Internet of Compromised Things - Damien Cauquil - Hack In Paris, June 22nd, 2017 (PowerPoint PPT Presentation)

SLIDE 1

Internet of Compromised Things

Damien Cauquil Hack In Paris, June 22nd, 2017

SLIDE 2

Who am I ?

  • R&D director and senior security researcher at CERT-UBIK
  • Smart Things breaker and reverse-engineer
  • Special interest in DFIR

SLIDE 3

Agenda

  • IoT smart stuff : pirates’ heaven
    • Mirai !
    • How tech people investigated the Mirai botnet
    • Why it is getting worse
  • The role of a connected/smart device during an investigation
  • Digital forensics in the Internet of Things era
    • A complex technical environment
    • Post-mortem analysis : tools and methodologies
    • Live analysis of connected devices and operational issues
    • Introducing the Hardware Forensic Database
  • Traceability and accountability
    • Not all devices are concerned
    • Observed average security level of connected devices
    • Logging and traceability
  • Conclusion

SLIDE 4

Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes

SLIDE 5

IoT smart stuff : pirates’ heaven

SLIDE 6

IoT smart stuff : pirates’ heaven

SLIDE 7

IoT smart stuff : pirates’ heaven

SLIDE 8

IoT smart stuff : pirates’ heaven

  • Mirai demonstrated how insecure our smart things are
    • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
    • source code quickly released to hide tracks ...
    • ... and a lot of clones were developed and launched
    • uses telnet and ssh services to break into cameras, DVRs, etc.
  • Why target connected devices rather than servers ?
    • usually not up-to-date
    • runs proprietary (insecure) software
    • difficult to monitor
  • It’s getting worse !
    • new botnets designed to fight against Mirai (Hajime, BrickerBot)
    • used to mine Bitcoin, DogeCoin and other crypto-currencies

SLIDE 9

IoT smart stuff : pirates’ heaven

What could possibly go wrong ?

SLIDE 10

IoT smart stuff : pirates’ heaven

  • Smart devices are now widespread and used
    • to secure our houses and flats : smart locks
    • to detect burglars and intruders : smart alarms, smart CCTV
    • to make a patient’s life easier : smart insulin pumps, connected glucose monitoring systems
  • What happens if one of those fails ?
    • Don’t worry, you are covered by your insurance policy !
    • Are you sure ?
    • Last but not least, you might be dead.

SLIDE 11

The role of a connected device during an investigation

SLIDE 12

The role of a connected device during an investigation

  • Three major cases :
    • the device was a victim/target of a crime
    • the device has been used to commit a crime
    • the device contains some information related to a crime

SLIDE 13

The role of a connected device during an investigation

Pacemakers, insulin pumps and a lot more devices may injure people or cause death

SLIDE 14

The role of a connected device during an investigation

  • The victim device may contain
    • information about how the attack was performed
    • traces related to the origin of the attacker
    • artefacts (exploits, malware, backdoors, ...)
  • Required to evaluate the damage and how bad the situation is !

SLIDE 15

The role of a connected device during an investigation

TV5 Monde hack

  • In April 2015, TV5 Monde was attacked and its broadcasting infrastructure shut down.
  • The French ANSSI (National IT Security Agency) handled the incident
    • They had a hard time figuring out how to forensically extract information from some embedded systems
    • They asked the vendors about their systems
    • They had to determine how to extract and preserve the evidence from these devices
    • No standard procedure for this particular case

SLIDE 16

The role of a connected device during an investigation

Quadcopters as bomb droppers

SLIDE 17

  • The device may contain
    • Information that may reveal its owner’s identity : serial number, email address, phone name or number, ...
    • Geographical information : GPS coordinates, take-off location
    • Photos, videos, records of previous activity

SLIDE 18

The role of a connected device during an investigation

Amazon’s Alexa device analyzed during an FBI investigation

SLIDE 19

  • The device may contain
    • Information about someone’s activity : GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
    • Photos, videos
    • Logs

SLIDE 20

Digital forensics in the Internet of Things era

SLIDE 21

Digital forensics in the Internet of Things era

Extracting information from devices may seem an easy task

  • Easy-peasy, it’s Linux-based with a known filesystem !
  • We just need to dump the Flash memory and extract everything with EnCase ! But wait ...
    • What if the device uses secure boot with military-grade encryption ?
    • What if the device has no filesystem at all ?
    • What if the device offers no way to access its system to extract live information ?

SLIDE 22

Digital forensics in the Internet of Things era

  • A connected device uses various electronic chips to store information
    • eMMC
    • SPI Flash
    • F-RAM
    • Internal flash memory (System on Chip)
    • Internal EEPROM
  • It stores information at specific, undocumented locations
  • It may use proprietary encryption or obfuscation
  • It offers no easy way to access the information

SLIDE 23

Post-mortem analysis of a smart device

SLIDE 24

Post-mortem analysis of a smart device

We need moar tools !

  • Tools to desolder and clean electronic memory chips
  • Tools to access memory devices and forensically extract information
  • Tools to reverse-engineer firmware and find where and how the information is stored
  • Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits !)

SLIDE 25

Post-mortem analysis of a smart device

We need a specific methodology !

  • Maximum of information, minimum effort
    • allowing investigators to quickly extract valuable information
    • reducing the risk of information loss (when possible) and ensuring evidence integrity

SLIDE 26

Post-mortem analysis of a smart device

  • Determine if the device has an operating system
    • Identify the main component
    • Check the datasheet and development kit
    • Determine if it usually runs an operating system
  • Locate external flash memory chips (SPI Flash, NAND, eMMC)
    • Find the corresponding datasheet
    • Determine how to communicate with the memory chip : SPI, parallel Flash, proprietary protocol
  • Use the correct adapter/tool to extract the information
    • Desolder the memory chip if necessary
    • Use classic forensic tools on SD cards
    • Create a bit-stream image of the memory chips
    • Compute SHA512 and MD5 hashes for each image
  • Analyze the images
    • Look for filesystems if an operating system is used
    • Look for chip-specific information (depending on the datasheet and the associated memory map)
    • Keyword search !

SLIDE 27

Post-mortem analysis of a smart device

Case Study : TheQuickLock padlock

SLIDE 28

Post-mortem analysis of a smart device

  • 1. Open the smartlock

SLIDE 29

Post-mortem analysis of a smart device

SLIDE 30

Post-mortem analysis of a smart device

  • 2. Get your hands on the PCB

SLIDE 31

Post-mortem analysis of a smart device

  • Main component : Texas Instruments CC2541
  • Does it run an OS : NO
  • No external memory chip : data is stored in the CC2541 SoC
  • Memory access : We need a CC Debugger to dump the flash

SLIDE 32

Post-mortem analysis of a smart device

  • 3. Access the memory and dump

SLIDE 33

Post-mortem analysis of a smart device

  • Where is the interesting information stored ?
    • No OS, so the information is stored in the SoC’s internal Flash
    • We need to find where the interesting information is stored
    • It is not trivial and takes some time to figure out
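
Finding where the data lives in a raw dump is the slow part, and the same triage applies to every image produced by the post-mortem methodology on slide 26 (bit-stream image, SHA512/MD5 hashes, filesystem and chip-specific lookups, keyword search). The script below is an added example written for this page, not a tool from the talk or from the HFDB: it hashes a dump, scans it for known container and filesystem signatures, extracts printable strings for a keyword search, and flags high-entropy blocks that a keyword search cannot see into. The signature list, the entropy threshold, the keyword list and the 16 KiB SAMPLE dump are all assumptions; the sample is constructed for the demonstration, not a CC2541 image.

```python
"""Triage of a raw flash dump: hash the image, scan for known signatures,
pull printable strings, search keywords and map high-entropy regions.

Added example (not a tool from the talk or the HFDB). The signature list,
the entropy threshold and the SAMPLE dump below are assumptions; the dump
is a constructed stand-in, not a real CC2541 image.
"""
import hashlib
import math
import re
from collections import Counter

# Magic values of containers and filesystems commonly found in firmware.
# Raw MCU flash (no OS) usually has none of them: the data is a vendor
# layout that must be located through strings, entropy and the datasheet.
SIGNATURES = [
    (b"\x1f\x8b\x08", "gzip member"),
    (b"\x27\x05\x19\x56", "U-Boot uImage header"),
    (b"\x7fELF", "ELF binary"),
    (b"hsqs", "SquashFS superblock (little-endian)"),
    (b"sqsh", "SquashFS superblock (big-endian)"),
    (b"\x45\x3d\xcd\x28", "CramFS superblock (little-endian)"),
    (b"\x85\x19\x02\xe0", "JFFS2 inode node (little-endian)"),
    (b"UBI#", "UBI erase-counter header"),
]


def hash_image(data):
    """Hashes to record with the bit-stream image (SHA512 and MD5, as in the
    methodology); recompute them before and after every analysis pass."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha512": hashlib.sha512(data).hexdigest()}


def find_signatures(data):
    """Every (offset, description) at which a known magic value occurs."""
    hits = []
    for magic, name in SIGNATURES:
        off = data.find(magic)
        while off >= 0:
            hits.append((off, name))
            off = data.find(magic, off + 1)
    return sorted(hits)


def extract_strings(data, min_len=6):
    """Printable ASCII runs with their offsets, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def keyword_hits(data, keywords):
    """Case-insensitive keyword search over the extracted strings."""
    wanted = [k.lower() for k in keywords]
    return [(off, s) for off, s in extract_strings(data)
            if any(k in s.lower() for k in wanted)]


def shannon_entropy(block):
    """Bits per byte; 8.0 means every byte value is equally frequent."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def high_entropy_blocks(data, block_size=256, threshold=7.5):
    """Blocks that look compressed or encrypted (or hold key material):
    keyword search cannot see inside them, so they need decryption or
    the datasheet's memory map instead."""
    out = []
    for off in range(0, len(data), block_size):
        ent = shannon_entropy(data[off:off + block_size])
        if ent >= threshold:
            out.append((off, round(ent, 2)))
    return out


def triage(data, keywords=("pin", "pass", "key", "admin", "root", "ssid", "owner")):
    return {"hashes": hash_image(data),
            "signatures": find_signatures(data),
            "keywords": keyword_hits(data, keywords),
            "high_entropy": high_entropy_blocks(data)}


# Constructed 16 KiB dump (assumption, not a real device): erased flash is
# 0xFF; a gzip header at 0x0000, a plaintext config record at 0x1000, a
# uniformly distributed block at 0x2000 standing in for encrypted data,
# and a SquashFS magic at 0x3000.
_dump = bytearray(b"\xff" * 0x4000)
_dump[0:4] = b"\x1f\x8b\x08\x00"
_config = b"PIN=1234\x00owner=alice@example.com\x00"
_dump[0x1000:0x1000 + len(_config)] = _config
_dump[0x2000:0x2400] = bytes(range(256)) * 4
_dump[0x3000:0x3004] = b"hsqs"
SAMPLE = bytes(_dump)

if __name__ == "__main__":
    report = triage(SAMPLE)  # on a real case: triage(open(path, "rb").read())
    print("md5    ", report["hashes"]["md5"])
    print("sha512 ", report["hashes"]["sha512"])
    for off, name in report["signatures"]:
        print(f"0x{off:06x}  {name}")
    for off, text in report["keywords"]:
        print(f"0x{off:06x}  {text!r}")
    for off, ent in report["high_entropy"]:
        print(f"0x{off:06x}  entropy {ent} bits/byte")
```

Run it as-is to triage SAMPLE, or pass the bytes of a real dump to triage(). On a bare-metal part such as the CC2541 the signature scan normally comes back empty; the string map and the entropy map are what narrow down candidate regions for a PIN or an event log, and the datasheet’s memory map says which of those regions hold code, configuration and non-volatile data. Work on a copy of the image and keep the recorded hashes with the evidence.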

SLIDE 34

Post-mortem analysis of a smart device

  • 4. Extract the PIN code from Flash

SLIDE 35

Post-mortem analysis of a smart device

  • 5. Extract the event log

SLIDE 36

Live analysis of compromised devices

SLIDE 37

Live analysis of compromised devices

  • Analysis is often difficult
    • no easy way to communicate with the device
    • no system access while the system is active (if we want to keep it active)
    • no standard procedure, it’s not a computer !
  • Lack of proper tools
    • We have to deal with U(S)ART or BLE interfaces
    • Standard DFIR toolkits provide no way to interact with these protocols

SLIDE 38

Live analysis of compromised devices

  • If it’s on, keep it on !
    • Powering off the device may destroy evidence
    • The device may provide an easy way to extract valuable information
  • Identify the best way to extract information from the device
    • Find a working communication channel
    • Ensure it offers access to valuable information
    • Use this communication channel to gather as much information as possible
  • Available information depends on the device
    • The device MUST provide a feature to get valuable information (error codes, logs, ...)

SLIDE 39

Live analysis of compromised devices

  • Use available tools to access the device
    • the Linux GATT client (BlueZ gatttool) to communicate through BLE
    • screen or minicom to communicate through U(S)ART
  • Collect every valuable piece of information, following the Order of Volatility
    • Active memory
    • Process list
    • Active connections
    • IP addresses
    • BD addresses (Bluetooth device addresses)
    • Files (or their equivalent)
    • Serial numbers

SLIDE 40

Live analysis of compromised devices

Case Study : Fora Glucose Monitoring System

SLIDE 41

Live analysis of compromised devices

  • The device relies on its own protocol over Bluetooth LE
    • Old serial protocol ported to BLE
    • Offers a lot of features
    • May be used to extract information

SLIDE 42

Live analysis of compromised devices

SLIDE 43

Live analysis of compromised devices

  • We can then collect
    • All records stored in the device
    • Firmware information
    • Serial number
  • Dedicated tool available in the HFDB
    • Collects all the measurements stored on a device
    • Features in development : serial number and firmware info

SLIDE 44

Live analysis of compromised devices

    $ node diamondmini.js -t XX:XX:XX:XX:XX:XX
    Number of records: 1
    Newest record index is: 0
    -- Records ----
    16/8/16 16:43 - 147 mg/dL

SLIDE 45

Live analysis of compromised devices

Other tools you may need

SLIDE 46

Introducing the Hardware Forensic Database

SLIDE 47

Introducing the Hardware Forensic Database

  • Origins
    • We needed a central place to report the tools/methodologies required to extract information from various devices
    • We wanted it to be collaborative as other CERTs may want to add more information about other devices
  • What does it contain ?
    • Detailed information about various devices (electronics, available interfaces)
    • Curated methodologies to investigate each device
    • Forensically-sound open-source tools to collect information
    • Known vulnerabilities that may be used to bypass protections and access information

SLIDE 48

Introducing the Hardware Forensic Database

  • Goals
    • To allow quick and efficient incident response
    • To provide all the required materials to investigate a device
    • To provide the right methodology when handling a device

In short, to speed up investigations !

SLIDE 49

Introducing the Hardware Forensic Database

HFDB home page

SLIDE 50

Introducing the Hardware Forensic Database

Forensic Summaries

SLIDE 51

Introducing the Hardware Forensic Database

Detailed methodology for each device

SLIDE 52

Introducing the Hardware Forensic Database

Opensource forensic tools

SLIDE 53

Introducing the Hardware Forensic Database

SLIDE 54

Introducing the Hardware Forensic Database

  • Only 4 devices are listed in this database at this time
  • We are working with vendors/organisations to publicly disclose forensic tools related to some other devices (get rid of NDAs)
  • Other devices are currently being investigated, but it takes time !
  • The HFDB is still in development
    • We regularly add content to this database
    • We hope other CERTs and security researchers will jump on the bandwagon !

SLIDE 55

Introducing the Hardware Forensic Database

http://hfdb.io/

SLIDE 56

Traceability & Accountability

SLIDE 57

Traceability & Accountability

  • Traceability & Accountability are important
    • Who did what and when
    • Imputability / non-repudiation
  • Not always mandatory at object level
    • It depends on how the connected/smart thing is used / was designed
    • optional for non-critical devices : smart hairbrushes, smart toothbrushes
    • mandatory for access control devices and healthcare devices

SLIDE 58

Traceability & Accountability

  • Observed average security level of connected devices
    • Level is low !
    • Lots of attacks in the news : teddy bears, thermostats, smart locks, ...
    • Difficult to secure the whole chain : servers, communication protocols and connected objects

SLIDE 59

Traceability & Accountability

  • IoT investigation is currently difficult
    • Many devices simply do not keep logs (not enough memory, time consuming)
    • No information on where to find valuable information : reverse-engineering is mandatory !
    • We still have to exploit vulnerabilities to retrieve critical information
  • TV5 Monde hack : the French ANSSI investigated the attack
    • They had a hard time figuring out how to forensically collect and analyze data from multiple embedded systems
    • They had to ask the vendor about the procedure they should use to extract the filesystem
    • No standard procedure, the vendor did not take into account the fact that its device may be hacked ...

SLIDE 60

Traceability & Accountability

Summary

  • Lack of logging and documentation
    • Unlike computers, embedded systems do not have a standard way to log and keep track of events
    • Every vendor does it his own way, and we have to figure out every one of them
  • Security vs. forensic investigations
    • Vendors harden their systems to avoid IP theft or hacking
    • Since they do not provide a way to securely extract valuable information, we too need to hack into these systems !
  • Still some efforts to do !
    • Why not use SD cards to log information (if any) ?
    • Vendors may document their logging mechanisms or provide tools and features to extract information
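
What a vendor-documented, verifiable log could look like, as an added example written for this page (not from the talk, and not any vendor’s format): an append-only event log whose records are chained by a keyed hash, so that an investigator who pulls it from an SD card, a flash region or a serial port can check that nothing was edited, dropped or reordered. The record layout, the field names and the per-device key are assumptions; the events are constructed for a fictional smart lock.

```python
"""Tamper-evident event log for a connected device.

Added example, not from the talk or any vendor: the record layout, the
field names and the key handling are assumptions. Each record carries the
digest of the previous one, so a log pulled from an SD card, a flash region
or a debug port can be checked for altered, dropped or reordered entries.
The digest is keyed (HMAC-SHA256 with a device key) so that records can
only have been produced by something holding that key; an investigator
would have to obtain the key from the vendor or from the device.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous digest" of the very first record


def record_mac(key, prev_hash, seq, timestamp, event):
    """Keyed digest over the record fields and the previous record's digest."""
    payload = json.dumps([prev_hash, seq, timestamp, event],
                         separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class EventLog:
    """Append-only log as the firmware would keep it."""

    def __init__(self, key):
        self.key = key
        self.records = []

    def append(self, timestamp, event):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "ts": timestamp, "event": event, "prev": prev,
               "hash": record_mac(self.key, prev, seq, timestamp, event)}
        self.records.append(rec)
        return rec

    def export(self):
        """One JSON object per line: what would be written to the SD card."""
        return "".join(json.dumps(r, sort_keys=True) + "\n" for r in self.records)


def verify(exported, key):
    """Walk an exported log; return (True, None) if every record is intact and
    in order, else (False, seq) for the first record that breaks the chain."""
    prev = GENESIS
    expected_seq = 0
    for line in exported.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec["seq"] != expected_seq or rec["prev"] != prev:
            return False, rec["seq"]  # dropped, duplicated or reordered record
        expected = record_mac(key, prev, rec["seq"], rec["ts"], rec["event"])
        if not hmac.compare_digest(rec["hash"], expected):
            return False, rec["seq"]  # a field was edited, or wrong key
        prev = rec["hash"]
        expected_seq += 1
    return True, None


if __name__ == "__main__":
    # Constructed events for a fictional smart lock (assumption, not a real device).
    key = b"per-device-key"
    log = EventLog(key)
    log.append("2017-06-22T10:00:00Z", "unlock ok user=1")
    log.append("2017-06-22T10:05:00Z", "unlock failed bad-pin")
    log.append("2017-06-22T10:06:00Z", "unlock ok user=2")
    exported = log.export()
    print(verify(exported, key))                                    # (True, None)
    print(verify(exported.replace("failed bad-pin", "ok"), key))    # (False, 1)
    lines = exported.splitlines()
    print(verify(lines[0] + "\n" + lines[2] + "\n", key))           # (False, 2)
```

The chain catches edits, deletions and reordering inside the exported log, but not truncation of its tail: a log cut after record n still verifies, so the device should also expose the current record count or the last digest through the same documented interface. Keying the digest ties records to whoever holds the key, which is accountability only as far as the key stays on the device; for real non-repudiation the device would sign each record with a private key instead.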

SLIDE 61

Questions ?

SLIDE 62

Contact

Website : www.digitalsecurity.fr
Email : damien.cauquil@digitalsecurity.fr
Twitter Digital Security : @iotcert
Twitter personal account : @virtualabs