Embedded device security is an issue of global importance, and one that has grown exponentially over the last few years. Because of their slow patch cycles and the increasing difficulty of exploiting other, more traditional platforms, they have quickly become a favorite target for researchers and attackers alike. While deeply fragmented, each country has its own unique “footprint” of these devices on the Internet, based largely on the embedded devices distributed by major ISPs. We will use our survey of Japanese devices as an example of how, by fingerprinting and examining popular devices on a given country's networks, it is possible for an attacker to very quickly go from zero knowledge to widespread remote code execution. During this talk, we provide an in-depth analysis of various routers and modems provided by popular Japanese ISPs, devices which we had never heard of on networks we had never used. We discuss how we approached surveying approximate market usage, reverse engineering obfuscated and encrypted firmware images, performing vulnerability analysis on the recovered binaries, and developing proof-of-concept exploits for discovered vulnerabilities, all from the United States. In addition, we provide recommendations as to how ISPs and countries might begin to address the serious problems introduced by these small but important pieces of the Internet. All vulnerabilities discovered were promptly and responsibly disclosed to affected parties.
Fuzzing is a method of discovering software faults by providing unexpected input and monitoring for exceptions. There are two main types of fuzzers: mutation-based fuzzers, which mutate valid samples, and generation-based fuzzers, which require the input format to be defined. Fuzzing discovers bugs by providing invalid input to any software, so it should always be considered a testing method. A fuzzer contains an input generator, a history of generated inputs, and a process monitor.
This document outlines how to remotely hack Windows 95 without any user interaction or needing zero-day exploits. It lists the prerequisites as having a default installation of Windows 95 with a writable C: share and network connectivity configured. It then provides links to resources on hacking Windows 95, including a 158-page manual and blog posts walking through exploiting vulnerabilities. The goal is to achieve remote code execution on the target system using existing hacking tools.
DEFCON 25 presentation. An overview of the basis for needing memory integrity validation (secure hash) checks of a running VM. Edit memory through python scripting. Enhance timeline assurances that you have not missed events with multiple complementary event sources.
This document discusses dynamic binary instrumentation and taint analysis techniques. It describes how frameworks like Intel PIN, Valgrind, and DynamoRIO can be used to inject instrumentation code into running binaries. It also explains how taint tracking can identify which parts of code are affected by tainted user input. Symbolic execution and constraint solving with Z3 are presented as methods to perform taint analysis and concolic execution on binaries. Open source tools like Triton, Angr, and BitBlaze TEMU are referenced for dynamic binary analysis.
A hacker likes computers for the same reason that a child likes Legos: both allow the creation of something new. However, the growing trend has been to 'close up' general purpose computing into devices that serve a narrow purpose. It's been happening with games consoles, routers, smartphones, smart TVs and, more recently, smartwatches. A hacker will face this trend as an additional challenge and will be even more motivated to gain control over the device. This talk is a journey into the world of 'reverse engineering' of an "Internet of Things" device, in this case a TomTom Runner sports watch. The author has little previous experience in reverse engineering of embedded systems, so the talk aims to serve as an introduction to this topic, covering the motivations and the kinds of approaches that may be tried. Presented in September 2015 at "Confraria de Segurança da Informação" in Lisbon.
The document discusses the challenges of protecting against malware on web browsers through client-side solutions alone. It describes how the author was able to bypass protections in various internet security suites and anti-malware products by creating malicious browser extensions. While some vendors were able to address the issues, the document argues that client-side only solutions are fundamentally limited. It suggests focusing on server-side protections instead of seeking a "client-side elixir" for fully preventing malware.
This document discusses how Python can be used for both ethical and unethical hacking purposes. It provides examples of how Python allows for easy learning, is cross-platform, and has many built-in tools and libraries that enable activities like dictionary attacks, brute force cracking, analyzing Skype databases, and using APIs to interact with systems like sockets in a similar way to C. The document also lists several Python security tools and frameworks like Scapy and recommends resources like books and tutorials that provide inspiration for writing hacking tools with Python.
This document discusses 7 common security sins for ATM protection against logical attacks. It summarizes techniques for bypassing kiosk mode, escalating privileges, bypassing application control software, exploiting vulnerabilities in the network layer, device management, booting process, and exploiting logical vulnerabilities in the operating system. Specific techniques discussed include using safe mode and hotkeys to bypass kiosk mode restrictions, exploiting zero-day vulnerabilities to escalate privileges and bypass application controls, manipulating firewall settings and disabling VPNs and TLS to exploit network vulnerabilities, and accessing devices through physical means or exploiting race conditions in security software.
