
"IoT and the Future of Pentesting" - Jeremy Goldstein

BSides Canberra · 49:23 · 722 views · Published 2019-05
About this talk
"IoT and the Future of Pentesting" - Jeremy Goldstein BSides Canberra 2019
Transcript [en]

Right now we have Jeremy Goldstein, who will be talking on IoT and the future of pen testing, so let's welcome him to the stage.

All right, well, first I just want to thank everyone for coming along to the talk; hopefully we'll be able to take something away from it. So of course, based on the title here, I'm going to be talking about the Internet of Things and how that plays into the future of pen testing, and the security implications. So let's start off with an agenda as to what we'll be going over here. Of course we have to have the obligatory "Who am I" so you all know who I am. Then we'll get into the background of technology evolution and how that's affected pen testing, so a bit of a history of computing, so to speak. Then we'll look at where we're heading from now in the kind of short term, medium term, and then take a bit of a deep dive into IoT and hardware hacking, of course, which should be the fun part. And then we'll take a bit of a big step back and discuss why this kind of matters at a high level to us, to society, to our industry, and some concluding thoughts as well.

So, getting to our obligatory "Who am I": as I said, I'm Jeremy Goldstein. I'm the head of security testing at TSS. TSS was formerly Datacom TSS; we've rebranded to TSS Cyber, and we provide managed security services, security consultancy, and red teaming and pen testing, which is what I lead a team for. Previous to that I was the team lead of the KPN red team, which is effectively Telstra in the Netherlands, where I lived and worked for three years. And before that I was the director of security testing in the Tax Office, which I'm sure everyone is somewhat familiar with. I've been in infosec for about 15 years, running technical teams for about 10 of those, all focused around pen testing, incident response, threat intelligence.

So let's go through a bit of a selective history of modern computing and how it's actually impacted pen testing. I'm going to start with the humble PC. As a lot of you will probably know, PCs started in things like the Homebrew Computer Club over in America. This is a photo of Steve Wozniak and Steve Jobs working on some of the original PCs, and they really started out in these enthusiast type of clubs, kit computers you'd put together, that kind of thing. But later on, with people like beautiful Bill Gates here, they started to gain traction in businesses and they were no longer this hobbyist device that you'd put together. So you had marketing like that, and then Steve Ballmer and that kind of thing: how could business not grab these computers up and use them?

So looking at what that kind of brought us: with PCs becoming pervasive in businesses, enterprises, that kind of thing, that brought about a lot of desktop applications that everyone would use to do their jobs, and from a pen testing perspective this brought us thick client pen testing, OllyDbg, that kind of thing. After PCs started to become a bit more pervasive, networking started to rear its head to actually connect these computers together, and the Internet of course. And you'll see a similar theme here, at least with the way I see it, which is that the internet also started out a bit less commercial; it was largely, like, academic,

quite casual, bulletin board systems, that kind of thing, and military as well, and it wasn't till much later that businesses and enterprises started to adopt the internet. And that networking, that internet, really brought us infrastructure pen testing, so there's some pretty common tools there that a lot of you would be very familiar with.

From the internet, moving on from bulletin board systems and those kinds of things, we had websites and web applications, and again they started out very, very casual and consumer oriented. So some of you might recognize some of these style of GeoCities web pages, which were all the hotness back in the day, and there was of course pornography and those kinds of bits and pieces on the internet. But businesses didn't really adopt it until it became way more pervasive, and now I think you'd all agree that it's pretty rare for a company or a business not to have some kind of internet presence. And so this rise of web apps, websites, that kind of thing, brought us web application pen testing, which most people are pretty familiar with.

The next major iteration that I saw was the rise of smartphones and apps, but again we had this really consumer slant to them. So I remember buying my first iPhone, the only iPhone I ever bought as well, by the way, and the key selling point when it first got released was that I no longer had to have an iPod and a phone; it was one device, and that was the really cool, I guess, consumer slant to this device, because the App Store didn't exist, it wasn't invented yet when the first iPhone was released. But of course the App Store did get released, Android did their version, and then apps just became so pervasive. But again, these apps had a very consumer slant to start with. The App Store was released in 2008, and by Christmas 2008 the number one paid-for app on the App Store was a fart app: you press a button and it farts. And I read that apparently the author of this fart app made up to $10,000 in a day at times through sales of it, so it just goes to show how consumer apps work. But now of course you do your banking on your phone, and two-factor authentication tokens, all sorts of business productivity, enterprise type apps, and that has brought us mobile app pen testing.

