HARDSPLOIT Framework for Hardware Security Audit

HARDSPLOIT Framework for Hardware Security Audit - PowerPoint Presentation

alida-meadow (@alida-meadow)
Uploaded On 2018-12-13


A bridge between a hardware & a software pentester. Who am I? Julien Moinard, electronic engineer @opale-security, security consultant, hardware & software pentester. ID: 740579




Presentation Transcript

Slide 1

HARDSPLOIT
Framework for Hardware Security Audit
A bridge between a hardware & a software pentester

Slide 2

Who am I? Julien Moinard
Electronic engineer @opale-security
Security consultant, Hardware & Software pentester
Team project leader of Hardsploit
DIY enthusiast

Slide 3

Opale Security in 1 slide

Slide 4

Internet of Things & Privacy concern?
Any IoT object could reveal information about individuals
Wearable Technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded and so on
Quantified Self: pedometers, sleep monitors, and so on
Home Automation: connected households using smart fridges, smart lighting and smart security systems, and so on…

Slide 5

Internet of Things & Privacy concern?
Multiple Targets?

Slide 6

Internet of Things & Privacy concern?
Last news: (you can update this slide every week)
Firmware can be read without any problem (SPI memory)
VTech was hacked in November, exposing millions of accounts. In response, the firm took some essential services offline, meaning products could not be registered on Christmas Day.

Slide 7

IoT Eco-system (20000 feet view)
Privacy Risk level: Where?
HF communication (ISM Band) + Wifi + 3G-5G, Bluetooth, Sigfox, Lora etc.
Classical wired connections
Central servers, User Interface, API, Backoffice etc.
IoT devices

Slide 8

Security speaking, hardware is the new software?

SOFTWARE
To secure it:
Security products (Firewall, Antivirus, IDS, …)
Security services (Pentest, Audit, …)
Tools (uncountable number of them)

HARDWARE
To secure it:
Few or unimplemented solutions (encryption with key in a secure area, anti-replay mechanisms, readout protection, …)
Direct access
« Bridge » access

Slide 9

Hardsploit & hardware hacking basic procedure
1/ Open it
2/ Fingerprint all the components if you can, else automatic brute forcing
3/ Use those that may contain data (Online / Offline analysis?)
4/ Perform read | write operations on them
5/ Reverse engineering, find vulnerabilities and exploit them

Slide 10

Global Purpose

Slide 11

Why? Because chips contain interesting / private data
Passwords
File systems
Firmware
…

Slide 12

How? A hardware pentester needs to know electronic buses and be able to interact with them
SPI
I²C
1-Wire
JTAG / SWD
UART
CAN
PARALLEL
Custom

Slide 13

Hardsploit framework
Same hardware, but a software update is needed to add new protocols
Hardsploit <-> IoT target
Input / Output
Database
Module (SWD, SMBus, I2C, SPI, etc.)

Slide 14

Hardsploit bus identification & scanner (in progress, not published yet)
Hardsploit <-> IoT target
Input / Output
Database of patterns
Database
Module (I2C, SPI, etc.)
IO hardware mixer
Scanner
Click to hack / audit hardware

Slide 15

Tool of trade

FUNCTIONALITIES | BUSPIRATE | JTAGULATOR | GOODFET | HARDSPLOIT
PROTOCOLS (as listed on the slide) | UART, Bus identification, SPI, PARALLEL, I2C, JTAG / SWD, Bus identification
MODULARITY | Microcontroller | Microcontroller | Microcontroller | uC / FPGA
EASE OF USE | Cmd line + datasheet | Command line | Command line | Official GUI / API / DB
I/O NUMBER | < 10 | 24 | < 14 | 64 (plus power)
WIRING | TEXT (but MOSI = SDA) | TEXT / AUTOMATIC identification | TEXT | LED / TEXT / AUTOMATIC identification

Slide 16

Hardsploit: Communication

Slide 17

Prototype making
Applying soldering paste (low budget style)

Slide 18

Prototype making
Manual reflow oven (DIY style)

Slide 19

Prototype V0.1 aka The Green Goblin

Slide 20

Prototype making (with a budget)
The rebirth

Slide 21

The board – Final version
64 I/O channels
ESD Protection
Target voltage: 3.3 & 5V
Uses a Cyclone II FPGA
USB 2.0
20cm x 9cm

Slide 22

Hardsploit organization

Slide 23

Chip management
Search
Create
Modify
Interact

Slide 24

Wiring helper
Datasheet representation
Hardsploit Wiring module representation
GUI <–> Board interaction

Slide 25

Settings

Slide 26

Command editor

Slide 27

Open source: What is available on github?
Microcontroller (C)
API (Ruby)
GUI (Ruby)
Create your own Hardsploit module: VHDL & API (Ruby)

Slide 28

Already available (github)
Parallel: non-multiplexed memory dump, 32 bits for address, 8/16 bits for data, wiring help
I2C: 100 kHz, 400 kHz and 1 MHz, address scan, read, write, automatic full and partial dump
SPI: modes 0, 1, 2, 3 up to 25 MHz, read, write, automatic full and partial dump
SWD interface (like JTAG but for ARM cores): dump and write firmware of most ARM CPUs
GPIO interact / bitbanging (API only for the moment): low speed < 500 Hz, read & write operations on 64 bits
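The SWD module above dumps firmware from most ARM cores, and the STM32F103 fingerprinted later in the deck is exactly such a target. The first thing an auditor (and the device's designer) wants to know is therefore whether flash readout protection is set. The Ruby below is an added example, not Hardsploit's own code or API: it decodes the 16-byte STM32F1 option-byte area (the block an SWD read of 0x1FFFF800 returns) and reports the RDP and write-protection state. The layout and the 0xA5 "unprotected" key follow the STM32F10x flash programming manual; the images it checks are constructed with its own encode helper, not read from a device.

```ruby
# Added example (not Hardsploit code): decode STM32F1 option bytes to tell
# whether flash readout protection (RDP) is active, i.e. whether an SWD
# debugger can dump the firmware at all.
#
# Option byte area (16 bytes at 0x1FFFF800); every value is stored together
# with its bitwise complement in the following byte:
#   +0 RDP  +1 nRDP  +2 USER  +3 nUSER  +4 Data0 +5 nData0 +6 Data1 +7 nData1
#   +8 WRP0 +9 nWRP0 ... +14 WRP3 +15 nWRP3
# RDP == 0xA5 means readout protection is OFF. Any other value, or a failed
# complement check, leaves the flash read-protected (the conservative state).
module STM32F1OptionBytes
  OPTION_BYTES_ADDR = 0x1FFFF800
  RDP_UNLOCKED      = 0xA5

  # raw: 16-byte binary string as read from OPTION_BYTES_ADDR.
  def self.decode(raw)
    raise ArgumentError, "expected 16 option bytes" unless raw.bytesize == 16
    b = raw.bytes
    rdp_valid = (b[0] ^ b[1]) == 0xFF
    wrp_valid = (0..3).all? { |i| (b[8 + 2 * i] ^ b[9 + 2 * i]) == 0xFF }

    # WRP0..WRP3 form a 32-bit mask, WRP0 being the least significant byte.
    # A cleared bit write-protects one group of flash pages (4 KB on
    # medium-density parts such as the STM32F103RB).
    wrp_mask = (0..3).inject(0) { |m, i| m | (b[8 + 2 * i] << (8 * i)) }
    protected_groups = (0..31).select { |bit| wrp_mask[bit].zero? }

    {
      rdp_raw:                b[0],
      rdp_complement_valid:   rdp_valid,
      readout_protected:      !(rdp_valid && b[0] == RDP_UNLOCKED),
      user_raw:               b[2],
      wrp_complement_valid:   wrp_valid,
      write_protected_groups: protected_groups,
    }
  end

  # Build a 16-byte option image (values plus complements). Used here to
  # construct inputs; it is also the image a production programmer writes
  # to enforce RDP on a shipped unit.
  def self.encode(rdp:, user: 0xFF, data0: 0xFF, data1: 0xFF, wrp: 0xFFFFFFFF)
    values = [rdp, user, data0, data1,
              wrp & 0xFF, (wrp >> 8) & 0xFF, (wrp >> 16) & 0xFF, (wrp >> 24) & 0xFF]
    values.flat_map { |v| [v & 0xFF, (v & 0xFF) ^ 0xFF] }.pack("C*")
  end

  # One-line verdict for an audit report.
  def self.verdict(raw)
    d = decode(raw)
    return "RDP complement invalid: flash treated as read-protected" unless d[:rdp_complement_valid]
    d[:readout_protected] ? "readout protection ON" : "readout protection OFF: firmware can be dumped over SWD"
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed images: a development board left unlocked, and a shipped unit.
  puts STM32F1OptionBytes.verdict(STM32F1OptionBytes.encode(rdp: 0xA5))
  puts STM32F1OptionBytes.verdict(STM32F1OptionBytes.encode(rdp: 0xFF, wrp: 0xFFFFFFFE))
end
```

The complement check matters in practice: a dump that returns 16 bytes of 0xFF (erased option bytes) fails it, and the part behaves as protected, so an auditor should report the raw bytes rather than only the verdict.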

Slide 29

More to come (see online roadmap)…
Automatic bus identification & scanner (@30%)
Component & commands sharing platform (@90%)
TTL UART module with automatic speed detection (@80%)
Parallel communication with multiplexed memory
I2C sniffing (shot of 4000 bytes up to 1 MHz)
SPI sniffing (shot of 8000 / 4000 bytes, half / full, up to 25 MHz)
RF wireless transmission training platform (Nordic NRF24, 433 MHz, 868 MHz transceivers)
Metasploit integration (module)??
JTAG
1-Wire
CAN bus (with level adapter)
…

Slide 30

Concrete case
An electronic lock system
4-character pin code A – B – C – D
Good combination – Door opens, green LED turns on
Wrong combination – Door stays closed, red LED turns on

Slide 31

1/ Open it

Slide 32

2/ Fingerprint
I2C MEMORY 24LC64
STM32F103RBT6
SPI MEMORY 25LC08
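Of the three chips just fingerprinted, the 24LC64 is the easiest to reach: an I2C EEPROM with no authentication at all, which is what the I2C module of slide 28 reads and dumps. As an added example (not Hardsploit's own code or API), the Ruby module below writes out the complete bus transactions for a 24LC64 read and write, including the 32-byte page boundary a write must not cross. The device address, capacity and page size are the 24LC64 family's; representing a transaction as a list of symbolic events (:start, bytes, :restart, [:read, n], :stop) is this example's own convention.

```ruby
# Added example (not Hardsploit code): what the I2C bus has to carry to read
# or write a 24LC64 EEPROM. Two control bytes and a 16-bit word address are
# all it takes; the chip has no access control, which is why secrets stored
# in it in clear are recoverable by anyone with probe access.
module EEPROM24LC64
  SIZE      = 8192          # 64 Kbit
  PAGE_SIZE = 32            # write page; a write must stay inside one page
  BASE_ADDR = 0x50          # 7-bit address 1010 A2 A1 A0, A2..A0 strapped on the PCB

  # 8-bit control byte: 7-bit address shifted left, R/W in bit 0.
  def self.control_byte(a2a1a0, read:)
    raise ArgumentError, "A2..A0 must be 0..7" unless (0..7).cover?(a2a1a0)
    ((BASE_ADDR | a2a1a0) << 1) | (read ? 1 : 0)
  end

  # Random/sequential read of +length+ bytes from +addr+:
  # START, control(write), addr hi, addr lo, repeated START, control(read),
  # clock in the data, STOP. A full dump is just length == SIZE.
  def self.read_transaction(addr, length, a2a1a0: 0)
    check_range(addr, length)
    [
      :start,
      control_byte(a2a1a0, read: false),
      (addr >> 8) & 0xFF, addr & 0xFF,          # word address, MSB first
      :restart,
      control_byte(a2a1a0, read: true),
      [:read, length],
      :stop,
    ]
  end

  # Page write. If a single write runs past a 32-byte page boundary the
  # internal address counter wraps to the start of the same page and the
  # earlier bytes are silently overwritten, so the data is split per page.
  def self.write_transactions(addr, data, a2a1a0: 0)
    check_range(addr, data.bytesize)
    bytes = data.bytes
    out   = []
    cur   = addr
    until bytes.empty?
      room  = PAGE_SIZE - (cur % PAGE_SIZE)       # bytes left in this page
      chunk = bytes.shift(room)
      out << [:start, control_byte(a2a1a0, read: false),
              (cur >> 8) & 0xFF, cur & 0xFF, *chunk, :stop]
      cur += chunk.length
    end
    out
  end

  def self.check_range(addr, length)
    raise ArgumentError, "out of range" if addr < 0 || length < 0 || addr + length > SIZE
  end
  private_class_method :check_range
end

if __FILE__ == $PROGRAM_NAME
  p EEPROM24LC64.read_transaction(0x0040, 16)
  # a 4-byte write at 0x1E straddles the 0x20 page boundary: two transactions
  EEPROM24LC64.write_transactions(0x001E, "ABCD").each { |t| p t }
end
```

Each write transaction must also be followed by the chip's internal write cycle (a few ms) before the next one is accepted; a driver polls with a START plus control byte until the device ACKs.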

Slide 33

Online / Offline analysis?

Slide 34

Scenario
Open Hardsploit to create the component (if it does not exist yet)
Connect the component to Hardsploit (wiring helper)
Enter and save the component settings (if they do not exist yet)
Dump the content of the memories (1 click)
Change the door password by using commands (a few clicks)
Try the new password on the lock system (enjoy)
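Step 4 of the scenario leaves the auditor with a raw dump of the 24LC64 and the 25LC08. Before changing anything, the useful offline question is what the dump actually contains: erased cells, plaintext configuration (a four-character PIN, say) or ciphertext, which is the difference between a lock that fails the audit and one whose designer stored the secret encrypted with the key elsewhere. The Ruby below is an added example, not part of the deck or of Hardsploit: it scores each block by Shannon entropy, lists printable strings with their offsets, and diffs two dumps to locate the bytes a setting change touched. The dumps it runs on are constructed inline, not captured from the lock.

```ruby
# Added example (not Hardsploit code): offline analysis of a memory dump as
# produced by the I2C/SPI modules. Three checks an auditor wants:
#   * per-block Shannon entropy: erased EEPROM (all 0xFF) scores 0, plaintext
#     text/config scores low, encrypted or random data sits near the maximum;
#   * printable strings with offsets (a PIN stored in clear shows up here);
#   * byte-level diff of two dumps, to locate which cells a setting change hit.
module DumpAnalysis
  PRINTABLE = /[\x20-\x7e]{4,}/n   # runs of >= 4 printable ASCII bytes

  def self.shannon_entropy(bytes)
    return 0.0 if bytes.empty?
    counts = Hash.new(0)
    bytes.each_byte { |b| counts[b] += 1 }
    n = bytes.bytesize.to_f
    sum = counts.values.sum { |c| p = c / n; p * Math.log2(p) }
    -sum
  end

  # [[offset, string], ...]
  def self.printable_strings(bytes)
    bin = bytes.b
    out = []
    pos = 0
    while (m = PRINTABLE.match(bin, pos))
      out << [m.begin(0), m[0]]
      pos = m.end(0)
    end
    out
  end

  # [[offset, entropy, kind], ...] per fixed-size block.
  def self.classify_blocks(dump, block_size = 64)
    (0...dump.bytesize).step(block_size).map do |off|
      blk     = dump.byteslice(off, block_size)
      ent     = shannon_entropy(blk)
      max_ent = Math.log2([blk.bytesize, 256].min)   # best possible for this block size
      kind = if blk.each_byte.all? { |b| b == 0xFF } then :erased
             elsif ent >= 0.9 * max_ent             then :high_entropy   # ciphertext / random
             elsif printable_strings(blk).any?       then :plaintext_text
             else                                         :binary
             end
      [off, ent.round(2), kind]
    end
  end

  # Offsets whose byte differs between two equal-length dumps: [[offset, a, b], ...]
  def self.diff_dumps(a, b)
    raise ArgumentError, "dump sizes differ" unless a.bytesize == b.bytesize
    pairs = a.bytes.zip(b.bytes).each_with_index
    pairs.select { |(x, y), _| x != y }.map { |(x, y), i| [i, x, y] }
  end
end

# Constructed 256-byte dump standing in for a 24LC64 readout: a config record
# with the PIN at 0x40, a 64-byte stand-in for ciphertext at 0x80 (64 distinct
# byte values, so entropy sits at the 6-bit maximum for the block), 0xFF elsewhere.
def build_sample_dump(pin)
  d = "\xFF".b * 256
  d[0x40, 16] = "LOCK v1.0\x00".b + pin.b + "\x00\x00".b
  d[0x80, 64] = (0...64).map { |i| (i * 73 + 17) & 0xFF }.pack("C*")
  d
end

# Lines for an audit report: one per block, then one per printable string.
def report(dump)
  lines = DumpAnalysis.classify_blocks(dump).map { |off, e, k| format("0x%04X entropy=%.2f %s", off, e, k) }
  DumpAnalysis.printable_strings(dump).each { |off, s| lines << format("0x%04X string %p", off, s) }
  lines
end

if __FILE__ == $PROGRAM_NAME
  before = build_sample_dump("1234")
  puts report(before)
  # dump again after the PIN was changed: the diff pinpoints where it lives
  p DumpAnalysis.diff_dumps(before, build_sample_dump("1274"))
end
```

The entropy threshold is relative to the block size because a 64-byte block can never score more than 6 bits per byte; with 256-byte blocks the same code compares against 8.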

Slide 35

Read | Write operations, I2C, SPI, SWD …
Time for a live demo?

Slide 36

Parallel bus memory

Slide 37

1/ Fingerprint

Slide 38

2/ Offline analysis

Slide 39

3/ Ready to dump the content

Slide 40

Conclusion
IoT devices are (also) prone to vulnerabilities; Hardsploit helps you find them
Security policies need to be adapted: nowadays it is not so difficult to extract data from IoT devices
Designers need to design with security in mind
Skills related to pentesting a hardware device are mandatory for security experts (but training exists)
Industry needs to take care about device security

Slide 41

Thank you!
The Hardsploit board is available on shop-hardsploit.com
To learn more about Hardsploit and follow the development: Hardsploit.io & Opale-Security.com

Yann ALLAIN (CEO)
yann.allain@opale-security.com
+33 6 45 45 33 81
Hardware & Software, Pentest, Audit, Training

Julien MOINARD (pentester, Project leader of Hardsploit)
julien.moinard@opale-security.com
+33 9 72 43 87 07