Internet of Compromised Things Damien Cauquil & Nicolas Kovacs - PowerPoint PPT Presentation

  1. Internet of Compromised Things Damien Cauquil & Nicolas Kovacs RMLL, July 4th, 2017

  2. Who are we?
     • Nicolas Kovacs
       • Security Consultant at CERT-UBIK
       • DFIR team leader
       • Bounty Hunter
     • Damien Cauquil
       • R&D director and senior security researcher at CERT-UBIK
       • Smart Things breaker and reverse-engineer
       • Special interest in DFIR

  3. Agenda
     I. IoT smart stuff: pirates’ heaven
     II. The role of a connected/smart device during an investigation
     III. Digital forensics in the Internet of Things era
     IV. Traceability and accountability
     V. Conclusion

  4. Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes

  5. IoT smart stuff: pirates’ heaven
     • Mirai demonstrated how insecure our smart things are
       • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
       • source code quickly released to hide tracks ...
       • ... a lot of clones were developed and launched
       • uses telnet and ssh services to break into cameras, DVRs, etc.
     • Why target connected devices rather than servers?
       • usually not up-to-date
       • run proprietary (insecure) software
       • difficult to monitor
     • It’s getting worse!

  6. IoT smart stuff: pirates’ heaven. The Cayla doll case

  7. IoT smart stuff: pirates’ heaven. What could possibly go wrong?

  8. IoT smart stuff: pirates’ heaven
     • Smart devices are now widespread and used
       • to secure our houses and flats: smartlocks
       • to detect burglars and intruders: smart alarms, smart CCTV
       • to make a patient’s life easier: smart insulin pumps, connected glucose monitoring systems, smart pacemakers, etc.
     • What happens if one of those fails?
       • Don’t worry, you are covered by your insurance policy!
       • Are you sure?
       • Last but not least, you might be dead.

  9. The role of a connected device during an investigation

  10. The role of a connected device during an investigation
      • Three major cases:
        • the device was a victim/target of a crime
        • the device has been used to commit a crime
        • the device contains some information related to a crime

  11. The role of a connected device during an investigation. Device as a victim/target: pacemakers, insulin pumps and a lot more devices may injure people or cause death

  12. The role of a connected device during an investigation. Device as a victim/target
      • The victim device may contain
        • information about how the attack was performed
        • traces related to the origin of the attacker
        • artefacts (exploits, malware, backdoors, ...)
      • Required to evaluate the damage and how bad the situation is!

  13. The role of a connected device during an investigation. Device used to commit a crime: quadcopters as bomb droppers

  14. The role of a connected device during an investigation. Device used to commit a crime
      • The device may contain
        • Information that may reveal its owner’s identity: serial number, email address, phone name or number, ...
        • Geographical information: GPS coordinates, take-off location
        • Photos, videos, records of previous activity

  15. The role of a connected device during an investigation. Device contains information related to a case: Amazon’s Alexa device analyzed during an FBI investigation

  16. The role of a connected device during an investigation. Device contains information related to a case
      • The device may contain
        • Information about someone’s activity: GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
        • Photos, videos
        • Logs

  17. Digital forensics in the Internet of Things era

  18. Digital forensics in the Internet of Things era
      Extracting information from devices may seem an easy task
      • Easy-peasy, it’s Linux-based with a known filesystem!
      • We just need to dump the Flash memory and extract everything with EnCase!
      But wait ...
      • What if the device uses secure boot with military-grade encryption?
      • What if the device has no filesystem at all?
      • What if the device offers no way to access its system to extract live information?

  19. Digital forensics in the Internet of Things era
      • It uses various electronic chips to store information
        • eMMC
        • SPI Flash
        • F-RAM
        • Internal flash memory (System on Chip)
        • Internal EEPROM
      • It stores information at specific, unknown locations
      • It may use proprietary encryption or obfuscation
      • It offers no easy way to access the information

  20. Digital forensics in the Internet of Things era. We need:
      • standardized procedures
      • forensic tools with proper documentation
      • training!

