Eclypsium presentations from Blackhat and DEF CON uploaded

Re: https://firmwaresecurity.com/2018/08/10/eclypsium-remotely-attacking-system-firmware/

https://github.com/HackingThings/Publications/blob/master/2018/DC26_UEFI_EXPLOITATION_MASSES_FINAL.pdf

https://github.com/eclypsium/Publications/blob/master/2018/BlackHat_USA_2018/BH2018_REMOTELY_ATACKING_SYSTEM_FIRMWARE_FINAL.pdf

USaBUSe

Jenny List has a story on Hackaday about the DEF CON 24 presentation on USB attacks by Dominic White and Rogan Dawes of Sensepost:

[…] Our subject today is a DEF CON talk courtesy of [Dominic White] and [Rogan Dawes] entitled “Universal Serial aBUSe“, and it details a USB attack in which they create an innocuous USB stick that emulates a keyboard and mouse which is shared across a WiFi network via a VNC server. This gives an attacker (who can gain momentary physical access to a USB port to install the device) a way into the machine that completely bypasses all network and other security measures. Their hardware features an AVR and an ESP8266, the former for USB and HID work and the latter to do the heavy lifting and provide WiFi. They started with a Cactus Micro Rev2, but graduated to their own compatible board to make the device more suitable to pose as a USB stick. Both hardware and software files can be found on their GitHub repository, with the software being a fork of esp-link. They go into significant detail of their development and debugging process, and their write-up should be an interesting read for anyone. Below the break you can find a video description of the attack. It’s not a shock to know that USB ports have such little defense, but it is a sobering moment to realize how far attacks like this one have come into the realm of what is possible. […]

Universal Serial Abuse
https://www.sensepost.com/blog/2016/universal-serial-abuse/
https://github.com/sensepost/USaBUSe

DEF CON 24

If DEF CON 24 is not cancelled this year, it will be this Summer in Las Vegas. There are multiple hardware/IoT-centric presentations and workshops. The Hardware Hacking Village and IoT Village are there.

I don’t see a lot of firmware-centric stuff, but there is a lot of hardware-centric stuff so far. Maybe they’ll be added later, or they’ll only be at Black Hat Briefings. Or all the firmware researchers are busy being employed by OEMs now, no time for new presentations showing how to exploit their current employers. 🙂

https://www.defcon.org/html/defcon-24/dc-24-workshops.html
https://www.defcon.org/html/defcon-24/dc-24-speakers.html

==========

A few of the workshops that sound interesting to me:

Embedded system design: from electronics to microkernel development
Rodrigo Maximiano Antunes de Almeida Professor, Federal University of Itajubá
The workshop consists of a introduction on the embedded systems design. We’ll start building a simple electronic embedded system design. This will be used as the target platform. Later I pretend to talk about the low level side of C language as bit fields arrays and bitwise operations, pointers to fixed memory addresses/registers, how to access the microcontroler peripherals etc. These will be the base to develop a full embedded microkernel using ISO-C without the standard libraries. They will have a better understanding on the electronics-programming relationship and how these questions can impact on the kernel development. Aside they`ll get a deep knowledge in the kernel basic functions (processes scheduling, i/o drivers controller etc).

Applied Physical Attacks on Embedded Systems, Introductory Version
Joe FitzPatrick Instructor & Researcher, SecuringHardware
This workshop introduces several different relatively accessible interfaces on embedded systems. Attendees will get hands-on experience with UART, SPI, and JTAG interfaces on a MIPS-based wifi router. After a brief architectural overview of each interface, hands-on labs will guide through the process understanding, observing, interacting with, and exploiting the interface to potentially access a root shell on the target.

Car Hacking Workshop
Robert Leale President, CanBusHack
KC Johnson Security Researcher
Introduction to connecting to Vehicle Networks. In the workshop we’ll connect and send data to vehicle simulators and use scripts to fuzz messages. We will learn about vehicle systems and how they are connected.

Hunting Malware at Scale with osquery
Sereyvathana Ty Detection Infrastructure Team, Facebook
Nick Anderson Security Engineer, Facebook
Javier Marcos de Prado Security Engineer, Facebook
Teddy Reed Security Engineer, Facebook
Matt Moran Security Engineer Facebook
This workshop is an introduction to osquery, an open source SQL-powered operating system for instrumentation and analytics. osquery is developed and used by Facebook to proactively hunt for abnormalities. Since osquery allows us to easily ask questions about our infrastructure, it provides powerful capabilities, such as finding malware persistence techniques and scanning IOCs across our fleets of machines. This workshop is a very hands-on training and we expect participants to be comfortable with CLI.t to get familiar with how osquery works under the hood. Who should attend? This workshop is designed for information security professionals who defend small to large scale enterprise networks.