Next major iteration: the almighty cloud. This is a little bit different, but I still really see it as a consumer slant to start with. From what I saw, the early adopters of the cloud were really your consumer-facing apps, Instagram, Dropbox, that kind of thing, and it wasn't till later that your governments, your businesses, your enterprises started adopting cloud. And similarly, now it's unusual when you're assessing a system in some way, shape or form that it won't have at least some component in the cloud, or maybe cloud-first and everything's there. And I'm sure some pen testers in the audience can attest to this: when you're assessing a cloud environment it means you go to flaws.cloud and flaws2.cloud now and read through them to make sure that you actually remember all the different misconfigurations and things you need to check out for.

So we've had this brief history of where we've come from, from a penetration testing perspective: web applications are generally the lion's share, infrastructure of course is there, external and internal, mobile apps, and the cloud is really involved in almost everything that we do these days. But let's now have a look at where we're heading. So really I see two major trends, and I'm talking, as I mentioned, the kind of shorter to medium term. We had the excellent keynote on day one about quantum computing and how that is coming, but I'm talking more in the kind of shorter term than that

and what we're going to be seeing in the next months and years from the perspective of security analysts, pen testers, that kind of thing. And there's really two main trends that I see in that: cloud computing continuing, and of course, obviously, the talk's about the Internet of Things, the Internet of Things.

So before we move into more of the details of the Internet of Things, I'll briefly touch on cloud computing, which everyone is fairly familiar with, but there's some, I guess, changes that are going on there with the abstraction away from traditional computing that impact us as pen testers and security people. And I think Lambda, serverless functions, that kind of thing, are a really clean example of that, where you no longer have almost any of that stack below it; you're just running code in the cloud and that's it. And there's been some really good talks and research in recent years, or a year maybe, on assessing those types of solutions, so we're not going to go into that at all. But one of the key points that I have with this evolution of cloud and how it affects us as security assessors, pen testers, that kind of thing, is I really see it as that kind of continuous education and improvement and just staying ahead of the curve, and understanding how to test for a Lambda function, reading up on it and then going and doing it using those existing skill sets that you have.

But IoT, on the other hand, I think is different. So at the moment IoT is immature; to me it feels like where apps were when the fart app was the big app of the year. It's full of fail. So here's an article about a smart security app that crashed, and it caused the customers to be locked inside and outside of their homes, and there are plenty more examples. This one also I thought was quite entertaining: it was a smart heater that failed off when the servers went down, so then you had people all over Twitter complaining about the fact that their homes were freezing because some back-end servers were not operating. And a special shout-out to the Internet of Shit Twitter account, because it's full of this kind of thing and it's worth a scroll through.

But this is going to change. Forbes here is pretty clear on what they're trying to say: IoT is going to be making its way into enterprises, it's going to start being adopted more. Forget about the number, but it's a clear signal, I think. And another example, a little closer to home. This is actually, I thought, well, I was able to extrapolate out my point very well out of this. So the article on the left is actually an article that was placed on November 30, so about three and a half months ago; it's in the technology and innovation IoT section of this Telstra Exchange blog, I think it is. Then only a couple of weeks ago I found this one on the right, same kind of topic, talking about IoT adoption at Telstra, but what I thought was interesting is it's actually in the business and enterprise section of their blog. So I thought it just made that nice transition showing how things go from consumer land into business and enterprise land. And based on these trends that I've discussed so far, and given IoT's current trajectory, I believe it's only a matter of time until it makes its way into businesses and enterprises in a meaningful way. And I was hoping to find someone more important than I who had said something similar to that, but I couldn't find it, so I'm quoting myself; don't know if you're allowed to do that.

All right, so up until now we've really just laid the foundation of why I see IoT adoption increasing and that it will actually make its way into enterprises and we'll start seeing it. So what's the big deal about IoT

pen testing? I mean, it's already being done, people do it, but what's the big deal about it becoming more common? Why is it any more important than any other buzzword that we have around, big data, AI, ML, data lakes, whatever you want to call them? And for me there's one word that differentiates IoT compared to traditional solutions, and that's hardware. Hardware presents a whole new world for pen testers, and a whole new playground as well. It has a different threat model, attack surface; you need different technical and even physical skills when you're soldering and things like that, which I've been traditionally terrible at. And so this is a real change, and it will be a change of direction from all of us who just play in the software world most of the time.

