from hardware to 0 day
play

FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use - PowerPoint PPT Presentation

Jun 12, 2023 •489 likes •795 views

FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use it for its intended purpose PIETRO OLIVA WHOAMI Name: Pietro Oliva Twitter: @0xsysenter Current role: Security researcher (R3) Previous roles: Security

  1. FROM HARDWARE TO 0-DAY Or how to buy a security camera and never use it for its intended purpose PIETRO OLIVA

  2. WHOAMI • Name: Pietro Oliva • Twitter: @0xsysenter • Current role: Security researcher (R3) • Previous roles: • Security Researcher (Sony) • Red Team Operator (JP Morgan) • Penetration Tester / Security Auditor (NCC GROUP, PWC, GMV)

  3. AGENDA Why perform security research on a camera Information gathering on previous work The challenge The path to success Lessons learned Future work Conclusions Q & A

  4. WHY PERFORM SECURITY RESEARCH ON A CAMERA? Many people say “IoT I wanted to verify these I was looking for a challenge devices are not secure” claims and learning opportunity

  5. PREVIOUS WORK ON TP-LINK NC200/NC220 • This was already patched on later firmware versions • Is there really only one vulnerability affecting this camera?

  6. THE CHALLENGE Hack the latest and greatest firmware • Starting from hardware analysis and firmware dumping • By performing firmware reverse engineering (deliberately excluding fuzzing) • On an architecture I was unfamiliar with (MIPS) • Using a reverse engineering tool that: • Is free and open source • I can use Everywhere (including on a mobile phone) • That tool exists and is called radare2!

  7. HARDWARE ANALYSIS AND FLASH DUMPING Identified the board components via pictures and FCC ID Downloaded datasheets Performed flash dumping

  8. SPI FLASH DUMPING – TOOLS • Bus pirate as SPI reader/writer • Flashrom to perform dump via bus pirate • THE 8 MB SPI flash contained the main firmware!

  9. FIRMWARE EXTRACTION AND ANALYSIS Binwalk + Jefferson for filesystem extraction Radare2 as the main reverse engineering tool Main reverse engineering target: a binary called “ ipcamera ”

  11. BUGS, BUGS, BUGS… CVE-2020-10231 - TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference

  12. THE PAIN OF RESPONSIBLE DISCLOSURE CVE-2020-10231 - TP-LINK Cloud Cameras NCXXX Remote NULL Pointer Dereference Stage 1 (4 th December 2019): The camera is “not supported anymore” Stage 2 (February 2020): Let’s see if other cameras are affected Stage 3 (24 th February 2020): Warn the vendor all NC cameras are affected Stage 4 (29 th March 2020): Drop a zero day Stage 6 (8 th April 2020): Vulnerability gets fixed Stage 5 (multiple dates): Next reports and deadlines are taken seriously Stage 7 (7 th May 2020): Promised I won’t report any more issues

  13. BUGS, BUGS, BUGS… CVE-2020-13224 - TP-LINK Cloud Cameras NCXXX DelMultiUser Stack Overflow The PoC: Usernames=,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

  14. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (1)

  15. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (2) This looks straightforward, but we have a problem to solve We know the algorithm is DES ECB and the encryption key Found a tool that would correctly encrypt/decrypt backup files But I would get random data with standard DES implementations I thought I was doing something wrong, until I realized that…

  16. BUGS, BUGS, BUGS…

  17. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (3) After checking all the code, there was only one thing left to check… Standard des Random tool on the internet that somehow works

  18. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (4)

  19. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (5)

  20. BUGS, BUGS, BUGS… CVE-2020-12110 - TP-LINK Cloud Cameras NCXXX Hardcoded Encryption Key (6) DEMO

  21. BUGS, BUGS, BUGS… CVE-2020-12111 - TP-LINK Cloud Cameras NCXXX SetEncryptKey Command Injection This vulnerability only affected NC260 and NC450 cameras

  22. BUGS, BUGS, BUGS… CVE-2020-12109 - TP-LINK Cloud Cameras NCXXX Bonjour Command Injection (1) swBonjourStartHTTP

  23. BUGS, BUGS, BUGS… CVE-2020-12109 - TP-LINK Cloud Cameras NCXXX Bonjour Command Injection (2) swSystemSetProductAliasCheck

  24. BUGS, BUGS, BUGS… CVE-2020-12109 - TP-LINK Cloud Cameras NCXXX Bonjour Command Injection (3)

  25. BUGS, BUGS, BUGS… CVE-2020-12109 - TP-LINK Cloud Cameras NCXXX Bonjour Command Injection (4) One bug to rule them all

