Internet of Compromised Things
Damien Cauquil & Nicolas Kovacs
RMLL, July 4th, 2017

Who are we ?
• Nicolas Kovacs
  • Security Consultant at CERT-UBIK
  • DFIR team leader
  • Bounty Hunter
• Damien Cauquil
  • R&D director and senior security researcher at CERT-UBIK
  • Smart Things breaker and reverse-engineer
  • Special interest in DFIR

Agenda
I. IoT smart stuff : pirates’ heaven
II. The role of a connected/smart device during an investigation
III. Digital forensics in the Internet of Things era
IV. Traceability and accountability
V. Conclusion
Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes
IoT smart stuff : pirates’ heaven
• Mirai demonstrated how insecure our smart things are
  • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
  • source code quickly released to hide tracks ...
  • ... a lot of clones were developed and launched
  • uses telnet and ssh services to break into cameras, DVRs, etc.
• Why target connected devices rather than servers ?
  • usually not up-to-date
  • run proprietary (insecure) software
  • difficult to monitor
• It’s getting worse !

The Cayla doll case

What could possibly go wrong ?

• Smart devices are now widespread and used
  • to secure our houses and flats : smart locks
  • to detect burglars and intruders : smart alarms, smart CCTV
  • to make a patient’s life easier : smart insulin pumps, connected glucose monitoring systems, smart pacemakers, etc.
• What happens if one of those fails ?
  • Don’t worry, you are covered by your insurance policy !
  • Are you sure ?
  • Last but not least, you might be dead.
The role of a connected device during an investigation
• Three major cases :
  • the device was a victim/target of a crime
  • the device has been used to commit a crime
  • the device contains some information related to a crime

Device as a victim/target
Pacemakers, insulin pumps and a lot more devices may injure people or cause death

• The victim device may contain
  • information about how the attack was performed
  • traces related to the origin of the attacker
  • artefacts (exploits, malware, backdoors, ...)
• Required to evaluate the damages and how bad the situation is !

Device used to commit a crime
Quadcopters as bomb droppers

• The device may contain
  • Information that may reveal its owner’s identity : serial number, email address, phone name or number, ...
  • Geographical information : GPS coordinates, take-off location
  • Photos, videos, records of previous activity

Device contains information related to a case
Amazon’s Alexa device analyzed during an FBI investigation

• The device may contain
  • Information about someone’s activity : GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
  • Photos, videos
  • Logs
Digital forensics in the Internet of Things era
Extracting information from devices may seem an easy task
• Easy-peasy, it’s Linux-based with a known filesystem !
• We just need to dump the Flash memory and extract everything with Encase !
But wait ...
• What if the device uses secure boot with military-grade encryption ?
• What if the device has no filesystem at all ?
• What if the device offers no way to access its system to extract live information ?

• The device uses various electronic chips to store information
  • eMMC
  • SPI Flash
  • F-RAM
  • Internal flash memory (System on Chip)
  • Internal EEPROM
• It stores information at specific, unknown locations
• It may use proprietary encryption or obfuscation
• It offers no easy way to access the information

We need :
• standardized procedures
• forensic tools with proper documentation
• training !
Post-mortem analysis of a smart device
Case Study : TheQuickLock padlock

1. Open the smartlock

2. Remove the screw to unlock the shackle

3. Get your hands on the PCB

• Main component : Texas Instruments CC2541
• Does it run an OS : NO
• No external memory chip : data is stored in the CC2541 SoC
• Memory access : we need a CC Debugger to dump the flash

4. Access the memory and dump it

• Where is the interesting information stored ?
  • No OS, information is stored in Flash
  • We need to find where the interesting information is stored
  • It is not a trivial task and takes time to figure out

5. Extract the PIN code from Flash

6. Extract the event log
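As an added example (not the authors' tooling, and not tied to the real CC2541 layout of TheQuickLock, which this example does not know), the first triage pass an investigator runs over a raw SoC flash dump with no filesystem: map the erased pages, list printable strings with their offsets, and flag PIN-shaped digit runs. The dump is constructed inline; storing the PIN as NUL-terminated ASCII is an assumption.

```python
import re

ERASED = 0xFF  # value of an unprogrammed flash byte


def erased_regions(img: bytes, min_len: int = 64):
    """(offset, length) of 0xFF runs >= min_len: unused pages to skip."""
    regions, i = [], 0
    while i < len(img):
        if img[i] != ERASED:
            i += 1
            continue
        j = i
        while j < len(img) and img[j] == ERASED:
            j += 1
        if j - i >= min_len:
            regions.append((i, j - i))
        i = j
    return regions


def ascii_strings(img: bytes, min_len: int = 4):
    """Printable ASCII runs with offsets, like `strings -t x`."""
    pat = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group().decode()) for m in re.finditer(pat, img)]


def pin_candidates(img: bytes, lo: int = 4, hi: int = 6):
    """Digit runs of PIN-like length. Assumption: the PIN is kept as ASCII;
    a BCD or binary PIN would need a different search."""
    pat = rb"(?<![0-9])[0-9]{%d,%d}(?![0-9])" % (lo, hi)
    return [(m.start(), m.group().decode()) for m in re.finditer(pat, img)]


def build_sample_image() -> bytes:
    """Constructed sample, not a real dump: 256 bytes of code-like data,
    a version string, an assumed NUL-terminated ASCII PIN, an erased page."""
    code = bytes((i * 37 + 11) & 0xFF for i in range(256))
    return code + b"QUICKLOCK v1.2\x00" + b"4711\x00" + bytes([ERASED]) * 512


def triage(img: bytes) -> dict:
    """One-shot map of where to look (and where not to) in the dump."""
    return {"size": len(img), "erased": erased_regions(img),
            "strings": ascii_strings(img), "pins": pin_candidates(img)}


if __name__ == "__main__":
    for key, value in triage(build_sample_image()).items():
        print(key, value)
```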
We need moar tools !
• Tools to desolder and clean electronic memory chips
• Tools to access memory devices and forensically extract information
• Tools to reverse-engineer firmware and find where and how the information is stored
• Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits !)

We need a specific methodology !
• Maximum of information, minimum effort
  • allowing investigators to quickly extract valuable information
  • reducing the risk of loss of information (when possible) and ensuring evidence integrity
Live analysis of compromised devices
• Analysis is often difficult
  • no easy way to communicate with the device
  • no system access while the system is active (if we want to keep it active)
  • no standard procedure, it’s not a computer !
• Lack of proper tools
  • We have to deal with U(S)ART or BLE interfaces
  • Standard DFIR toolkits provide no way to interact with these protocols

• If it’s on, keep it on !
  • Powering off the device may destroy evidence
  • The device may provide an easy way to extract valuable information
• Identify the best way to extract information from the device
  • Find a working communication channel
  • Ensure it offers access to valuable information
• Use this communication channel to gather as much information as possible
  • Available information depends on the device
  • The device MUST provide a feature to get valuable information (error codes, logs, ...)

• Use available tools to access the device
  • Linux GATT client to communicate through BLE
  • screen or minicom to communicate through U(S)ART
• Collect every valuable piece of information, following the Order of Volatility
  • Active memory
  • Processes list
  • Active connections
  • IP Addresses
  • BD Addresses
  • Files (or assimilated)
  • Serial numbers
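An added example (not the authors' HFDB tooling) of the live-collection step above: a plan run strictly in Order of Volatility over a command/response channel such as a U(S)ART console, where each reply is time-stamped and hashed so the capture can be checked for integrity afterwards. The console commands and the FakeUart stand-in are assumptions for the demo; a real run would wrap pyserial or a GATT client in the same `query` interface.

```python
import hashlib
from datetime import datetime, timezone

# Most volatile first, following the Order of Volatility in the slides.
# Command strings are assumptions for a Linux-like console, not a real device.
VOLATILITY_PLAN = [
    ("active_memory", b"memdump\r\n"),
    ("processes", b"ps\r\n"),
    ("connections", b"netstat\r\n"),
    ("addresses", b"ifconfig\r\n"),
    ("files", b"ls -la /\r\n"),
    ("serial_number", b"cat /proc/serial\r\n"),
]


class FakeUart:
    """Constructed stand-in for a U(S)ART console with canned replies."""
    def __init__(self, replies):
        self.replies = replies

    def query(self, cmd: bytes) -> bytes:
        return self.replies.get(cmd, b"unknown command\r\n")


def collect(transport, plan=VOLATILITY_PLAN):
    """Run the plan strictly in order; a failing step is logged and the
    run continues, so more volatile data already gathered is not lost."""
    manifest = []
    for name, cmd in plan:
        try:
            raw, ok = transport.query(cmd), True
        except Exception as exc:  # device went silent or errored
            raw, ok = repr(exc).encode(), False
        manifest.append({
            "step": name, "command": cmd.decode().strip(), "ok": ok,
            "captured_at": datetime.now(timezone.utc).isoformat(),
            "size": len(raw), "sha256": hashlib.sha256(raw).hexdigest(),
            "data_hex": raw.hex(),  # raw bytes kept intact for later review
        })
    return manifest


def verify(manifest) -> bool:
    """Re-hash each capture: True only if nothing was altered afterwards."""
    return all(hashlib.sha256(bytes.fromhex(e["data_hex"])).hexdigest()
               == e["sha256"] for e in manifest)
```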
Case Study : Fora Glucose Monitoring System

• The device relies on its own protocol over Bluetooth LE
  • Old serial protocol ported to BLE
  • Offers a lot of features
  • May be used to extract information

• We can then collect
  • All records stored in the device
  • Firmware information
  • Serial Number
• Dedicated tool available in the HFDB
  • Collects all the measurements stored on a device
  • Features in development : serial number and firmware info

$ node diamondmini.js -t XX:XX:XX:XX:XX:XX
Number of records: 1
Newest record index is: 0
--- Records ----
16/8/16 16:43 - 147 mg/dL
Introducing the Hardware Forensic Database
• Origins
  • We needed a central place to report the tools/methodologies required to extract information from various devices
  • We wanted it to be collaborative, as other CERTs may want to add more information about other devices
• What does it contain ?
  • Detailed information about various devices (electronics, available interfaces)
  • Curated methodologies to investigate each device
  • Forensically-sound open-source tools to collect information
  • Known vulnerabilities that may be used to bypass protections and access information