hacking cell phone embedded systems
play

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The - PowerPoint PPT Presentation

Jul 26, 2023 •224 likes •682 views

Hacking Cell Phone Embedded Systems Keegan Ryan RECON 2017 The Target The Target brendangates The Target Meriac (2010), Churchill Legacy ICLASS Introduced in 2007 Broken in 2010 Master key on every reader Security

  1. Hacking Cell Phone Embedded Systems Keegan Ryan – RECON 2017

  2. The Target

  3. The Target brendangates

  4. The Target Meriac (2010), Churchill

  5. Legacy ICLASS • Introduced in 2007 • Broken in 2010 • Master key on every reader • Security of card reader broken • Protocol reverse engineered • New version of iCLASS released, but many still use Legacy iCLASS • Uses ISO15693 Meriac (2010), Inside Contactless (2004)

  6. Nexus S • Introduced in 2010 • One of earliest to support NFC, including ISO15693 • Android source code available • Cheap

  7. Nexus S • Try Android app first Android • Transceive raw bytes Application • CRC added automatically, but we don’t want a CRC • Not added by libraries libnfc Library • Not added by kernel • Must be added by NFC controller chip Kernel Driver NFC Controller

  8. PN544 • Separate from Nexus S CPU • Powered by host or external field • Supports ISO 15693, Mifare, FeliCa • Supports firmware upgrades • Uses 80C51MX Processor DATA CODE NXP (2010), Wharton (1980)

  9. Investigating the PN544

  10. Firmware Recovery • PHDNLD_CMD_READ • Pull from update file • Code signing • Protected with SHA1 and RSA-1024 • Introduced after first devices shipped • Need a device never updated past Gingerbread Libnfc-nxp

  11. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  12. Reverse Engineering • There aren’t any. Look for strings. • They don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • Just start reversing until we find something useful.

  13. PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  14. Reverse Engineering • Reverse commonly called functions • Find switch function • Find command switching • Trace known command IDs through code

  15. Reverse Engineering Libnfc-nxp

  16. Problem: PATCH_TABLE EEPROM/CFG FW_CODE PATCH_CODE

  17. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE ??? PATCH_CODE

  18. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  19. Kernel Recovery • We understand and can modify FW_CODE • FW_CODE doesn’t have access to kernel • We can modify PATCH_CODE • Don’t know how to trigger PATCH_CODE • Want to maximize chances of executing our code

  20. Kernel Recovery PATCH_CODE

  21. Kernel Recovery PATCH_CODE

  22. Kernel Recovery

  23. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  24. Problem: Missing Code PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  25. Reverse Engineering Kernel Reverse Engineering • Still aren’t any. Look for strings. • Still don’t exist. Look for CRC constants. • Look for usage of the XOR instruction. No help. • CRC creation is done by hardware • Still not impossible, but we need a new approach

  26. Wireless Protocols

  27. SDR Setup Signal Source Antenna Radio Upconverter

  28. SDR Setup <s> 10 01 10 00 01 00 00 00…

  29. Transfer Speed • ISO15693 has two modes: • Slow (1.65 kbps) • Fast (26.48 kbps) • Nexus S uses slow mode • ICLASS only uses fast mode Inside Contactless (2004)

  30. Problem: Transfer Speed • Capability probably exists, but is unused. • Find transmission code • Loads settings from EEPROM/CFG • Only uses one set of values • Swap around values in EEPROM/CFG • Fast mode!

  31. Mifare Libnfc-nxp

  32. Problem: Checksum Generation Find differences here Android Apply difference here FW_CODE Command Handler MIFARE Setup MIFARE Setup ISO15693 Setup (CRC) (No CRC) (CRC) RF Transmit

  33. Patching the Kernel PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  34. Exploitation

  35. Patching Checksum Generation PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  37. Putting It All Together PATCH_TABLE EEPROM/CFG FW_CODE KERNEL_CODE PATCH_CODE

  38. Demo

  39. Demo

  40. Future Research What can be done with a hacked NFC controller? • Surreptitiously read a badge • Information storage • Information exfiltration

  41. Future Research • What other embedded systems do we carry everywhere? • Bluetooth • USB controller • Baseband radio • Camera • Fingerprint reader • What could you make these systems do?

