how reversing the combus protocol resulted in breaking
play

How reversing the COMBUS protocol resulted in breaking security - PowerPoint PPT Presentation

Dec 06, 2022 •406 likes •700 views

How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria Author Lead researcher at Possible Security, Latvia Hacking and

  1. How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria

  2. Author ● Lead researcher at Possible Security, Latvia ● Hacking and breaking things – Network fmow analysis – Reverse engineering – Social engineering – Legal dimension ● twitter / @KirilsSolovjovs

  3. INTRO

  4. Paradox security systems ● Canadian company, founded 1989 ● Modular security alarms – SPECTRA SP ● Expandable Security Systems – EVO ● High-Security & Access Systems – MAGELLAN ● Wireless Security Systems

  5. Prior research ● Work on interfacing with SP series via COMBUS – Martin Harizanov ● partially working code, moved on to SERIAL ● Work on interfacing with MG series via SERIAL – All over forums ● leaked docs – Gytis Ramanauskas ● code on github

  6. Responsible disclosure process ● At fjrst: – General claim that there’s a vulnerability met with doubt – Clearly no process in place ● In a few of months: – The information has been “dealt with” – For obvious security reasons, it is our policy to never discuss engineering matters outside of the company and thus we will not be commenting further on this issue ● Now doing public disclosure a couple years later ¯\_( ツ )_/¯

  7. Components ● zone interrupt devices ● PGM modules ● serial devices ● ancillaries

  8. Components ● combus slaves provide two-way communication – keypads – modules ● expansion ● printer ● listen-in ● etc.

  9. Components ● master heart on the system – “motherboard” – panel

  10. EVO192 RTC 3V battery voice dialer RS485 12 V ⎓ memkey battery 16.5 V ⏦ COMBUS

  11. REVERSE ENGINEERING

  12. Hardware tools ● Saleae Logic 8 ● Arduino UNO

  13. COMBUS

  14. Electrical layer ● combus – 4 wire bus ● resistance = 0 black = GROUND ⇒ (keypad) ● stable voltage red = POWER ⇒ ⎓ ● ... ?

  15. Signal layer ● yellow = CLOCK ● green = DATA ● 40ms between packet bursts ● 1 clock cycle = 1ms; signal = 1kHz

  16. Signal encoding ● CLOCK = low data!!! ☺ ⇒ ● ... we should have two-way comms something is missing ☹ 0 C 9 1 2 D 2 1 0 0 0 0 1 1 0 0 1 0 0 1 0 0 0 1 0 0 1 0 1 1 0 1 0 0 1 0 0 0 0 1

  17. Full signal encoding ● CLOCK = high – slave pulls down to send “1” ● CLOCK = low – master pulls up to send “1” -----M-M-M-M-M-M-M-MsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsMsM---

  18. Packet structure 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 master 40 03 92 02 01 EB 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C4 00 E2 14 10 0B 0F 37 05 00 01 5D 00 0C 13 38 1B slave 00 02 20 00 00 00 FF 5A 22 00 00 00 00 D5 23 79 E2 00 00 00 C8 B6 00 00 02 00 00 command checksum unused channel-request checksum – SUM mod 0x100, starts at command

  19. Commands: heartbeat / clock ● 0C AA 10 11 ● 0C NN DD/MM HH/SS – NN = xxxxxxxp = sequence number ● p==0 => 0C NN DD HH – DD = day of the month – HH = hour ● p==1 => 0C NN MM SS – MM = minutes – SS = seconds

  20. Commands: code entry ● 00 02 20 00 00 00 FF 12 34 00 00 00 00 D9 10 3A 99 12 34 00 00 00 00 21 00 ● 00 02 20 UT 00 00 CT CC CC 00 00 00 00 SS SS SS SS 00 00 00 00 =# 00 – UT = pxxxxxxx ● p = user type == 1 => programmer – CT = code type – CC CC = code (oh, check this out, it looks like a code) – SS SS SS SS = serial number of source device – =# = checksum

  21. Payloads ● No encryption used ● Text as fjxed length (often 16 chars) ASCII strings – 0x20 = fjller ● Numbers usually packed BCD – “0” is 0b1010 = 0xA – no encryption, but hey, at least we got obfuscation!