And to go on a small little anecdote: when I moved to Amsterdam in 2015 to run the KPN red team there, I had never touched hardware before in this way, and I got there and there were a lot of guys in the team that were really enthusiastic about hardware hacking, and I just didn't get it. They'd show me getting, like, a UART serial shell on a router, a root shell, and I'd kind of think, I get that it's cool, but what can you do with it? Isn't it more effective if you're able to access the web interface or whatever? And it wasn't until I started seeing them actually going and extracting firmware off those devices, and finding buffer overflow exploits on services running on the devices because they can actually analyze the code, or getting credentials out of the devices through hardware hacking techniques, or even getting the web source code of the web interface off them and finding, like, remote command injection as root on these web interfaces, because they were using hardware techniques, that's what started to really turn me around and I started to see the value in testing these solutions in that way. So all of that really sets up my premise about hardware and testing IoT solutions being part of our infosec future.

So let's start to move into what I call the fun part and talk about IoT and hardware hacking, but first a couple of little housekeeping items that I think are quite important. What we're discussing here and going through is IoT and hardware solution testing, and that's a key differentiator I want to, you'll hear me mention a lot of times, because when you have this shiny device, this IoT device or sensor or whatever it is, it should really be part of a solution. It should achieve something; it shouldn't just be a shiny piece of hardware for the sake of it, and when you're, say, a pen tester, you should be assessing this as a whole solution and how it actually interacts in an ecosystem and what it achieves for the business or whoever you're testing for.

Another key point is that it's not hardware hacking research that I'm talking about here. So this was a point that, as you saw in my bio, I've been pen testing for a lot of years, but it took me a lot of years to realize the difference between security researchers and pen testers, because I feel like, with the mandatory impostor syndrome that we all get to wear and carry with us, you'll see someone like a Charlie Miller hack a Jeep or something like that, and then you think about your pen test that you're doing day to day and you feel like, well, I couldn't do that on my two-week engagement. And I certainly found it was lost on me the fact that there's months and months of research spent on single point solutions in order to discover these amazing vulnerabilities that help move the industry forward. So similarly, there's some amazing hardware hacking things that can be done, but I won't be discussing those. I'll be talking about really what you can actually reasonably achieve within the normal time and budget constraints that you have as a pen tester. So I also want to talk

about what a hardware pen test isn't, and highlight a few pieces. So I did ask Silvio if I could put this up and he said yes, so that's okay. This is BSides organizer Silvio; this is a YouTube video where he's using dangerous, dangerous chemicals to try and decap a chip on his own, I believe, and that's really cool, and that's a genuine attack against hardware, because you can decap a chip and take off all the teeny-tiny layers using crazy chemicals or lasers or focused ion beams, whatever they are, and then you can actually zoom in and see the circuitry using, like, a crazy microscope or something and start to reverse-engineer the actual physical connections on a tiny integrated circuit. But doing these kinds of attacks effectively can take months and months of time, and there's a very good French researcher, Olivier Thomas, who does this kind of work, has a company that does it, and I saw a presentation from him last year where he talked about how much the price is coming down on this. But it's coming down from millions of dollars to hundreds of thousands of dollars, and the time frames are coming down from a year to months; it's still not going to be an effective attack when you've got a whole solution to assess in a couple of weeks or something like that.

So with that out of the way, we're talking about what a hardware pen test is. I'm going to be going through two real-world examples: a personal safety device and an electrocardiogram test solution. So for those of you who don't know, because I certainly didn't, and forgot many times while testing as well, an ECG is basically a heart test that you do with sensors on your heart to detect if you have potential problems that your physician may need to address. But anyway, we'll be going through these two real-world examples, focusing primarily on the personal safety device. These are two penetration tests that I was part of, so they were real tests. And I also just want to point out that I'll be going through these examples, again, of what you can reasonably do; it's not of course a training course in this timeframe, so it won't be every possible attack vector and that kind of thing.

So let's start with the personal safety device, which is one of these. They're a white label solution; you can get them off AliExpress, there's retailers in Australia that have them, all around the world basically. The premise is that for elderly, at-risk individuals, people who are doing outdoor extreme sports, people traveling, that kind of thing, you can use this to effectively press the SOS button and it'll send your location and the SOS message to the contacts that you've mentioned or listed, and it will also initiate a phone call on your behalf to them as well if needed. It also has fall detection, which I believe the idea is, if you're an elderly person and you fall over and don't get up again, the device should then alert your emergency contacts that something's probably gone wrong. And it can also be used for geofencing, which to me seemed a little more creepy, but wasn't part of this solution. But there's that word again, solution: we need to assess this as part of a solution; it's not just a little device.

