Enterprise companies are using consumer and IoT devices to complete (or expand) their services such as broadband, IPTV, media streaming, satellite, voice and 3G/4G services. Although the devices are owned by the service providers, subscribers have limited (or full) access to them with service agreements. In addition to that, some of consumer devices also have roles on corporate communications, environment security or employee services. Consumer devices are located at subscriber premises; therefore, the traditional security testing approach only covers backend services security, not the devices.
Consumer and IoT devices are susceptible to hardware hacking based attacks such as firmware dumping, re-flashing with a custom firmware, and getting low level access using the physical management interfaces such as SPI, JTAG and UART. Low level access obtained can be used to modify device behaviours or their initial states. This helps attackers to debug consumer devices and operator services, to find new vulnerabilities, and to obtain the device configuration which may contain credentials for the service infrastructure.
Embedded device and hardware hacking is a rising skill set for penetration testers. It is required to understand targeted attacks which may include hardware implants, modified hardware attacking their own infrastructure or compromised devices that target the human factor. Some of advanced testing examples to be discussed are preparing a custom hardware for persistent access during a red teaming exercise, preparing a compromised consumer device for human factor pen-testing, attacking TR-069 services of a provider using smart home modems or altering the security controls of a device to abuse the service.
The presentation focuses on how the existing security testing techniques should be evolved with hardware and IoT hacking, and how service providers can make their infrastructure secure for cutting-edge attacks. Essential hardware hacking information, identifying and using physical management interfaces, hardware hacking toolset, well-known hardware attacks and hardware testing procedure will be presented in a road map for consumer devices security testing. Also a security testing approach will be explained to develop new security testing services and to improve existing ones such as red teaming, human factor pen-testing and infrastructure pen-testing.
7. 7
Combining testing skills
Design reviews do not show business
logic issues
Tech must be tested for various
perspectives
Traditional tests do not cover
Devices’ firmware and hardware
Management in a protected network
Very limited days for testing
May'16
8. 8
Testing methodology must be flexible
Various devices – ARM vs MIPS, Phone vs Modem
Various OSes – Android vs Linux vs VxWorks
Testing must always focus on the device’s roles
May'16
12. 12
Weaknesses are already known
Configuration dump for credentials
Editing the conf to enable a feature
Vulnerabilities are public and easy
Telnet authentication bypass
Sagem: https://www.exploit-db.com/exploits/17670
Netgear:
https://wiki.openwrt.org/toh/netgear/telnet.console
E.g. admin password leak
wget http://1.1.1.1/password.html -t 1 -q -O - | grep pwd
May'16
13. Console Debugging
TX, RX, GND, V
May'16
Debugging On-Chip
Debug TDI, TDO,
TCK…
Access to Flash
Read/Write Data
SCK, MOSI, MISO...
13
19. 19
Usually 4 PINs
TX, RX, GND, Voltage
Provides device access
Bootloader, console access
Real-time debugging
Access without a password
May'16
20. Find the ground
Find the voltage
Set the target voltage
Try to send/receive
TX vs RX
Various baud rates
Analyse the output
Jtagulator
May'16 20
26. 26
Debugging standard
Everything depends on the vendor
Device or system testing
Daisy-chained JTAG
TDI (Test Data In)
TDO (Test Data Out)
TCK (Test Clock)
TMS (Test Mode Select)
TRST (Test Reset)
May'16
30. 30
Broadband, IPTV, Satellite…
Devices are
connected to the infrastructure
managing by service provider
in the consumer promises
Relying on vendors for security
Default configuration
Legacy or unpatched software
Management interfaces
May'16
31. 31
Various vendors in a pool
Device provisioning
Software & configuration
management
Call centre connections
Generic information in the wild
Custom software (e.g OpenWRT)
Bypassing controls is common
BYOD on subscriber services
May'16
39. 39
Backdoors on devices are common
Open source, distribution, vendors…
Expensive to replicate the attack
Red teaming engagements
Putting a Raspberry Pi in everything
Collecting keyboard & mouse input
Human factor pen-testing
Sending backdoored devices
May'16
40. 40
3G/4G Modems
WiFi models with services and features
USB models require drivers
Internal storage and card reader
Unauthorised access via services
Firmware operations
Dumping and reversing the firmware
Backdooring the firmware
Using their shelves for USB duckies
May'16
41. 41
Keysweeper by SamyKamkar
Arduino/Teensy based sniffer
Sniffing Microsoft Wireless Keyboard
Mousejack by Bastille Security
RF keyboard & mouse receivers
Force pairing vulnerability
Force pairing a remote keyboard
May'16
42. 42
Efficient for persistent access
Raspberry Pi, Arduino
Can fit in many devices
Find a suitable device to backdoor
Find a power source
Find a network connection
Solder and connect the pieces
Broadcast the network connected
Advanced implants take time
May'16
46. 46
Enforcing vendors to
Disable physical interfaces
Use encryption and access keys
Follow a security standard
Network isolation for subscribers
Tailored research for
Vendor product vulnerabilities
CPE management services
Backdoor analysis
May'16
47. 47
Devices are IN SCOPE
Think different and combine skills
Everything is a target
Home automation, CCTV, phones…
Testing service operator networks
Test services through devices
Extract information from devices
Access and fuzz tests through
devices
May'16
48. 48
Focuses on all components
Devices, infrastructure, software…
Focuses on exploitable issues
Combines various disciplines
Embedded systems, mobile, network…
Closes the gap between offense
and defense
May'16