Lora etc.. IoT devices Central servers, User Interface, API, Backoffice etc. Classical wired connec<ons 16/03/2016 6

  7. Security speaking, hardware is the new soDware ? SOFTWARE To secure it: • Security products (Firewall, An<virus, IDS,…) • Security services (Pentest, Audit, …) • Tools (Uncountable number of them) HARDWARE To secure it: • Few or unimplemented solu<ons (Encryp<on with key in a secure area, an<-replay mechanisms, readout protec<on, …) 16/03/2016 7

  8. Hardsploit & hardware hacking basic procedure • 1/ Open it • 2/ Fingerprint all the component if you can else automa@c brute forcing • 3/ Use those that may contain data (Online / Offline analysis ?) • 4/ Perform read | write opera@on on them • 5/ Reverse engineering, find vulnerabili<es and exploit them 16/03/2016 8

  9. Global Purpose 16/03/2016 9

  10. Why ? • Because chips contain interes<ng / private data • Passwords • File systems • Firmware • … 16/03/2016 10

  11. How ? • A hardware pentester need to know electronic buses and he need to be able to interact with them PARALLEL CAN UART JTAG / SWD Custom 1-Wire 16/03/2016 11

  12. Hardsploit framework Hardsploit database Module (SWD, SMBus, I2C, SPI, etc..) Same hardware but a sofware update is needed to add a new protocols Input / Output IoT target 16/03/2016 12

  13. Hardsploit bus indenSficaSon & scanner (in progress, not published yet) Hardsploit Database of components Module (I2C, SPI, etc..) Database of pagerns Scanner IO hardware mixer Input / Output IoT target 16/03/2016 13

  14. Tool of trade FUNCTIONALITIES BUSPIRATE JTAGULATOR GOODFET HARDSPLOIT UART Bus iden<fica<on SPI PARALLEL I2C JTAG / SWD Bus iden<fica<on MODULARITY Microcontroller Microcontroller Microcontroller uC / FPGA EASE OF USE Cmd line + datasheet Command line Command line Official GUI / API / DB I/O NUMBER < 10 24 < 14 64 (plus power) WIRING TEXT (but MOSI = SDA J ) TEXT / AUTOMATIC TEXT LED / TEXT/ iden<fica<on AUTOMATIC iden<fica<on 16/03/2016 14

  15. Hardsploit: CommunicaSon 16/03/2016 15

  16. Prototype making • Applying soldering paste (low budget style) 16/03/2016 16

  17. Prototype making • Manual reflow oven (DIY style) 16/03/2016 17

  18. Prototype V0.1 aka The Green Goblin J 16/03/2016 18

  19. Prototype making (with a budget) • The rebirth 16/03/2016 19

  20. The board – Final version • 64 I/O channels • ESD Protec<on • Target voltage: 3.3 & 5V • Use a Cyclone II FPGA • USB 2.0 • 20cm x 9cm 16/03/2016 20

  21. Hardsploit organizaSon 16/03/2016 21

  22. Chip management • Search • Create • Modify • Interact 16/03/2016 22

  23. Wiring helper GUI <–> Board interac<on Datasheet representa<on Hardsploit Wiring module representa<on 16/03/2016 23

  24. Se[ngs 16/03/2016 24

  25. Command editor 16/03/2016 25

  26. What are available on github (Open) ? • Microcontroller (c) • API (ruby) • GUI (ruby) • Create your own Hardsploit module : VHDL & API (ruby) 16/03/2016 26

  27. Already available (github) Parallel non mul<plexed memory dump • 32 bits for address • 8/16 bits for data Helping wiring I2C 100Khz 400Khz and 1 Mhz • Addresses scan • Read, write, automa<c full and par<al dump SPI mode 0,1,2,3 up to 25 Mhz • Read, write, automa<c full and par<al dump SWD interface (like JTAG but for ARM core) • Dump and write firmware of most ARM CPU GPIO interact / bitbanging (API only for the moment) • Low speed < 500Hz read & write opera<ons on 64 bits 16/03/2016 27

  28. More to come (see online roadmap)… • Automa<c bus inden<fica<on & Scanner (@30%) • Component & commands sharing platorm (@90%) • TTL UART Module with automa<c detec<on speed (@80%) • Parallel communica<on with mul<plexed memory • I2C sniffing (shot of 4000 bytes up to 1 Mhz) • SPI sniffing (shot of 8000 / 4000 byte half / full up to 25Mhz) • RF Wireless transmission training plateform (Nordic NRF24, 433Mhz, 868Mhz transcievers) • Metasploit integra<on (module) ?? • JTAG • 1 Wire • CanBUS (with hardware level adapter) • … 16/03/2016 28

  29. Concrete case • An electronic lock system • 4 characters pin code A – B – C – D • Good combinaison – Door opens, green L.E.D turn on • Wrong combinaison – Door closes, red L.E.D turn on 16/03/2016 29

  30. Concrete case: Open it 16/03/2016 30

  31. Concrete case: Fingerprint SPI MEMORY 25LC08 STM32F103RBT6 I2C MEMORIES 24LC64 16/03/2016 31

  32. Concrete case: Online / Offline analysis ? 16/03/2016 32

  33. Concrete case: hardsploit scenario 1. Open Hardsploit to create the component (if not exist) 2. Connect the component to Hardsploit (wiring helping) 3. Enter and save the component seungs (if not exist) 4. Dump the content of the memories (1 click) 5. Change the door password by using commands (few clicks) 6. Try the new password on the lock system (enjoy) 16/03/2016 33

  34. Concrete case: Read | Write operaSon, I2C, SPI, SWD … • Time for a live demo ? 16/03/2016 34

  35. Parallel bus memory 16/03/2016 35

  36. Concrete case: Fingerprint 16/03/2016 36

  37. Concrete case: Offline analysis 16/03/2016 37

  38. Concrete case: Ready to dump the content 16/03/2016 38

  39. Conclusion • IoT Device are (also) prone to vulnerabili<es help you to find them • Security policy need to be adpated, nowadays, it is not so difficult to extract data on IoT • Designers need to design with security in mind • Skills related to pentest a hardware device is mandatory for Security Experts (but training exist) • Industry need to take care about device security 16/03/2016 39

  40. Thank you ! Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT) To learn more about Hardsploit and follow the development Hardsploit.io & Opale-Security.com • Julien MOINARD (Project leader of Hardsploit) • Yann ALLAIN (CEO) • julien.moinard@opale-security.com • yann.allain@opale-security.com • +33 9 72 43 87 07 • +33 6 45 45 33 81 Hardware & Sofware, Pentest, Audit, Training 16/03/2016 40

Recommend

More recommend