  42. The End Keegan Ryan Keegan.Ryan@nccgroup.trust @inf_0_

  43. Bypassing Firmware Signing? if (*flag == 0xa55a) doInsecureDownload(); else doSecureDownload();

  44. Bibliography Brendangates . “Badge reader.” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY-NC-ND 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/brendangates/2384518688. Churchill, Sam. “ nfc.phone .” Licensed under a Creative Commons Attribution 2.0 Generic (CC BY 2.0). Accessed 11 June 2017. https://www.flickr.com/photos/samchurchill/5181496553 Inside Contactless. "Datasheet PicoPass 2KS." Rapport technique (2004). Libnfc-nxp Library. Accessed June 11, 2017. https://android.googlesource.com/platform/external/libnfc-nxp. Meriac, Milosch. "Heart of darkness-exploring the uncharted backwaters of hid iclass (TM) security." In 27th Chaos Communication Congress . 2010. NXP. “NXP NFC controller PN544 for mobile phones and portable equipment." On Line: http://www.nxp.com/documents/leaflet/75016890.pdf (2010). Wharton, John. "An Introduction to the Intel-MCS-51 Single-Chip Microcomputer Family." Intel Corporation (1980).

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July,

Building Tools for Hacking Deeply Embedded Systems Travis Goodspeed Recon, Montral -- 11 July, 2010 Sunday, July 25, 2010 Brief Introduction 8, 16-bit Embedded Systems No operating system, no symbol table, etc. Very different

902 views • 74 slides
Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa

Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa

Real-Time Embedded Computing Systems Giorgio Buttazzo Scuola Superiore SantAnna, Pisa Computers everywhere Today, 98% of all processors in the planet are embedded in other objects: Increasing complexity # functions in a cell phone 200

728 views • 59 slides
Sign In Directions Please take out cell phone If you do not have a cell phone, there is a

Sign In Directions Please take out cell phone If you do not have a cell phone, there is a

Sign In Directions Please take out cell phone If you do not have a cell phone, there is a sign up sheet in the back. Send text message to: 37607 Type in message area: Joemac30 Wait for the brief response Type in your

891 views • 68 slides
HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems

HW/SW Codesign w/ FPGAs Embedded Systems ECE 495/595 Overview (Slides from Embedded Systems Design, F. Vahid and T. Givargis) Embedded computing systems definition: Computing systems embedded within electronic devices. Hard to define

396 views • 26 slides
1 Production Cell Set-up Pervasive Systems Robotics and Mechatronics Bio-inspired wireless

1 Production Cell Set-up Pervasive Systems Robotics and Mechatronics Bio-inspired wireless

Programme Today Master programme Embedded Systems Bert Molenkamp (programme mentor) Demo 4TU MASTER EMBEDDED SYSTEMS Gerwin Hoogsteen (ZI 5078); smart grid Masoud Abbasi Alaei (ZI 5098); wireless communication Tour

413 views • 4 slides
Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system :

Embedded systems and the role of programmable logic devices in embedded systems Embedded system : a combination of computer hardware and software, and perhaps additional mechanical or other parts, designed to perform a dedicated function. In some

414 views • 20 slides
Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems

Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems

Location Models and Their Cell Phone Applications May 31st, 2005 Seminar: Distributed Systems Gabor Cselle gabor@student.ethz.ch Advisor: Christian Frank Overview 1. An introduction to location models 2. Automatic identification of

415 views • 29 slides
4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of

4TU MASTER EMBEDDED SYSTEMS Bert Molenkamp 19/03/2020 Master Embedded Systems 1 Table of contents What is an embedded system Examples of research topics Admission Overview of the programme Success rates Master Embedded

814 views • 31 slides
Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by

Contents 1. Introduction 2. How do Cell Phone Towers work? 3. What is the radiation produced by a cell phone? 4. How are people exposed to the energy from cellular phone towers? 5. Do cellular phone towers cause cancer? 6. what CAN we do? 7.

