CODE BLUE 2014: Physical [In]Security: It’s not ALL about Cyber by Inbar Raz


Upload: code-blue

Post on 14-Aug-2015


TRANSCRIPT

Page 1: CODE BLUE 2014 : Physical [In]Security: It’s not ALL about Cyber by Inbar Raz

©2014 Check Point Software Technologies Ltd.

Physical (In)Security: It’s not all about Cyber

Inbar Raz, Malware & Security Research Manager, Check Point Software Technologies

Page 2

Vulnerability Disclosure

• Responsible Disclosure:
  – Contact the vendor only and inform them of the vulnerability
  – Offer to work with the vendor
  – After a grace period, proceed to Full Disclosure:
    – Web vulnerability: 1-4 weeks
    – Software: 1-3 months
    – Firmware: 3-6 months
    – But: no actual standard, players make the rules

• Full Disclosure:
  – Publish all information, including the POC
  – Sometimes only a video of the POC

Page 3

Example #1: Movie Ticket Kiosk

• On-site Kiosk
• Touch Screen
• Credit Card Reader
• Ticket Printer
• No peripherals, no interfaces

Page 4

The Attack

• Improper interface settings allow the opening of menu options.
• Menus can be used to browse for a new printer.

Page 5

The Attack

• A limited Windows Explorer is not restricted enough.
• A right-click can be used…
• …to open a full, unrestricted Windows Explorer.

Page 6

The Attack

• Browsing through the file system reveals interesting directory names…
• …and even more interesting file names.

Page 7

The Attack

• Bingo: Credit Card Data (Unencrypted!)
• Tools of the trade: Notepad
• We can use the ticket printer to take it home ☺

Page 8

The Attack

• But that’s not all: RSA Keys and Certificates are also found on the drive!
• …which we can print, take home and then read with free OCR software…

Page 9

The Attack

• The result: RSA Keys used to bill credit cards.

Page 10

Example #1: Summary

• Device purpose: Print purchased Movie Tickets
• Data on device: Credit Card data and Encryption Keys
• Method used to hack: 1 finger

Page 11

Example #2: Point-of-Sale Device

• Point-of-Sale devices are all around you.

Page 12

The Attack

• PoS Device located outside the business during the day
• At the end of the day, it is locked inside

Page 13

The Attack

• But one thing is left outside, on the street:

Page 14

The Attack

• Intelligence Gathering: Listen to the network, discover who’s talking, what language they’re speaking, and what they’re saying in that language

Page 15

The Attack

• Intelligence Gathering: Listen to the network, discover who’s talking, what language they’re speaking, and what they’re saying in that language
• Detected IP addresses:
  – 192.168.0.1
  – 192.168.0.2
  – 192.168.0.4
  – 192.168.0.250
  – 192.168.0.254

Page 16

The Attack

• Evidence of SMB (plus prior knowledge) leads to the next step:
• And the response:

Page 17

Things to do with an open share

• #1: Look around
  – Establish possible attack vectors

Page 18

Things to do with an open share

Page 19

Things to do with an open share

• #1: Look around
  – Establish possible attack vectors
• #2: Create a file list
  – Not like stealing data, but very helpful
  – Go home, analyze, come back later

Page 20

The mystery of 192.168.0.250

• Answers a ping, but no SMB.
• First guess: Switch/Router/ADSL Modem.
• Try to access the web UI:

Page 21

The mystery of 192.168.0.250

• Use the full URL:

Page 22

Going for the ADSL Modem/Router

• Reminder: We actually had this information.

Page 23

Going for the ADSL Modem/Router

• Naturally, there is access control:
• Want to guess?

Page 24

Example #2: Summary

• Device purpose: Cash Register and Local Server
• Data on device: Credit Card data, Customer Database
• Method used to hack: MacBook Pro, Free Software

Page 25

Other opportunities

• A Medical Clinic in Tel-Aviv
  – Complete disregard for attendance systems

Page 26

Other opportunities

• A Hospital in Tel-Aviv

Page 27

Other opportunities

• An ATM at a shopping mall

Page 28

Example #3: Hospital Smart TV

• Features:
  – Watch TV
  – Listen to music
  – VOD
  – Browse the Internet

• Peripherals:
  – Touch Screen
  – Credit Card Reader
  – Earphones
  – And… USB…

Page 29

The Attack

• Start with a USB Keyboard
  – Num-Lock works
  – Nothing else does
• Power off, Power on, F11

Page 30

Our options are opening up

• Let’s boot something else
• BackTrack (Kali): Never leave home without it

Page 31

But I’m facing a problem

• Even though I’m set to DHCP, I have no IP address.
• An examination of the config files reveals the problem:

    # The loopback interface, this is the default configuration:
    auto lo
    iface lo inet loopback

    # The first network interface.
    # In this case we want to receive an IP-address through DHCP:
    auto eth0
    iface eth0 inet dhcp
        pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

        # In this case we have a wired network:
        wpa-driver wired

        # Tell the system we want to use WPA-Supplicant
        # with our configuration file:
        wpa-conf /etc/wpa_supplicant.conf

Page 32

But I’m facing a problem

• Even though I’m set to DHCP, I have no IP address.
• An examination of the config files reveals the problem.
• But this is Linux, everything is in text files ☺

    network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="a*****c"
        anonymous_identity="a*****c"
        password="*****"
        phase1="auth=MD5"
        phase2="auth=PAP password=*****"
        eapol_flags=0
    }

Page 33

But I’m facing a problem

• Even though I’m set to DHCP, I have no IP address.
• An examination of the config files reveals the problem.
• But this is Linux, everything is in text files ☺
• I copy the files, and try again.
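A defender’s check for the weakness this config shows, added here as an example (it is not part of the talk): a small audit script that parses the network blocks of a wpa_supplicant.conf and flags 802.1X settings that let anyone who can read or copy the file join the network, which is exactly what copying the files achieved here. The sample config is constructed to mirror the masked one on the slide, and the finding codes are my own names.

```python
import re

# Constructed sample modelled on the masked config shown on the slide.
SAMPLE_CONF = """\
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}
"""
BLOCK_RE = re.compile(r"network\s*=\s*\{(.*?)\}", re.S)

def parse_networks(text):
    """One {key: value} dict per network={...} block, quotes stripped."""
    nets = []
    for body in BLOCK_RE.findall(text):
        kv = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                k, v = line.split("=", 1)
                kv[k.strip()] = v.strip().strip('"')
        nets.append(kv)
    return nets

def audit_network(net):
    """Return finding codes (my own names) for one 802.1X network block."""
    f = []
    eap = set(net.get("eap", "").split())
    if "MD5" in eap or "auth=MD5" in net.get("phase1", ""):
        f.append("WEAK_EAP_MD5")            # no server auth, no keying material
    pw = net.get("password", "")
    if pw and not pw.startswith("hash:"):   # hash: is wpa_supplicant's NT-hash form
        f.append("CLEARTEXT_PASSWORD")      # copy the file, own the credential
    if "auth=PAP" in net.get("phase2", "") or "password=" in net.get("phase2", ""):
        f.append("CLEARTEXT_INNER_AUTH")    # PAP inside the tunnel, plus a 2nd copy
    if eap & {"TTLS", "PEAP"} and "ca_cert" not in net:
        f.append("NO_SERVER_CERT_CHECK")    # tunnel endpoint is never verified
    if net.get("identity") and net["identity"] == net.get("anonymous_identity"):
        f.append("IDENTITY_NOT_ANONYMIZED") # real username sent outside the tunnel
    return f

def audit_conf(text):
    return [audit_network(n) for n in parse_networks(text)]
```

Run it over the supplicant config pulled from a device image during a review; an empty finding list means the block uses a hashed credential, validates the RADIUS server certificate and keeps the real identity inside the tunnel.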

Page 34

What next?

• Find out where we are (external IP)
• Proof-of-Concept: Open reverse shell

Page 35

But it’s not enough…

• Further analysis of files reveals a lead: http://192.168.0.250/client/
• This is the actual User Interface:

Page 36

So the next logical step is…

Page 37

So what’s next?

• We lost access to the devices
  – At least easy access
• Complete the report and go for disclosure

However…

• Turns out other hospitals have the same device
  – So now we wait for someone to get sick…

Page 38

Example #3: Summary

• Device purpose: Smart TV for Hospital Patients
• Data on device: Network Encryption Keys, Possible access to other networks
• Method used to hack: USB Drive, Free Software, Keyboard, Mouse

Page 39

Example #4: Airport Entertainment

Page 40

Escaping the Box

Page 41

Collecting Valuable Information

Page 42

Example #4: Summary

• Device purpose: Airport Entertainment and Shopping
• Data on device: VNC Encryption Keys, Possible access to other networks, Potential Botnet
• Method used to hack: USB Keyboard and Drive

Page 43

Conclusion

• Local Networks are rarely as monitored and as protected as the Internet Gateway.
• Many devices that are publicly accessible do not get hardened against unauthorized access.
• Compromising a device on an internal network can easily be leveraged in a network proliferation operation.
• Best practice: Ask yourself: “Would I trust Inbar here?”
• It’s not all about Cyber.

Page 44

Thank You!