luis ringzero net luis miras what i m not covering what i
play

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be - PDF document

Nov 26, 2023 •12 likes •722 views

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be Covering Attack Passive (Sniffing) authentication data sensitive data Active (Injection) Denial of Service Execution of arbitrary commands RF

  1. luis@ringzero.net Luis Miras

  2. What I’m Not Covering

  7. What I Will Be Covering

  12. Attack • Passive (Sniffing) – authentication data – sensitive data • Active (Injection) – Denial of Service – Execution of arbitrary commands

  13. RF • RF design is hard, not needed. • Scanners are not needed. • Devices come with TX and RX circuits. (use them) • Think of TX and RX circuits as a network socket.

  14. Let’s get HIDphy!!

  15. HID – human interface device • Keyboard – HID codes similar to ps/2 scan codes • Mice – Relative movements and buttons – Positional movement and buttons

  17. Device Research

  21. Device Internals

  28. Device Reversing

  29. Communication • One way traffic (replay attacks!) – except kb • No standard data protocol • Varied RF protocols and frequencies. – 27 Mhz – 900 Mhz – 2.4 Ghz

  31. 0111110 1010 1110 0110 0100 0111110 1010 1110 0110 0100

  32. 0111110 1010 1110 0110 0100 0111110 1010 1110 0110 0100

  33. Reversing the protocol • One way messages must include – Authentication data (serial number) – Data • Tap at the input to the TX Chip – No noise or errors • Tap at the output of RX to verify and build the sniffer.

  37. Clock Clock Clock Clock Sync Sync Sync Sync

  38. Data Data Data Data

  40. Reversing the Protocol Page Down 0111110 1010 1110 0110 0100 1001 0101 0010 1000001 Page Up 0111110 1010 1110 0110 0100 1101 0101 0110 1000001 “Hide” 0111110 1010 1110 0110 0100 1011 0101 1010 1000001

  41. Reversing the Protocol Page Down 0111110 0111110 1010 1110 0110 0100 1001 0101 0010 1000001 1000001 Page Up 0111110 0111110 1010 1110 0110 0100 1101 0101 0110 1000001 1000001 “Hide” 0111110 0111110 1010 1110 0110 0100 1011 0101 1010 1000001 1000001

  42. Reversing the Protocol Page Down 1010 1110 0110 0100 1001 0101 0010 Page Up 1010 1110 0110 0100 1101 0101 0110 “Hide” 1010 1110 0110 0100 1011 0101 1010

  43. Reversing the Protocol Page Down 1010 1110 0110 0100 1010 1110 0110 0100 1001 0101 0101 0010 Page Up 1010 1110 0110 0100 1010 1110 0110 0100 1101 0101 0101 0110 “Hide” 1010 1110 0110 0100 1010 1110 0110 0100 1011 0101 0101 1010

  44. Reversing the Protocol Page Down 1010 1110 0110 0100 1001 1001 0101 0010 0010 Page Up 1010 1110 0110 0100 1101 1101 0101 0110 0110 “Hide” 1010 1110 0110 0100 1011 1011 0101 1010 1010

  45. Reversing the Protocol header serial data serial data footer 0111110 xxxx xxxx xxxx xxxx xxxx xxxx xxxx 01001

  46. Attacks

  47. BYOM (bring your own MCU) • Ideally the original MCU would be reprogrammed – Most are OTP (One time programmable) – Can’t read them, security fuse blown • Our own MCUs are needed

  48. Sniffing at the chiplevel

  50. Injecting at the chiplevel

  52. Passive attacks • Needed to acquire authentication data • Sensitive data from keyboards (passwords) • Mouse data not very useful

  53. – Keyboards (including presenters) Attacks are HID type dependent Active attacks – Mice •

  54. + ‘R’ == (: Active Keyboard Attacks

  58. While at the cmd … Echo data to a bat file Run the bat file

  59. Active Mouse Attacks What can be done by being able to inject mouse movement and clicks? • Being able to see the screen. (Attacking a live presentation) • Blind