You CAN haz fun with with cars!
Javier Vazquez Vidal Product Security Engine Code White GmbH
Ferdinand Noelscher Security Researcher
So you already know that you can hack cars and do nasty remote stuff, right? But what about all the underlying data transfers that are going on in it? Do you want to learn how a target is approached, what info can you get out of each ECU, or what Security measures are in place to prevent you from doing so on a protocol level? We want to show you how all this stuff works, and what can you do about it! And for this, we will have the help of the CANBadger. Come and learn about protocols used over CAN, and use a CANBadger connected to real ECUs to learn what you can do with it. Oh, and you can assemble your own CANBadger board too!

PCB Design Crash Course: A primer to designing your own hacking tools
Seth Wahle Electronics Engineer & Hardware Hacker
Have you ever seen a system that knew you could hack, if you could only find a way to connect to its ridiculously exotic interface? What about that idea for an awesome hacking tool you imagined but didn’t know how to build? If the massive learning curve to hardware design is holding back your plans to hack the world, then this is the workshop for you! In this workshop, you will design your own basic LAN tap (based on the throwing star LAN tap from Great Scott Gadgets). We will go from the very basics all the way to a full set of design documentation that you could use to get your hardware design mass produced.

Physical Security for Computing Systems, a Look at Design, Attacks and Defenses
Steve Weingart Security Researcher
Physical security for computing systems is a topic that usually gets left to FIPS 140 and tamper labels, but it is a much broader and more interesting subject. As the value of data on computing systems increases and operating systems become more secure, physical attacks on computing systems to steal or modify assets become more likely. At the low end are locks and tamper labels, at the high end are complex mechanisms to detect and respond to tampering and intrusion from the box level all the way down to the chip level. All of this technology requires constant review and improvement, just as other competitive technologies need review to stay at the leading edge. The bar is ever rising. Physical security is an interdisciplinary field. The materials and chemistry are as important as the electronics, circuits and physics. A tamper label can be defeated by application of the right solvent. A cover switch can be defeated by piping super glue in through an air vent or a slightly bent cover. Hard epoxies can be removed with drain cleaner and a tamper detection circuit can be defeated by setting the supply voltage to a critical value or a microprocessor’s start up tests bypassed by manipulating the width of the reset pulse. This training session will show many of the known attack and defense methods from the basic to the exotic. It will include easy and low tech ways of performing high tech attacks, as well as descriptions of the highest tech methods. Design examples will be shown with examples of the tools, devices, circuits and materials used to implement both attack and defense systems. Demonstrations will be included.

Brainwashing Embedded Systems
Craig Young Security Researcher, Tripwire
Learning the secret incantations to make embedded systems carry out your will is not as hard as one might think. In the world of IoT, the hardened system is rare and most times a firmware image is more than enough to find and exploit weakness. This session explains in detail a process for going from zero-knowledge to zero-day on real-world devices without breaking a sweat. Attendees to this tutorial session will learn the ropes of firmware dissection, app decompilation, and manual fuzz testing in a hands-on hack lab. Participants will be provided with a customized Kali Linux virtual appliance and given access to several consumer devices for analysis. These techniques have been successfully employed by the author to identify over 100 CVEs on embedded/IoT devices as well as to win the 0-day and CTF tracks in the DEF CON 22 SOHOpelessly Broken router hacking competition.

==========

Some of the Presentations that caught my eye:

A Monitor Darkly: Reversing and Exploiting Ubiquitous On-Screen-Display Controllers in Modern Monitors
Ang Cui PHD, CEO & Chief Scientist, Red Balloon Security
Jatin Kataria Principal Research Scientist, Red Balloon Security
Francois Charbonneau Research Scientist, Red Balloon Security
There are multiple x86 processors in your monitor! OSD, or on-screen-display controllers are ubiquitous components in nearly all modern monitors. OSDs are typically used to generate simple menus on the monitor, allowing the user to change settings like brightness, contrast and input source. However, OSDs are effectively independent general-purpose computers that can: read the content of the screen, change arbitrary pixel values, and execute arbitrary code supplied through numerous control channels. We demonstrate multiple methods of loading and executing arbitrary code in a modern monitor and discuss the security implication of this novel attack vector. We also present a thorough analysis of an OSD system used in common Dell monitors and discuss attack scenarios ranging from active screen content manipulation and screen content snooping to active data exfiltration using Funtenna-like techniques. We demonstrate a multi-stage monitor implant capable of loading arbitrary code and data encoded in specially crafted images and documents through active monitor snooping. This code infiltration technique can be implemented through a single pixel, or through subtle variations of a large number of pixels. We discuss a step-by-step walk-through of our hardware and software reverse-analysis process of the Dell monitor. We present three demonstrations of monitoring exploitation to show active screen snooping, active screen content manipulation and covert data exfiltration using Funtenna. Lastly, we discuss realistic attack delivery mechanisms, show a prototype implementation of our attack using the USB Armory and outline potential attack mitigation options. We will release sample code related to this attack prior to the presentation date.