And in order to visualize this solution, I thought I'd draw a very slick, high-end diagram for you. It's definitely not done in Paintbrush. So everyone can actually see and understand what we're talking about and use it to help, I guess, threat model and visualize what we're looking at. So we have a user in the middle bottom there; they have the SOS device on them; they also have a companion app in both Android and iOS that was part of the solution to be tested; there's a web server, they can log in to a website and also set their contacts that way; the mobile app talks to the web server; and the device itself apparently talked to some cloud somewhere that we had no idea anything about, but we'll work from there. And that cloud somewhere would alert the friend, the happy friend, that they need to help or anything like that.

So when we started testing this solution, we actually started looking at the Android app, the website, those kinds of components, because they're obviously important and we thought they'd be the easy win as well, but there was really nothing interesting. So the Android app, nothing; website, pretty much nothing; comms, nothing of interest; that cloud somewhere, no idea where it was. So that's nice, because we're here to talk about hardware, so we get to jump

into the hardware device now. So one of the first things when you're analyzing a piece of hardware is you want to analyze the attack surface. You want to understand what functionality that device actually has: does it have Wi-Fi, does it have Ethernet, does it have an SD card, all of those kinds of things, because that'll really influence what kind of testing you'll actually do. If it's got Wi-Fi, you'll probably hook it up to your access point and try to view the traffic; if it's got USB, you'll probably look at USB-oriented attacks. You can get this information from the manual, from marketing material, data sheets; it's normally readily available, because of course someone's normally trying to sell a product and they want to speak to the benefits of it.

So as I said, we'll be running through our example here. So with our SOS device, analyzing the functionality: it had a 3G GSM module on it, had GPS of course for location, had a micro USB port, had some charging ports at the bottom, which were just charging pins for a cradle, and an accelerometer to do the fall detection. Basically, that's good, we know that about it.

The next thing you really want to do to understand what your device does is to try the easy stuff first. So even though you're looking at a bit of hardware, it doesn't mean you have to do invasive-level attacks straight away. You might be able to just remove the SD card out of it, stick it in your computer and have full access to the root filesystem and passwords. You should try to telnet to it with default credentials; the Mirai botnet certainly proved that that can be pretty effective. So there's a whole bunch of simple things that you want to try before actually going deep, especially on a pen test. So for our device: 3G's a bit complicated, we'll get to that later; GPS, not that interesting; accelerometer, very uninteresting; the micro USB port really was the only kind of easy access for us, but it turned out to just be charging. So we had no easy roads, basically.

So once we've gone through that, we're going to open up the device and actually look inside it. So to do this you want screwdrivers, sharp tools, things like that, to be able to actually crack open a device and get into it, and it can be difficult sometimes; other times it can be very easy. You want to be wary of tamper switches as well here, which can bite you. So with our SOS device, it was actually designed to be unscrewed, which was really nice, because you had to put a SIM card in it, so that made it really easy. And when I pulled it apart and started looking at it, I was also happy to see it didn't have a tamper switch at all. And we tested and retested and we were trying to assess it, and after a while I was realizing that one particular portion of it wasn't working right; it just wasn't phoning home at all. And I was asking my colleague if he was having these problems, and he said no, and then he asked me, have you got the tamper switch down? I said there's no tamper switch on this, and he said, no, see that very obvious button right there? If you push it down, the tamper detection goes off. So, very embarrassed, I went back and pushed the button down and everything worked perfectly. So it is really important to check for those tamper detections.

Once you've got it open and operating and that kind of thing, you want to identify what's on the board there: what are the chips, how do they communicate with each other, what do the lines look like, are there any debug ports there. But probably the most important step in here is reading data sheets. So I personally bricked multiple devices because I haven't paid enough attention to the data sheets and what different pins are and different chips are and that kind of thing, but it is really important to actually read them. So with our example, this is the actual board. Highlighted in green there is an ARM STM32 processor; in red is, like, a flash/EEPROM-style storage chip, basically; and no real debug ports were found there. You'd also probably be able to see where the SIM card clearly goes, and on the other side of the board is the baseband chip with a bit of copper on it. But yeah, no real debug ports, which was going to be one of our first goes at it. Some people with a keen eye might be able to see that there's some JTAG-looking ports, maybe some newer ones that had just exposed pads, but in our testing