  60. Accessibility for the Attacker

  61. Mouse movement scripting No visual feedback. Educated guessing Blind Attacks • • •

  62. Getting Feedback • Attempt to connect to controlled webserver • Check logs • Readjust and reattack

  63. Microcontrollers

  67. More MCU uses • Custom bit stream sniffer/recorder/iterface • Custom bit generator driven by software

  68. Software controlled bit generation Scripting interface Future Work Keyboards • • •

  70. Summary • Find FCC ID info • Tap into data path. • Reverse the protocol • Inject/Sniff data using customized MCUs • Client enforced security is still client enforced security

  71. luis@ringzero.net Questions?

Recommend

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras (luis@ringzero.net) RingZero https://luis.ringzero.net Agenda SMS Background Overview SMS in mobile security Testing Challenges

877 views • 66 slides
Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org May 15, 2013 Luis Pedro Coelho (luis@luispedro.org) Jug Tutorial 0 May 15, 2013 (1 / 24) Problem Brute force a password. Luis Pedro

741 views • 24 slides
Who is Luis? PhD in architecture, multiprocessors, parallelism, compilers. University of

Who is Luis? PhD in architecture, multiprocessors, parallelism, compilers. University of

University of Washington The Hardware/Software Interface CSE351 Autumn20111st Lecture, September 28 Instructor: Luis Ceze Teaching Assistants: Nick Hunt, Michelle Lim, Aryan Naraghi, Rachel Sobel University of Washington Who is Luis? PhD in

436 views • 39 slides
On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis

On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis

On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis Almeida UA/FEUP/IT/Cister Valencia, May 7-9 2019 This work is funded by FCT/MEC through national funds and when applicable co funded by FEDER

434 views • 24 slides
COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov

COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov

COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov Department of Planning and Building Community Advisory Councils Training Agenda Welcome Role of CACs in County Government Your Role in

815 views • 25 slides
Luis C. E. De Bona Marcos Castilho Fabiano Silva Daniel Weingartner Luis H. A. Louren co

Luis C. E. De Bona Marcos Castilho Fabiano Silva Daniel Weingartner Luis H. A. Louren co

Introduction and Motivation A Model for Maintenance and Management of Computing Laboratories Paran a Digital Project Conclusion Managing a Grid of Computer Laboratories for Educational Purposes Luis C. E. De Bona Marcos Castilho Fabiano

337 views • 31 slides
{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro >

{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro >

{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro > Systems Architect at CI&T > +5Years Drupal experience > Large Open Source experience > Working with ~150 Drupallers ciandt.com Why

447 views • 40 slides
Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades

Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades

Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades Motor de corrente continua Equaes de funcionamento Gerador de corrente contnua Motor Shunt Principio de funcionamento

977 views • 70 slides
Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s

Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s

Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s various local groups were trying to assist homeless in San Luis Obispo. City and County of San Luis Obispo partnered with then EOC to oversee and

496 views • 30 slides
Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress with Avelio Seplveda (Univ. Lyon 1)) ALEA 2019 Luis Fredes (Universit de Bordeaux) Tree-decorated maps 1 / 24 MAPS Luis Fredes (Universit

763 views • 47 slides
nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer

nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer

A San Luis Valley partnership bringing our nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer Initiative Our Goals: Support veterans seeking work in farming and ranching. Launch new veteran-led

424 views • 19 slides
What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School

What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School

What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School of Economics Credits Present work joint with Euro-nomics economists: Markus Brunnermeier, Luis Garicano, Philip Lane, Stijn Van Nieuwerburgh,

921 views • 77 slides
Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors:

Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors:

Master Thesis Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors: Paolo Calafiura Wim Lavrijsen Expert: Mathieu Monney 02/25/2015 Target Luis Domingues - January 2015 2 Code we started from

555 views • 23 slides
Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress with Avelio Seplveda (Univ. Lyon 1)) LIX 2019 Luis Fredes (Universit de Bordeaux) Tree-decorated maps 1 / 30 MAPS Luis Fredes (Universit

