
Physical (In)security: It’s not all about Cyber…


Presentation Transcript


  1. Physical (In)security: It’s not all about Cyber… Inbar Raz, Malware & Security Research Manager, Check Point Software Technologies

  2. Background • Who am I? • I like to reverse things – software, hardware, ideas, rules. • I like to find problems and have them fixed (by others…) • What do I do? • Run Malware & Security Research at Check Point • Create Responsible Disclosures • Concentrate on “little to no-skills needed” • Easier to demonstrate and convince

  3. Example #1: Movie Ticket Kiosk • On-site Kiosk • Touch Screen • Credit Card Reader • Ticket Printer • No peripherals, No interfaces

  4. The Attack • Improper interface settings allow the opening of menu options. • Menus can be used to browse for a new printer.

  5. The Attack • A limited Windows Explorer is not restricted enough. • A right-click can be used… • To open a full, unrestricted Windows Explorer.

  6. The Attack • Browsing through the file system reveals interesting directory names… • And even more interesting file names.

  7. The Attack • Bingo: Credit Card Data (Unencrypted!) • Tools of the trade: Notepad • We can use the ticket printer to take it home

  8. The Attack • But that’s not all: RSA Keys and Certificates are also found on the drive! • Which we can print, take home and then use a free OCR software to read…

  9. The Attack • The result: RSA Keys used to bill credit cards.

  10. Example #1: Summary • Device purpose: Print purchased Movie Tickets • Data on device: Credit Card data and Encryption Keys • Method used to hack: 1 finger
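The two finds on the kiosk, card data and RSA key material sitting unencrypted on the drive, are exactly what an owner can sweep for before someone with one finger does. The scanner below is an added example, not the speaker's code: it walks a file tree and reports Luhn-valid card numbers and PEM key or certificate markers. The sample text it checks is constructed here, and the well-known Visa test number in it is used only because it passes the Luhn check.

```python
import re
import sys
from pathlib import Path

# Added example (not from the talk): sweep a kiosk's file system for the two
# artefacts found on slides 7-9, unencrypted card numbers and private keys.

# 13-19 digits, optionally separated by single spaces or dashes, not glued
# to other digits. Luhn is applied afterwards to cut the false positives.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# PEM markers for key material that should never live on a ticket printer.
KEY_MARKERS = (
    "-----BEGIN RSA PRIVATE KEY-----",
    "-----BEGIN PRIVATE KEY-----",
    "-----BEGIN EC PRIVATE KEY-----",
    "-----BEGIN CERTIFICATE-----",
)

# Constructed sample: one valid test PAN, one that fails Luhn, one key header.
SAMPLE = """ticket 00123 sold 2013-04-01
PAN=4111-1111-1111-1111 EXP=12/15
PAN=4111111111111112 (mistyped, fails Luhn)
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAnotarealkeyjustaplaceholderline
-----END RSA PRIVATE KEY-----
"""


def luhn_ok(digits: str) -> bool:
    """Luhn checksum as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid 13-19 digit numbers found in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def find_key_material(text: str) -> list:
    """Return the PEM markers present in text."""
    return [marker for marker in KEY_MARKERS if marker in text]


def scan_tree(root, max_bytes=5_000_000) -> list:
    """Walk a directory; return (path, kind, detail) for every hit."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > max_bytes:
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        hits += [(str(path), "pan", pan) for pan in find_pans(text)]
        hits += [(str(path), "key-material", mk) for mk in find_key_material(text)]
    return hits


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, kind, detail in scan_tree(root):
        print(f"{kind:13} {path}: {detail[:6]}...")  # print a prefix only
```

Luhn is a filter, not proof: roughly one in ten random 16-digit strings passes it, so treat hits as leads to open in a hex viewer, not as a finding on their own. Binary files are read with decoding errors ignored, which is enough to catch keys and logs but will miss numbers inside compressed or encrypted containers.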

  11. Example #2: Point-of-Sale Device • Point-Of-Sale devices are all around you.

  12. The Attack • PoS Device located outside business during the day • At the end of the day, it is locked inside the business

  13. The Attack • But one thing is left outside, in the street:

  14. The Attack • In the past – play hacker/script kiddie with BackTrack. • Today: Fire up wireshark, discover IPs of live machines.

  15. The Attack • In the past – play hacker/script kiddie with BackTrack. • Today: Fire up wireshark, discover IPs of live machines. • Detected IP addresses: • 192.168.0.1 • 192.168.0.2 • 192.168.0.4 • 192.168.0.250 • 192.168.0.254 • Confirm by ping (individual and broadcast)

  16. The Attack • Evidence of SMB (plus prior knowledge) leads to the next step: • And the response:

  17. Things to do with an open share • #1: Look around • Establish possible attack vectors [Restricted] ONLY for designated groups and individuals

  18. Things to do with an open share • #1: Look around • Establish possible attack vectors • #2: Create a file list • Not like stealing data, but very helpful

  19. The mystery of 192.168.0.250 • Answers a ping, but no SMB. • First guess: the ADSL Modem. • Try to access the Web-UI:

  20. The mystery of 192.168.0.250 • Use the full URL:

  21. Going for the ADSL router • Reminder: We actually had this information.

  22. Going for the ADSL router • Naturally, there is access control: • Want to guess?

  23. Example #2: Summary • Device purpose: Cash Register and Local Server • Data on device: Credit Card data, Customer Database • Method used to hack: MacBook Pro, Free Software

  24. Other opportunities • A Medical Clinic in Tel-Aviv • Complete disregard for attendance systems

  25. Other opportunities • A Hospital in Tel-Aviv

  26. Other opportunities • An ATM at a shopping mall
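Slides 14 to 19 do the discovery by hand in Wireshark: watch the wire, collect the addresses that talk, note who answers on SMB and who chatters NetBIOS, and treat the host that answers but serves no shares as the gateway candidate. The script below is an added example (not code from the talk) that does the same triage over a text capture. The capture is constructed in tcpdump -nn style using the deck's address range, and the ".255 is broadcast" heuristic assumes a /24.

```python
import re

# Added example (not from the talk): passive host and service triage from a
# saved capture, the step done by eye in Wireshark on slides 14-16.

# Constructed capture in tcpdump -nn style; the addresses mirror the deck.
CAPTURE = """\
12:00:01.000001 ARP, Reply 192.168.0.1 is-at 02:00:00:00:00:01, length 46
12:00:01.100000 IP 192.168.0.2.49152 > 192.168.0.1.445: Flags [S], seq 10, win 8192, length 0
12:00:01.100400 IP 192.168.0.1.445 > 192.168.0.2.49152: Flags [S.], seq 20, ack 11, win 65535, length 0
12:00:02.000000 IP 192.168.0.4.137 > 192.168.0.255.137: UDP, length 50
12:00:02.500000 IP 192.168.0.254.138 > 192.168.0.255.138: UDP, length 201
12:00:03.000000 IP 192.168.0.250.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300
12:00:04.000000 IP 192.168.0.2.49153 > 192.168.0.254.445: Flags [S], seq 30, win 8192, length 0
12:00:04.000300 IP 192.168.0.254.445 > 192.168.0.2.49153: Flags [S.], seq 40, ack 31, win 65535, length 0
"""

IP_RE = re.compile(r" IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+): (.*)")
ARP_RE = re.compile(r" ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ")
SMB_PORTS = {139, 445}
NETBIOS_PORTS = {137, 138}


def is_broadcast(ip: str) -> bool:
    # Assumption: a /24, so x.x.x.255 is the directed broadcast.
    return ip == "255.255.255.255" or ip.endswith(".255")


def triage(capture: str) -> dict:
    """Return the hosts seen and what each appears to serve."""
    hosts, smb_servers, netbios_talkers, dhcp_servers = set(), set(), set(), set()
    for line in capture.splitlines():
        arp = ARP_RE.search(line)
        if arp:  # an ARP reply is the cheapest proof that a host is live
            hosts.add(arp.group(1))
            continue
        m = IP_RE.search(line)
        if not m:
            continue
        src, sport, dst, dport, rest = m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)
        for ip in (src, dst):
            if not is_broadcast(ip):
                hosts.add(ip)
        if sport in SMB_PORTS and "Flags [S.]" in rest:  # SYN-ACK from 445/139: a live SMB listener
            smb_servers.add(src)
        if sport in NETBIOS_PORTS and is_broadcast(dst):  # NetBIOS name/datagram chatter
            netbios_talkers.add(src)
        if sport == 67:  # DHCP server: usually the modem/router on a network this size
            dhcp_servers.add(src)
    return {
        "hosts": hosts,
        "smb_servers": smb_servers,
        "netbios_talkers": netbios_talkers,
        "dhcp_servers": dhcp_servers,
        # Live but not serving SMB: the "192.168.0.250" class, try a web UI next.
        "no_smb": hosts - smb_servers,
    }


if __name__ == "__main__":
    for key, value in triage(CAPTURE).items():
        print(f"{key:16} {sorted(value)}")
```

The active confirmation from the deck is deliberately left out so the block runs offline: a ping to each host and to the broadcast address, then `smbclient -L //192.168.0.1 -N` for an anonymous share listing, is the step that turns "speaks SMB" into "has an open share". The lesson is not the tooling but the exposure: a network cable that stays in the street after the register is locked up puts anyone with a laptop on the same segment as the cash register and the router.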

  27. Example #3: Hospital Smart TV • Features • Watch TV • Listen to music • VOD • Browse the Internet • Peripherals: • Touch Screen • Credit Card Reader • Earphones • And… • USB…

  28. The Attack • Start with a USB Keyboard • Numlock works • Nothing else does • Power off, Power on, F11

  29. Our options are opening up. • Let’s boot something else • BackTrack (Kali): Never leave home without it

  30. But I’m facing a problem • Even though I’m set to DHCP, I have no IP address. • An examination of the config files reveals the problem:

      # The loopback interface, this is the default configuration:
      auto lo
      iface lo inet loopback
      pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
      pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

      # The first network interface.
      # In this case we want to receive an IP-address through DHCP:
      auto eth0
      iface eth0 inet dhcp
      # In this case we have a wired network:
      wpa-driver wired
      # Tell the system we want to use WPA-Supplicant
      # with our configuration file:
      wpa-conf /etc/wpa_supplicant.conf
      pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

  31. But I’m facing a problem • Even though I’m set to DHCP, I have no IP address. • An examination of the config files reveals the problem. • But this is Linux, everything is in text files:

      network={
          key_mgmt=IEEE8021X
          eap=TTLS MD5
          identity="a*****c"
          anonymous_identity="a*****c"
          password="*****"
          phase1="auth=MD5"
          phase2="auth=PAP password=*****"
          eapol_flags=0
      }

  32. But I’m facing a problem • Even though I’m set to DHCP, I have no IP address. • An examination of the config files reveals the problem. • But this is Linux, everything is in text files. • I copy the files, and try again.
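That wpa_supplicant.conf is the whole secret to the hospital network: wired 802.1X with EAP-MD5 or TTLS, inner PAP, no CA certificate, and a shared password in clear on a disk that anyone with a USB stick and F11 can boot around. The audit below is an added example, not code from the talk. It parses a wpa_supplicant.conf, flags those settings, and carries a hardened per-device EAP-TLS block for comparison; both configs, and every hostname, path and identity in them, are constructed placeholders.

```python
# Added example (not from the talk): audit the 802.1X settings in a
# wpa_supplicant.conf and compare a weak block with a hardened one.

# Constructed; modelled on the recovered file with placeholder credentials.
WEAK = """
# Outer EAP-MD5 or TTLS, inner PAP, no CA certificate, shared password in clear.
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="device-user"
    anonymous_identity="device-user"
    password="device-password"
    phase1="auth=MD5"
    phase2="auth=PAP"
    eapol_flags=0
}
"""

# Constructed; per-device certificate, server pinned to a CA and a name.
HARDENED = """
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="tv-0042@hospital.example"
    ca_cert="/etc/cert/nac-ca.pem"
    domain_suffix_match="radius.hospital.example"
    client_cert="/etc/cert/tv-0042.pem"
    private_key="/etc/cert/tv-0042.key"
    eapol_flags=0
}
"""

TUNNELLED = {"TLS", "TTLS", "PEAP", "FAST"}  # methods that rely on a server certificate


def parse_networks(text: str) -> list:
    """Return one dict per network={...} block; quoted values lose their quotes."""
    networks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip().strip('"')
    return networks


def audit(text: str) -> list:
    """Return (code, explanation) for every weak 802.1X setting found."""
    findings = []
    for n, net in enumerate(parse_networks(text)):
        key_mgmt = net.get("key_mgmt", "")
        if "IEEE8021X" not in key_mgmt and "WPA-EAP" not in key_mgmt:
            continue  # not an EAP network, nothing to say
        methods = set(net.get("eap", "").upper().split())
        if "MD5" in methods:
            findings.append(("EAP_MD5", f"network {n}: EAP-MD5 offered; no server "
                             "authentication, no tunnel, a captured exchange is dictionary-attackable"))
        if methods & TUNNELLED and not (net.get("ca_cert") or net.get("ca_path")):
            findings.append(("NO_CA_CERT", f"network {n}: no ca_cert/ca_path, so any rogue "
                             "authenticator on the wire is accepted and can harvest the inner credential"))
        if "AUTH=PAP" in net.get("phase2", "").upper():
            findings.append(("INNER_PAP", f"network {n}: inner PAP sends the password in clear "
                             "inside the tunnel; fatal when the server is not validated"))
        password = net.get("password")
        if password is not None and not password.startswith("hash:"):
            findings.append(("PLAINTEXT_PASSWORD", f"network {n}: shared password stored in clear; "
                             "whoever can boot the box from USB walks off with network access"))
    return findings


def finding_codes(text: str) -> set:
    return {code for code, _ in audit(text)}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, [code for code, _ in audit(cfg)] or "no findings")
```

The hardened block only moves the problem from a password to a private key file; on a device that boots whatever is on the USB port, that key walks out just as easily, so it belongs on an encrypted volume or in a TPM, and the firmware boot order and boot menu (the "Power off, Power on, F11" step) need a password before any of this matters. A per-device certificate at least limits the blast radius to one TV rather than every unit sharing one account.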

  33. What next? • Find out where we are (external IP) • Proof-of-Concept: Open reverse shell

  34. But it’s not enough… • Further analysis of files reveals a lead: http://192.168.0.250/client/ • This is the actual User Interface:

  35. So the next logical step is…

  36. So what’s next? • We lost access to the devices • At least easy access • Complete the report and go for disclosure However… • Turns out other hospitals have the same device • So now we wait for someone to get sick…

  37. Example #3: Summary • Device purpose: Smart TV for Hospital Patients • Data on device: Network Encryption Keys, Possible access to other networks • Method used to hack: USB Drive, Free Software, Keyboard, Mouse

  38. Questions?