we just found they were not working at all, and maybe it should have been removed or something. But I do want to have a quick tangent on debug ports, because they can often be one of the first avenues of attack on a hardware device. So because that last device didn't have any obvious debug ports, I went to my garage and found a 3G router I had lying around, opened it up, and lo and behold, as is highlighted on the picture there, there's two ports that look very much like UART and one that looks very much like JTAG. So I wanted to kind of demonstrate what they can look like, but there is no standard for them, so it's just indicative, but you kind of want to look for things that look a bit like it. Once you've found it, things like the venerable multimeter will help you actually assess whether they're live, whether they're power, whether they're ground, that kind of thing. If it's JTAG, something like a JTAGulator can help you interact with it; UART, you might just have a USB to TTL, like a USB serial adapter. But I also want to do a special mention to last year's BSides badge, the BusSide, which is actually a serial UART adapter and it also does JTAG detection as well. So I thought that was really cool, that I actually got a badge last year that I can actually use on engagements now.

But I also want to point out that, just like in traditional pen testing, creativity can really help. So those UART and JTAG ports I pointed out are effectively, most of the time, just basically a pinout that comes out and is traceable on the board to the actual processor itself. So what this person has actually done is used some very fine handiwork and some micro soldering techniques to solder directly to the pins on the processor that happened to be JTAG, because he's read the datasheet, and then he's able to interact with it directly even though there's no JTAG pinout on the board, and we'll see a little bit more of that later on too.

So now that we've had a quick diversion on debug ports, I wanted to have a little review on where we're at and start to hone in on attacking this device, because we've got a bit of an idea of what the device's functionality and components are, inputs and outputs; the internals we've got a bit of an idea on, but we haven't really done much yet. So let's have a look at where we're at. So going back to our very high-end diagram, we've gotten rid of the mobile app and the web server, not much there. We started looking at the device, but we don't know what the firmware looks like on it; we don't know if there's any sensitive data stored on it either; and that cloud somewhere, we have no idea about yet; we haven't seen how this device talks to it, so that whole communication stream is still very unknown. So with a bit of a step back and looking at this, we can threat model it a bit and actually work out what we really want to attack, and we have two main attacks that we want to do at this stage, and that is: extract that firmware off that chip that we saw, see if there's any sensitive data, see what the firmware does to try and find other vulnerabilities in the solution; and also work out what that communication is and where that back-end cloud even is.

So let's go through those attacks now. The first one, extracting the firmware and data: there's a whole bunch of ways to do that, whatever works works. Often you can just download it off the internet; sometimes you can just email the manufacturer and ask for it, using social engineering techniques; there's a whole bunch of ways. But for us a lot of them weren't applicable, so desoldering the chip was the chosen solution for us. So going back to our board, we can see here

the flash chip highlighted it's got the the four kind of legs on each side which are soldered to the board so you need to get them off but you can't just use brute force because you'll probably break something so there's a few techniques to do this probably one of the the neatest and easiest and quickest is to use a rework station so on the left is a soldering iron and a hot-air gun commonly referred to as a rework station so the black handle on the left actually has a tip at the end and it will blow out hot air at you know three to four hundred degrees Celsius and what you effectively do is take that hot air put

it over the the feet of the chip it'll actually melt the solder and then you grab some tweezers and just pluck the chip right off so that's nice and easy but then you've got a chip and you need to read that chip and of course you can't just stick it in a USB port because that would do God knows what so you have a device programmer or a universal programmer and that's what you can actually use to have an individual chip that's separated from a board you effectively get that chip stick it in the appropriate adapter and then stick it in a device programmer like that one on the right plug it in to your computer

and then hope that you can just do auto detect chip download flash contents and at least in my experience luckily that's almost always worked quite cleanly and easily and if you've got an eight mega ship and you go and use this technique you'll have an eight megabyte binary file sitting on your laptop which is great but then you need to analyze it and it might be encrypted as well so you need to work that out for our example luckily it wasn't encrypted it was actually the firmware which means you got to analyze this firmware now and that's that's a whole discipline in and of itself so what what we can see here is actually a screenshot of of the

firmware in raid re so I mean some of you may have noticed I am wearing a red Irish shirt I'm a little bit of a retiree fanboy I thought of replacing this with Deidre you know given the hype around it but I just couldn't do that because in order to get this to work when we did the engagement a colleague of mine did the reverse engineering he did it all in Ida Pro and then you know being the Rideau a fanboy I am I thought well I'm gonna do it in red arrow now and I loaded in radar and it completely failed not a single string no cross-references nothing and I generally take the approach of it's not radar it's

