
Hack Hardware

Date post: 22-Jun-2015
Upload: ritcher-hardy
Description:
hardware hacking
Transcript
Page 1: Hack Hardware

Hacking Hardware

Some materials adapted from Sam Bowne

Page 2: Hack Hardware

Physical access

Lock bumping: see next slides.

Don't rely solely on locks: use two-factor authentication

– PIN keypad
– Fingerprint
– Security guard

Cloning access cards: not so easy.

– Magstripe vs RFID cards
– Open RFID reader, and an RFID hack reader and writer.

Page 3: Hack Hardware

Normal Key

Page 4: Hack Hardware

Bump Key

Every key pin falls to its lowest point

The key is hit with a screwdriver to create mechanical shocks

The key pins move up and briefly pass through the shear line

The lock can be opened at the instant the key pins align on the shear line

Page 5: Hack Hardware

Even Medeco locks used in the White House can be bumped

Page 6: Hack Hardware

Magstripe Cards

ISO Standards specify three tracks of data

There are various standards, but usually no encryption is used

Page 7: Hack Hardware

Magstripe Card Reader/Writer

USB connector

About $350

Page 8: Hack Hardware

Magnetic-Stripe Card Explorer

Page 9: Hack Hardware

Hacking RFID Cards

RFID cards use radio signals instead of magnetism

Now required in passports

Data can be read at a distance, and is usually unencrypted

Mifare is the most widely deployed brand of secure RFID chips (vulnerabilities).

Page 10: Hack Hardware

Cloning Passports

$250 in equipment

Can steal passport data from a moving car

Page 11: Hack Hardware

Boston Subway Hack

The Massachusetts Bay Transportation Authority claims that they added proprietary encryption to make their MiFare Classic cards secure

But Ron Rivest's students from MIT hacked into it anyway

Page 12: Hack Hardware

ATA Hard Drives

Bypassing ATA password security

• Two kinds of ATA (AT Attachment) interfaces are used

• PATA (Parallel ATA) – IDE is now called PATA

• SATA (Serial ATA) – Newer and faster than PATA

Page 13: Hack Hardware

ATA Security

Requires a password to access the hard disk

Virtually every hard drive made since 2000 has this feature

It is part of the ATA specification, and thus not specific to any brand or device.

Does not encrypt the disk, but prevents access

Countermeasures

• Don't trust ATA Security
• Encrypt the drive with BitLocker, TrueCrypt, PGP, etc.

Page 14: Hack Hardware

ATA Password Virus

ATA Security is used on Microsoft Xbox hard drives and laptops

BUT desktop machines' BIOS is often unaware of ATA security

An attacker could turn on ATA security, and effectively destroy a hard drive, or hold it for ransom

The machine won't boot, and no BIOS command can help

This is only a theoretical attack at the moment

Page 15: Hack Hardware

Bypassing ATA Passwords

Hot Swap

– With an unlocked drive plugged in, enter the BIOS and navigate to the menu that allows you to set a HDD Password
– Plug in the locked drive and reset the password

Use factory default master password

– Not easy to find
– Some examples given in 2600 magazine volume 26 number 1

Page 16: Hack Hardware

Bypassing ATA Passwords

Vogon Password Cracker POD

– Changes the password from a simple GUI
– Allows law enforcement to image the drive, then restore the original password, so the owner never knows anything has happened

Works by accessing the drive service area

– A special area on a disk used for firmware, geometry information, etc.
– Inaccessible to the user

Page 17: Hack Hardware

USB drives

U3: Software on a Flash Drive

Carry your data and your applications in your pocket!

It’s like a tiny laptop!

Page 18: Hack Hardware

U3 Launchpad

Just plug it in, and the Launchpad appears

Run your applications on anyone’s machine

Take all data away with you


Page 19: Hack Hardware

How U3 Works

The U3 drive appears as two devices in My Computer

– A “Removable Disk”
– A hidden CD drive named “U3”

The CD contains software that automatically runs on computers that have Autorun enabled

For more details, see http://www.everythingusb.com/u3.html


Page 20: Hack Hardware

Hacking Software On The Disk Partition

PocketKnife is a suite of powerful hacking tools that lives on the disk partition of the U3 drive

Just like any other application

You can create a custom file to be executed when a U3 drive is plugged in

Or replace the original CD part by a hack.


Page 21: Hack Hardware

U3 PocketKnife

Steal passwords

Product keys

Steal files

Kill antivirus software

Turn off the Firewall

And more…

Page 22: Hack Hardware

Military Bans USB Thumb Drives


Page 23: Hack Hardware

USB drives Risk Reduction

Traditional

– Block all USB devices in Group Policy
– Disable AutoRun
– Glue USB ports shut (?!?!)

Better Solution: IEEE 1667

– Standard Protocol for Authentication in Host Attachments of Transient Storage Devices
– USB devices can be signed and authenticated, so only authorized devices are allowed in Windows 7, Linux.
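
"Disable AutoRun" only covers a U3 stick if the policy applies to both devices it presents, the removable disk and the emulated CD drive. The following is an added example, not part of the original slides: it decodes the Windows NoDriveTypeAutoRun policy bitmask and reports which U3 device would still AutoRun. The function names and sample values are constructed for illustration.

```python
# Added example: decode the Windows NoDriveTypeAutoRun policy bitmask.
# A set bit DISABLES AutoRun for that drive type (registry value under
# ...\CurrentVersion\Policies\Explorer). Helper names are illustrative.

DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "cdrom",
    0x40: "ramdisk",
    0x80: "unknown-reserved",
}

# A U3 stick enumerates as two devices (see "How U3 Works" above).
U3_DEVICES = {"Removable Disk": "removable", 'hidden CD drive "U3"': "cdrom"}


def autorun_enabled_types(mask):
    """Return the drive types for which AutoRun is still allowed."""
    if not 0 <= mask <= 0xFF:
        raise ValueError("NoDriveTypeAutoRun is a single byte (0x00-0xFF)")
    return sorted(name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit)


def u3_exposure(mask):
    """Map each U3 device to True if the policy still lets it AutoRun."""
    enabled = set(autorun_enabled_types(mask))
    return {dev: kind in enabled for dev, kind in U3_DEVICES.items()}


def audit(mask):
    """One-line verdict for a given policy value."""
    exposed = [dev for dev, hit in u3_exposure(mask).items() if hit]
    if not exposed:
        return "OK: AutoRun disabled for both U3 devices"
    return "EXPOSED: AutoRun still allowed for " + ", ".join(exposed)


if __name__ == "__main__":
    # Constructed sample policy values, not read from a real host.
    for sample in (0x00, 0x04, 0x95, 0xFF):
        print(f"0x{sample:02X}: {audit(sample)}")
```

A value that disables AutoRun for removable drives only (0x04) still leaves the emulated CD drive covered by AutoRun; 0xFF disables it for every drive type.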


Page 24: Hack Hardware

Default Configuration

Example: ASUS Eee PC Rooted Out of the Box

The Eee PC 701 shipped with Xandros Linux

The Samba file-sharing service was on by default

It was a vulnerable version, easily rooted by Metasploit

Easy to learn, Easy to work, Easy to root

Page 25: Hack Hardware

Default Passwords

Many devices ship with default passwords that are often left unchanged

– Especially routers (seen before)

Page 26: Hack Hardware

ATM Passwords

In 2008, these men used default passwords to reprogram ATM machines to hand out $20 bills like they were $1 bills

Page 27: Hack Hardware

Bluetooth Attacks

Bluetooth supports encryption, but it's off by default, and the password is 0000 by default

Page 28: Hack Hardware

Reverse Engineering Hardware

Mostly an engineering endeavor

Mapping the device

Sniffing the bus data

Firmware reversing

JTAG -- testing interface device for printed circuit boards.

Read the book for more details.