This document discusses using Python for penetration testing and security tasks. It notes that Python has a simple learning curve, extensive libraries, and is multiplatform, making it useful for quick prototyping and easier automation. Python can be used for exploit development, networking, debugging, encryption/decryption, reverse engineering, fuzzing, web applications, forensics, and malware analysis. Popular Python security tools include SET, Core Impact, W3AF, Sqlmap, Immunity Debugger, Impacket, and IronWASP. The document provides examples of using Python for port scanning, creating a one-line web server, and exploit development. It also lists useful Python
This is a guide on how to set up DarkComet RAT, the free and popular Remote Administration Tool. This software is an efficient tool created specifically to remotely control any Microsoft Windows machine.
We analyze the generation and management of WPA2 group keys. These keys protect broadcast and multicast Wi-Fi traffic. We discovered several issues and illustrate their importance by decrypting all group (and unicast) traffic of a typical Wi-Fi network. First we show that the 802.11 random number generator is flawed by design, and provides an insufficient amount of entropy. This is confirmed by predicting randomly generated group keys on several platforms. We then examine whether group keys are securely transmitted to clients. Here we discover a downgrade attack that forces usage of RC4 to encrypt the group key when transmitted in the 4-way handshake. The per-message RC4 key is the concatenation of a public 16-byte initialization vector with a secret 16-byte key, and the first 256 keystream bytes are dropped. We study this peculiar usage of RC4, and find that capturing 2 billion handshakes can be sufficient to recover (i.e., decrypt) a 128-bit group key. We also examine whether group traffic is properly isolated from unicast traffic. We find that this is not the case, and show that the group key can be used to inject and decrypt unicast traffic. Finally, we propose and study a new random number generator tailored for 802.11 platforms.
This talk was presented at the Microsoft BlueHat IL 2019 security conference by Niek Timmers, Albert Spruyt and Cristofaro Mune. Secure boot is the fundamental building block of the security implemented in a large variety of devices, from mobile phones to Internet of Things (IoT) devices or Electronic Control Units (ECUs) found in modern cars. In this talk we focus on software and hardware attacks that may be carried out against Secure Boot implementations. We leverage our decade-long experience in reviewing and attacking secure boot on embedded devices from different industries. After a brief introduction, an overview of common attack patterns is provided, by discussing real vulnerabilities, exploits and attacks as case studies. We then discuss two new attacks, not discussed or demonstrated before, with the purpose of bringing new insights. The first one takes place before the CPU is even started, showing that a larger attack surface than usually explored is available. This also shows that FI can affect pure HW implementations, with no SW involved. The second one is an Encrypted Secure Boot bypass, yielding direct code execution. It is performed by using Fault Injection only and with a single glitch. Contrary to common beliefs, we show that FI-only attacks are possible against an Encrypted Secure Boot implementation, without requiring any encryption key. This shows the need to reconsider the impact of FI attacks, and that encrypting boot stages alone is not a sufficient FI countermeasure. We also discuss countermeasures and possible mitigations throughout the whole presentation. With this talk, we hope to bring innovative and fresh material to a topic which is a cornerstone of modern Product Security. The presentation at BlueHat IL 2019 featured a live demo of an Encrypted Secure Boot bypass attack.
An overview of all things that can go wrong when developers attempt to implement a Chain of Trust also called "secure boot". Starting from design mistakes, we look at crypto problems, logical and debug problems and move towards Side Channel Attacks and Fault Injection. Focused on Automotive, Pay-TV, Gaming and mobile devices.
Second presentation of my research into reverse engineering a TomTom Runner GPS watch. In this I explain how I got running code inside an unfamiliar device and proceeded to bypass its security measures and extract firmware keys and code from the device. More details on my personal blog, at http://grangeia.io. Presented in October 2015 at "Confraria de Segurança da Informação" in Lisbon.
The document discusses breaking and attacking antivirus software. It begins by introducing common features of antivirus engines like being written in C/C++ and supporting various file formats. It then discusses how installing antivirus software increases a system's attack surface and how antivirus engines can contain vulnerabilities. Specific examples of vulnerabilities found in antivirus products from Panda, ClamAV, and others are then presented, including multiple local privilege escalation issues found in Panda Global Protection 2013. Exploitation techniques for antivirus engines are also covered.