Universal Serial aBUSe: Remote Physical Access Attacks
Rogan Dawes Researcher, Sensepost
Dominic White CTO, SensePost
In this talk, we’ll cover some novel USB-level attacks, that can provide stealthy remote access to a machine’s console, and release a toolset using freely available hardware. In 2000, Microsoft published its 10 Immutable laws of security. One of which was ‘if a bad guy has unrestricted access to your computer, it’s not your computer anymore.’ This has been robustly demonstrated over the years. Examples include numerous DMA-access attacks against interfaces such as firewire, PCMCIA and thunderbolt as well as USB-based attacks including simple in-line keyloggers, ‘evil maid‘ attacks and malicious firmware. Despite these warnings, groups such as the NSA were still able to use physical access to bypass software controls with toolsets such as COTTONMOUTH. […]
CANSPY: a Framework for Auditing CAN Devices
Jonathan-Christofer Demay Airbus Defence and Space
Arnaud Lebrun Airbus Defence and Space
In the past few years, several tools have been released allowing hobbyists to connect to CAN buses found in cars. This is welcomed as the CAN protocol is becoming the backbone for embedded computers found in smartcars. Its use is now even spreading outside the car through the OBD-II connector: usage-based policies from insurance companies, air-pollution control from law enforcement or engine diagnostics from smartphones for instance. Nonetheless, these tools will do no more than what professional tools from automobile manufacturers can do. In fact, they will do less as they do not have knowledge of upper-layer protocols. Security auditors are used to deal with this kind of situation: they reverse-engineer protocols before implementing them on top of their tool of choice. However, to be efficient at this, they need more than just being able to listen to or interact with what they are auditing. Precisely, they need to be able to intercept communications and block them, forward them or modify them on the fly. This is why, for example, a framework such as Burp Suite is popular when it comes to auditing web applications. In this paper, we present CANSPY, a framework giving security auditors such capabilities when auditing CAN devices. Not only can it block, forward or modify CAN frames on the fly, it can do so autonomously with a set of rules or interactively using Ethernet and a packet manipulation framework such as Scapy. It is also worth noting that it was designed to be cheap and easy to build as it is mostly made of inexpensive COTS. Last but not least, we demonstrate its versatility by turning around a security issue usually considered when it comes to cars: instead of auditing an electronic control unit (ECU) through the OBD-II connector, we are going to partially emulate ECUs in order to audit a device that connects to this very connector.

pin2pwn: How to Root an Embedded Linux Box with a Sewing Needle
Brad Dixon, Hacker
Security assessments of embedded and IoT devices often begin with testing how an attacker could recover firmware from the device. When developers have done their job well you’ll find JTAG locked-up, non-responsive serial ports, locked-down uboot, and perhaps even a home brewed secure-boot solution. In this session you’ll learn details of a useful hardware/software penetration technique to attempt when you’ve run out of easier options. We’ve used this technique on two commercial device security assessments successfully and have refined the technique on a series of test devices in the lab. This session will cover the prerequisites for successful application of the technique and give you helpful hints to help your hack! Best of all this technique, while a bit risky to the hardware, is easy to try and doesn’t require specialized equipment or hardware modification. We are going to take pieces of metal and stab them at the heart of the hardware and see what happens. For the hardware/firmware developer you’ll get a checklist that you can use to reduce your vulnerability to this sort of attack.

Stumping the Mobile Chipset
Adam Donenfeld Senior Security Researcher, Check Point
Following recent security issues discovered in Android, Google made a number of changes to tighten security across its fragmented landscape. However, Google is not alone in the struggle to keep Android safe. Qualcomm, a supplier of 80% of the chipsets in the Android ecosystem, has almost as much effect on Android’s security as Google. With this in mind, we decided to examine Qualcomm’s code in Android devices. During our research, we found multiple privilege escalation vulnerabilities in multiple subsystems introduced by Qualcomm to all its Android devices in multiple different subsystems. In this presentation we will review not only the privilege escalation vulnerabilities we found, but also demonstrate and present a detailed exploitation, overcoming all the existing mitigations in Android’s Linux kernel to run kernel-code, elevating privileges and thus gaining root privileges and completely bypassing SELinux.

I Fight For The Users, Episode I – Attacks Against Top Consumer Products
Zack Fasel Managing Partner, Urbane
Erin Jacobs Managing Partner, Urbane
This is not just another “I found a problem in a single IOT device” talk. Focusing on attacking three major consumer product lines that have grown rapidly in the past years, Zack and Erin will review flaws they’ve discovered and weaponized against home Windows installs, DIY security solutions, personal fitness tracking devices, and digital notification devices. We’ll review the security of these popular products and services in a ‘consumer reports’ style walkthrough, the attack methods against the 21 devices reviewed, release some tools for the lulz, and highlight the threats facing similar products. It’s time to Fight for the Users. END OF LINE.