me it can do everything and I don't know how to do it so I went very very far down the rabbit hole and spent excessive amounts of time trying to work out why radar II couldn't analyze his firmware to the point where I actually found that radar his interpretation of a particular arm instruction was incorrect and I actually did a pull request and fixed the code in red re so that it would actually analyze the code correctly and then it all worked from there so that that was very much my like not so humble brag and the reason why I absolutely must have a read re screenshot in here and nothing else because it took a lot

of effort to get it there but you know back to the firmware disassembly so we analyzed the firmware to see you know what are the end points where does it go - is there any sensitive data there and you know ultimately we only had a limited time we couldn't find any end points no IP addresses we understood now that the firmware from the firmware that only communicated over 3G so you know that was going to be an important part and it'll you know it all goes through the baseband but still no endpoints that we could see no sensitive data either so we've effectively you know kind of tick that off in a way we've learnt a bit

more still nothing very interesting no nice vulnerabilities to write up except unencrypted firmware so we really needed to see these communications between the device and the back end and there's a couple of different ways you could do that like obviously if there's Wi-Fi you could do that but in this case we had 3G so you can intercept 3G over the airwaves and another technique is what's called bus snooping which we'll go into where you actually intercept the communications on the board itself and within 3G interception there's a couple of different techniques that we'll quickly go over as well but first the equipment if you want to do a 3G interception which is illegal

and we'll go over that more so don't do it you need to have a good quality SDR but this goes for any other kind of radio analysis of you know more proprietary protocols so this is a picture of a USRP which is generally considered to be one of the best SDRs there are and when you're doing something as high bandwidth as a 3G 4G connection you need something that's full duplex so like a HackRF won't cut it and you need to be able to have that family to go through there and you'll likely need test SIM cards as well so IMSI catching is a technique mostly used by law enforcement

which you know has a whole bunch of steps there's specialized devices you can buy online to do it but look the real takeaway for IMSI catching is that it's illegal so in this case in this engagement we knew that this was theoretically an option but we weren't going to go and do it the next option though also illegal but this one you know in this case we were in a telecommunications provider and we had their appropriate authorizations to stand up an appropriately named test 3G network so we actually could do this attack but you need to have the appropriate approvals and it depends on the country and that kind of thing as well but basically you need to set up a

test 3G network using your SDR and software like OpenBTS you need a SIM card programmed for it there's a lot of buggy instructions that are out of date and don't work and a bit of prayer involved and whatnot but ultimately we had these test SIM cards we stuck them in our SOS devices and they would never ever connect to our base station it just absolutely failed we tried a lot of different things but at the end we just had to you know put a pin in it and say we're gonna leave that one it's not working for us it's you know too complicated we don't know why it's not working so we moved on

and that led us to bus snooping so bus snooping the easiest way I can describe it is it's like Wireshark for electrical signals so basically you are trying to sniff and analyze and decode the signals you know the actual electrical signals that are traversing along a board so let's look at our device again and how we're gonna you know theoretically do this in green again we have our ARM CPU and in red is the SIM card slot which as I said has the baseband processor underneath it now based on our firmware analysis and data sheet analysis as well we basically figured out that that ARM CPU through some of its serial pins is going

to instruct the baseband processor to talk to the Internet to talk to that back-end server so therefore between those two there must be something interesting there but in order to do that you can't just use Wireshark of course and the tool you need is a logic analyzer so this is a Saleae which is an example of a logic analyzer again generally considered to be one of the better ones and you basically need to connect it up and it will analyze the signals so we've got this theory now of how we think we can really break in and understand how it communicates so let's put this into practice so this is a picture of you know similar to what we

saw earlier some very skillful soldering which was absolutely not done by me it was done by a much more skilled solderer in my team but basically we worked out you know as I said where the serial pins were that might communicate with the baseband processor soldered onto those pins and glued it on as well so that it wouldn't keep breaking like it initially did then we hook that up to the Saleae and then hook the Saleae up to the laptop and start decoding signals across the wire now I don't expect you or anybody to see the details here the only thing I expect you to see is that there's an up and down going along there

and that is actually the signal on the wire being captured by the Saleae and when we actually looked at what this one was it interpreted out to this now some of you maybe some of the older people in the room might recognize what this is this is actually a modem command so the AT series of commands are the protocol to communicate with a modem it actually stands for attention which I didn't know so it's like attention do this and this is what we saw so we saw now we were really looking at what this processor was telling the baseband this was a completely benign instruction that doesn't make sense to me no matter how many times I read it but we knew we were in

