Internet of Compromised Things Damien Cauquil Hack In Paris, June 22nd, 2017
Who am I?
• R&D director and senior security researcher at CERT-UBIK
• Smart Things breaker and reverse-engineer
• Special interest in DFIR
Agenda
• IoT smart stuff: pirates' heaven
  • Mirai!
  • How tech people investigated the Mirai botnet
  • Why it is getting worse
• The role of a connected/smart device during an investigation
• Digital forensics in the Internet of Things era
  • A complex technical environment
  • Post-mortem analysis: tools and methodologies
  • Live analysis of connected devices and operational issues
  • Introducing the Hardware Forensic Database
• Traceability and accountability
  • Not all devices are concerned
  • Observed average security level of connected devices
  • Logging and traceability
• Conclusion
Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes
IoT smart stuff: pirates' heaven
IoT smart stuff: pirates' heaven
• Mirai demonstrated how insecure our smart things are
  • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
  • source code quickly released to hide tracks ...
  • ... and a lot of clones were developed and launched
  • uses the telnet and ssh services (default credentials) to break into cameras, DVRs, etc.
• Why target connected devices rather than servers?
  • usually not up to date
  • run proprietary (insecure) software
  • difficult to monitor
• It's getting worse!
  • new botnets designed to fight Mirai (Hajime, BrickerBot)
  • botnets used to mine Bitcoin, DogeCoin and other crypto-currencies
IoT smart stuff: pirates' heaven
What could possibly go wrong?
IoT smart stuff: pirates' heaven
• Smart devices are now widespread and used
  • to secure our houses and flats: smart locks
  • to detect burglars and intruders: smart alarms, smart CCTV
  • to make a patient's life easier: smart insulin pumps, connected glucose monitoring systems
• What happens if one of those fails?
  • Don't worry, you are covered by your insurance policy!
  • Are you sure?
  • Last but not least, you might be dead.
The role of a connected device during an investigation
The role of a connected device during an investigation
• Three major cases:
  • the device was the victim/target of a crime
  • the device was used to commit a crime
  • the device contains information related to a crime
The role of a connected device during an investigation
Pacemakers, insulin pumps and many more devices may injure people or cause death
The role of a connected device during an investigation
• The victim device may contain
  • information about how the attack was performed
  • traces pointing to the origin of the attacker
  • artefacts (exploits, malware, backdoors, ...)
• Required to assess the damage and how bad the situation is!
The role of a connected device during an investigation
TV5 Monde hack
• In April 2015, TV5 Monde was attacked and its broadcasting infrastructure shut off.
• The French ANSSI (national IT security agency) handled the incident
• They had a hard time figuring out how to forensically extract information from some embedded systems
• They asked the vendors about their systems
• They had to determine how to extract and preserve evidence from these devices
• No standard procedure for this particular case
The role of a connected device during an investigation
Quadcopters as bomb droppers
• The device may contain
  • information that may reveal its owner's identity: serial number, e-mail address, phone name or number, ...
  • geographical information: GPS coordinates, take-off location
  • photos, videos, records of previous activity
The role of a connected device during an investigation
Amazon's Alexa device analyzed during an FBI investigation
• The device may contain
  • information about someone's activity: GPS coordinates, date and time of various events, nearby active devices (WiFi access points), ...
  • photos, videos
  • logs
Digital forensics in the Internet of Things era
Digital forensics in the Internet of Things era
Extracting information from devices may seem an easy task
• Easy-peasy, it's Linux-based with a known filesystem!
• We just need to dump the flash memory and extract everything with EnCase!
But wait ...
• What if the device uses secure boot with strong encryption?
• What if the device has no filesystem at all?
• What if the device offers no way to access its system to extract live information?
Digital forensics in the Internet of Things era
A smart device:
• uses various electronic chips to store information
  • eMMC
  • SPI flash
  • F-RAM
  • internal flash memory (System on Chip)
  • internal EEPROM
• stores information at specific, undocumented locations
• may use proprietary encryption or obfuscation
• offers no easy way to access the information
Post-mortem analysis of a smart device
Post-mortem analysis of a smart device
We need moar tools!
• Tools to desolder and clean memory chips
• Tools to read memory chips and forensically extract their contents
• Tools to reverse-engineer firmware and find where and how the information is stored
• Tools to bypass memory protections and other anti-dump techniques (i.e. exploits!)
Post-mortem analysis of a smart device
We need a specific methodology!
• Maximum information, minimum effort
  • allowing investigators to quickly extract valuable information
  • reducing the risk of losing information (when possible) and ensuring evidence integrity
Post-mortem analysis of a smart device
• Determine if the device has an operating system
  • Identify the main component
  • Check the datasheet and development kit
  • Determine if it usually runs an operating system
• Locate external flash memory chips (SPI flash, NAND, eMMC)
  • Find the corresponding datasheet
  • Determine how to communicate with the memory chip: SPI, parallel flash, proprietary protocol
• Use the correct adapter/tool to extract the information
  • Desolder the memory chip if necessary
  • Use classic forensic tools on SD cards
  • Create a bit-stream image of each memory chip
  • Compute SHA-512 and MD5 hashes for each image, before any analysis, to prove its integrity later
• Analyze the images
  • Look for filesystems if an operating system is used
  • Look for chip-specific information (depending on the datasheet and the associated memory map)
  • Keyword search!
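The "analyze the images" step of the methodology above, as an added example written for this page (Python; not the speaker's tooling): hash a bit-stream image with SHA-512 and MD5, carve it for common embedded filesystem signatures, and run a keyword search over its printable strings. The image is constructed inside the script so it runs offline; the signature list and the keywords are the editor's choices, not anything from the talk.

```python
"""Triage of a raw flash/eMMC image: integrity hashes, filesystem carving, keyword search.

Added example (not the speaker's tooling). build_sample_image() constructs a fake
dump so the script runs offline; replace it with the bytes of a real bit-stream image.
"""
import hashlib
import re

# Magic numbers commonly met in embedded Linux flash layouts:
# (signature, name, distance from the signature back to the start of its structure).
FS_SIGNATURES = [
    (b"hsqs", "SquashFS (little-endian)", 0),
    (b"sqsh", "SquashFS (big-endian)", 0),
    (b"UBI#", "UBI erase-counter header", 0),
    (b"\x31\x18\x10\x06", "UBIFS node", 0),
    (b"\x85\x19\x03\x20", "JFFS2 clean marker", 0),
    (b"\x85\x19\x02\xe0", "JFFS2 inode node", 0),
    (b"\x45\x3d\xcd\x28", "CramFS", 0),
    (b"\x27\x05\x19\x56", "U-Boot uImage header", 0),
    (b"\x1f\x8b\x08", "gzip stream", 0),
    # ext2/3/4 keep the 0xEF53 magic at offset 0x438 of the superblock, so the
    # filesystem itself starts 0x438 bytes before the hit.
    (b"\x53\xef", "ext2/3/4 superblock (candidate partition start)", 0x438),
]


def hash_image(data):
    """SHA-512 and MD5 of the whole image, computed once, before any analysis."""
    return {"sha512": hashlib.sha512(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def find_filesystems(data):
    """Return (offset, name) for every signature hit, sorted by offset."""
    hits = []
    for magic, name, back in FS_SIGNATURES:
        pos = data.find(magic)
        while pos != -1:
            if pos - back >= 0:
                hits.append((pos - back, name))
            pos = data.find(magic, pos + 1)
    return sorted(hits)


def extract_strings(data, min_len=4):
    """(offset, text) for each run of printable ASCII of at least min_len bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def keyword_search(data, keywords):
    """Strings containing any keyword (case-insensitive): credentials, services, paths."""
    lowered = [k.lower() for k in keywords]
    return [(off, s) for off, s in extract_strings(data)
            if any(k in s.lower() for k in lowered)]


def build_sample_image():
    """Constructed 8 KiB image: erased NOR (0xFF) with a few planted structures."""
    img = bytearray(b"\xff" * 0x2000)
    img[0x200:0x204] = b"hsqs"                                   # SquashFS superblock
    img[0x400:0x423] = b"root:$1$abc:0:0:root:/root:/bin/sh\x00"  # leaked /etc/passwd line
    img[0x800:0x804] = b"UBI#"                                   # UBI EC header
    img[0xC00:0xC13] = b"telnetd -l /bin/sh\x00"                 # an init script fragment
    img[0x1438:0x143A] = b"\x53\xef"                             # ext magic: fs starts at 0x1000
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(hash_image(image))
    for off, name in find_filesystems(image):
        print(f"0x{off:08x}  {name}")
    for off, text in keyword_search(image, ["root:", "passw", "telnet", "/etc/"]):
        print(f"0x{off:08x}  {text}")
```

Carving on short magics (the two ext bytes in particular) produces false positives on real dumps; treat every hit as a candidate to confirm by parsing the structure at that offset, not as a result.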
Post-mortem analysis of a smart device
Case study: TheQuickLock padlock
1. Open the smartlock
2. Get your hands on the PCB
• Main component: Texas Instruments CC2541 (BLE SoC)
• Does it run an OS? No
• No external memory chip: data is stored in the CC2541's internal flash
• Memory access: we need a CC Debugger to dump the flash
3. Access the memory and dump it
• Where is the interesting information stored?
  • No OS, so the information lives somewhere in the raw flash image
  • We need to find where it is stored
  • Not a trivial task: it takes time to figure out
4. Extract the PIN code from flash
5. Extract the event log
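Finding where a bare-metal SoC keeps a value in its raw flash (steps 3 and 4 above), as an added example in Python that is not the speaker's tooling and contains no real TheQuickLock data: a value the investigator set themselves (a PIN) is searched for in every common encoding, and two dumps taken before and after changing it are diffed, so only the changed regions that hold the new value remain. The two dumps, their layout (a boot counter that ticks on every power cycle, a PIN stored as two BCD bytes) and the encodings tried are constructed assumptions.

```python
"""Locating a known value (e.g. the PIN you set) in a bare-metal SoC flash dump.

Added example (not the speaker's tooling). Two constructed dumps stand in for
"before" and "after" images read with a debug probe; nothing here is real padlock data.
"""
import struct


def candidate_encodings(digits):
    """Byte patterns a numeric value is commonly stored as in firmware."""
    n = int(digits)
    padded = digits if len(digits) % 2 == 0 else "0" + digits
    return {
        "ASCII": digits.encode(),
        "ASCII+NUL": digits.encode() + b"\x00",
        "BCD": bytes.fromhex(padded),
        "one byte per digit": bytes(int(d) for d in digits),
        "uint16 LE": struct.pack("<H", n) if n < 0x10000 else b"",
        "uint32 LE": struct.pack("<I", n),
        "uint32 BE": struct.pack(">I", n),
    }


def search_encodings(dump, digits):
    """(offset, encoding) for every occurrence of every candidate encoding."""
    hits = []
    for name, pattern in candidate_encodings(digits).items():
        if not pattern:
            continue
        pos = dump.find(pattern)
        while pos != -1:
            hits.append((pos, name))
            pos = dump.find(pattern, pos + 1)
    return sorted(hits)


def diff_dumps(before, after, merge_gap=4):
    """Half-open (start, end) ranges that changed between two dumps of the same part.
    Differences closer than merge_gap bytes are merged into one range."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size: compare full-chip images of the same part")
    ranges = []
    for i, (a, b) in enumerate(zip(before, after)):
        if a == b:
            continue
        if ranges and i - ranges[-1][1] <= merge_gap:
            ranges[-1][1] = i + 1
        else:
            ranges.append([i, i + 1])
    return [tuple(r) for r in ranges]


def locate_value(before, after, new_digits):
    """Encodings of new_digits that sit inside a region that changed. The intersection
    drops both unchanged look-alikes and unrelated changes (counters, logs)."""
    changed = diff_dumps(before, after)
    return [(off, enc) for off, enc in search_encodings(after, new_digits)
            if any(start <= off < end for start, end in changed)]


def build_sample_dumps():
    """Constructed 8 KiB dumps: code-like filler, a boot counter that ticks on every
    power cycle, and a PIN stored as two BCD bytes (changed from 1234 to 5678)."""
    base = bytearray(b"\xff" * 0x2000)
    base[0x100:0x200] = bytes(range(256))  # filler: happens to contain "1234"/"5678" in ASCII
    before, after = bytearray(base), bytearray(base)
    before[0x1000:0x1002] = struct.pack("<H", 0x10)  # boot counter, before
    after[0x1000:0x1002] = struct.pack("<H", 0x11)   # boot counter, after one more power cycle
    before[0x1F00:0x1F02] = bytes.fromhex("1234")    # PIN as BCD, before
    after[0x1F00:0x1F02] = bytes.fromhex("5678")     # PIN as BCD, after the change
    return bytes(before), bytes(after)


if __name__ == "__main__":
    before, after = build_sample_dumps()
    print("changed regions:", [(hex(s), hex(e)) for s, e in diff_dumps(before, after)])
    print("all encodings of 5678:", search_encodings(after, "5678"))
    print("PIN location:", locate_value(before, after, "5678"))
```

The filler deliberately contains the ASCII digits, so a plain search yields several candidates; only the diff narrows them to the real BCD storage at 0x1F00. The same two-dump technique applies to the event log: perform one known action on the lock between dumps and the record that appears is the log entry format.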
Live analysis of compromised devices
Live analysis of compromised devices
• Analysis is often difficult
  • no easy way to communicate with the device
  • no system access while the system is active (if we want to keep it active)
  • no standard procedure, it's not a computer!
• Lack of proper tools
  • we have to deal with U(S)ART or BLE interfaces
  • standard DFIR toolkits provide no way to interact with these protocols
Live analysis of compromised devices
• If it's on, keep it on!
  • Powering off the device may destroy evidence
  • The device may provide an easy way to extract valuable information
• Identify the best way to extract information from the device
  • Find a working communication channel
  • Ensure it offers access to valuable information
  • Use this channel to gather as much information as possible
• Available information depends on the device
  • The device MUST provide a feature exposing valuable information (error codes, logs, ...)
Live analysis of compromised devices
• Use available tools to access the device
  • the Linux (BlueZ) GATT client to communicate over BLE
  • screen or minicom to communicate over U(S)ART
• Collect every valuable piece of information, following the order of volatility
  • active memory
  • process list
  • active connections
  • IP addresses
  • BD addresses (Bluetooth device addresses)
  • files (or equivalent)
  • serial numbers
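Collecting over a serial console in order of volatility while keeping an evidence log, as an added example in Python (not the speaker's code). It assumes the device exposes a BusyBox-style shell on its UART; a real run would use pyserial's serial.Serial, whose write()/read_until() surface the ScriptedConsole class imitates with constructed responses so the script runs without hardware. The commands in COLLECTION_PLAN and the canned console output are assumptions, and each record's hash covers the previous record's hash so later reordering or editing of the log is detectable.

```python
"""Live collection over a UART console, most volatile artefacts first, with a
hash-chained evidence log.

Added example (not the speaker's tooling). Assumes a BusyBox shell on the serial port;
ScriptedConsole and SAMPLE_RESPONSES are constructed stand-ins for serial.Serial.
"""
import hashlib
import json
from datetime import datetime, timezone

PROMPT = b"# "

# Most volatile first: what is lost on power-off, then what survives it.
# (rank, artefact, command typed at the console). Commands are assumptions about the shell.
COLLECTION_PLAN = [
    (0, "process list", "ps"),
    (1, "active connections", "netstat -an"),
    (2, "ip addresses", "ifconfig"),
    (3, "mounted filesystems", "mount"),
    (4, "serial number", "cat /proc/cpuinfo"),
]

# Constructed responses standing in for a compromised camera's console output.
SAMPLE_RESPONSES = {
    "ps": b"  PID USER  COMMAND\n    1 root  init\n  212 root  telnetd -l /bin/sh\n  305 root  /tmp/.x/bot\n",
    "netstat -an": b"tcp  0  0 192.168.1.20:52310  198.51.100.7:23  ESTABLISHED\n",
    "ifconfig": b"eth0  Link encap:Ethernet  HWaddr 00:11:22:33:44:55\n      inet addr:192.168.1.20\n",
    "mount": b"rootfs on / type rootfs (rw)\n/dev/mtdblock3 on /mnt/mtd type jffs2 (rw)\n",
    "cat /proc/cpuinfo": b"system type : hi3518\nSerial : 0000000012345678\n",
}


class ScriptedConsole:
    """Fake serial console: returns canned output followed by the prompt."""

    def __init__(self, responses):
        self.responses = responses
        self.buffer = b""

    def write(self, data):
        command = data.rstrip(b"\r\n").decode()
        reply = self.responses.get(command, f"sh: {command}: not found\n".encode())
        self.buffer += reply + PROMPT
        return len(data)

    def read_until(self, expected=b"\n", size=None):
        idx = self.buffer.find(expected)
        cut = len(self.buffer) if idx < 0 else idx + len(expected)
        out, self.buffer = self.buffer[:cut], self.buffer[cut:]
        return out


def run_command(console, command, prompt=PROMPT):
    """Type one command and return its output without the trailing prompt."""
    console.write(command.encode() + b"\r\n")
    raw = console.read_until(prompt)
    return raw[:-len(prompt)] if raw.endswith(prompt) else raw


def collect(console, plan=COLLECTION_PLAN, prompt=PROMPT):
    """Run the plan in order of volatility; each record's hash covers the previous one."""
    records, prev = [], "0" * 64
    for seq, (_, artefact, command) in enumerate(sorted(plan)):
        output = run_command(console, command, prompt)
        digest = hashlib.sha256(prev.encode() + output).hexdigest()
        records.append({
            "seq": seq,
            "utc": datetime.now(timezone.utc).isoformat(),
            "artefact": artefact,
            "command": command,
            "output": output.decode("utf-8", errors="replace"),  # readable copy
            "output_hex": output.hex(),                          # exact bytes, hashed
            "prev": prev,
            "sha256": digest,
        })
        prev = digest
    return records


def verify_chain(records):
    """Recompute the chain from the exact bytes; False if any record was altered."""
    prev = "0" * 64
    for record in records:
        expected = hashlib.sha256(prev.encode() + bytes.fromhex(record["output_hex"])).hexdigest()
        if record["prev"] != prev or record["sha256"] != expected:
            return False
        prev = expected
    return True


def to_jsonl(records):
    """One JSON object per line, ready to be written next to the session capture."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)


if __name__ == "__main__":
    evidence = collect(ScriptedConsole(SAMPLE_RESPONSES))
    print(to_jsonl(evidence))
    print("chain ok:", verify_chain(evidence))
```

With pyserial the console object would be serial.Serial("/dev/ttyUSB0", 115200, timeout=5) and a real device usually echoes the typed command, so strip it from the output before hashing; the record format and the chain verification stay the same.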
Live analysis of compromised devices
Case study: Fora Glucose Monitoring System