
Yo, what's up, everybody? Before I start my talk, I just wanted to know how many of you hated physics in your engineering classes. Wow, that's a lot of people. Yeah, even I failed physics. No issues, but I'm presenting the talk here. So today I'm going to tell you how you can use physics, which is used in your daily life, and how you can use hardware and physics to hack into devices and do some cool stuff with it. So let's start the talk.

My name is Rishikesh Somchatwar. My interests lie in IoT, automotive hardware, and radio security. I'm also in love with GNU Radio Companion and doing projects with it. I've been a speaker at HackFest 2021, which was held in Canada as a remote conference. I've been a speaker at the Car Hacking Village at BSides Delhi in 2019 and at DefCamp Romania in 2019 as well, and I've presented at various other scientific conferences, so I'm also much into IEEE and ACM stuff. I am the OWASP Nagpur chapter lead, so if you want to attend some OWASP Nagpur meetups, you are welcome; we conduct security meetups every month or so. My Twitter handle is Storytelling Hacker.
Actually, it's S Story T L N Hacker, so when you pronounce it, it comes out as Storytelling Hacker. And I have a podcast named The Storytelling Hacker, which is available on Spotify, Apple Podcasts, and Google Podcasts as well. You can listen to my podcast; I review research papers there, tell some stories, and a lot of other stuff. But it's explicit content, so make sure you listen to it alone.

So, first and foremost, what do we mean by hacking with physics? Any guesses? Anybody can shout out a guess from your place. That's cool. So, sensors, lights, and electronics all use the principles of physics. That's why it's hacking with physics.

So let's talk about sensors first. Let's get our basics clear and understand these concepts first, and then we'll be able to understand how we can use these techniques to hack into these signals. A sensor is an electrical device which measures the physical properties of the surroundings: it takes the input from the surroundings and gives out the output. As simple as that. There are different types of sensors: electric sensors, mechanical sensors, optical sensors, temperature sensors, chemical sensors, and so on. The electric sensor takes the electrical stimulus, the signal goes to the sensor, and then it gives out the electrical signal. The magnetic sensor does the same, and so on.

There are two types of sensors: one is the active sensor, the second is the passive sensor. Guys, get these basics very clear. It's just one or two slides; just pay attention and then you are going to love the applications. So, classification. This is how sensors are classified. A passive infrared motion sensor is an example of a passive sensor. A magnetometer is an example of a passive sensor. Gyroscopes and accelerometers are examples of passive sensors. An infrared rain sensor is an example of an active sensor. Radar, and everybody knows about radar here, is an example of an active sensor. Sonar is also an example of an active sensor.

So where are these sensors used? They are used in industrial control systems, ICS and SCADA systems, and they are basically installed in the RTUs, the remote terminal units, of the industrial control systems. IoT devices use sensors too; you have seen smart devices with sensors installed in them. Automotive: electric vehicles are pretty common these days, so sensors are used there as well. Drones are an example where sensors are used. And healthcare devices; a medical infusion pump is a great example of a healthcare device where sensors are used. So, sensors do the actuation stuff. Decision making on the sensor data, that is the simple, clear-cut meaning of actuation. Like I said, the sensor takes the input from the surroundings, from the environment, processes it, and then gives the output to the controller, and then the actuation happens. So sensors are a new attack vector, like I said. Guys, one important thing: it's not just the hardware which is not secure, it's not just the software which is not secure, it's not even just the embedded which is not secure, but it is also the sensors which are not secure these days.

So before I even get into sensor hacking and these techniques, let me talk about some of the basics first. Guys, get your basics clear. Only one to two slides; pay full concentration and attention to them, and then we are going to see the demos. So, some basic terminology. EMI, electromagnetic interference. I'm going to read out the definitions first. I know this sounds boring, but I can't help it. Electromagnetic interference, also called radio frequency interference when it is in the radio frequency spectrum, is a disturbance generated by an external source that affects an electrical circuit by electromagnetic induction, electrostatic coupling, or conduction. In simple language, guys: unwanted noise happening in an unwanted circuit; that is electromagnetic interference. As simple as that.

ADC, analog-to-digital converter. A microphone is a great example of an ADC. For instance, I'm talking with you, and my microphone is receiving my voice signals through the ADC. So a mic can be an example of an ADC: it takes analog values and converts them into digital values. ADC, that's it. Even though microphones have an ADC installed in them, I just wanted to explain it to you in layman's terms. And DAC is basically a digital-to-analog converter. So whatever digital information is stored on your laptop gets converted into analog signals through the speakers. A speaker is a great example of a DAC. ADC and DAC are just the reverse of each other.

So, I need answers from you. What do you see? It's a Wi-Fi router. How are you going to hack it? Shout it from your place. Come on, I need answers from you. Okay, at a web application level, you are all web experts, so I don't have to explain that. At a wireless level, what you can do is use Aircrack-ng, Wi-Fi de-auth functions and tools like that to do Wi-Fi hacking, de-authentication, and things like that. What about electronics? Anybody aware of IoT hacking stuff here? Yeah, one guy. Yeah, UART, JTAG. That's a great answer. UART and JTAG could be a great example of it. Or opening up the device, dumping the firmware, getting those hardcoded credential values, and then doing some hacking with them can be a great example of it. Any errors from the product designer's level?
Okay, no issues. So, any other attack vectors? Frequencies, yeah, great answer. One more, I need just one more answer. Firmware-related stuff, yes. So you have given me great answers, no issues with that. But let's think out of the box today. Let's think from a different perspective, in a bit more different manner. Today we are going to use light in order to hack into these devices. That's how we are going to hack the device: we are going to use light. So here's the problem. Stay with me till the demo and you will understand everything. For now, just pay attention.

Routers and switches have LEDs installed in them which blink at a very fast speed and are not visible to the human eye. The blinking LEDs have information modulated in them. These LEDs are connected to the silic lines on the CPU of the device, which leads them to blink at a very fast speed. So there's a Wi-Fi device over here, and it has lights in it. All you have to do is capture those light signals and get the information. But the information there is modulated. So how are you going to do it? So here's the answer to it.
There's a tool by Joe Grand, one of the most famous hardware hackers out there, called Optic Spy. It's going to search for optical covert channels that may exist within the device. No, it's not a side channel; I'll explain that. It can be an example of it, but you are just close enough to the answer. So it will search for optical covert channels: it's going to check for information leakage which is happening onto the lights, and that's how it's going to tell you the information. So first let me explain what an Optic Spy literally means and what things are actually installed in an Optic Spy. The Optic Spy has a photodiode in it. Along with that it has the amplifiers, the threshold detector, and the serial-to-USB connector. This is how it looks. There's a photodiode. Then there's a gain adjust. Then there's the threshold voltage adjust. Then there's polarity selection for checking the polarities, and then there is USB for converting those signals into packet form and looking at that information.

And most important, what is a photodiode? A photodiode is a device that converts light into current. It's an optical sensor; like I said, we are talking about sensors here. And he used a Vishay Semiconductor photodiode, which is BPW R, in the Optic Spy. This is just a part number. So let me show you a demo so that you will have a better understanding of it. There's no audio in it. So, this is the Wi-Fi router.
There's a light on the Wi-Fi router. This is the Optic Spy, and there's a photodiode, so you are capturing those light signals through your Optic Spy. The information is getting demodulated, and that's how you are going to see the information which is being transmitted through the lights. We are going to watch the video at 8x speed.

Yep.
Information leakage, right, guys? So let's get back to sensors now. It was interesting, right? So, sensors are a new attack vector. Like I said, it's not just the software, it's not just the hardware, it's not just the embedded, but it's also the sensors which are not secure. This single paper is enough to give you a dopamine check: Detection of EMI (electromagnetic interference) attacks on sensor-based systems. Take a snapshot of it if you want to. This is an amazing paper, guys. This is the actual diagram of how sensing and actuation happen. Let me explain this diagram to you. This is the real world. The sensor takes the sensing from the real world; you can see the arrow. So the sensor takes the signals from the real world. Then the signal goes to the ADC, the analog-to-digital converter, like I said in the basics. It gets converted, then it goes to the processor, the processor processes it, then it goes to the actuator, and then the actual actuation happens. A clear example of it could be a gyroscope. A gyroscope is basically a sensor which takes the input signals from the surroundings and gives them to the ADC; the ADC converts them and gives them to the processor, and then the processor gives them to the actuator, and that's how the flight of the drone is rotated and that's how the drone works. One more example is a car. Whenever you are reversing a car, there's a sensor installed in it which beeps every time, beep beep beep, and it tells you if there is any object which is obstructing the reversing of the car. It does the same thing, and that's how, at the actuator level, it avoids the crash.

So the thing here is that there is no authentication happening at the sensor level. This means that anybody can use his own sensor in the system and input his own signals into it. That makes the system vulnerable to a sensor spoofing attack. The microcontroller has no choice but to trust the measurements, and the attacker can use EMI to inject signals easily using radio equipment, or change the sensor output regardless of what is happening inside the sensor. So there's a demo; I'm going to show you one more demo. There are three to five demos actually in this video. This is the second one, so enjoy. This is an example of how you should not do the attack, but your concepts will be clear if you watch this video properly. A second attacker-machine demo of this particular demo.
Welcome to the demo. Show the screen. What I've done is I've loaded the attacker code into this Arduino, which is connected to the ultrasonic sensor. And what I'm doing right now is using the INVH application to see the measurements of these particular ultrasonic sound waves. You can see that there is movement in the signals on the graph just by listening to my voice. I'm turning off the fan. Now you can see that there is no noise happening apart from my voice. So this is the ultrasonic sensor. The ultrasonic sensor has sound waves in it; like I said, just making it a bit clearer. And the phone's microphone is literally taking the ultrasonic sound waves from the sensor, and the output is shown on the phone. This is the graph which you can observe. There's a difference with the phone's microphone in front of the ultrasonic sensor.

Even though the graph is turned upside down, I just wanted to show you the graph. And this is a perfect example of how that attack should be done. I'll play it with VLC.
Hello everybody. Welcome to the presentation of the demo of the transaction attack. This is known as the transaction attack. What I've done is one of the toughest attacks which is seen, because at a conceptual level this is a very tough attack; I'm not sure how to do it practically. I've flashed a sensor system's code into this particular Arduino, which is connected to the wall. This is acting like a wall, as an object. And what I'm doing right now is, the code is already flashed, I'm looking at the serial monitor, and you can see that the distance between this particular sensor and the wall is coming out as 31 cm. Now, I have another system, which I showed you in the second video. I've flashed the attacker code into this system; it has the attacker code in it and it has been connected to the power bank. Now I am just going to use it as an interference. Look at the screen: that's how the electromagnetic interference happens. Now you can see that the interference is getting created and the values are getting manipulated. That's how you manipulate the values. So that's it, guys. That's how you do the transaction attack.

Like I said, this is the normal system which is taking input from the surroundings and then giving out the output, and this is the attacker sensor. That's how you do the spoofing attack, sometimes at a 30° angle. It's not mandatory to have the 30° angle; it's just an example. And this is the code, and this is my code, the attacker sensor's code. This is how the readings can be manipulated and the sensors are tricked. Here the attacker's main objective is to add a malicious signal to the sensor output and manipulate its readings. So this is how the sensors are tricked. Now, since we have looked at the sensor-based attacks, we can move forward and look at the attacks which are actually happening at the ADC.

So this is the standard diagram of how it looks. There's a sensor and there's a microcontroller. The sensor gives the signal to the microcontroller's ADC, and that's how the values are getting manipulated. Then what we do is use a different attacking signal here, and that's how we manipulate the ADC. Now, guys, I have explained this particular complete research paper and my work as well in the podcast, but this is in a much more in-depth and descriptive manner, and the videos are shown here as well. So in this particular case, what we are doing is we are actually abusing the ADC. Here the ADC is abused to work as a demodulator for the attacking signal by injecting a signal with a frequency that exceeds the sampling rate of the ADC. Which makes me think, guys, we are actually attacking at the ADC level of the hardware. Now this is cool. I've never seen such amazing things done by the researchers over there, which makes me think that this is good stuff, right? So here's another example, the air conditioner. An AC adjusts the temperature of the air according to the room temperature. The attacker can remotely send the attacking signal to hold the sensor input, and the sensor can be deceived to give hot air. Now imagine this attack, if we are talking about it at a very personal level, like the air conditioning or the things which are happening in our home. But imagine this attack used in a power plant, a nuclear reactor, or the pitch of a fly-by-wire helicopter.

If I'm talking about helicopters, let's talk about drones. Let's talk about the attack vectors of a drone. These are very crazy attack vectors, I would say. Physical attack vectors: you can just use your gun to, you know, attack the drones. Second is the radio communication: you can attack the drone at a Wi-Fi level, at a Zigbee level, or at a radio frequency level by using radio stuff. And software hacks: everybody loves Samy Kamkar here, right? The SkyJack attack by Samy Kamkar, so software hacking. Positioning: what you basically do is use tools like HackRF to spoof the GPS signals and then do some positioning-based attacks. And sensors. So I want you to see how you can hack drones with sound. Now, this is the user controller. There's a flight controller; the flight controller is basically the brain of the drone. The sensors are basically doing their sensing work. The rotors are working as the actuator; I've explained this before in the previous slide. What it actually does is the user controller takes the input via radio frequency. There's a transmitter there and there's a receiver there. The transmitter transmits the radio signals to the receiver, and that's how the flight controller works. The flight controller takes the input from the sensors and then gives the output to the rotors, and that's how the drone works. Now here's a great example of mechanical resonance. It's not possible to play this video; it's just a funny video. What happens in this video is the guy shouts in a very high-pitched voice, and that's how the glass gets broken, and that is an example of mechanical resonance. So drones have MEMS, which is microelectromechanical systems, as the gyroscope installed in them, and due to sound noise the accuracy of the gyroscope gets affected. This is the science behind it. Now I'm going to show you how it actually happens.
And then it again gets affected. These are the sensor readings of the gyroscope outputs and things like that. Yeah. So now let's talk about some mitigations. But before that, one of the most important things which I wanted to discuss with you, the reason I came to this conference: let me explain to you the thought experiment. You are with me, right? Cool. Is it possible to dim the lights from the back? Okay, that's fine. So I want you to close your eyes first. Close your eyes. Stay in your place and close your eyes. Now imagine, and keep your eyes closed, guys. You are sitting in your house. It's 1:00 p.m. in the afternoon. It's pretty warm outside, so you decide to turn on the AC. You observe that the AC senses the room temperature and gives out cold air. Now you observe that the sensor of the AC can be tricked by injecting your own malicious signals. Keep your eyes closed, guys. Even if you're not able to imagine it, that's fine. Keep your eyes closed. You observe that the AC senses the room temperature and gives out cold air. Now you observe that the sensor of the AC can be tricked by injecting your own malicious signal, and you do that. The AC gives out hot air. It's getting warmer and warmer again. So, mission completed. You can open your eyes now. Please turn on the lights now. You would have taken the video as the reference point to imagine these things. And ladies and gentlemen, you just did a thought experiment. It was a small one, but you did it. So imagine, that's the power of thought experiments, right? You can literally imagine what hacks can be done in our daily world, and that's the power of our mind. I have seen people, not exactly crying, but whining about the fact that there is not much work done, that they don't have enough resources and hardware and things like that to do it. But my point is, if you have the way and you have your own thoughts with you, then you can literally imagine these attacks and do them on your own. So you just did a thought experiment. Pat yourself on the back.

So, the last point, mitigations. Like I said, turning off the sensory readings by using a passive sensor is a good idea as a mitigation. Using an ADC which can take the sampling rates of the system is also a good idea. And the last idea has been implemented by the company: using a microcontroller which can determine the fake signals is also a good idea. So like I said, it's not just the hardware, it's not just the software, it's not just the embedded, but it's also the sensors which are very important and can be hacked. And I just wanted to say, keep thinking out of the box. There's a reason why all of the hackers have become great hackers, and like I say, we are all sitting on someone else's shoulders and will expect someone else to sit on our shoulders too someday. That makes us a better community; that makes the power of hacking; that's what makes us hackers. And one more thing, do more thought experiments. And here are the papers for reference. You can read these papers. One of them is by Joe Grand, the other one is the xLED one, and this one is my favorite, Detection of EMI attacks on sensor systems. Every paper is great, to be honest. And here are the references. So that's it for me, guys. Thank you. Do you have any questions?
Prathmesh: Hi, it's Prathmesh this side. When you were giving the examples of cars, what if two cars are reversing, on opposite sides, and coming close to each other? Does the same kind of issue happen with them as well?

Rishikesh: Same kind of issue happens with?

Prathmesh: The interference and all of that. So obviously it's kind of a bigger issue for a lot of car manufacturers, right? Because two cars are coming together and interfering with each other's signals. So does it happen in real time? Because I have not seen that.

Rishikesh: Well, everybody knows about Tesla, right? Tesla cars were hacked using one of these techniques. I have not mentioned it because, rather than the impact, I was focusing on the main concepts. You can replicate this particular attack using your own microcontrollers in your own systems. But I won't be responsible for it.

Prathmesh: So is this an issue, or is it still an issue?

Rishikesh: This is an issue. Yeah, it is still there. But in the mitigations I have discussed that there are some microcontrollers which are specifically designed to determine the fake signals. That can be one of the mitigations to prevent these attacks.

Prathmesh: Could you name one example?

Rishikesh: It depends upon the firmware. You cannot name a particular microcontroller. It's the way the firmware has been coded; according to that you make the changes and then flash it to your device, and that's how the microcontrollers work. Thank you. Thank you, guys.
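The ADC-level attack the talk describes (a tone injected at a frequency above the ADC's sampling rate, which the ADC "demodulates" into a plausible in-band reading) and the mitigation of an ADC or microcontroller that accounts for its own sampling rate, as an added, simulated example. This is not code from the talk, from Optic Spy, or from the papers cited. The legitimate sensor signal, the attacker's tone frequency and amplitude, the two sampling rates, and the two-rate detection heuristic are all assumptions chosen for the illustration; the detection step goes beyond what the talk states and is one way of "determining fake signals", not the one the speaker had in mind.

```python
"""Added illustration of an out-of-band signal injection attack on an ADC.

Not code from the talk or the referenced papers. The sensor signal, the
attacker's tone, the ADC sample rates and the detection heuristic are all
assumed values chosen for the simulation.
"""
import cmath
import math


def legitimate_sensor(t):
    """Assumed 'real' sensor voltage: 0.5 V offset plus a small, slow 5 Hz wobble."""
    return 0.50 + 0.01 * math.sin(2 * math.pi * 5.0 * t)


def injected_tone(t, f_attack=1005.0, amplitude=0.20):
    """Assumed attacker tone coupled onto the sensor line via EMI.

    1005 Hz is above the assumed 1000 Hz sample rate, so the ADC cannot
    represent it; it folds back to |1005 - 1000| = 5 Hz, right on top of
    the legitimate signal's band, at 20x the legitimate amplitude.
    """
    return amplitude * math.sin(2 * math.pi * f_attack * t)


def attacked_sensor(t):
    """What the ADC input pin actually sees while the tone is injected."""
    return legitimate_sensor(t) + injected_tone(t)


def adc_sample(signal, fs, n_samples):
    """Ideal ADC with no anti-alias filter: sample signal(t) every 1/fs seconds."""
    return [signal(k / fs) for k in range(n_samples)]


def alias_of(f_in, fs):
    """Frequency (Hz) at which a tone at f_in appears after sampling at fs."""
    f = f_in % fs
    return min(f, fs - f)


def peak_to_peak(samples):
    """Swing of the reading the microcontroller would act on."""
    return max(samples) - min(samples)


def dominant_frequency(samples, fs):
    """Brute-force DFT over the mean-removed samples; returns the strongest
    non-DC bin in Hz. O(n^2), fine for a few hundred samples."""
    n = len(samples)
    mean = sum(samples) / n
    centred = [s - mean for s in samples]
    best_bin, best_mag = 1, -1.0
    for k in range(1, n // 2 + 1):
        acc = sum(centred[m] * cmath.exp(-2j * math.pi * k * m / n) for m in range(n))
        if abs(acc) > best_mag:
            best_bin, best_mag = k, abs(acc)
    return best_bin * fs / n


def injection_suspected(signal, fs_a, fs_b, tolerance_hz=2.0):
    """Assumed detection heuristic: sample the same input at two different
    rates. A genuine in-band signal reports the same dominant frequency at
    both rates; an aliased out-of-band tone lands somewhere else as fs
    changes. Returns (suspected, f_at_fs_a, f_at_fs_b)."""
    n_a, n_b = int(fs_a / 5), int(fs_b / 5)  # 5 Hz bin width at either rate
    f_a = dominant_frequency(adc_sample(signal, fs_a, n_a), fs_a)
    f_b = dominant_frequency(adc_sample(signal, fs_b, n_b), fs_b)
    return abs(f_a - f_b) > tolerance_hz, f_a, f_b


if __name__ == "__main__":
    fs = 1000.0
    clean = adc_sample(legitimate_sensor, fs, 200)
    spoofed = adc_sample(attacked_sensor, fs, 200)
    print(f"1005 Hz tone aliases to {alias_of(1005.0, fs):.0f} Hz at fs={fs:.0f} Hz")
    print(f"reading swing: clean {peak_to_peak(clean):.3f} V, attacked {peak_to_peak(spoofed):.3f} V")
    for name, sig in (("clean", legitimate_sensor), ("attacked", attacked_sensor)):
        flag, fa, fb = injection_suspected(sig, 1000.0, 1300.0)
        print(f"{name}: dominant {fa:.0f} Hz @1000 Hz vs {fb:.0f} Hz @1300 Hz -> suspected={flag}")
```

Sampled at 1000 Hz the attacked input looks exactly like a large 5 Hz swing in the sensor value, which is why a rate-of-change or range check alone does not catch it; the same input sampled at 1300 Hz shows the tone at 295 Hz instead, and that disagreement is what the heuristic flags. A real front end would also put an analog anti-alias filter ahead of the ADC, which is the sampling-rate-aware design the talk's second mitigation points at.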