the right spot so it was a case then of doing more captures getting the device to do something and seeing what actually happens and this was the interesting sequence that we saw so this first AT command CIPSTATUS is basically asking the baseband are you connected to the Internet and the baseband says yes yes I'm connected to the Internet which is cool then it says all right great you've got a connection can you connect to this custom access point name for me the username and password are in between those quotes so blank but still connect to this custom APN and it says ok done so we're now connected up to where we need

to be then it says can you please start a TCP connection to you know in this case hidden dot server com on port 50138 and at this stage we're you know really pretty happy we're seeing a TCP connection going out to our back-end server you know along the wire here right on the board and then our next one is it's sending data over that TCP socket actually communicating with the backend so at this stage this is you know pretty much how we felt we were quite excited about this and you know we really had kind of cracked in there and we're right where we wanted to be but we still need to understand what

these communications were because this is the string that got sent and when you first look at that it's kind of not much but because you know we've been analyzing this solution a lot it quickly stood out to us that those numbers in red which are changed but those numbers in red are actually the IMEI number the unique identifier of the device because everything with a SIM card baseband has an IMEI number so we realized that the protocol in this case was just exclamation mark 1 comma IMEI semicolon and then hex value one a but the beautiful beautiful part about this is it's actually the login request to the back-end server and some of you

might have noticed that it's missing a factor of authentication just any factor of authentication it's pretty much just saying here's me and the service says great come on in tell me where you are send some SOS alerts whatever you want to do so then we were just able to rip that out stick it in a Python script and actually interact with that back-end server which was great we've really gotten onto something there so what do we have so obviously there's no authentication you just need to know the IMEI number but you know you saw the IMEI number's pretty big that's a fairly big key space but you know after five minutes of research we quickly realized

that an IMEI number is not unlike a MAC address it has kind of an organizational part a few components to it but in the solution there were six digits that actually reflected the unique identifier of these devices so it's a really small key space and then so that's great you could probably brute force it but to make it even easier the server also responded nicely and told you if that IMEI existed in the system so we were now able to enumerate every device in this solution and you know log in and be them and spoof location data and SOS messages and that kind of thing so we'd really broken the system at this stage

but you know how bad is this and you know we were just kind of happy because we've done the technical hacks and that was cool but we started discussing it and we realized well I mean an attacker could actually go and basically spoof the location data of every single user and send out constant SOS alerts to all their contacts all the time and that would completely undermine the solution and they'd all throw it in the bin and the company would go bankrupt that's pretty bad but we also realized that you know it could be worse and it's a bit of a long shot but we realized that you could actually spoof location data for a user and if that

user actually was in a life-threatening situation and their SOS alert went out it would go to the wrong location that you've sent and they could actually die so you know that's very morbid of course but you know that was like our worst case scenario and it's not very usual or normal when you're pentesting a solution that it can kind of breach out into that human layer and have impact like that so you know because I put so much effort into these diagrams let's revisit it one more time and just see what we've done here so we've got a stock photo hardware hacker who's used his chisel and hammer to basically hack the device work out how it

communicates with that back-end completely compromised the backend of the solution and our poor user is not doing too well and for those of you with better eyesight the friend is also a frowny face now so not a very good situation so that's the meaty one that I wanted to go through but you know as I keep talking about testing the whole solution I want to go over this ECG electrocardiogram example as well so let's start with what it is before we get into this I just like to point out that no hearts are exploited or anything like that this is not that bad kind of so basically this ECG solution is effectively as

I think I mentioned normally you need like 12 leads giant machine physician all done very properly this was you know some kind of medical breakthrough where people can actually you know plug a dongle into their iPhone attach four leads themselves and take accurate measurements and then see the results straight away and share with their doctor that was pretty cool it was a really interesting solution like actually improving people's lives you might have heart problems and that kind of thing again it's part of a solution though so we need to analyze it in that way so we have a user there with a very well drawn heart and they use this mobile app with the dongle attached to it the mobile app

talks to the web server and we have a doctor there who also logs into that web server to see the results of the ECG so let's go and actually assess this solution quickly so we started out with the hardware because it was shiny and groundbreaking and all of that and look you know I hate to tell it but there's nothing interesting there at all it literally just took these signals off the user's chest you know converted them to digital and then the app itself basically interpreted them to get results so it really wasn't very interesting at all so we moved on to the app and again really nothing very interesting but meanwhile

the website itself and this is what I'm talking about the actual you know assessing the whole solution it was vulnerable to good old-fashioned SQL injection so we had a shiny little device meanwhile the website complete SQL injection which actually affected every single user on the platform and this is obviously medical data here so with this SQL injection you could extract all the users' medical data you can also modify all the users' medical data or delete the users' medical data and you know similar to the last story we had you know a nice moment of hey that's cool but surprising you know it's such a well-known vulnerability and you know people know how to mitigate this