570 views • 14 slides
Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems

1 ESII: ASIPs_ISEs Design and Architectures for Embedded Systems (ESII) Prof. Dr. J. Henkel, Dr. M. Shafique CES - Chair for Embedded Systems Karlsruhe Institute of Technology, Germany Today: Embedded Processor Platforms ASIPs and Extensible

1.5k views • 89 slides
Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing.

Software Engineering for Embedded Systems Software Engineering for Embedded Systems Dr.-Ing. Mohammad. Abdullah Al Faruque Dipl.-Inform. Sebastian Kobbe CES - C hair for E mbedded S ystems (Prof. Dr. Jrg Henkel) Department of Computer Science

847 views • 72 slides
Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone

Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone

Hacking on the Fairphone 2 About Fairphone Mission to create and improve the mobile phone industry one step at the time. About Fairphone If you cant open it, you dont own it Fairphone 2 hardware overview Samsung 32 GB eMMC NAND

601 views • 32 slides
ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State

Embedded Systems Programming Trends of Embedded Systems (Module 2) Yann-Hang Lee Arizona State University yhlee@asu.edu (480) 727-7507 Summer 2014 Real-time Systems Lab, Computer Science and Engineering, ASU Trends of RT Embedded Systems

332 views • 10 slides
Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks

Networked Embedded Systems Ezio Bartocci Overview Networked Embedded Systems (182.717): 6 weeks for semester ECTS: 6.0 Web: http://ti.tuwien.ac.at/rts/teaching/courses/networked-embedded-systems Type: Lessons (VU Vorlesung) with

700 views • 20 slides
Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick

Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick

Supporting National Hydrogen and Fuel Cell Innovation Systems: Germany and the UK Compared Nick Hacking &amp; Prof. Malcolm Eames Low Carbon Research Institute (LCRI), WSA, Cardiff University SUPERGEN Delivery of Sustainable Hydrogen (DoSH 2 )

713 views • 20 slides
17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the

17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the

17-11-14 Todays Goals/Invitations Collaboration - Explore/play with the kits in partners or in small groups! Hands-On Literacy Kits Idea Generation - Share an idea/kit you've seen from other sources (i.e.

441 views • 7 slides
AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session

AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session

AMERICAS ANDROID ALPHABET SOUP Darryn Campbell Senior Software Architect Developer Session Agenda Android Alphabet Soup How the enterprise got here Where were going Android Marshmallow &amp; demos Android Nougat

337 views • 29 slides
PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ {

PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ {

Intro Behind the scenes Thank you Goodbye PromCon closing talk Sleep is optional and for the weak Richard Hartmann, RichiH@ { freenode,OFTC,IRCnet } , richih@ { fosdem,debian,richih } .org, @TwitchiH 2018-08-10 Richard Hartmann, RichiH@ {

429 views • 16 slides
Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos*

Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos*

Introduc)on*to*Android* Mobile*and*Ubiquitous*Compu)ng* MEIC/MERC*2015/16* * Nuno*Santos* 1.#SOME#CONTEXT# Mobile*and*Ubiquitous*Compu)ng*2015/16* What*Is*Android?* Android*delivers*a*complete*set*of*soIware*for*

598 views • 24 slides
Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society,

Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society,

Imperfect competition and intra- industry trade Giovanni Marin Department of Economics, Society, Politics Universit degli Studi di Urbino Carlo Bo References for this lecture BBGV Chapter 4, paragraphs 4.1, 4.2, 4.3, 4.4, 4.5,

538 views • 52 slides
Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android

Lab 1 Introduction to Android &amp; Hello World Example KUAN-TING LAI 2018/9/10 Android History Code Version Linux kernel Initial release API version [1] name number date level (No codename) [2] 1.0 ? September 23, 2008 1 Petit

1.4k views • 40 slides
AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin

AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin

AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 WISH TREES AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 Wednesday, August 28, 13 AVT 691 Erin Jacobs Wed. 4:30-7:10 Rm L004 IMAGINED PETS Wednesday, August 28, 13 AVT

270 views • 14 slides
im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer

im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer

Software &amp; Systems Design im watch the first Android Smartwatch Nicola La Gloria, Ph.D. Field Application Engineer Agenda Introduction Hardware Design OS firmware design Enterprise (quick introduction) Q&amp;A

465 views • 30 slides

More recommend