
Internet of Compromised Things, Damien Cauquil & Nicolas Kovacs



  1. Internet of Compromised Things Damien Cauquil & Nicolas Kovacs RMLL, July 4th, 2017

  2. Who are we?
     • Nicolas Kovacs
       • Security Consultant at CERT-UBIK
       • DFIR team leader
       • Bounty Hunter
     • Damien Cauquil
       • R&D director and senior security researcher at CERT-UBIK
       • Smart Things breaker and reverse-engineer
       • Special interest in DFIR

  3. Agenda
     I. IoT smart stuff: pirates’ heaven
     II. The role of a connected/smart device during an investigation
     III. Digital forensics in the Internet of Things era
     IV. Traceability and accountability
     V. Conclusion

  4. Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes

  5. IoT smart stuff: pirates’ heaven
     • Mirai demonstrated how insecure our smart things are
       • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
       • source code quickly released to hide tracks ...
       • ... a lot of clones were developed and launched
       • uses telnet and ssh services to break into cameras, DVRs, etc.
     • Why target connected devices rather than servers?
       • usually not up-to-date
       • run proprietary (insecure) software
       • difficult to monitor
     • It’s getting worse!

  6. IoT smart stuff: pirates’ heaven
     The Cayla doll case

  7. IoT smart stuff: pirates’ heaven
     What could possibly go wrong?

  8. IoT smart stuff: pirates’ heaven
     • Smart devices are now widespread and used
       • to secure our houses and flats: smartlocks
       • to detect burglars and intruders: smart alarms, smart CCTV
       • to make a patient’s life easier: smart insulin pumps, connected glucose monitoring systems, smart pacemakers, etc.
     • What happens if one of those fails?
       • Don’t worry, you are covered by your insurance policy!
       • Are you sure?
     • Last but not least, you might be dead.

  9. The role of a connected device during an investigation

  10. The role of a connected device during an investigation
      • Three major cases:
        • the device was a victim/target of a crime
        • the device has been used to commit a crime
        • the device contains some information related to a crime

  11. The role of a connected device during an investigation
      Device as a victim/target
      Pacemakers, insulin pumps and a lot more devices may injure people or cause death

  12. The role of a connected device during an investigation
      Device as a victim/target
      • The victim device may contain
        • information about how the attack was performed
        • traces related to the origin of the attacker
        • artefacts (exploits, malware, backdoors, ...)
      • Required to evaluate the damage and how bad the situation is!

  13. The role of a connected device during an investigation
      Device used to commit a crime
      Quadcopters as bomb droppers

  14. The role of a connected device during an investigation
      Device used to commit a crime
      • The device may contain
        • Information that may reveal its owner’s identity: serial number, email address, phone name or number, ...
        • Geographical information: GPS coordinates, take-off location
        • Photos, videos, records of previous activity

  15. The role of a connected device during an investigation
      Device contains information related to a case
      Amazon’s Alexa device analyzed during an FBI investigation

  16. The role of a connected device during an investigation
      Device contains information related to a case
      • The device may contain
        • Information about someone’s activity: GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
        • Photos, videos
        • Logs

  17. Digital forensics in the Internet of Things era

  18. Digital forensics in the Internet of Things era
      Extracting information from devices may seem an easy task
      • Easy-peasy, it’s Linux-based with a known filesystem!
      • We just need to dump the Flash memory and extract everything with Encase!
      But wait ...
      • What if the device uses a secure boot with military-grade encryption?
      • What if the device has no filesystem at all?
      • What if the device offers no way to access its system to extract live information?

  19. Digital forensics in the Internet of Things era
      • It uses various electronic chips to store information
        • eMMC
        • SPI Flash
        • F-RAM
        • Internal flash memory (System on Chip)
        • Internal EEPROM
      • It stores information at specific unknown locations
      • It may use proprietary encryption or obfuscation
      • It offers no easy way to access the information

  20. Digital forensics in the Internet of Things era
      We need:
      • standardized procedures
      • forensic tools with proper documentation
      • training!

  21. Post-mortem analysis of a smart device

  22. Post-mortem analysis of a smart device
      Case Study: TheQuickLock padlock

  23. Post-mortem analysis of a smart device
      1. Open the smartlock

  24. Post-mortem analysis of a smart device
      2. Remove the screw to unlock the shackle

  25. Post-mortem analysis of a smart device
      3. Get your hands on the PCB

  26. Post-mortem analysis of a smart device
      • Main component: Texas Instruments CC2541
      • Does it run an OS: NO
      • No external memory chip: data is stored in the CC2541 SoC
      • Memory access: we need a CC Debugger to dump the flash

  27. Post-mortem analysis of a smart device
      4. Access the memory and dump

  28. Post-mortem analysis of a smart device
      • Where is the interesting information stored?
        • No OS, information is stored in Flash
        • We need to find where the interesting information is stored
        • It is not a trivial task and requires some time to figure out

  29. Post-mortem analysis of a smart device
      5. Extract the PIN code from Flash

  30. Post-mortem analysis of a smart device
      6. Extract the event log

  31. Post-mortem analysis of a smart device
      We need moar tools!
      • Tools to desolder and clean electronic memory chips
      • Tools to access memory devices and forensically extract information
      • Tools to reverse-engineer firmware and find where and how the information is stored
      • Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits!)

  32. Post-mortem analysis of a smart device
      We need a specific methodology!
      • Maximum of information, minimum effort
        • allowing investigators to quickly extract valuable information
        • reducing the risk of loss of information (when possible) and ensuring evidence integrity
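
An added example, not taken from the slides or from the authors' tools: one way to approach the "where is the information stored?" question on a filesystem-less dump while keeping evidence integrity is to hash the acquisition, map which flash pages are in use, and diff two dumps of a reference device taken before and after a known change. The 2 KB page size, the memory layout and the dump contents are assumptions constructed for this illustration.

```python
import hashlib

PAGE_SIZE = 2048   # assumption: flash page size of the dumped SoC
ERASED = 0xFF      # erased NOR flash reads back as 0xFF

def sha256_hex(data: bytes) -> str:
    """Digest recorded at acquisition time so later copies can be verified."""
    return hashlib.sha256(data).hexdigest()

def used_pages(dump: bytes, page_size: int = PAGE_SIZE) -> list[int]:
    """Indices of pages holding at least one non-erased byte."""
    return [off // page_size for off in range(0, len(dump), page_size)
            if dump[off:off + page_size].strip(b"\xff")]

def diff_runs(a: bytes, b: bytes, gap: int = 4) -> list[tuple[int, int]]:
    """(offset, length) of regions that differ between two same-sized dumps.
    Differences separated by fewer than `gap` equal bytes are merged."""
    if len(a) != len(b):
        raise ValueError("dumps differ in size; re-acquire before comparing")
    runs, start, last = [], None, None
    for off, (x, y) in enumerate(zip(a, b)):
        if x == y:
            continue
        if start is not None and off - last > gap:
            runs.append((start, last - start + 1))
            start = None
        if start is None:
            start = off
        last = off
    if start is not None:
        runs.append((start, last - start + 1))
    return runs

def sample_dump(setting: bytes, events: int) -> bytes:
    """Constructed 16 KB image: code in page 0, an 8-byte setting in page 6,
    an event counter in page 7. The layout is invented for this example."""
    flash = bytearray([ERASED]) * (8 * PAGE_SIZE)
    flash[0:32] = bytes(range(32))
    flash[6 * PAGE_SIZE + 0x10:6 * PAGE_SIZE + 0x18] = setting
    flash[7 * PAGE_SIZE] = events
    return bytes(flash)

BEFORE = sample_dump(bytes(range(0x01, 0x09)), events=1)
AFTER = sample_dump(bytes(range(0x11, 0x19)), events=2)

if __name__ == "__main__":
    print("sha256(before) =", sha256_hex(BEFORE))
    print("used pages     =", used_pages(BEFORE))
    for off, length in diff_runs(BEFORE, AFTER):
        print(f"changed: page {off // PAGE_SIZE}, offset 0x{off:05x}, {length} byte(s)")
```

The changed regions only narrow down where to look; interpreting the bytes still requires reverse-engineering the firmware, as the slides point out.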

  33. Live analysis of compromised devices

  34. Live analysis of compromised devices
      • Analysis is often difficult
        • no easy way to communicate with the device
        • no system access while the system is active (if we want to keep it active)
        • no standard procedure, it’s not a computer!
      • Lack of proper tools
        • We have to deal with U(S)ART or BLE interfaces
        • Standard DFIR toolkits provide no way to interact with these protocols

  35. Live analysis of compromised devices
      • If it’s on, keep it on!
        • Powering off the device may destroy evidence
        • The device may provide an easy way to extract valuable information
      • Identify the best way to extract information from the device
        • Find a working communication channel
        • Ensure it offers access to valuable information
      • Use this communication channel to gather as much information as possible
        • Available information depends on the device
        • The device MUST provide a feature to get valuable information (error codes, logs, ...)

  36. Live analysis of compromised devices
      • Use available tools to access the device
        • Linux’s GATT client to communicate through BLE
        • screen or minicom to communicate through U(S)ART
      • Collect every valuable piece of information, following the Order of Volatility
        • Active memory
        • Processes list
        • Active connections
        • IP Addresses
        • BD Addresses
        • Files (or assimilated)
        • Serial numbers

  37. Live analysis of compromised devices
      Case Study: Fora Glucose Monitoring System

  38. Live analysis of compromised devices
      • The device relies on its own protocol over Bluetooth LE
        • Old serial protocol ported to BLE
        • Offers a lot of features
        • May be used to extract information

  39. Live analysis of compromised devices

  40. Live analysis of compromised devices
      • We can then collect
        • All records stored in the device
        • Firmware information
        • Serial Number
      • Dedicated tool available in the HFDB
        • Collect all the measurements stored on a device
        • Features in development: serial number and firmware info

  41. Live analysis of compromised devices

          $ node diamondmini.js -t XX:XX:XX:XX:XX:XX
          Number of records: 1
          Newest record index is: 0
          --- Records ----
          16/8/16 16:43 - 147 mg/dL
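
An added example, not part of the slides or of the HFDB tooling: a small collection log for a live session that reads artifacts in the Order of Volatility listed on slide 36 and chains a SHA-256 over every entry so later tampering is detectable. The field names, the hash-chain design, the channel label and the timestamp are assumptions made for this illustration; the "files" sample is the tool output from slide 41.

```python
import hashlib
import json

# Order of Volatility as listed on the slide, most volatile first
OOV = ["active memory", "processes list", "active connections",
       "ip addresses", "bd addresses", "files", "serial numbers"]
GENESIS = "0" * 64  # "previous hash" of the first entry

def plan(available):
    """Sort the artifact kinds a device exposes so the most volatile is read first."""
    unknown = sorted(set(available) - set(OOV))
    if unknown:
        raise ValueError(f"not in the Order of Volatility list: {unknown}")
    return sorted(set(available), key=OOV.index)

def _digest(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def record(log, kind, channel, raw, collected_at):
    """Append one collected artifact; each entry commits to the previous one."""
    entry = {"seq": len(log), "kind": kind, "channel": channel,
             "collected_at": collected_at, "size": len(raw),
             "sha256": hashlib.sha256(raw).hexdigest(),
             "prev": log[-1]["entry_hash"] if log else GENESIS}
    entry["entry_hash"] = _digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """True if no entry was altered, reordered or dropped from the middle of the log."""
    prev = GENESIS
    for seq, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["seq"] != seq or entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            return False
        prev = entry["entry_hash"]
    return True

# Constructed session data; the timestamp below is a placeholder
RECORDS = (b"Number of records: 1\nNewest record index is: 0\n"
           b"--- Records ----\n16/8/16 16:43 - 147 mg/dL\n")

def collect_demo():
    log = []
    samples = {"files": RECORDS, "bd addresses": b"XX:XX:XX:XX:XX:XX\n"}
    for kind in plan(samples):
        record(log, kind, "BLE/GATT", samples[kind], "2017-07-04T10:00:00Z")
    return log

if __name__ == "__main__":
    print(json.dumps(collect_demo(), indent=2))
```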


  43. Introducing the Hardware Forensic Database

  44. Introducing the Hardware Forensic Database
      • Origins
        • We needed a central place to report the tools/methodologies required to extract information from various devices
        • We wanted it to be collaborative as other CERTs may want to add more information about other devices
      • What does it contain?
        • Detailed information about various devices (electronics, available interfaces)
        • Curated methodologies to investigate each device
        • Forensically-sound open-source tools to collect information
        • Known vulnerabilities that may be used to bypass protections and access information