  21. Post-mortem analysis of a smart device

  22. Post-mortem analysis of a smart device. Case Study: TheQuickLock padlock

  23. Post-mortem analysis of a smart device. 1. Open the smartlock

  24. Post-mortem analysis of a smart device. 2. Remove the screw to unlock the shackle

  25. Post-mortem analysis of a smart device. 3. Get your hands on the PCB

  26. Post-mortem analysis of a smart device
      • Main component: Texas Instruments CC2541
      • Does it run an OS? No
      • No external memory chip: data is stored in the CC2541 SoC
      • Memory access: we need a CC Debugger to dump the flash

  27. Post-mortem analysis of a smart device. 4. Access the memory and dump it

  28. Post-mortem analysis of a smart device
      • Where is the interesting information stored?
        • No OS: information is stored in Flash
        • We need to find where the interesting information is stored
        • It is not a trivial task and requires some time to figure out

  29. Post-mortem analysis of a smart device. 5. Extract the PIN code from Flash

  30. Post-mortem analysis of a smart device. 6. Extract the event log

  31. Post-mortem analysis of a smart device. We need moar tools!
      • Tools to desolder and clean electronic memory chips
      • Tools to access memory devices and forensically extract information
      • Tools to reverse-engineer firmware and find where and how the information is stored
      • Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits!)

  32. Post-mortem analysis of a smart device. We need a specific methodology!
      • Maximum of information, minimum effort
        • allowing investigators to quickly extract valuable information
        • reducing the risk of information loss (when possible) and ensuring evidence integrity

  33. Live analysis of compromised devices

  34. Live analysis of compromised devices
      • Analysis is often difficult
        • no easy way to communicate with the device
        • no system access while the system is active (if we want to keep it active)
        • no standard procedure, it’s not a computer!
      • Lack of proper tools
        • We have to deal with U(S)ART or BLE interfaces
        • Standard DFIR toolkits provide no way to interact with these protocols

  35. Live analysis of compromised devices
      • If it’s on, keep it on!
        • Powering off the device may destroy evidence
        • The device may provide an easy way to extract valuable information
      • Identify the best way to extract information from the device
        • Find a working communication channel
        • Ensure it offers access to valuable information
        • Use this communication channel to gather as much information as possible
      • Available information depends on the device
        • The device MUST provide a feature to get valuable information (error codes, logs, ...)

  36. Live analysis of compromised devices
      • Use available tools to access the device
        • Linux GATT client to communicate through BLE
        • screen or minicom to communicate through U(S)ART
      • Collect every valuable piece of information, following the Order of Volatility
        • Active memory
        • Process list
        • Active connections
        • IP addresses
        • BD addresses
        • Files (or equivalent)
        • Serial numbers

  37. Live analysis of compromised devices. Case Study: Fora Glucose Monitoring System

  38. Live analysis of compromised devices
      • The device relies on its own protocol over Bluetooth LE
        • Old serial protocol ported to BLE
        • Offers a lot of features
        • May be used to extract information

  39. Live analysis of compromised devices

  40. Live analysis of compromised devices
      • We can then collect
        • All records stored in the device
        • Firmware information
        • Serial number
      • Dedicated tool available in the HFDB
        • Collects all the measurements stored on a device
        • Features in development: serial number and firmware info

  41. Live analysis of compromised devices
      $ node diamondmini.js -t XX:XX:XX:XX:XX:XX
      Number of records: 1
      Newest record index is: 0
      --- Records ----
      16/8/16 16:43 - 147 mg/dL

  42.

  43. Introducing the Hardware Forensic Database

  44. Introducing the Hardware Forensic Database
      • Origins
        • We needed a central place to report the tools/methodologies required to extract information from various devices
        • We wanted it to be collaborative, as other CERTs may want to add more information about other devices
      • What does it contain?
        • Detailed information about various devices (electronics, available interfaces)
        • Curated methodologies to investigate each device
        • Forensically-sound open-source tools to collect information
        • Known vulnerabilities that may be used to bypass protections and access information
