Hacking Hardware
Some materials adapted from Sam Bowne

Page 1: Hacking Hardware

Some materials adapted from Sam Bowne

Page 2: Physical Access

Lock bumping: see next slides.
Don't rely solely on locks: use two-factor authentication
– PIN keypad
– Fingerprint
– Security guard

Cloning access cards: not so easy.
Magstripe vs RFID cards
Open RFID reader, and an RFID hack reader and writer.

Page 3: Normal Key

Page 4: Bump Key

Every key pin falls to its lowest point
The key is hit with a screwdriver to create mechanical shocks
The key pins move up and briefly pass through the shear line
The lock can be opened at the instant the key pins align on the shear line

Page 5:

Even Medeco locks used in the White House can be bumped

Page 6: Magstripe Cards

ISO Standards specify three tracks of data
There are various standards, but usually no encryption is used
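To make the "no encryption" point concrete, here is a parser for the Track 1 and Track 2 layouts (ISO/IEC 7813) that a reader returns for a financial card. This is an added example, not code from the slides or from Sam Bowne; the two sample track strings are constructed around the standard test card number 4111111111111111, not captured data. The account number, name and expiry come out of the regular expression directly, because nothing on the stripe is protected; the defensive pieces are the Luhn check (catches misreads, not clones), PAN masking for logs, and the service-code test that tells a terminal a chip card is being swiped.

```python
"""Parse the Track 1 / Track 2 layouts (ISO/IEC 7813) that a magstripe reader
returns for a financial card. Added example, not from the original slides;
the sample tracks are constructed around a well-known test card number."""
import re
from dataclasses import dataclass
from typing import Optional

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{1,19})\^(?P<name>[^^]{2,26})\^(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{1,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$")

# Constructed sample tracks (not captured data); 4111111111111111 is a standard test PAN.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JANE^29121010000000000?"
SAMPLE_TRACK2 = ";4111111111111111=29122010000000?"


@dataclass
class Track:
    pan: str
    expiry: str          # YYMM exactly as written on the stripe
    service_code: str    # three digits; first digit 2 or 6 marks a chip card
    name: Optional[str] = None
    discretionary: str = ""


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit test. A cloned stripe still passes it, so this
    only catches read errors, never fraud."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track(raw: str) -> Track:
    """Return the fields of one track, or raise ValueError if the record
    matches neither layout."""
    m = TRACK1_RE.match(raw)
    if m:
        return Track(pan=m["pan"], expiry=m["exp"], service_code=m["svc"],
                     name=m["name"].strip(), discretionary=m["disc"])
    m = TRACK2_RE.match(raw)
    if m:
        return Track(pan=m["pan"], expiry=m["exp"], service_code=m["svc"],
                     discretionary=m["disc"])
    raise ValueError("not a Track 1 or Track 2 record")


def chip_card(track: Track) -> bool:
    """First service-code digit 2 or 6 means the issuer put a chip on the card;
    a terminal that sees such a card swiped should insist on the chip."""
    return track.service_code[0] in "26"


def mask_pan(pan: str) -> str:
    """Display form permitted for logs: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def summarize(raw: str) -> dict:
    """What a terminal-side audit log should record about a swipe."""
    t = parse_track(raw)
    return {
        "pan": mask_pan(t.pan),
        "luhn_ok": luhn_ok(t.pan),
        "expiry": t.expiry,
        "chip_card": chip_card(t),
        "name": t.name,
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        print(summarize(raw))
```

The name field exists only on Track 1, so `summarize()` reports `None` for a Track 2 read; a real reader returns both tracks together, each delimited by its own start and end sentinel.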

Page 7: Magstripe Card Reader/Writer

USB connector
About $350

Page 8: Magnetic-Stripe Card Explorer

Page 9: Hacking RFID Cards

RFID cards use radio signals instead of magnetism
Now required in passports
Data can be read at a distance, and is usually unencrypted
Mifare is the most widely deployed brand of secure RFID chips (vulnerabilities).

Page 10: Cloning Passports

$250 in equipment
Can steal passport data from a moving car

Page 11: Boston Subway Hack

The Massachusetts Bay Transportation Authority claims that they added proprietary encryption to make their MiFare Classic cards secure
But Ron Rivest's students from MIT hacked into it anyway

Page 12: ATA Hard Drives

Bypassing ATA password security
• Two kinds of ATA (AT Attachment) interfaces are used
• PATA (Parallel ATA) – IDE is now called PATA
• SATA (Serial ATA) – Newer and faster than PATA

Page 13: ATA Security

Requires a password to access the hard disk
Virtually every hard drive made since 2000 has this feature
It is part of the ATA specification, and thus not specific to any brand or device.
Does not encrypt the disk, but prevents access

Countermeasures
• Don't trust ATA Security
• Encrypt the drive with Bitlocker, TrueCrypt, PGP, etc.

Page 14: ATA Password Virus

ATA Security is used on Microsoft Xbox hard drives and laptops
BUT desktop machines' BIOS is often unaware of ATA security
An attacker could turn on ATA security, and effectively destroy a hard drive, or hold it for ransom
The machine won't boot, and no BIOS command can help
This is only a theoretical attack at the moment
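The check a defender wants after this slide is whether a drive is actually exposed to the "password virus" scenario. The ATA Security feature set has a FROZEN state: firmware that issues SECURITY FREEZE LOCK at boot makes the drive refuse SECURITY SET PASSWORD until the next reset or power cycle, so a rogue program cannot lock it. On Linux, `hdparm -I /dev/sdX` (run as root) prints a "Security:" section with exactly these flags. The script below is an added example, not from the slides or from Sam Bowne: it parses that section and gives a verdict. The three hdparm outputs embedded in it are constructed to mirror hdparm's layout (tab-indented lines, "not" prefixes) rather than captured from a real disk.

```python
"""Report the ATA Security state of a drive from `hdparm -I` output.
Added example, not from the original slides. The sample outputs are
constructed to mirror hdparm's "Security:" section layout; pipe the real
thing in with `sudo hdparm -I /dev/sdX | python3 ata_security_check.py`."""
import sys

KEYS = ("supported", "enabled", "locked", "frozen")


def _sample(*security_lines):
    """Constructed hdparm-style output wrapped around the given Security lines."""
    return "\n".join([
        "ATA device, with non-removable media",
        "\tModel Number:       CONSTRUCTED-SAMPLE-DISK",
        "Security: ",
        "\tMaster password revision code = 65534",
        *security_lines,
        "\tnot\texpired: security count",
        "\t\tsupported: enhanced erase",
        "Checksum: correct",
    ])


# Typical workstation: firmware issued SECURITY FREEZE LOCK during POST.
SAMPLE_FROZEN = _sample("\t\tsupported", "\tnot\tenabled", "\tnot\tlocked", "\t\tfrozen")
# The slide's worry: security supported, no password set, and nothing froze the drive.
SAMPLE_EXPOSED = _sample("\t\tsupported", "\tnot\tenabled", "\tnot\tlocked", "\tnot\tfrozen")
# A drive with a user password set that has not been unlocked this session.
SAMPLE_LOCKED = _sample("\t\tsupported", "\t\tenabled", "\t\tlocked", "\tnot\tfrozen")


def parse_security(hdparm_output: str) -> dict:
    """Return {supported, enabled, locked, frozen} booleans from the Security section."""
    state = {k: False for k in KEYS}
    in_section = False
    for line in hdparm_output.splitlines():
        if not in_section:
            in_section = line.strip() == "Security:"
            continue
        if line and not line[0].isspace():
            break  # reached the next top-level section (e.g. "Checksum:")
        tokens = line.split()
        if not tokens:
            continue
        negated = tokens[0] == "not"
        word = tokens[1] if negated and len(tokens) > 1 else tokens[0]
        if word in KEYS:               # "supported:" (enhanced erase) deliberately does not match
            state[word] = not negated
    return state


def assess(state: dict) -> str:
    """Collapse the four flags into one verdict."""
    if not state["supported"]:
        return "unsupported"
    if state["locked"]:
        return "locked"
    if state["enabled"]:
        return "enabled-unlocked"
    if state["frozen"]:
        return "frozen"
    return "exposed"


EXPLANATION = {
    "unsupported": "drive does not implement the ATA Security feature set",
    "locked": "user password set and not yet supplied; data inaccessible until unlocked",
    "enabled-unlocked": "password set and supplied this session",
    "frozen": "SECURITY SET PASSWORD is refused until the next reset; a rogue program cannot lock this drive now",
    "exposed": "no password and not frozen: any privileged process could set one and lock the drive",
}


def check(hdparm_output: str) -> str:
    verdict = assess(parse_security(hdparm_output))
    return f"{verdict}: {EXPLANATION[verdict]}"


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_EXPOSED
    print(check(text))
```

"exposed" is the state the slide describes; "frozen" is the usual answer on machines whose firmware freezes the drive at boot, which is why the attack stays theoretical on most hardware. Note that hdparm itself also reports frozen state, and that a frozen drive cannot have its password changed by the legitimate owner either until it is power-cycled.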

Page 15: Bypassing ATA Passwords

Hot Swap
With an unlocked drive plugged in, enter the BIOS and navigate to the menu that allows you to set an HDD Password
Plug in the locked drive and reset the password

Use factory default master password
Not easy to find
Some examples given in 2600 magazine volume 26 number 1

Page 16: Bypassing ATA Passwords

Vogon Password Cracker POD
Changes the password from a simple GUI
Allows law enforcement to image the drive, then restore the original password, so the owner never knows anything has happened
Works by accessing the drive service area
A special area on a disk used for firmware, geometry information, etc.
Inaccessible to the user

Page 17: USB drives

U3: Software on a Flash Drive
Carry your data and your applications in your pocket!
It’s like a tiny laptop!

Page 18: U3 Launchpad

Just plug it in, and the Launchpad appears
Run your applications on anyone’s machine
Take all data away with you

Page 19: How U3 Works

The U3 drive appears as two devices in My Computer
A “Removable Disk”
A hidden CD drive named “U3”
The CD contains software that automatically runs on computers that have Autorun enabled
For more details, see http://www.everythingusb.com/u3.html

Page 20: Hacking Software On The Disk Partition

PocketKnife is a suite of powerful hacking tools that lives on the disk partition of the U3 drive
Just like any other application
You can create a custom file to be executed when a U3 drive is plugged in
Or replace the original CD part by a hack.

Page 21: U3 PocketKnife

Steal passwords
Product keys
Steal files
Kill antivirus software
Turn off the Firewall
And more…

Page 22: Military Bans USB Thumb Drives

Page 23: USB drives Risk Reduction

Traditional
Block all USB devices in Group Policy
Disable AutoRun
Glue USB ports shut (?!?!)

Better Solution: IEEE 1667
Standard Protocol for Authentication in Host Attachments of Transient Storage Devices
USB devices can be signed and authenticated, so only authorized devices are allowed
In Windows 7, Linux.
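"Disable AutoRun" is a single registry policy, and the detail that matters for U3 is which drive types it covers: the U3 software runs from the hidden CD partition, so a policy that only suppresses AutoRun on removable disks still lets it launch. The script below is an added example, not from the slides or from Sam Bowne. It decodes the Windows NoDriveTypeAutoRun value (a REG_DWORD under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, bit values as Microsoft documents them), shows the weak default 0x91 beside the hardened 0xFF, and emits the reg.exe command that sets it. The registry read runs only on Windows; elsewhere the script evaluates the OS default so it can be tried anywhere.

```python
"""Decode and harden the Windows NoDriveTypeAutoRun policy value, the setting
behind the slide's "Disable AutoRun" advice. Added example, not from the
original slides. Drive-type bit values are Microsoft's documented ones; the
registry read happens only on Windows and is otherwise replaced by the default."""
import sys

# Each set bit suppresses AutoRun for one drive type.
DRIVE_BITS = {
    0x01: "unknown type",
    0x04: "removable (USB stick; the U3 'Removable Disk')",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM (also the U3 virtual CD partition)",
    0x40: "RAM disk",
    0x80: "unrecognised type",
}
WINDOWS_DEFAULT = 0x91   # policy unset: only 0x01, 0x10 and 0x80 are suppressed
ALL_DISABLED = 0xFF      # the value most hardening guides set

KEY_PATH = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAME = "NoDriveTypeAutoRun"


def autorun_allowed(value: int) -> list:
    """Drive types on which AutoRun is still honoured under this value."""
    return [desc for bit, desc in DRIVE_BITS.items() if not value & bit]


def is_hardened(value: int) -> bool:
    """Hardened means both removable and CD-ROM AutoRun are suppressed,
    since a U3 stick presents itself as one of each."""
    return bool(value & 0x04) and bool(value & 0x20)


def remediation_command() -> str:
    """reg.exe command that sets the policy to 0xFF (every drive type)."""
    return (f'reg add "HKLM\\{KEY_PATH}" /v {VALUE_NAME} '
            f'/t REG_DWORD /d {ALL_DISABLED} /f')


def read_policy_value() -> int:
    """Read the machine policy on Windows; elsewhere return the OS default."""
    if sys.platform != "win32":
        return WINDOWS_DEFAULT
    import winreg
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as key:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
            return int(value)
    except FileNotFoundError:
        return WINDOWS_DEFAULT


def report(value: int) -> str:
    """Human-readable verdict for one policy value."""
    if is_hardened(value):
        return f"0x{value:02X}: hardened; AutoRun suppressed for removable and CD-ROM media"
    return (f"0x{value:02X}: weak; AutoRun still honoured for: "
            + ", ".join(autorun_allowed(value))
            + f"\n  fix: {remediation_command()}")


if __name__ == "__main__":
    print(report(read_policy_value()))
```

The same value can be set per user under HKCU, and the machine policy wins when both exist; whichever path is used, the CD-ROM bit (0x20) is the one that decides whether a U3 drive's Launchpad starts. IEEE 1667 device authentication, the slide's "better solution", is independent of this setting and stops unauthorized devices from mounting at all.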


Page 24: Default Configuration

Example: ASUS Eee PC Rooted Out of the Box
The Eee PC 701 shipped with Xandros Linux
The Samba file-sharing service was on by default
It was a vulnerable version, easily rooted by Metasploit
Easy to learn, Easy to work, Easy to root

Page 25: Default Passwords

Many devices ship with default passwords that are often left unchanged
Especially routers (seen before)

Page 26: ATM Passwords

In 2008, these men used default passwords to reprogram ATM machines to hand out $20 bills like they were $1 bills

Page 27: Bluetooth Attacks

Bluetooth supports encryption, but it's off by default, and the password is 0000 by default

Page 28: Reverse Engineering Hardware

Mostly an engineering endeavor
Mapping the device
Sniffing the bus data
Firmware reversing
JTAG -- testing interface device for printed circuit boards.
Read the book for more details.