Physical (In)security: It’s not all about Cyber…

Inbar Raz, Malware & Security Research Manager, Check Point Software Technologies

Background
  • Who am I?
    • I like to reverse things – software, hardware, ideas, rules.
    • I like to find problems and have them fixed (by others…)
  • What do I do?
    • Run Malware & Security Research at Check Point
    • Create Responsible Disclosures
    • Concentrate on “little to no skills needed”
      • Easier to demonstrate and convince
Example #1: Movie Ticket Kiosk
  • On-site Kiosk
  • Touch Screen
  • Credit Card Reader
  • Ticket Printer
  • No peripherals, no interfaces
The Attack
  • Improper interface settings allow the opening of menu options.
  • Menus can be used to browse for a new printer.

The Attack
  • A limited Windows Explorer is not restricted enough.
  • A right-click can be used…
  • To open a full, unrestricted Windows Explorer.

The Attack
  • Browsing through the file system reveals interesting directory names…
  • And even more interesting file names.

The Attack
  • Bingo: Credit Card Data (Unencrypted!). Tools of the trade: Notepad
  • We can use the ticket printer to take it home 

The Attack
  • But that’s not all: RSA Keys and Certificates are also found on the drive!
  • Which we can print, take home and then use free OCR software to read…

The Attack
  • The result: RSA Keys used to bill credit cards.
Example #1: Summary
  • Device purpose: Print purchased Movie Tickets
  • Data on device: Credit Card data and Encryption Keys
  • Method used to hack: 1 finger
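What the kiosk walk-through amounts to, as a script: the check a reviewer would run over a device image before it ships, looking for exactly the two things found here, card numbers in clear text and private keys on the drive. This is an added example, not code from the talk; the directory tree, file names and log lines in demo() are constructed for the demo, and the card numbers are the public Visa/Mastercard test numbers, not real accounts.

```python
"""Scan a device's file system for unencrypted card numbers and private keys.

Added example; not code from the talk. It turns the kiosk walk-through
("browse the file system with Explorer, open files in Notepad") into the
check a reviewer would script before shipping a device. The directory tree,
file names and log lines in demo() are constructed; the card numbers are the
public Visa/Mastercard test numbers, not real accounts.
"""
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# PEM headers that mark private key material (PKCS#1 RSA, EC, PKCS#8, encrypted PKCS#8).
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; drops most random digit runs (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str):
    """Return (list of Luhn-valid PANs, True if a PEM private key header is present)."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            pans.append(digits)
    return pans, bool(KEY_RE.search(text))


def scan_tree(root: str, max_bytes: int = 4 * 1024 * 1024) -> dict:
    """Walk root; map each offending file (relative path) to what was found.

    Files are decoded as latin-1 so binary content never raises; only the
    first max_bytes of each file are examined.
    """
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                text = fh.read(max_bytes).decode("latin-1")
            pans, key = scan_text(text)
            if pans or key:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings[rel] = {"pans": pans, "private_key": key}
    return findings


def demo() -> dict:
    """Build a constructed kiosk-like tree in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Billing", "keys"))
    samples = {
        "Billing/transactions.log": (
            "2013-06-01 19:02 SALE 4111 1111 1111 1111 EXP 11/15 AMT 42.00\n"
            "2013-06-01 19:05 SALE 5500000000000004 EXP 02/16 AMT 84.00\n"
            "2013-06-01 19:07 REF 1234567890123456 order id, fails Luhn\n"
        ),
        "Billing/keys/merchant.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEowIBAAKCAQEA(truncated placeholder)\n"
            "-----END RSA PRIVATE KEY-----\n"
        ),
        "Billing/keys/merchant.crt": (
            "-----BEGIN CERTIFICATE-----\nMIIC(truncated placeholder)\n-----END CERTIFICATE-----\n"
        ),
        "readme.txt": "Ticket kiosk build 3.2, support phone +972 3 123 4567\n",
    }
    for rel, content in samples.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(content)
    return scan_tree(root)
```

The Luhn filter is what keeps the scanner usable: order numbers, phone numbers and timestamps are all digit runs, and without it every log file lights up. Certificates are deliberately not reported; only private key material is a finding.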
Example #2: Point-of-Sale Device
  • Point-of-Sale devices are all around you.
The Attack
  • PoS Device located outside the business during the day
  • At the end of the day, it is locked inside the business
  • But one thing is left outside, in the street:
The Attack
  • In the past – play hacker/script kiddie with BackTrack.
  • Today: Fire up Wireshark, discover IPs of live machines.
  • Detected IP addresses:
    • 192.168.0.1
    • 192.168.0.2
    • 192.168.0.4
    • 192.168.0.250
    • 192.168.0.254
  • Confirm by ping (individual and broadcast)
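The Wireshark step scripted: hosts are inferred from what they transmit (NetBIOS broadcasts, SMB sessions, ping replies) without sending a single packet, and each one is tagged with the next step the slides take. This is an added example, not code from the talk. It reads the tab-separated output of `tshark -r cap.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport`; SAMPLE_CAPTURE is constructed to mirror the five hosts named on the slides and is not a real capture.

```python
"""Passive host discovery from a Wireshark/tshark capture.

Added example; not code from the talk. It scripts the "fire up Wireshark,
discover IPs of live machines" step: nothing is transmitted, hosts are
inferred from what they send (NetBIOS broadcasts are especially chatty).
Input is the tab-separated output of
  tshark -r cap.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.dstport -e udp.dstport
(an empty field where the protocol has no such value). SAMPLE_CAPTURE is
constructed to mirror the hosts named on the slides; it is not a real capture.
"""
import ipaddress
from collections import defaultdict

SMB_TCP = {139, 445}       # SMB over NetBIOS session / direct-hosted SMB
NETBIOS_UDP = {137, 138}   # NBNS and browser datagrams: hosts announce themselves unprompted

SAMPLE_CAPTURE = "\n".join([
    "192.168.0.4\t192.168.0.255\t17\t\t137",   # .4 asks NBNS on the broadcast address
    "192.168.0.2\t192.168.0.255\t17\t\t138",   # .2 browser announcement
    "192.168.0.2\t192.168.0.1\t6\t445\t",      # .2 talks SMB to .1
    "192.168.0.1\t192.168.0.2\t6\t49211\t",    # reply to an ephemeral port
    "192.168.0.4\t192.168.0.1\t6\t139\t",
    "192.168.0.254\t192.168.0.1\t6\t445\t",
    "192.168.0.2\t192.168.0.250\t1\t\t",       # ping request and reply: .250 is alive...
    "192.168.0.250\t192.168.0.2\t1\t\t",       # ...but offers nothing else in this capture
    "192.168.0.2\t8.8.8.8\t17\t\t53",          # off-subnet traffic is ignored
])


def parse_fields(text):
    """tshark -T fields lines -> (src, dst, proto, dst_port) tuples; frames without IPs are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("\t")
        parts += [""] * (5 - len(parts))
        src, dst, proto, tcp_port, udp_port = parts[:5]
        if not src or not dst:              # ARP and other non-IP frames
            continue
        port = int(tcp_port or udp_port) if (tcp_port or udp_port) else None
        records.append((src, dst, int(proto) if proto else None, port))
    return records


def triage(records, subnet="192.168.0.0/24"):
    """Classify each local host by what it was seen doing.

    Returns {ip: {"ports": service ports it was addressed on, "protos": IP
    protocol numbers seen, "announced": sent NetBIOS broadcasts, "role": str}}.
    """
    net = ipaddress.ip_network(subnet)
    bcast = str(net.broadcast_address)
    hosts = defaultdict(lambda: {"ports": set(), "protos": set(), "announced": False})

    def local(ip):
        return ipaddress.ip_address(ip) in net and ip != bcast

    for src, dst, proto, port in records:
        if local(src):
            hosts[src]["protos"].add(proto)
            if dst == bcast and proto == 17 and port in NETBIOS_UDP:
                hosts[src]["announced"] = True
        if local(dst):
            hosts[dst]["protos"].add(proto)
            if port is not None and port < 1024:   # service ports only; ignore ephemeral reply ports
                hosts[dst]["ports"].add(port)

    for info in hosts.values():
        if info["ports"] & SMB_TCP:
            info["role"] = "smb-server"   # next step on the slides: try a null-session share listing
        elif info["protos"] == {1}:
            info["role"] = "ping-only"    # answers ping, no service seen: the slides' 192.168.0.250
        else:
            info["role"] = "client"
    return dict(hosts)


def live_hosts(hosts):
    """Sorted list of discovered local IPs (numeric order, not string order)."""
    return sorted(hosts, key=ipaddress.ip_address)


def demo():
    return triage(parse_fields(SAMPLE_CAPTURE))
```

The defender's reading of the same script: everything it learns was volunteered by the hosts on a jack that sits in the street, which is why the fix is port security and 802.1X on that jack, not a firewall rule on the server.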
The Attack
  • Evidence of SMB (plus prior knowledge) leads to the next step:
  • And the response:
Things to do with an open share
  • #1: Look around
    • Establish possible attack vectors
  • #2: Create a file list
    • Not like stealing data, but very helpful

[Restricted] ONLY for designated groups and individuals

The mystery of 192.168.0.250
  • Answers a ping, but no SMB.
  • First guess: the ADSL modem.
  • Try to access the Web-UI:
  • Use the full URL:
Going for the ADSL router
  • Reminder: We actually had this information.
  • Naturally, there is access control:
  • Want to guess?
Example #2: Summary
  • Device purpose: Cash Register and Local Server
  • Data on device: Credit Card data, Customer Database
  • Method used to hack: MacBook Pro, Free Software

Other opportunities
  • A Medical Clinic in Tel-Aviv
    • Complete disregard for attendance systems
  • A Hospital in Tel-Aviv
  • An ATM at a shopping mall

Example #3: Hospital Smart TV
  • Features
    • Watch TV
    • Listen to music
    • VOD
    • Browse the Internet
  • Peripherals:
    • Touch Screen
    • Credit Card Reader
    • Earphones
    • And… USB…
The Attack
  • Start with a USB Keyboard
    • Numlock works
    • Nothing else does
  • Power off, Power on, F11

Our options are opening up.
  • Let’s boot something else
  • BackTrack (Kali): Never leave home without it

But I’m facing a problem
  • Even though I’m set to DHCP, I have no IP address.
  • An examination of the config files reveals the problem (the wired port is 802.1X-authenticated, so DHCP only works after wpa_supplicant has logged in):

    # The loopback interface, this is the default configuration:
    auto lo
    iface lo inet loopback
    pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
    pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
    # The first network interface.
    # In this case we want to receive an IP-address through DHCP:
    auto eth0
    iface eth0 inet dhcp
    # In this case we have a wired network:
    wpa-driver wired
    # Tell the system we want to use WPA-Supplicant
    # with our configuration file:
    wpa-conf /etc/wpa_supplicant.conf
    pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

  • But this is Linux, everything is in text files 

    network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="a*****c"
        anonymous_identity="a*****c"
        password="*****"
        phase1="auth=MD5"
        phase2="auth=PAP password=*****"
        eapol_flags=0
    }

  • I copy the files, and try again.

[Restricted] ONLY for designated groups and individuals
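The wpa_supplicant.conf above is worth auditing as a config, not just copying: an MD5-based EAP method, no CA certificate (so any authenticator is trusted), a clear-text password and an outer identity equal to the real one are each a finding on their own. The script below is an added example, not code from the talk: it parses the network={...} format and flags those weaknesses, then runs the same audit over a constructed EAP-TLS equivalent. WEAK_CONF mirrors the shape of the file on the slides with placeholder values; HARDENED_CONF, its file paths and its host names are all constructed for this example.

```python
"""Audit wpa_supplicant.conf network blocks for the weaknesses on the slides.

Added example; not code from the talk. It parses the network={...} format the
set-top box used and flags what a reviewer would raise: no CA configured, an
MD5-based EAP method, a clear-text password, and an outer identity that is the
real username. WEAK_CONF mirrors the shape of the file on the slides with
placeholder values; HARDENED_CONF is a constructed EAP-TLS equivalent.
"""

WEAK_CONF = """
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="tv-0042"
    anonymous_identity="tv-0042"
    password="changeme"
    phase1="auth=MD5"
    phase2="auth=PAP"
    eapol_flags=0
}
"""

HARDENED_CONF = """
# Constructed: certificate-based 802.1X on a wired port, server identity checked.
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="tv-0042@hospital.example"
    ca_cert="/etc/ssl/certs/hospital-radius-ca.pem"
    domain_suffix_match="radius.hospital.example"
    client_cert="/etc/wpa_supplicant/tv-0042.crt"
    private_key="/etc/wpa_supplicant/tv-0042.key"
    eapol_flags=0
}
"""

SERVER_NAME_KEYS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")


def parse_networks(text):
    """Return one dict per network={...} block; quotes stripped, '#' comments dropped.
    Good enough for the flat key=value style of wpa_supplicant.conf (a '#' inside a
    quoted value would be cut, which is acceptable for an audit)."""
    nets, cur = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, value = line.split("=", 1)
            cur[key.strip()] = value.strip().strip('"')
    return nets


def audit(net):
    """Return (severity, key, message) findings for one parsed network block."""
    findings = []
    if not set(net.get("key_mgmt", "").split()) & {"IEEE8021X", "WPA-EAP"}:
        return findings                     # not an EAP network; nothing below applies
    methods = set(net.get("eap", "").upper().split())
    phase1 = net.get("phase1", "").lower()
    phase2 = net.get("phase2", "").lower()
    if "MD5" in methods or "auth=md5" in phase1:
        findings.append(("high", "eap", "EAP-MD5: no server authentication, and the "
                         "challenge/response can be dictionary-attacked offline"))
    if "ca_cert" not in net and "ca_path" not in net:
        findings.append(("high", "ca_cert", "no CA configured: any authenticator is accepted, "
                         "so a rogue switch can harvest the inner credentials"))
    elif not any(k in net for k in SERVER_NAME_KEYS):
        findings.append(("medium", "domain_suffix_match", "CA pinned but server name not "
                         "checked: any certificate from that CA passes"))
    if "password" in net:
        findings.append(("high", "password", "password stored in clear text; readable by anyone "
                         "who can boot the box from USB and mount the disk"))
    if "auth=pap" in phase2:
        findings.append(("info", "phase2", "inner PAP sends the password in the clear inside "
                         "the TLS tunnel; safe only if the server is validated"))
    if net.get("identity") and net.get("anonymous_identity") == net.get("identity"):
        findings.append(("low", "anonymous_identity", "outer identity equals the real username, "
                         "which is sent unencrypted before the tunnel is up"))
    if "private_key" in net and "private_key_passwd" not in net:
        findings.append(("info", "private_key", "client key on disk without a passphrase; "
                         "boot-order lock and disk encryption are what protect it"))
    return findings


def demo():
    return {name: [audit(n) for n in parse_networks(conf)]
            for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF))}
```

Note the last finding still fires on the hardened block: EAP-TLS removes the reusable password, but the client key is still a file on the drive, and the talk's method (boot from USB, read the disk) takes it just the same. That is the physical point: the firmware boot order and disk encryption are the control, the supplicant config only limits what the copied credential is worth.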

What next?
  • Find out where we are (external IP)
  • Proof-of-Concept: Open reverse shell

But it’s not enough…
  • Further analysis of files reveals a lead: http://192.168.0.250/client/
  • This is the actual User Interface:

So the next logical step is…

So what’s next?
  • We lost access to the devices
    • At least easy access
  • Complete the report and go for disclosure
  • However… Turns out other hospitals have the same device
    • So now we wait for someone to get sick…

Example #3: Summary
  • Device purpose: Smart TV for Hospital Patients
  • Data on device: Network Encryption Keys, possible access to other networks
  • Method used to hack: USB Drive, Free Software, Keyboard, Mouse

Questions?