The document discusses techniques for modifying USB flash drive firmware to add custom functionality or bypass security features. It describes the boot process and firmware update process for USB drives. The authors demonstrate creating custom firmware that implements a hidden storage partition and bypasses password protection. They provide source code and tools to allow others to modify USB drive firmware for research purposes.
American Fuzzy Lop (AFL) is a security-oriented fuzz testing tool. In this talk, I demonstrate how dead-simple AFL is to use. I show how I used it to fuzz a Python library, discovering a subtle bug in the process.
I was asked to talk in front of computer science students at Bar-Ilan University about "what happens" when you don't care about writing "secured" or "safe" code. A perfect example of that, in my opinion, was the world of embedded computing, AKA the IoT. I talked about the history of consumer embedded devices and showed a live demo of a 0day I found in one of the most popular routers in the country.
This document provides an overview of reverse engineering through analyzing the Stuxnet computer worm. It describes how Stuxnet spread using Windows vulnerabilities and infected systems running Siemens industrial software. It then manipulated programmable logic controllers to potentially sabotage nuclear centrifuges in Iran. However, the document notes that while theories point to state-sponsored attacks, its true target and author remain unknown due to lack of evidence. Speculation about Stuxnet's origins and purpose is presented to demonstrate how its analysis generated many unproven narratives.
Bryan McCoid discusses using eBPF, XDP, and io_uring for high performance networking. XDP allows programs to process packets in the kernel without loading modules. AF_XDP sockets use eBPF to route packets between kernel and userspace via ring buffers. McCoid is building a Rust runtime called Glommio to interface with these techniques. The runtime integrates with io_uring and allows multiple design patterns for receiving packets from AF_XDP sockets.
The document provides an overview of ethical hacking techniques such as advanced scanning with NMAP to identify open ports and operating systems on remote systems. It discusses how tools like Nmap and Angry IP Scanner can be used to scan locally and remotely, and how information gathered can be used to potentially exploit systems. Example exploits discussed include using Netcat to create remote shells and payloads embedded in files like JPEG and MP3 files. The document emphasizes that while the information is presented, actually hacking systems without permission would be illegal.
This document provides an overview of advanced scanning and exploitation techniques for security testing. It discusses using Nmap to scan for open ports and operating systems. The importance of local IP sweeping to find vulnerable systems on a local network is explained. Netcat is demonstrated as a simple way to create a remote shell on another system. Brief examples of shellcode and exploits that can be delivered through media files like JPGs and MP3s are also provided. The conclusion emphasizes that while this information is shown for educational purposes, actually exploiting systems without permission would be illegal.
This paper attempts to look behind the wheels of Android, keeping a special focus on custom ROMs, and checks for security misconfigurations which could lead to device compromise, which may in turn result in malware infection or data theft.
This document discusses security issues with custom Android ROMs. It begins by introducing custom ROMs and why they warrant security reviews. It then analyzes several practices in custom ROMs that could compromise security, such as enabling USB debugging, running ADB in root mode, loose permissions on the system partition, and allowing installation from unknown sources. The document demonstrates a proof-of-concept data theft tool and recommends users be wary of development processes and ask questions when using custom ROMs. It concludes with contact information for the author.
Web application security, and why you should review yours, is a whole-stack look: a skydive without a parachute. Let's try not to die as we explore what an attack surface is, acronym hell, vulnerability naming, detection or prevention (is there a place for both, or none?), emerging OSS technologies which can help you, a firehose review of compromises from 2014 through 2018, and finally a live compromise demo covering everything we've discussed as being 'bad' ... or, as often happens, the backup video.
Tim Noise - Ruxmon 31/07/15. Calyptech fixed wireless terminal exploit source code: https://github.com/dnoiz1/ifwt-remote-root/blob/master/pwrtropic.py
These are the slides from the presentation by Ian Kluft at the ISC² Silicon Valley Chapter meeting on February 11, 2020 in Santa Clara, California on "Securing a Raspberry Pi and other DIY IoT devices". It introduces the Raspberry Pi computer and security issues relevant to projects on similar Internet of Things (IoT) devices. Also, for hobby projects there's advice on how to prioritize security issues to avoid being overwhelmed. It covers analysis of the project's attack surface and online security resources. The presentation was made for a group who have, or are working on, cybersecurity certifications, but the slides should also be understandable by a wider technical audience.