CAS CS591 Topics in Internet Security

Kingpin ([email protected]) [L-zero-P-H-T]

Hardware and Embedded System Security Pitfalls

Introduction

  • The L0pht

    • Origin

    • Mission

    • Members

    • Who am I?

The L0pht - Origin

  • Banded together in 1992

  • Originally set out as a simple communal storage area

  • Combination of everyone’s “junk” turned into gems

  • From networks to watchdogs

  • The security puzzle

The L0pht - Mission

  • Learn and explore

  • Provide an unbiased soap-box for our views and beliefs on technology

  • Give back to the network security community without playing favorites

  • Have the place self-perpetuate (pay for itself)

The L0pht - Members

  • Weld Pond

  • John Tan

  • Brian Oblivion

  • Space Rogue




Who am I?

  • Involved w/ L0pht since inception, 1992

  • Electrical engineer, hardware hacker

  • Dial-up/telephone systems

  • Product design

Hardware and Embedded System Security Pitfalls

  • Security problems aren’t just limited to software

  • Consider all possibilities when interfacing with the outside world!

  • Any design can have fundamental flaws




Answering Machine

  • Users can access supervisory functions of various answering machines

  • “Secure” 3-digit password: max 10^3 = 1000 combinations

  • H/W jumpers determine the password: 2 * 2 * 4 = 16 combinations (371, 372, …, 485, 486)

  • AT&T Model 1320

  • Consider easy user accessibility issues for other products?

Ethernet MAC Cloning

  • MAC Address stored in easily reprogrammable Serial EEPROM

  • Can often be done from the configuration software alone

PalmOS: BeamCrack

  • One-bit flag in each database determines whether it can be “beamed” or not

  • Designed for the convenience of the application developer, not for practical security of applications


PalmOS: BeamCrack (cont.)

    // PalmOS C. The declarations below are not on the original slide; they are
    // the minimum needed to make the loop self-contained.
    UInt16  cardNo = 0;                              // card 0 holds the databases on most devices
    UInt16  numDatabases = DmNumDatabases(cardNo);
    UInt16  attributes;
    LocalID dbID;
    UInt16  i;
    Boolean dbProtect = true;                        // user's choice: true = set the beam-lock bit, false = clear it

    for (i = 0; i < numDatabases; ++i)
    {
        dbID = DmGetDatabase(cardNo, i);             // Retrieve the database ID of a database by index

        if (dbID)                                    // If it exists...
        {
            // get the current attributes, turn on/off protection, and save them.
            DmDatabaseInfo(cardNo, dbID, 0, &attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0);

            if (!(attributes & dmHdrAttrReadOnly))   // If database isn't read-only
            {
                if (dbProtect)
                    attributes = attributes | dmHdrAttrCopyPrevention;   // Set the beam-lock bit
                else
                    attributes = attributes & ~dmHdrAttrCopyPrevention;  // Remove the beam-lock bit

                DmSetDatabaseInfo(cardNo, dbID, 0, &attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0);
            }
        }
    }

Cisco Router

  • “Encrypted” password stored on the router (can be read on the configuration screen)

  • Passwords of type 7 are encoded by XOR’ing the plaintext against a constant value

Cisco Router (cont.)


Easy enough to calculate by hand!
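The slide's claim that a type 7 string can be worked out by hand can be checked with a short audit script. The following Python is an added example, not code from the talk: it reproduces the public type 7 transform (a fixed XOR key string indexed from a two-digit offset, which the slide describes only as a "constant value"), then scans a constructed IOS configuration for `password 7` lines and reports each as a finding with the recovered value. The sample configuration, the function names and the finding format are assumptions of this example.

```python
"""Audit a Cisco IOS configuration for reversible type 7 passwords.

Added example (not from the slides): type 7 "encryption" XORs each
plaintext byte against a fixed, publicly known key string, which is why
the slide calls it decodable by hand. A config review should treat every
`password 7` line as plaintext-equivalent and flag it for migration to a
hashed `secret` form.
"""
import re

# Fixed XOR key used by the IOS type 7 encoding. The first two decimal
# digits of an encoded string give the starting offset into this key.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_encode(plaintext: str, seed: int) -> str:
    """Reproduce the transform: 2-digit seed, then hex(byte XOR key byte)."""
    out = [f"{seed:02d}"]
    for i, b in enumerate(plaintext.encode("ascii")):
        k = TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
        out.append(f"{b ^ k:02X}")
    return "".join(out)


def type7_decode(encoded: str) -> str:
    """Invert the transform: the key is public, so no secret is needed."""
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]
                  for i, b in enumerate(body))
    return plain.decode("ascii")


# Matches "enable password 7 ...", "username x password 7 ..." and a bare
# " password 7 ..." inside a line/vty block.
_TYPE7_LINE = re.compile(r"^\s*(?P<ctx>.*?)password\s+7\s+(?P<enc>[0-9A-Fa-f]+)\s*$")


def audit_config(config_text: str) -> list:
    """One finding per `password 7` line, with the recovered plaintext so the
    reviewer can see the setting offers no real protection."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = _TYPE7_LINE.match(line)
        if m:
            findings.append({
                "line": lineno,
                "context": m.group("ctx").strip() or "(no prefix)",
                "recovered": type7_decode(m.group("enc")),
                "advice": "replace with a hashed 'secret' form",
            })
    return findings


# Constructed sample configuration (not from any real device).
SAMPLE_CONFIG = """\
hostname lab-router
enable password 7 0822455D0A16
username ops password 7 02050D480809
enable secret 5 $1$PLACEHOLDER$hashedvaluehere
line vty 0 4
 password 7 13361211195F106B
"""

if __name__ == "__main__":
    for f in audit_config(SAMPLE_CONFIG):
        print(f"line {f['line']:>2} {f['context']:<14} "
              f"recovered={f['recovered']!r}  {f['advice']}")
```

Run it as a script to print the findings. The defensive conclusion is the one the slide draws: a type 7 string is plaintext-equivalent, so `service password-encryption` only hides it from a glance at the screen, and credentials should be stored with the hashed `enable secret` / `username ... secret` forms instead.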

Wireless Data

  • Unencrypted, easily receivable digital data streams





  • “Who would listen?” mentality

  • Encryption could be used to authenticate, not just obfuscate the information

  • Decrease risk of “phantom controller” and spoofing
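The last three bullets describe using cryptography to authenticate the stream, so that a "phantom controller" cannot inject or replay frames. The following Python is an added example, not from the talk: it uses a keyed MAC (HMAC-SHA256) together with a sequence number, rather than encryption, to give each frame integrity, origin authentication and replay protection, and shows a receiver rejecting a replayed frame, a frame tagged with the wrong key, and a frame whose body was altered in transit. The frame layout, the key and the sample readings are constructed for this example.

```python
"""Authenticating a wireless data stream, not just obfuscating it.

Added example (not from the slides). A stream that is unprotected, or only
encrypted, lets an outsider inject its own frames. Here each frame carries
a sequence number and an HMAC-SHA256 tag over the frame contents, so the
receiver can reject frames that were forged, altered or replayed.
Key, field layout and sample readings are all constructed for the example.
"""
import hashlib
import hmac
import struct

TAG_LEN = 16  # truncated HMAC-SHA256 tag carried on each frame


def build_frame(key: bytes, seq: int, payload: bytes) -> bytes:
    """seq (4 bytes, big-endian) || payload || HMAC(key, seq || payload)[:TAG_LEN]"""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifies tags and enforces strictly increasing sequence numbers."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []
        self.rejected = []  # (reason, raw frame)

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            self.rejected.append(("truncated", frame))
            return False
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison: a plain == would leak timing about the tag.
        if not hmac.compare_digest(tag, expected):
            self.rejected.append(("bad tag", frame))
            return False
        (seq,) = struct.unpack(">I", header)
        if seq <= self.last_seq:
            self.rejected.append(("replay", frame))
            return False
        self.last_seq = seq
        self.accepted.append(body)
        return True


def demo() -> dict:
    """Constructed exchange: two genuine frames, a replay, a forgery, a tamper."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed key
    rx = Receiver(key)
    f1 = build_frame(key, 1, b"pump=on")
    f2 = build_frame(key, 2, b"valve=45")
    rx.accept(f1)
    rx.accept(f2)
    rx.accept(f1)                                        # replay of an old frame
    forged = build_frame(b"wrong-key", 3, b"pump=off")   # sender without the key
    rx.accept(forged)
    tampered = bytearray(build_frame(key, 4, b"valve=10"))
    tampered[4:12] = b"valve=99"                         # same length, altered body
    rx.accept(bytes(tampered))
    return {
        "accepted": rx.accepted,
        "rejected": [reason for reason, _ in rx.rejected],
    }


if __name__ == "__main__":
    print(demo())
```

A keyed MAC is the right primitive for the authentication the slide asks for; encryption on its own does not provide it, because a receiver cannot tell a garbled ciphertext from a genuine one without a tag. The sequence check is strictly increasing, so a lost frame is tolerated but any re-sent old frame is dropped; in a real link the counter has to survive a receiver restart or be re-synchronised, otherwise the stream is open to replay after every reboot.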


TEMPEST

  • Receive electromagnetic interference (EMI) from monitors, keyboards and recreate signal/data

  • Ways to prevent EMI: Shielding, proper circuit board design, Soft Tempest Fonts (Markus Kuhn,

Long story short...

TEMPEST (cont.)

  • Clinton Grand Jury Testimony

    • Encrypted from Point A to Point B

    • Two endpoints completely wide open!

How much better are these new technologies?

  • Smartcards, Biometrics, etc.

  • Newest buzzwords and “high-tech” gadgetry

  • Evaluate for yourself!

Dallas iButton

  • One-wire I/O interface

  • Unique technology

  • Authentication, encryption, many uses…

  • iButton Touch Memory Primer (2600 Magazine, Winter 1998-1999, vol. 15 #4)

  • Emerging area, hope to investigate further

  • E-mail me for a copy

Time-based Tokens

  • Proprietary algorithm

  • Originally designed for non-promiscuous environments (i.e. phone lines)

  • Not designed with physical tampering in mind! Should self-destruct critical information?

  • Reverse-engineered device down to circuitry level

Time-based Tokens (cont.)

  • Placement of crystal allows us to:

    • Speed it up - view more iterations to look for repeated sequences

    • Slow it down - single-step, external measurement tools (logic analyzer)

  • Serial programming terminals!

    • Set or retrieve secret number for cloning

In Closing...

  • These examples are not necessarily related to the topics in this class, but the problems are widespread

  • Be careful, be proactive, get peer review

  • Every technology has shortcomings - pick the one that best fits, and “raise the bar”


Kingpin ([email protected]) [L-zero-P-H-T]