  22. DEMO TIME Before connecting a module to the combus, remove AC and battery power from the control panel.

  23. Exploitation scenarios 3998 3111 9309 1400 8248 4584 9450 5617 6550 8245 6979 9878 6101 4971 1294 9576 5005 2789 7113 3627 7113 6856 5132 4920 5076 7500 7065 0643 9302 1744 3725 8432 1275 1128 1497 8657 9264

  24. SUMMARY

  25. Results ● Hardware built, decoding software written ● Protocol partially transcribed

  26. Solutions ● Encryption at command layer – TLS – CA in trust-store in all components ● Mutual slave-master authentication – client certifjcates ● Sensitive payload encryption – with unique per-panel key (synchronized at install time)

  27. Further research ● Anti-collision protocol research ● DoS attacks ● Emulating a slave ● COMBUS over radio ● RF attacks ● Firmware reverse engineering

  28. Resources ● Slides available – http://kirils.org/ ● Tools available on 18 th November – https://github.com/0ki/paradox

  29. How reversing the COMBUS protocol resulted in breaking security Hacking COMBUS in a of a security system Paradox security system 16.11.2018. IT-SECX 2018, Austria http://kirils.org/ @KirilsSolovjovs

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core

Uncovering SAP vulnerabilities: Reversing and breaking the Diag protocol Martin Gallo Core Security Defcon 20 July 2012 P A G E Agenda Introduction Motivation and related work SAP Netweaver architecture and protocols layout

785 views • 41 slides
Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a

Horror on Horr Horr Horror on or on the b or on the b the bus the bus Hacking COMBUS in a Hacking combus in a Paradox security system Paradox security system Hackfest Decade Quebec, Canada Author Lead researcher at Possible

517 views • 36 slides
V2 MESSAGE TRANSPORT PROTOCOL V2 MESSAGE TRANSPORT PROTOCOL Jonas Schnelli - Breaking Bitcoin

V2 MESSAGE TRANSPORT PROTOCOL V2 MESSAGE TRANSPORT PROTOCOL Jonas Schnelli - Breaking Bitcoin

BIP324 Jonas Schnelli / dev@jonasschnelli.ch / Breaking Bitcoin 8th June 2019 PGP: CA1A2908DCE2F13074C62CDE1EB776BB03C7922D V2 MESSAGE TRANSPORT PROTOCOL V2 MESSAGE TRANSPORT PROTOCOL Jonas Schnelli - Breaking Bitcoin 2019 Goals of the v2

620 views • 43 slides
Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat

Key Reinstallation Attacks: Breaking the WPA2 Protocol Mathy Vanhoef @vanhoefm Black Hat Europe, 7 December 2017 Introduction PhD Defense, July 2016: You recommend WPA2 with AES, but are you sure thats secure? Seems so! No

857 views • 56 slides
10th U.S. Na+onal Combus+on Mee+ng: Valida&on and uncertainty quan&fica&on analysis

10th U.S. Na+onal Combus+on Mee+ng: Valida&on and uncertainty quan&fica&on analysis

10th U.S. Na+onal Combus+on Mee+ng: Valida&on and uncertainty quan&fica&on analysis (VUQ) of a char oxida&on model Oscar Diaz-Ibarra , Jennifer Spin&, Philip Smith Ins&tute for Clean and Secure Energy, University of Utah,

532 views • 16 slides
Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida

Cross-platform reversing with Frida Ole Andr Vadla Ravns Cross-platform reversing with Frida Motivation Existing tools often not a good fit for the task at hand Creating a new tool usually takes too much effort Short feedback

1.17k views • 37 slides
Reversing a firmware uploader & Others NFC stories 1

Reversing a firmware uploader & Others NFC stories 1

7/1/2019 Reversing a Firmware uploader & others NFC stories Reversing a firmware uploader & Others NFC stories 1 file:///D:/projects/pts2019/dist/index.html 1/41 7/1/2019 Reversing a Firmware uploader & others NFC stories

920 views • 41 slides
What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i

What is i i KP KP? ? i KP i KP: : i i - -Key Key- -Protocol Protocol What is i -Key-Protocol, i = 1, 2, 3, Family of protocols Secure electronic payment Based on credit card payments Christopher Hsu Can be extended

407 views • 4 slides
Analysis of BTI TK Crotte de bof S` arl 1 / 5 What is the BTI protocol? Recently introduced

Analysis of BTI TK Crotte de bof S` arl 1 / 5 What is the BTI protocol? Recently introduced

Analysis of BTI TK Crotte de bof S` arl 1 / 5 What is the BTI protocol? Recently introduced by BTI TM Relying on unbreakable ultra-modern crypto super-technology 2 / 5 Breaking BTI Uncover people behind STI Discover link to GMP-ECM Inc.

388 views • 5 slides
Combus ombustion ion Modeling odeling for or Indus ndustrial ial Systems ems Niveditha

Combus ombustion ion Modeling odeling for or Indus ndustrial ial Systems ems Niveditha

Combus ombustion ion Modeling odeling for or Indus ndustrial ial Systems ems Niveditha Krishnamoorthy CD-adapco niveditha.krishnamoorthy@cd-adapco.com Out Outline line Combustion capabilities of STAR-CCM+ Modeling of process

341 views • 17 slides
On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG,

On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG,

Dynamical instability Perdurance of the Bitcoin protocol. Hard forks Double spend attacks Catch-up mining instability On instabilities of the Bitcoin protocol Ricardo P erez-Marco @rperezmarco CNRS, IMJ-PRG, Univ. Paris 7 Breaking