914 views • 57 slides
75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo

75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo

75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo October 2016 Jimmy Doi jdoi@calpoly.edu California Polytechnic State University San Luis Obispo Department of Statistics Introduction

649 views • 28 slides
Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

IEE5008 Autumn 2012 Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of GPUs Garrido Platero, Luis Angel EECS Graduate Program National Chiao Tung University luis.garrido.platero@gmail.com Luis

891 views • 36 slides
Planning by Rewriting Jos-Luis Ambite University of Southern California Information Sciences

Planning by Rewriting Jos-Luis Ambite University of Southern California Information Sciences

Planning by Rewriting Jos-Luis Ambite University of Southern California Information Sciences Institute and Computer Science Department Jos-Luis Ambite Outline Planning by Rewriting (PbR): A new paradigm for efficient high-quality

645 views • 38 slides
Maximizing the Value of Your Payments to Hospital-Based Service Providers LUIS A. ARGUESO,

Maximizing the Value of Your Payments to Hospital-Based Service Providers LUIS A. ARGUESO,

1 Maximizing the Value of Your Payments to Hospital-Based Service Providers LUIS A. ARGUESO, PARTNER, HEALTHCARE APPRAISERS ROBERT STIEFEL, MD, PRINCIPAL, ENHANCE HEALTHCARE CONSULTING Speaker Backgrounds 2 Robert Stiefel, MD Luis A.

395 views • 26 slides
Self-Sorting SSD: Producing Sorted Data Inside Active SSDs Luis Cavazos Quero

Self-Sorting SSD: Producing Sorted Data Inside Active SSDs Luis Cavazos Quero

Self-Sorting SSD: Producing Sorted Data Inside Active SSDs Luis Cavazos Quero Jin-Soo Kim Young-Sik Lee luis@skku.edu jinsookim@skku.edu yslee@calab.kaist.ac.kr Sungkyunkwan

332 views • 11 slides
Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes

Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes

Invariant measures of discrete interacting particles systems: algebraic aspects Luis Fredes (joint work with J.F. Marckert). cole dt St. Flour 2018 Luis Fredes Invariant measures of discrete IPS 1 / 23 Particle system Define a set

658 views • 62 slides
Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from

Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from

Planning as X X {SAT, CSP, ILP, } Jos Luis Ambite* [* Some slides are taken from presentations by Kautz, Selman, Weld, and Kambhampati. Please visit their websites: http://www.cs.washington.edu/homes/kautz/

631 views • 39 slides
PBLCACHE PBLCACHE A client side persistent block cache for the data center Vault Boston 2015 -

PBLCACHE PBLCACHE A client side persistent block cache for the data center Vault Boston 2015 -

PBLCACHE PBLCACHE A client side persistent block cache for the data center Vault Boston 2015 - Luis Pabn - Red Hat ABOUT ME ABOUT ME LUIS PAB N LUIS PAB N Principal Software Engineer, Red Hat Storage IRC, GitHub: lpabon QUESTIONS:

665 views • 40 slides
Early Childhood Education and Crime Jorge Luis Garc a John E. Walker Department of Economics

Early Childhood Education and Crime Jorge Luis Garc a John E. Walker Department of Economics

Early Childhood Education and Crime Jorge Luis Garc a John E. Walker Department of Economics Clemson University 2019 Boys at Risk Conference II Santa Fe, New Mexico Santa Fe Community Convention Center May 1, 2019 Jorge Luis Garc a

196 views • 17 slides
Environmental Impact Report Scoping Meeting - August 14, 2017 COUNTY OF SAN LUIS OBISPO Las

Environmental Impact Report Scoping Meeting - August 14, 2017 COUNTY OF SAN LUIS OBISPO Las

Environmental Impact Report Scoping Meeting - August 14, 2017 COUNTY OF SAN LUIS OBISPO Las Pilitas Quarry Conditional Use Permit www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov Environmental Review California

477 views • 31 slides

More recommend