101 Ways to Brick your Hardware
Joe FitzPatrick SecuringHardware.com
Joe Grand (Kingpin) Grand Idea Studio
Spend some time hacking hardware and you’ll eventually render a piece of equipment unusable either by accident or intentionally. Between us, we’ve got decades of bricking experience that we’d like to share. We’ll document the most common ways of temporarily or permanently damaging your hardware and ways to recover, if possible. We’ll also talk about tips on how to avoid bricking your projects in the first place. If you’re getting into hardware hacking and worried about messing something up, our stories will hopefully prevent you from experiencing the same horrors we did. If you’re worried about an uprising of intelligent machines, the techniques discussed will help you disable their functionality and keep them down.

Direct Memory Attack the Kernel
Ulf Frisk Penetration Tester
Inexpensive universal DMA attacking is the new reality of today! In this talk I will explore and demonstrate how it is possible to take total control of operating system kernels by DMA code injection. Once control of the kernel has been gained I will execute code and dump gigabytes of memory in seconds. Full disk encryption will be defeated, authentication will be bypassed and shells will be spawned. This will all be made possible using a $100 piece of hardware together with the easy to use modular PCILeech toolkit – which will be published as open source after this talk.

Hacker-Machine Interface – State of the Union for SCADA HMI Vulnerabilities
Brian Gorenc Senior Manager, Trend Micro Zero Day Initiative
Fritz Sands Security Researcher, Trend Micro Zero Day Initiative
Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware, like BlackEnergy, is being specially developed to target supervisory control and data acquisition (SCADA) systems. Specifically, adversaries are focusing their efforts on obtaining access to the human-machine interface (HMI) solutions that act as the main hub for managing the operation of the control system. Vulnerabilities in these SCADA HMI solutions are, and will continue to be, highly valuable as we usher in this new era of software exploitation. This talk covers an in-depth analysis performed on a corpus of 200+ confirmed SCADA HMI vulnerabilities. It details out the popular vulnerability types discovered in HMI solutions developed by the biggest SCADA vendors, including Schneider Electric, Siemens, General Electric, and Advantech. It studies the weaknesses in the technologies used to develop HMI solutions and describes how critical vulnerabilities manifest in the underlying code. The talk will compare the time-to-patch performance of various SCADA vendors along with a comparison of the SCADA industry to the rest of the software industry. Finally, using the data presented, additional guidance will be provided to SCADA researchers along with a prediction on what we expect next in attacks that leverage SCADA HMI vulnerabilities.

BSODomizer HD: A Mischievous FPGA and HDMI Platform for the (M)asses
Joe Grand (Kingpin) Grand Idea Studio
Zoz Hacker
At DEF CON 16 in 2008, we released the original BSODomizer (www.bsodomizer.com), an open source VGA pranking tool and introductory hacking platform for the multicore Propeller micro-controller. Hours of productivity were replaced with rage and frustration as unwitting computer users were confronted with fake Blue Screens of Death and revolting ASCII art. But, the world has changed. The machines have risen in capability. HDMI is the graphical transmission protocol of choice and hacking with micro-controllers is standard issue. The as-seen-on-HDTV duo of Joe Grand and Zoz return with the next generation of mischievous hardware, a device that supplants or captures any inline HDMI signal in a discreet, pentest-worthy package. BSODomizer HD is an FPGA-based system that not only improves on the graphics interception and triggering features of its predecessor, but can now capture screenshots of a target system and also provides a fully open design that you can use for your own experiments into the mystical world of massive, customizable arrays of digital logic. We’ll guide you through the process of going from lamer zero to hacker hero with FPGAs, while savagely fucking with a few unfortunate friends along the way!

==========

quiz: define ‘firmworm’

The pre-conference preview videos are coming out… 🙂 One firmware one that caught my attention:

Thunderstrike 2 “firmworm” for MacBooks Preview Video

Joe Fitzpatrick joins Xipiter

I didn’t know about this company until today. It looks like Joe Fitzpatrick of SecuringHardware is or soon will be joining them:

https://twitter.com/XipiterSec/status/616275086652235776

It appears Xipiter does security training, including Intel- and ARM-based hardware-level courses, including at upcoming DEF CON. They appear to have an upcoming Android course in the works, related to the Wiley Android Hacker’s Handbook, which has a nice chapter on ARM firmware hacking. They have other services besides training, and some hardware products as well.

http://www.xipiter.com/
http://www.xipiter.com/team.html
http://www.xipiter.com/training.html

http://securinghardware.com/