  26. BUGS, BUGS, BUGS… CVE-2020-12109 - TP-LINK Cloud Cameras NCXXX Bonjour Command Injection (5) DEMO

  27. LESSONS LEARNED • Code reuse = same vulnerabilities across different devices • Dropping a zero-day after fix deadline has passed can get the vendor to fix issues and take your reports seriously • Reverse engineering can reveal bugs that cannot be found via fuzzing/black box testing

  28. FUTURE WORK If you are interested, I have some ideas to get you started 01 02 03 04 Look for Look for Look for Look for vulnerabilities that vulnerabilities in vulnerabilities in baseband (Wi-Fi) can be exploited the browser plugin the mobile app vulnerabilities from TP-Link Cloud

  29. CONCLUSIONS • There was more than just one vulnerability on NC cameras ☺ • You don’t need expensive tools to find those issues • It is possible to find issues with a mobile phone on a plane • Reversing is necessary to complement fuzzing/black box testing • It was a good idea to never connect my camera to the cloud • I can now say from experience that some IoT devices are indeed insecure • Security researchers and vendors have a shared responsibility at making things more secure

  30. THANK YOU FOR LISTENING

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to

The Business of Making Strategies for Success from Startup to Exit Hardware and Robotic Startup Accelerator what hardware used to be . VC. VC. Hardware Startup The Hardware Revolu/on The Hardware Revolution Removing Barriers to Entry Open

604 views • 32 slides
Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security

SP SPACE ACE 201 2016 Sec Secure ure Hardware Hardware and Hardware and Hardware- En Enabled abled Security Security: : New Front New Frontiers iers Swarup Bhunia Professor Electrical & Computer Engineering SPACE | Dec 2016 1

607 views • 29 slides
CSE 120 Hardware How hardware works Operating Systems Layer What the kernel does API

CSE 120 Hardware How hardware works Operating Systems Layer What the kernel does API

Overview CSE 120 Hardware How hardware works Operating Systems Layer What the kernel does API What the programmer does July 27, 2006 Day 8 Input/Output Instructor: Neil Rhodes 2 Hardware Hardware Kinds Bus : a set of wires

613 views • 6 slides
software and hardware for the Internet of Things. Choose hardware Design hardware Design

software and hardware for the Internet of Things. Choose hardware Design hardware Design

Zeidman Technologies has created a fundamentally new way to develop embedded software and hardware for the Internet of Things. Choose hardware Design hardware Design software Initial hardware choices determine Integrate functionality and

185 views • 15 slides
HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate

HOST Hardware Trojans I ECE 525 Hardware Trojans (HT) What is a hardware Trojan? A deliberate and malicious change to an IC that adds or removes functionality or reduces reliability The modifications may be designed to leak sensitive

394 views • 23 slides
Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded

Extending the GC hardware Rob Reilink Extending the GC hardware Why? GC can be an embedded computer Home automation Cinema set Car Infotainment system ... But: Essential hardware lacks: Data storage (harddisk and/or flash)

221 views • 9 slides
Hardware FUNDAMENTALS Getting started with Do It Yourself circuits and Raspberry Pi Hardware?

Hardware FUNDAMENTALS Getting started with Do It Yourself circuits and Raspberry Pi Hardware?

Hardware FUNDAMENTALS Getting started with Do It Yourself circuits and Raspberry Pi Hardware? Three main types of hardware (in this course) Commercial, off-the-shelf devices/appliances Do It Yourself solutions The central gateway

500 views • 33 slides
BIOINSPIRED HARDWARE Erki Suurjaak Overview bioinspired hardware NASAs exploration

BIOINSPIRED HARDWARE Erki Suurjaak Overview bioinspired hardware NASAs exploration

BIOINSPIRED HARDWARE Erki Suurjaak Overview bioinspired hardware NASAs exploration systems robots Ariel and RHex future? Bioinspired Hardware studies processes and seeks alternative mechanisms in nature hardware

155 views • 12 slides
Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5.

