Internet of Compromised Things
Damien Cauquil & Nicolas Kovacs
RMLL, July 4th, 2017
Who are we?
- Nicolas Kovacs
  - Security Consultant at CERT-UBIK
  - DFIR team leader
  - Bounty Hunter
- Damien Cauquil
  - R&D director and senior security researcher at CERT-UBIK
  - Smart Things breaker and reverse-engineer
  - Special interest in DFIR
Agenda
- I. IoT smart stuff: pirates’ heaven
- II. The role of a connected/smart device during an investigation
- III. Digital forensics in the Internet of Things era
- IV. Traceability and accountability
- V. Conclusion
Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes
IoT smart stuff: pirates’ heaven
- Mirai demonstrated how insecure our smart things are
  - used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
  - source code quickly released to hide tracks ...
  - ... a lot of clones were developed and launched
  - uses telnet and ssh services to break into cameras, DVRs, etc.
- Why target connected devices rather than servers?
  - usually not up-to-date
  - run proprietary (insecure) software
  - difficult to monitor
- It’s getting worse!
The Cayla doll case
What could possibly go wrong?
- Smart devices are now widespread and used
  - to secure our houses and flats: smart locks
  - to detect burglars and intruders: smart alarms, smart CCTV
  - to make a patient’s life easier: smart insulin pumps, connected glucose monitoring systems, smart pacemakers, etc.
- What happens if one of those fails?
  - Don’t worry, you are covered by your insurance policy!
  - Are you sure?
  - Last but not least, you might be dead.
The role of a connected device during an investigation
- Three major cases:
  - the device was a victim/target of a crime
  - the device has been used to commit a crime
  - the device contains some information related to a crime
Device as a victim/target
Pacemakers, insulin pumps and a lot more devices may injure people or cause death
- The victim device may contain
  - information about how the attack was performed
  - traces related to the origin of the attacker
  - artefacts (exploits, malware, backdoors, ...)
- Required to evaluate the damage and how bad the situation is!
Device used to commit a crime
Quadcopters as bomb droppers
- The device may contain
  - Information that may reveal its owner’s identity: serial number, email address, phone name or number, ...
  - Geographical information: GPS coordinates, take-off location
  - Photos, videos, records of previous activity
Device contains information related to a case
Amazon’s Alexa device analyzed during an FBI investigation
- The device may contain
  - Information about someone’s activity: GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
  - Photos, videos
  - Logs
Digital forensics in the Internet of Things era
Extracting information from devices may seem an easy task
- Easy-peasy, it’s Linux-based with a known filesystem!
- We just need to dump the flash memory and extract everything with EnCase! But wait ...
- What if the device uses secure boot with military-grade encryption?
- What if the device has no filesystem at all?
- What if the device offers no way to access its system to extract live information?
- It uses various electronic chips to store information
  - eMMC
  - SPI Flash
  - F-RAM
  - Internal flash memory (System on Chip)
  - Internal EEPROM
- It stores information at specific unknown locations
- It may use proprietary encryption or obfuscation
- It offers no easy way to access the information
We need:
- standardized procedures
- forensic tools with proper documentation
- training!
Post-mortem analysis of a smart device
Case Study: TheQuickLock padlock
23
Post-mortem analysis of a smart device
- 1. Open the smartlock
24
Post-mortem analysis of a smart device
- 2. Remove the screw to unlock the shackle
25
Post-mortem analysis of a smart device
- 3. Get your hands on the PCB
26
Post-mortem analysis of a smart device
- Main component : Texas Instruments CC2541
- Does it run an OS : NO
- No external memory chip : data is stored in the CC2541 SoC
- Memory access : We need a CC Debugger to dump the flash
27
Post-mortem analysis of a smart device
- 4. Access the memory and dump
28
Post-mortem analysis of a smart device
- Where is the interesting information stored ?
- No OS, information is stored in Flash
- We need to find where the interesting information is stored
- It is not a trivial task, but requires some time to figure out
29
Post-mortem analysis of a smart device
- 5. Extract the PIN code from Flash
30
Post-mortem analysis of a smart device
- 6. Extract the event log
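Steps 4 to 6 are where the time goes on a bare-metal device: once the flash has been read out through the debug port there is no filesystem to mount, so the data has to be located by hand. The following is an added example, not code from the talk or from the HFDB, showing the kind of first-pass triage that narrows the search: it maps erased pages, scores each page's entropy, lists isolated clear-text digit runs that could be a PIN, and guesses the record size of a fixed-stride event log by self-similarity. The 2 KB page size is the CC2541's; the sample image, the PIN and the record layout are constructed for the demo and are not TheQuickLock's actual layout.

```python
"""First-pass triage of a raw flash dump from a bare-metal SoC (no OS, no
filesystem). Added example, not from the talk or the HFDB. Assumes the dump
was read out through the debug port and a 2 KB page size (the CC2541's).
The sample image, PIN and record layout below are constructed for the demo."""
import hashlib
import math
import re
import struct
from collections import Counter

PAGE_SIZE = 2048  # CC2541 flash page size


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for code or ciphertext, near 0 for padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def page_map(image: bytes, page_size: int = PAGE_SIZE):
    """(index, 'erased'|'used', entropy) per page; erased flash reads 0xFF."""
    pages = []
    for off in range(0, len(image), page_size):
        page = image[off:off + page_size]
        if page.count(0xFF) == len(page):
            pages.append((off // page_size, "erased", 0.0))
        else:
            pages.append((off // page_size, "used", round(shannon_entropy(page), 2)))
    return pages


def find_pin_candidates(image: bytes, min_len: int = 4, max_len: int = 8):
    """Isolated runs of 4..8 ASCII digits, the shape of a PIN stored as text.
    Returns (digits, absolute offset); expect chance hits inside code too."""
    pattern = rb"(?<![0-9])[0-9]{%d,%d}(?![0-9])" % (min_len, max_len)
    return [(m.group().decode(), m.start()) for m in re.finditer(pattern, image)]


def detect_record_stride(page: bytes, min_stride: int = 2, max_stride: int = 64,
                         threshold: float = 0.5):
    """Guess the size of fixed-length log records from self-similarity: at the
    right stride the constant fields (magic, padding, high timestamp bytes)
    line up. Smallest stride whose byte-match ratio reaches threshold, or None."""
    used = page.rstrip(b"\xff")
    for stride in range(min_stride, max_stride + 1):
        span = len(used) - stride
        if span <= 0:
            break
        matches = sum(1 for i in range(span) if used[i] == used[i + stride])
        if matches / span >= threshold:
            return stride
    return None


def carve_records(page: bytes, stride: int):
    """Cut the used part of a page into fixed-size records."""
    used = page.rstrip(b"\xff")
    end = len(used) - len(used) % stride
    return [used[i:i + stride] for i in range(0, end, stride)]


def triage(image: bytes, page_size: int = PAGE_SIZE) -> dict:
    """Page map, PIN candidates, and carved records for low-entropy data pages."""
    pages = page_map(image, page_size)
    report = {"pages": pages, "pins": find_pin_candidates(image), "logs": {}}
    for idx, state, entropy in pages:
        if state == "used" and entropy < 6.0:  # data, not code or ciphertext
            page = image[idx * page_size:(idx + 1) * page_size]
            stride = detect_record_stride(page)
            if stride:
                report["logs"][idx] = carve_records(page, stride)
    return report


def build_sample_image() -> bytes:
    """Constructed 4-page dump: code-like noise, a clear-text config with a
    PIN, an event log of 8-byte records, and one erased page."""
    code, seed = b"", b"demo-firmware"
    while len(code) < PAGE_SIZE:  # deterministic pseudo-random bytes
        seed = hashlib.sha256(seed).digest()
        code += seed
    config = (b"PIN=4321\x00" + b"DEV=LOCK-01\x00").ljust(PAGE_SIZE, b"\xff")
    base_epoch = 0x595A0000  # July 2017; 256-second steps keep low bytes constant
    records = b"".join(  # magic, seq, epoch (LE32), event, pad
        struct.pack("<BBIBB", 0xA5, i + 1, base_epoch + i * 256, 0x01, 0x00)
        for i in range(12))
    log = records.ljust(PAGE_SIZE, b"\xff")
    return code[:PAGE_SIZE] + config + log + b"\xff" * PAGE_SIZE


if __name__ == "__main__":
    result = triage(build_sample_image())
    for page in result["pages"]:
        print("page %d: %s entropy=%.2f" % page)
    print("PIN candidates:", result["pins"])
    for idx, recs in result["logs"].items():
        print("page %d: %d records of %d bytes" % (idx, len(recs), len(recs[0])))
```

Run as a script it prints the page map, candidates and carved records for the constructed image; on a real dump, pass the bytes read out with the debugger to triage() and review the candidate list by hand, since digit runs also occur by chance inside code and the stride heuristic only works for fixed-size records.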
We need moar tools!
- Tools to desolder and clean electronic memory chips
- Tools to access memory devices and forensically extract information
- Tools to reverse-engineer firmware and find where and how the information is stored
- Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits!)
We need a specific methodology!
- Maximum of information, minimum effort
  - allowing investigators to quickly extract valuable information
  - reducing the risk of losing information (when possible) and ensuring evidence integrity
Live analysis of compromised devices
- Analysis is often difficult
  - no easy way to communicate with the device
  - no system access while the system is active (if we want to keep it active)
  - no standard procedure, it’s not a computer!
- Lack of proper tools
  - We have to deal with U(S)ART or BLE interfaces
  - Standard DFIR toolkits provide no way to interact with these protocols
- If it’s on, keep it on!
  - Powering off the device may destroy evidence
  - The device may provide an easy way to extract valuable information
- Identify the best way to extract information from the device
  - Find a working communication channel
  - Ensure it offers access to valuable information
- Use this communication channel to gather as much information as possible
  - Available information depends on the device
  - The device MUST provide a feature to get valuable information (error codes, logs, ...)
- Use available tools to access the device
  - Linux’ GATT client to communicate through BLE
  - screen or minicom to communicate through U(S)ART
- Collect every valuable piece of information, following the Order of Volatility
  - Active memory
  - Processes list
  - Active connections
  - IP addresses
  - BD addresses
  - Files (or assimilated)
  - Serial numbers
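The two slides above describe one procedure: find a working read-only channel, then collect artifacts from the most volatile to the least volatile without switching the device off. As an added example (not a tool from the talk or the HFDB), the script below wraps that procedure: an allow-list of read-only commands, collection in Order of Volatility, a SHA-256 per artifact taken at capture time, and a seal over the whole collection so later changes to the evidence are detectable. The console commands and the FakeConsole replies are constructed stand-ins; on a real device send() would wrap a pyserial port behind screen/minicom-style access or a GATT client session instead.

```python
"""Live collection from a still-running device, in Order of Volatility.
Added example, not a tool from the talk or the HFDB. The console commands
and the FakeConsole replies are constructed stand-ins for a vendor console
reached over U(S)ART or a BLE GATT characteristic."""
import hashlib
import json
import time

# Most volatile first; each artifact maps to the read-only command assumed
# to expose it on the hypothetical console.
ORDER_OF_VOLATILITY = [
    ("active_memory", "meminfo"),
    ("process_list", "ps"),
    ("active_connections", "netstat"),
    ("ip_addresses", "ifconfig"),
    ("bd_addresses", "hciconfig"),
    ("files", "ls -l /data"),
    ("serial_number", "cat /proc/serial"),
]
READ_ONLY_COMMANDS = frozenset(cmd for _, cmd in ORDER_OF_VOLATILITY)


def is_allowed(cmd: str) -> bool:
    """Allow-list: only listed read-only commands may reach the device, so the
    collector cannot reboot, erase or reconfigure it by accident."""
    return cmd in READ_ONLY_COMMANDS


class FakeConsole:
    """Constructed stand-in for a serial or BLE console; every reply is invented.
    A real transport would implement send() over pyserial or a GATT client."""

    REPLIES = {
        "meminfo": "MemTotal: 32768 kB\nMemFree: 1024 kB\n",
        "ps": "PID CMD\n  1 init\n 42 lockd\n 57 /tmp/.update\n",
        "netstat": "tcp 0 0 192.168.1.20:23 10.0.0.5:51234 ESTABLISHED\n",
        "ifconfig": "eth0 inet 192.168.1.20 netmask 255.255.255.0\n",
        "hciconfig": "hci0: BD Address: 00:11:22:33:44:55\n",
        "ls -l /data": "-rw-r--r-- 1 root root 4096 Jul  4 16:43 events.log\n",
        "cat /proc/serial": "SN-DEMO-0001\n",
    }

    def __init__(self):
        self.commands_seen = []

    def send(self, cmd: str) -> str:
        self.commands_seen.append(cmd)
        return self.REPLIES.get(cmd, "unknown command\n")


def run_read_only(console, cmd: str) -> str:
    """Gate every command through the allow-list before it touches the device."""
    if not is_allowed(cmd):
        raise ValueError("refusing state-changing command: %r" % cmd)
    return console.send(cmd)


def collect(console, clock=time.time):
    """Query each artifact in volatility order; hash every output on capture."""
    evidence = []
    for artifact, cmd in ORDER_OF_VOLATILITY:
        collected_at = clock()
        output = run_read_only(console, cmd)
        evidence.append({
            "artifact": artifact,
            "command": cmd,
            "collected_at": collected_at,
            "sha256": hashlib.sha256(output.encode()).hexdigest(),
            "output": output,
        })
    return evidence


def seal(evidence) -> str:
    """Digest over the canonical JSON of the whole collection."""
    canonical = json.dumps(evidence, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def verify(evidence, seal_digest: str) -> bool:
    """True only if neither an artifact nor the collection as a whole changed."""
    per_item = all(hashlib.sha256(e["output"].encode()).hexdigest() == e["sha256"]
                   for e in evidence)
    return per_item and seal(evidence) == seal_digest


if __name__ == "__main__":
    items = collect(FakeConsole())
    print(json.dumps(items, indent=2))
    print("seal:", seal(items))
```

The seal and the per-artifact digests are what go into the report: anyone can recompute them from the saved outputs, and a device that offers no read-only channel for some artifact simply has no entry for it rather than a guessed one.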
Case Study: Fora Glucose Monitoring System
- The device relies on its own protocol over Bluetooth LE
  - Old serial protocol ported to BLE
  - Offers a lot of features
  - May be used to extract information
- We can then collect
  - All records stored in the device
  - Firmware information
  - Serial number
- Dedicated tool available in the HFDB
  - Collects all the measures stored on a device
  - Features in development: serial number and firmware info
$ node diamondmini.js -t XX:XX:XX:XX:XX:XX
Number of records: 1
Newest record index is: 0
--- Records ----
16/8/16 16:43 - 147 mg/dL
Introducing the Hardware Forensic Database
- Origins
  - We needed a central place to report the tools/methodologies required to extract information from various devices
  - We wanted it to be collaborative, as other CERTs may want to add more information about other devices
- What does it contain?
  - Detailed information about various devices (electronics, available interfaces)
  - Curated methodologies to investigate each device
  - Forensically-sound open-source tools to collect information
  - Known vulnerabilities that may be used to bypass protections and access information
- Goals
  - To allow a quick and efficient incident response
  - To provide all the required materials to investigate a device
  - To provide the right methodology when handling a device
In short, to speed up investigations!
HFDB home page
Forensic Summaries
Detailed methodology for each device
Open-source forensic tools
http://hfdb.io/
Introducing the Hardware Forensic Database
- Only 4 devices listed at this time in this database
- We are working with vendors/organisms to publicly disclose
forensic tools related to some other devices (get rid of NDAs)
- Other devices are currently investigated, but it takes time !
- The HFDB is still in development
- We regularly add content to this database
- We hope other CERTs and security researchers will jump in the
band wagon !
52
Traceability & Accountability
- Lack of logging and documentation
  - Unlike computers, embedded systems do not have a standard way to log and keep track
  - Every vendor does it its own way; we have to figure out every one of them
- Security vs. forensic investigations
  - Vendors harden their systems to avoid IP theft or hacking
  - Since they do not provide a way to securely extract valuable information, we too need to hack into these systems!
- Still some efforts to make!
  - Why not use SD cards to log information (if any)?
  - Vendors may document their logging mechanisms or provide tools and features to extract information
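The last point asks vendors to document their logging and make it extractable. As an added illustration (not a vendor mechanism, not from the talk), here is what a minimal forensic-friendly log on an SD card could look like: fixed-size binary entries, each chained to the previous one by a SHA-256 digest, so an investigator can check that nothing was modified, removed or reordered, plus an exported anchor digest that also reveals truncation, which a chain alone cannot. The entry layout and the event codes are invented for the demo.

```python
"""A tamper-evident event log an embedded device could write to an SD card.
Added illustration, not a vendor mechanism and not from the talk. Entry
layout and event codes are invented for the demo; the hash chain itself is
the standard construction."""
import hashlib
import struct

ENTRY_FMT = "<IIBBH"  # seq, epoch, event, detail, reserved
HEADER_LEN = struct.calcsize(ENTRY_FMT)  # 12 bytes
DIGEST_LEN = 32
ENTRY_LEN = HEADER_LEN + DIGEST_LEN  # 44 bytes per entry
GENESIS = b"\x00" * DIGEST_LEN

EVENTS = {0x01: "unlock", 0x02: "lock", 0x10: "pairing", 0x20: "firmware-update"}


def _chain(prev_digest: bytes, header: bytes) -> bytes:
    """Digest of this entry, bound to the digest of the previous one."""
    return hashlib.sha256(prev_digest + header).digest()


def append_event(log: bytes, epoch: int, event: int, detail: int = 0) -> bytes:
    """Device side: pack the header, chain it to the tail, append."""
    seq = len(log) // ENTRY_LEN
    prev = log[-DIGEST_LEN:] if log else GENESIS
    header = struct.pack(ENTRY_FMT, seq, epoch, event, detail, 0)
    return log + header + _chain(prev, header)


def latest_digest(log: bytes) -> bytes:
    """The anchor a device should export (cloud, app, display) now and then."""
    return log[-DIGEST_LEN:] if log else GENESIS


def verify_chain(log: bytes):
    """Investigator side: (chain_ok, entries_verified). A modified, removed or
    reordered entry breaks the chain at its index."""
    if len(log) % ENTRY_LEN:
        return False, 0
    prev = GENESIS
    for idx, off in enumerate(range(0, len(log), ENTRY_LEN)):
        header = log[off:off + HEADER_LEN]
        digest = log[off + HEADER_LEN:off + ENTRY_LEN]
        seq = struct.unpack(ENTRY_FMT, header)[0]
        if seq != idx or _chain(prev, header) != digest:
            return False, idx
        prev = digest
    return True, len(log) // ENTRY_LEN


def verify_against_anchor(log: bytes, anchor: bytes) -> bool:
    """A chain cut at the tail still verifies; the exported anchor catches that."""
    return verify_chain(log)[0] and latest_digest(log) == anchor


def describe(log: bytes):
    """Human-readable rows (seq, epoch, event name, detail) for the report."""
    rows = []
    for off in range(0, len(log), ENTRY_LEN):
        seq, epoch, event, detail, _ = struct.unpack(ENTRY_FMT, log[off:off + HEADER_LEN])
        rows.append((seq, epoch, EVENTS.get(event, "0x%02x" % event), detail))
    return rows


if __name__ == "__main__":
    log = b""
    for epoch, event in [(1499126400, 0x10), (1499126460, 0x01), (1499126520, 0x02)]:
        log = append_event(log, epoch, event)
    print(describe(log))
    print("chain ok:", verify_chain(log))
```

With a documented layout like this, extraction is reading a file from the card and verification is a few lines, instead of the desoldering and reverse-engineering described in the post-mortem section.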
Questions?