Posted: 12-Nov-2014 | Category: Technology | Uploaded by: defconrussia
©2013 Check Point Software Technologies Ltd.
Physical (In)security
Inbar Raz, Malware & Security Manager, Check Point Software Technologies
Types of Vulnerability Disclosures
Responsible Disclosure:
– Contact the vendor only and inform them of the vulnerability
– If asked, work with the vendor
– After 3-6 months, proceed to Full Disclosure
Full Disclosure:
– Publish all information, including POC
– Sometimes – only a video of POC
Disclosure #1
Vendor: An Online Movie Ticket Service
Field: Online shopping and entertainment
Affected Product: On-site Ticket Kiosk
Vulnerability: Multiple vulnerabilities cause the compromise of both customer and company data
Disclosure Details
On-site Kiosk
Touch Screen
Credit Card Reader
Ticket Printer
No peripherals, no interfaces
And the journey begins…
Disclosure Details
Improper interface settings allow the opening of menu options.
Menus can be used to browse for a new printer.
Disclosure Details
A limited browser is not restricted enough.
A right-click can be used…
To open a full, unlimited Windows Explorer.
Now the sky is the limit…
Disclosure Details
Browsing through the file system reveals indicative directory names…
And even more indicative file names.
Disclosure Details
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad
We can use the ticket printer to take it home
Disclosure Details
But that’s not all: RSA Keys and Certificates are also found on the drive!
Which we can print, take home and then use a free OCR software to read…
Disclosure Details
The result:
RSA Keys used to bill credit cards.
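The two findings of Disclosure #1 (plaintext card numbers and RSA private keys sitting on the kiosk drive) are exactly what a data-at-rest scan is meant to catch before an attacker does. The script below is an added example, not code from the talk or from Check Point: it walks a directory tree, reports files containing Luhn-valid card numbers (masked to first six and last four digits) and files carrying an unencrypted PEM private key header. The directory layout, file names and file contents created by build_demo_tree() are constructed for this demonstration.

```python
"""Scan a directory tree for unencrypted card numbers and private keys at rest.

Added example, not code from the talk or from Check Point: a defender's
check for the two findings of Disclosure #1 (plaintext credit card data and
RSA keys on the kiosk drive). The directory layout, file names and file
contents built by build_demo_tree() are constructed for this demonstration.
"""
import os
import re
import tempfile
from typing import Dict, List

# Candidate PANs: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run (avoids long order/serial numbers).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# PEM headers of unencrypted private key material.
PRIVATE_KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check used by card PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only the first six and last four digits in any report."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> Dict[str, List[str]]:
    """Find Luhn-valid PANs and private key headers in one file's text."""
    findings: Dict[str, List[str]] = {"pan": [], "private_key": []}
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings["pan"].append(mask(digits))
    if PRIVATE_KEY_RE.search(text):
        findings["private_key"].append("PEM private key header present")
    return findings


def scan_tree(root: str) -> Dict[str, Dict[str, List[str]]]:
    """Walk root and report every file holding card data or key material."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found = scan_text(fh.read())
            except OSError:
                continue
            if found["pan"] or found["private_key"]:
                report[os.path.relpath(path, root).replace(os.sep, "/")] = found
    return report


def build_demo_tree() -> str:
    """Create a constructed directory mimicking the kiosk's 'indicative' files."""
    root = tempfile.mkdtemp(prefix="kiosk_demo_")
    os.makedirs(os.path.join(root, "billing", "keys"))
    samples = {
        "billing/transactions.log": (
            "2013-05-01 12:31 sale 45.00 card=4111 1111 1111 1111 exp=0516\n"
            "2013-05-01 12:40 sale 12.00 card=4111-1111-1111-1112 exp=0117\n"  # fails Luhn
        ),
        "billing/keys/merchant.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEpAIBAAKCAQEA-constructed-placeholder-not-a-real-key\n"
            "-----END RSA PRIVATE KEY-----\n"
        ),
        "readme.txt": "Order 201305011234 printed ok\n",  # 12 digits: below PAN length
    }
    for rel, content in samples.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for path, found in sorted(scan_tree(build_demo_tree()).items()):
        print(path, found)
```

Run against a real kiosk image the scan would be pointed at the billing software's data and key directories; a hit on either category means card data or keys are stored without encryption, which is the condition that made the printer-and-OCR exfiltration above possible. The Luhn filter removes most order numbers and timestamps, and masking keeps the report itself from becoming another copy of the card data.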
Disclosure #2
Vendor: Point-of-Sale Manufacturer and Users
Field: Network Security
Vulnerability: Improper physical security allows access to insecure PoS devices after hours.
Disclosure Details
Point-Of-Sale devices are all around you.
Disclosure Details
Location: A bar in Tel-Aviv
During working hours – tables, chairs and PoS outside
After hours – everything is locked inside the facility
But the Ethernet port remains hot – in public space…
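The situation above (PoS locked away, but its Ethernet port still live in the public area after closing) is one that switch logs can expose: a link-up on a PoS-facing port while the venue is closed is an event nobody legitimate should be causing. The script below is an added example, not from the talk, showing that detection over a handful of constructed log lines. The key=value log format, switch name, port names, MAC addresses and opening hours are all assumptions made for this demonstration; the opening window deliberately crosses midnight, since a bar closes after it.

```python
"""Flag link-up events on PoS-facing switch ports outside business hours.

Added example, not from the talk: one detection a venue could run against
its switch logs for the situation described above (PoS locked inside, but
the Ethernet port in the public area stays live after closing). The log
format, port names, MAC addresses and opening hours are all constructed
assumptions for this demonstration.
"""
import re
from datetime import datetime, time
from typing import Dict, Iterable, List, Optional

# Assumed: switch ports that feed the outdoor PoS terminals.
POS_PORTS = {"Gi0/7", "Gi0/8"}
# Assumed opening hours; the window crosses midnight, which the check handles.
OPEN_FROM = time(10, 0)
OPEN_UNTIL = time(2, 0)

# Assumed generic key=value log line, e.g.
# "2013-06-13T03:12:44 sw-bar-1 port=Gi0/7 event=link-up mac=aa:bb:cc:dd:ee:ff"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) port=(?P<port>\S+) event=(?P<event>\S+)"
    r"(?: mac=(?P<mac>\S+))?$"
)


def during_business_hours(t: time, open_from: time = OPEN_FROM,
                          open_until: time = OPEN_UNTIL) -> bool:
    """True if t falls inside the opening window, even when it spans midnight."""
    if open_from <= open_until:
        return open_from <= t < open_until
    return t >= open_from or t < open_until


def parse_event(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "host": m["host"],
        "port": m["port"],
        "event": m["event"],
        "mac": m["mac"],
    }


def find_afterhours_linkups(lines: Iterable[str],
                            pos_ports=POS_PORTS) -> List[Dict[str, object]]:
    """Return link-up events on PoS ports that occur while the venue is closed."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event"] != "link-up" or ev["port"] not in pos_ports:
            continue
        if not during_business_hours(ev["ts"].time()):
            alerts.append(ev)
    return alerts


# Constructed sample log: one legitimate daytime link-up, one after-hours
# link-up on a PoS port (the case to catch), one on an unrelated port.
SAMPLE_LOG = [
    "2013-06-12T14:05:11 sw-bar-1 port=Gi0/7 event=link-up mac=00:1a:2b:3c:4d:5e",
    "2013-06-13T01:30:00 sw-bar-1 port=Gi0/7 event=link-down",
    "2013-06-13T03:12:44 sw-bar-1 port=Gi0/7 event=link-up mac=aa:bb:cc:dd:ee:ff",
    "2013-06-13T03:15:02 sw-bar-1 port=Gi0/12 event=link-up mac=aa:bb:cc:dd:ee:ff",
    "2013-06-13T11:00:00 sw-bar-1 port=Gi0/8 event=link-up mac=00:1a:2b:3c:4d:60",
    "not a switch log line",
]


if __name__ == "__main__":
    for ev in find_afterhours_linkups(SAMPLE_LOG):
        print(f"ALERT {ev['ts']} {ev['host']} {ev['port']} link-up from {ev['mac']}")
```

Detection like this is the safety net, not the fix: the port should not be live at all when the terminal is inside, whether by shutting it down on a schedule, requiring 802.1X authentication before the switch forwards traffic, or keeping the PoS on its own VLAN so a device plugged into the outdoor jack cannot reach the billing host or the ADSL router at all.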
Attack Vector
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up wireshark, discover IPs of live machines.
Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254
Confirm by ping (individual and broadcast)
Attack Vector
Evidence of SMB (plus prior knowledge) leads to the next step:
And the response:
Things to do with an open share
#1: Look around
#2: Create a file list
The mystery of 192.168.0.250
Answers a ping, but no SMB.
First guess: the ADSL Modem.
Try to access the Web-UI:
The mystery of 192.168.0.250
Use the full URL:
Going for the ADSL router
Reminder: We actually had this information.
Naturally, there is access control:
Want to guess?
Unlocked Achievements
Best for me, worst for them: Credit card data.
Database files (yet to be analyzed).
The program files of the billing system.
Potential attack through the internet.
Next Steps
Create a Responsible Disclosure document for the PoS manufacturer
Send an Advisory to businesses
IMPORTANT NOTICE
The bar operation was with full cooperation and consent.
DOING THIS ON YOUR OWN IS ILLEGAL.