and this is a new system it shouldn't really have these kind of vulnerabilities if they just had a bit of framework bla bla bla but we again realized that you know with our more black hats on that if someone's actually testing themselves because they have a genuine medical need to they're uploading their results to share with their doctor and meanwhile some not so nice person is performing SQL injection and removing those results that person may never seek that medical attention that they need because their doctor will never see it so you know that's obviously not very good and you know the reason why I'm talking about this one is just to really drive

home that point of it's the whole solution that matters and even kind of more boring parts or parts you think could be you know tried and tested and stuff like that you know can really matter when it comes to assessing you know the whole solution so we've gone over our examples at the moment and now I want to take a bit of a step back and look at why this matters so you know I think I've demonstrated pretty clearly that you know the security of IoT solutions can you know impact lives and you know information and all of those kind of things so I think you know that's a

but you know there's also more to it as I see it so this is an article again from Forbes discussing a start-up in Israel that basically got a nice bit of funding with no other purpose other than to hack IoT devices for governments so you know like it or not IoT you know pretty much is but you know is going to be a target going forward and needs to have some level of security and there are other companies as well like this that are basically set up to you know do lab research on IoT devices but effectively to help people hack them another point that I wanted to raise is this Bain & Company article basically

makes it quite clear that at least to their belief if IoT security would actually improve enterprises and businesses would actually start to adopt it a lot more and they claim it's you know the key to actually unlocking these IoT solutions and having them come out into the enterprise and I really think that's where we come in so you know educating decision makers and solution designers with the issues at hand you know providing our expert guidance and advice and I hope some of you can take some of these even these low-level lessons that if you have this black box of hardware it could actually be quite dangerous or could undo a whole

solution and it's not just to be considered that's just a black box it's fine and obviously pentesting IoT solutions of course you know maybe I'm biased but I think that's also a really critical step to knowing if they're secure or not and given that I've talked about you know basically analyzing right at that chip layer all the way back to that cloud back-end you know web apps mobile apps all of that I actually you know decided to steal a very kind of hipster term from developers and I found that no one else was using this online at least from my very rudimentary googling of it so I'm going to coin the term now full-stack pentesters which some of you

may have vomited a little bit in your mouth when I said that because it is a buzzword don't get me wrong but I do think it actually somewhat correctly encompasses the fact that you know going forward being able to actually go right from that chip you know the communications on the board through to the mobile app through to the wireless communications through to the servers and the cloud backends is going to be really important so on that you know lovely note of full stack pentesters let's start to wrap up so I wanted to have some parting thoughts so you know I think like it or not IoT is coming I think if you're procuring or

delivering these devices you need to be considering these kinds of risks and these security issues if you're a product decision maker I think you're gonna want to get these solutions tested because you could be putting something out in the market that you know could cause serious issues for real people and you know as one of my last parting thoughts you know I think I've shown that you know during a traditional pen test timeframe you can actually successfully find and exploit you know serious vulnerabilities in an IoT solution you know using hardware hacking techniques but what we need is more skills in this area and this is somewhere where if you want to be that

hardware hacker up there on the screen you know we need to be skilling up as an industry so in my experience you know living and working in Europe seeing some of the U.S. trainers as well I feel like Australia is lagging behind a little bit when it comes to hardware hacking skills don't get me wrong there's people with skills there's interest a lot of it's there but I just don't see it to the same level as what I did overseas and to give you an example in the Netherlands there's actually a security conference called Hardwear.io it's been running for about four years and it has about five or six training courses associated with it and it's

just a complete conference dedicated to hardware security and I just don't see that here in Australia last year's technical keynote for those of you who were here and remember Joe FitzPatrick he's an amazing hardware hacker he actually is part of a company called Hardware Security Training who provide very high quality high-end hardware hacking training all around Europe and the US but again not here in Australia but you know as I said the interest is here you know all is not lost we actually have people like Silvio who has what I'd describe as an intro to hardware hacking course I think Silvio calls it interfacing with IoT devices you know so there are actually ways to get those

skills here so what I really want to kind of leave you with is you know if this has piqued your interest you know I recommend you know go to the hardware hacking village talk to people who've done this kind of thing take Silvio's class watch YouTube videos and actually learn how to do these techniques because they are within reach and you know let's skill up and let's help improve the security of IoT solutions together thank you