Who am I ?
• Julien Moinard – Electronic engineer @opale-security (French company)
• Security consultant, hardware & software pentester
• Team project leader of Hardsploit
• DIY enthusiast
16/03/2016 2
Internet of Things & Privacy concern ?
• Any IoT object could reveal information about individuals
• Wearable technology: clothes, watches, contact lenses with sensors, microphones with cameras embedded and so on
• Quantified Self: pedometers, sleep monitors, and so on
• Home automation: connected households using smart fridges, smart lighting and smart security systems, and so on
• …
Internet of Things & Privacy concern ?
• Latest news (you can update this slide every week):
Firmware can be read without any problem (SPI memory).
VTech was hacked in November, exposing millions of accounts. In response, the firm took some essential services offline, meaning products could not be registered on Christmas Day.
IoT eco-system (20,000 feet view)
• Privacy risk level: where?
- HF communication (ISM band) + Wi-Fi + 3G-5G, Bluetooth, Sigfox, LoRa etc.
- Classical wired connections
- Central servers, user interface, API, back office etc.
- IoT devices
Security-wise, is hardware the new software?
SOFTWARE – To secure it:
• Security products (firewall, antivirus, IDS, …)
• Security services (pentest, audit, …)
• Tools (an uncountable number of them)
HARDWARE – To secure it:
• Few or unimplemented solutions (encryption with the key in a secure area, anti-replay mechanisms, readout protection, …)
Hardsploit & hardware hacking basic procedure
1. Open it
2. Fingerprint all the components if you can, else automatic bruteforcing
3. Use those that may contain data (online/offline analysis?)
4. Perform read|write operations on them
5. Reverse engineer, find vulnerabilities and exploit them
Why ?
• Because chips contain interesting/private data:
- Passwords
- File systems
- Firmware
- …
How ?
• A hardware pentester needs to know electronic buses and needs to be able to interact with them:
- 1-Wire
- JTAG/SWD
- UART
- CAN
- PARALLEL
- Custom
Hardsploit framework
Same hardware, but a software update is needed to add a new protocol.
Diagram: Hardsploit <-> Input/Output <-> IoT target; database; Module (SWD, SMBus, I2C, SPI, etc.)
Hardsploit bus identification & scanner (in progress, not published yet)
Diagram: Hardsploit <-> Input/Output <-> IoT target; database of patterns; database of components; Module (I2C, SPI, etc.); IO hardware mixer; Scanner
Tool of trade
FUNCTIONALITIES | BUS PIRATE               | JTAGULATOR                    | GOODFET        | HARDSPLOIT
UART            |                          | Bus identification            |                |
SPI             |                          |                               |                |
PARALLEL        |                          |                               |                |
I2C             |                          |                               |                |
JTAG/SWD        |                          | Bus identification            |                |
MODULARITY      | Microcontroller          | Microcontroller               | Microcontroller| uC/FPGA
EASE OF USE     | Cmd line + datasheet     | Command line                  | Command line   | Official GUI/API/DB
I/O NUMBER      | <10                      | 24                            | <14            | 64 (plus power)
WIRING          | TEXT (but MOSI=SDA :) )  | TEXT/AUTOMATIC identification | TEXT           | LED/TEXT/AUTOMATIC identification
(Support cells for the protocol rows were checkmarks in the original slide and did not survive extraction.)
The board – Final version
• 64 I/O channels
• ESD protection
• Target voltage: 3.3 & 5 V
• Uses a Cyclone II FPGA
• USB 2.0
• 20 cm x 9 cm
Wiring helper
Figure: datasheet representation; Hardsploit wiring module representation; GUI <-> board interaction
What is available on GitHub (open)?
• Microcontroller (C)
• API (Ruby)
• GUI (Ruby)
• Create your own Hardsploit module: VHDL & API (Ruby)
Already available (GitHub)
• Parallel non-multiplexed memory dump
- 32 bits for address
- 8/16 bits for data
• Wiring helper
• I2C at 100 kHz, 400 kHz and 1 MHz
- Address scan
- Read, write, automatic full and partial dump
• SPI modes 0, 1, 2, 3 up to 25 MHz
- Read, write, automatic full and partial dump
• SWD interface (like JTAG but for ARM cores)
- Dump and write the firmware of most ARM CPUs
• GPIO interaction/bitbanging (API only for the moment)
- Low speed (< 500 Hz) read & write operations on 64 bits
More to come (see online roadmap)…
• Automatic bus identification & scanner (@30%)
• Component & commands sharing platform (@90%)
• TTL UART module with automatic speed detection (@80%)
• Parallel communication with multiplexed memory
• I2C sniffing (shot of 4000 bytes up to 1 MHz)
• SPI sniffing (shot of 8000/4000 bytes half/full up to 25 MHz)
• RF wireless transmission training platform (Nordic NRF24, 433 MHz, 868 MHz transceivers)
• Metasploit integration (module)??
• JTAG
• 1-Wire
• CAN bus (with hardware level adapter)
• …
Concrete case
• An electronic lock system
• 4-character PIN code A–B–C–D
• Good combination – door opens, green LED turns on
• Wrong combination – door stays closed, red LED turns on
Concrete case: hardsploit scenario
1. Open Hardsploit to create the component (if it does not exist yet)
2. Connect the component to Hardsploit (wiring helper)
3. Enter and save the component settings (if they do not exist yet)
4. Dump the content of the memories (1 click)
5. Change the door password by using commands (a few clicks)
6. Try the new password on the lock system (enjoy)
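The scenario works because the lock keeps its PIN in clear in an external memory that step 4 can dump. As an added example (not Hardsploit code, and not tied to its API), the following Ruby check lets a designer run the same question over a dump of their own product: does the configured PIN appear in clear, and which other printable strings does the image expose? The memory image and PIN below are constructed, not a real lock's layout.

```ruby
# Added example, not part of Hardsploit: inspect a raw memory dump (the output
# of step 4 in the scenario) for clear-text secrets.

# Constructed 64-byte EEPROM image: erased padding (0xFF), two config bytes,
# the 4-character PIN "A7Q2" stored in clear, a NUL terminator, more padding.
SAMPLE_PIN  = "A7Q2"
SAMPLE_DUMP = ("\xFF" * 16 + "\x01\x03" + SAMPLE_PIN + "\x00" + "\xFF" * 41).b

# Every run of at least min_len printable ASCII bytes, as [offset, text] pairs.
# Clear-text credentials, serial numbers and debug strings show up here.
def printable_runs(dump, min_len = 4)
  runs = []
  dump.b.scan(/[\x20-\x7e]{#{min_len},}/n) { runs << [$~.begin(0), $~[0]] }
  runs
end

# Byte offsets at which the configured PIN appears verbatim. An empty result
# only means a plain search fails; an obfuscated or encoded PIN is not safe.
def exposed_pin_offsets(dump, pin)
  offsets = []
  start = 0
  while (idx = dump.b.index(pin.b, start))
    offsets << idx
    start = idx + 1
  end
  offsets
end

if __FILE__ == $PROGRAM_NAME
  printable_runs(SAMPLE_DUMP).each { |off, text| printf("0x%04x  %s\n", off, text) }
  puts "PIN stored in clear at offsets: #{exposed_pin_offsets(SAMPLE_DUMP, SAMPLE_PIN).inspect}"
end
```

A non-empty result from exposed_pin_offsets is exactly the condition that lets step 5 rewrite the password with a few write commands; a design that keeps the secret in a protected area (see the hardware slide above) returns nothing here.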
Conclusion
• IoT devices are (also) prone to vulnerabilities; this tool helps you to find them
• Security policy needs to be adapted: nowadays it is not so difficult to extract data from IoT devices
• Designers need to design with security in mind
• Skills related to pentesting a hardware device are mandatory for security experts (but training exists)
• Industry needs to take care of device security
Thank you!
The Hardsploit board is available at shop-hardsploit.com (250 € / 277 USD / 370 CAD excluding VAT).
To learn more about Hardsploit and follow the development: Hardsploit.io & Opale-Security.com
• Yann ALLAIN (CEO) – [email protected] – +33645453381 – Hardware & software, pentest, audit, training
• Julien MOINARD (Project leader of Hardsploit) – [email protected] – +33972438707