1. Introduction 2. Binary Representation Lecture 3 Hardware and Software 3. Hardware and Softw are 4. High Level Languages 5. Standard input and output Hardware has been defined as 6. Operators, expression and statem ents the

238 views • 3 slides
HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated

HW/SW Codesign Data Flow Hardware Implementation ECE 522 Mapping DFGs to Hardware As indicated in previous lectures, SDF graphs are particularly well-suited for map- ping directly into hardware For SDFs with single-rate schedules, all actors

109 views • 7 slides
Computer Hardware Computer - hardware and software Like piano and music In this

Computer Hardware Computer - hardware and software Like piano and music In this

Computer Hardware Computer - hardware and software Like piano and music In this section: hardware The computer is an amazingly useful general-purpose technology, to the point that now cameras, phones, thermostats .. these are all now

390 views • 17 slides
Computer Hardware Hardware components are the physical parts of the computer Main Hardware

Computer Hardware Hardware components are the physical parts of the computer Main Hardware

Computer Hardware Hardware components are the physical parts of the computer Main Hardware Components are: CPU Also known as processor. Brains of the computer Responsible for fetching instructions from memory and executing

1.6k views • 136 slides
PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap

PyNN and the FACETS Hardware Daniel Brderle Heidelberg FACETS Hardware: Recap Neuromorphic Hardware: A physical model, not a simulation Intrinsically parallel, scalable, fast, ... Not an arbitrarily flexible substrate

512 views • 17 slides
Hardware evaluation and procurement Hardware: competition, evolution, Evaluation of CPU nodes

Hardware evaluation and procurement Hardware: competition, evolution, Evaluation of CPU nodes

Hardware evaluation and procurement Yannick Perret Hardware evaluation and procurement Hardware: competition, evolution, Evaluation of CPU nodes manufactur- ers. . . for procurement purposes at CC-IN2P3 Hardware: CPU Manufacturers

394 views • 21 slides
Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer

Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer

Hardware-oriented Specification Hardware Circuits Hardware Description in C Hardware Design for Cryptographers P . Schaumont Bradley Department of Electrical and Computer Engineering Virginia Tech Blacksburg, VA Design and Security of

1.01k views • 63 slides
Hardware Description Languages (HDLs) Introduction Two main hardware description languages

Hardware Description Languages (HDLs) Introduction Two main hardware description languages

Robert Betz: 97 Department of Electrical and Computer Engineering Hardware Description Languages (HDLs) Introduction Two main hardware description languages will be treated in this course: Altera Hardware Description Language (AHDL), and

1.38k views • 112 slides
Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti ,

Securing Industrial IoT Device Attestation, Software Updates, and Data Protection Mauro Conti , University of Padua Slides prepared with the support of Daniele Lain and Moreno Ambrosin SCy-Phy Systems Week 2017 Panel IV: Defences June 6, 2017,

794 views • 25 slides
and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott

and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott

Implementation of GigE Vision Standard and Applications in MicroTCA Sven Stubbe with support from Jan Marjanovic and Aaron Gornott Hamburg, 06.12.2018 Implementation of GigE Vision Standard and Applications in MicroTCA Sven Stubbe, 06.12.2018

308 views • 11 slides
Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the

Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the

CMS Commissioning Meeting August 15 th , 2008 CERN - Geneva (CH) Highlights of TI2-LHC Synchronization Test with Beam M. Lamont and S. Redaelli on behalf of the OP team Outline Introduction: goals / layouts Beam and magnet availability

766 views • 24 slides
BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone

BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone

7/11/2019 Basics of Bone Biology BONE ANATOMY Daniel D Bikle, MD, PhD Professor of Medicine, UCSF 1 7/11/2019 Origin of Bone Cells Bone Remodeling Proliferation M-CSF & Differentiation C-Fms Resting Phase Activation Osteoclast

116 views • 8 slides
On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why

Intro Why FPGA (and what the FPGA is all about) Software approach simulation first Going to the hardware Whats next Contact info On-hardware debugging of IP cores with free tools Anton Kuzmin 2020-02-02 1 / 12 Intro Why FPGA (and

770 views • 12 slides
SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin

SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin

SoC Design SoC Design g L Lecture Lecture 6: IP Cores 6 IP C : IP Cores IP C Shaahin Hessabi Shaahin Hessabi Department of Computer Engineering Department of Computer Engineering Sharif University of Technology Sharif University of

328 views • 28 slides
Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C

Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C

AIgean: An Open Framework for Machine Learning on a Heterogeneous Cluster NaifTarafdar , Giuseppe Di Guglielmo, Philip C Harris, Jeffrey D Krupa, Vladimir Loncar , Dylan S Rankin, Nhan Tran , Zhenbin Wu , Qianfeng Shen and

712 views • 47 slides
Integrating OmpSs@FPGA within Eclipse Presentation for EclipseCon 2019 Ruben Cano-Daz and

Integrating OmpSs@FPGA within Eclipse Presentation for EclipseCon 2019 Ruben Cano-Daz and

Integrating OmpSs@FPGA within Eclipse Presentation for EclipseCon 2019 Ruben Cano-Daz and Xavier Martorell Barcelona Supercomputing Center The LEGaTO project has received funding from the European Union's Horizon 2020 research and innovation

665 views • 20 slides

More recommend