1 / 42

Breaking the security of physical devices

Dr Silvio Cesare Qualys. Breaking the security of physical devices. Introduction. Lots of electronic systems Converging with computing IT security techniques can be used. Outline. Eavesdropping analog baby monitors Disabling RF-based home alarm systems Hardware tampering a home alarm

camper
Download Presentation

Breaking the security of physical devices

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Dr SilvioCesare Qualys Breaking the security of physical devices

  2. Introduction • Lots of electronic systems • Converging with computing • IT security techniques can be used

  3. Outline • Eavesdropping analog baby monitors • Disabling RF-based home alarm systems • Hardware tampering a home alarm • Defeating the keyless entry of a 2000-2005 Car

  4. Eavesdropping analog baby monitors

  5. Analog Baby monitors? • Buy new off Ebay and other places.

  6. Using Software defined radio dongles • RTL-SDR ($15) • Funcube • Antennas

  7. Using upconvertors • Lower frequencies not processed by SDR. • Upconvert frequencies. • Ham it up convertor shown:

  8. Finding the signal using spectrum analysis • High-end hardware is expensive (below left). • Cheaper hw is available (RF Explorer below). • 40MHz is pretty normal.

  9. Demodulating the signal • Use software spectrum analysis tools. • Try AM, FM demodulation. • Gqrx (Linux) • HDSDR (Windows)

  10. Mitigation • Use DECT • Yes.. I know DECT has been broken also.

  11. Disabling rf-based home alarm systems

  12. What home alarms use RF-remotes? • Heaps.. Almost everything at Big-W, K-Mart, Bunnings etc

  13. Replay attacks • Real remote sends a “fixed code” to disable system. • Attacker captures code and replays it with USRP etc. • Works on almost all home alarms. • Alarm keyfobs generally use 315 MHz and 433.92 MHz RF.

  14. The Hardware • USRP B200 right: • Antennas.

  15. Replay attacks with GNURadio • Capture: • Source is USRP, Sink is File. • Replay: • Source is File, Sink is USRP.

  16. What is in the RF signal? • Generally modulated by AM and PWM. • If we demodulate the RF signal, we can see if the remote code is fixed or rolling. • GNURadio and custom software.

  17. Amplitude (am) Modulation

  18. Pulse width modulation (pwm) • Square waves generated by am demodulation.

  19. Using cluster analysis to determine pulse widths • pycluster • Group similar widths together • Find mean in each cluster • Mean of means is the threshold.

  20. Building a $50 arduino-based hacking box • Wireless AM rx/tx pair

  21. mitigation • Use rolling codes, or challenge-response. • Buy commercial alarm systems. • Avoid K-Mart, Big-W et al.

  22. Hardware tampering an alarm system

  23. A shop at Bunnings

  24. Interfacing with the microcontroller • Disassembly reveals labelled IC (PIC) and test ports. • Solder header pins. • Attach PIC device programmer.

  25. Reading secret passcodes • Device programmer software. • Firmware protected. • Data is readable. • Reveals passcode.

  26. Potential attacks to read the firmware • Glitching? • Decapping the IC and changing the security fuse with UV light?

  27. Mitigation • Don’t label ICs. • Assume hardware hacking. • Hard to stop a well resourced attacker.

  28. Defeating the keyless entry of a 2000-2005 Car

  29. Building a dataset of button pushes

  30. Phase space analysis of the rolling codes • Used 10 years ago against TCP initial sequence numbers.

  31. Predicting prng (rolling) codes • Capture 3 codes from real remote. • Existing software to predict PRNG. • Tx with USRP.

  32. Increasing TX range • Use an amplifier.

  33. Testing codes • Capture and Replay codes. • How to stop the car receiving codes? • Use a Faraday cage: • Aluminium Foil lined Freezer bag!

  34. Defeating the keyless entry

  35. Analysing the rolling code • Format • Preamble based on remote ID. • Followed by unlock/lock/panic/trunk code. • Then 16-17 bits for security in rolling code. • Bits • 3 states per bit. • 1, 0, or a gap. • Gaps are important. • Timing • 1 is twice the pulse width as a 0. • An implicit gap after every 1 or 0. • A gap is the width of a 0. 1x1x1x1x1x1x11100x11... 1x1x1x1x1x1x11101x10... 1x1x1x1x1x1x11101x00...

  36. Analysing more • The entire rolling code sequence is of a fixed time • all the ones, zeros, and gaps sum to a fixed number. • There are fewer x’s than 1’s and 0’s. • An x never follows an x.

  37. Bruteforce? • Capture 1 transmission. • Use preamble of capture and then bruteforce rolling code part. • Generate all numbers in range. • Exclude numbers not meeting constraints. • Fewer than 1 million possibilities.

  38. Does it work? • Unlocks generally in under 2 hours.

  39. Hmm.. What’s this – a Backdoor? • Some codes in bruteforce list ALWAYS unlock the car. • Once known, unlocking car takes seconds not hours. • Appears to be a manufacturer backdoor. • TODO: How to generate from 1 capture without bruteforcing.

  40. Mitigation • Hard to mitigate without a recall. • Recall is never going to happen. • Install an aftermarket keyless entry or just upgrade your car. • For car makers: • Don’t use an algorithm to generate the rolling codes. • Don’t put in backdoors.

  41. Future work • Silicon analysis • Firmware recovery

  42. Conclusion • Hardware hacking is fun. • Lots of real-world devices vulnerable. • PRNG attacks against rolling codes have been mostly uninvestigated.

More Related