1.23k views • 85 slides
Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus

Reversing early retirement in Reversing early retirement in OECD countries Bernhard Ebbinghaus Mannheim Centre for European Social Research (MZES) University of Mannheim www.mzes.uni-mannheim.de www.mzes.uni mannheim.de Overcoming early exit

380 views • 9 slides
Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Breaking out of the box Understanding rela5onships between learning and assessment Breaking

Dr Nick Saville Breaking out of the box Understanding rela5onships between learning and assessment Breaking out of the box - a metaphor for thinking about rela5onships and interpreta5ons breaking out breaking out of the box of the

895 views • 68 slides
Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD

Reversing Java (Malware) with Radare Adam Pridgen April 2014 About me Rice SecLab, a PhD Student Independent InfoSec Consultant/Contractor Overview Typical Java Reversing Talk o Decompile Code o Make Changes o Recompile and Win?

868 views • 66 slides
Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as

Active Reversing Andrew Schaffer Greg Hoglund The goal Solve reverse engineering problems as quickly as possible without having to read disassembled code Advantages Active Reversing reveals contextual relationships between user actions,

1.41k views • 91 slides
Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries

Reversing Land Degrada.on in Landlocked Countries Magda Lovei Prac&ce Manager for Environment and Natural Resources, World Bank I. Present

461 views • 18 slides
Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in

Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in

Statically Calculating Secondary Thread Statically Calculating Secondary Thread Performance in ASTI Systems Performance in ASTI Systems Siddhartha Shivshankar, Sunil Vangara and Alex Guimares Dean alex_dean@ncsu.edu Center for Embedded

441 views • 32 slides
TDDC17 Computer systems Robotic architectures Robotics/Perception II Navigation:

TDDC17 Computer systems Robotic architectures Robotics/Perception II Navigation:

Outline Sensors - summary TDDC17 Computer systems Robotic architectures Robotics/Perception II Navigation: Mapping and Localization Mariusz Wzorek Motion planning IDA/AIICS Motion control 1 2 TDDC17

442 views • 21 slides
Linear Slides(Lead screws) MOONS Linear Slides are designed to meet the needs of customers'

Linear Slides(Lead screws) MOONS Linear Slides are designed to meet the needs of customers'

L Series Linear Step Motors & Slides Linear Slides(Lead screws) MOONS Linear Slides are designed to meet the needs of customers' compact structure. These products offer many advantages such as high integration, small size, quieter

214 views • 19 slides
Source level debugging Handel-C Debug the FPGA, Herman Roebbers 07-Sep-2008 Introduction

Source level debugging Handel-C Debug the FPGA, Herman Roebbers 07-Sep-2008 Introduction

Source level debugging Handel-C Debug the FPGA, Herman Roebbers 07-Sep-2008 Introduction TASS and Handel-C history The problem Solution Approaches Screen shots Conclusions Future work July 11, 2011 2 TASS and

362 views • 15 slides
Weather Station PHYSICS PROJECT WITH A RESEACH BASIS 5c Frida Bfverfeldt Supervisor: Volker

Weather Station PHYSICS PROJECT WITH A RESEACH BASIS 5c Frida Bfverfeldt Supervisor: Volker

Weather Station PHYSICS PROJECT WITH A RESEACH BASIS 5c Frida Bfverfeldt Supervisor: Volker Ziemann Introduction Why does FREIA need a weather station? - Weather effects measurements (pressure vessels etc) Why am I the one building

371 views • 11 slides
Performance Bounds in a Switched Aircraft Cabin Emanuel Heidinger Supervision TUM: Prof. Carle

Performance Bounds in a Switched Aircraft Cabin Emanuel Heidinger Supervision TUM: Prof. Carle

Chair for Network Architectures and Services Prof. Carle Department of Computer Science TU Mnchen Performance Bounds in a Switched Aircraft Cabin Emanuel Heidinger Supervision TUM: Prof. Carle Supervision EADS: Stefan Schneele 1

935 views • 65 slides
A new cluster mass proxy and galaxy evolution studies in clusters from the Dark Energy Survey

A new cluster mass proxy and galaxy evolution studies in clusters from the Dark Energy Survey

A new cluster mass proxy and galaxy evolution studies in clusters from the Dark Energy Survey Huan Lin, Antonella Palmese DPF Meeting, Fermilab - 31 July 2017 Brian Welch (UChicago), Marcelle Soares-Santos (Fermilab), James Annis (Fermilab),

576 views • 13 slides
Search for New Physics at the the Tevatron Simona Rolli Tufts University (on behalf of the CDF

Search for New Physics at the the Tevatron Simona Rolli Tufts University (on behalf of the CDF

Simona Rolli - Tufts University Search for New Physics at the the Tevatron Simona Rolli Tufts University (on behalf of the CDF and D0 Collaborations) Outline of the talk Simona Rolli - Tufts University s n o r t c e l E Muons

643 views • 39 slides

More recommend