luis ringzero net luis miras what i m not covering what i
play

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be - PDF document

Nov 26, 2023 •12 likes •722 views

luis@ringzero.net Luis Miras What Im Not Covering What I Will Be Covering Attack Passive (Sniffing) authentication data sensitive data Active (Injection) Denial of Service Execution of arbitrary commands RF

  1. luis@ringzero.net Luis Miras

  2. What I’m Not Covering

  7. What I Will Be Covering

  12. Attack • Passive (Sniffing) – authentication data – sensitive data • Active (Injection) – Denial of Service – Execution of arbitrary commands

  13. RF • RF design is hard, not needed. • Scanners are not needed. • Devices come with TX and RX circuits. (use them) • Think of TX and RX circuits as a network socket.

  14. Let’s get HIDphy!!

  15. HID – human interface device • Keyboard – HID codes similar to ps/2 scan codes • Mice – Relative movements and buttons – Positional movement and buttons

  17. Device Research

  21. Device Internals

  28. Device Reversing

  29. Communication • One way traffic (replay attacks!) – except kb • No standard data protocol • Varied RF protocols and frequencies. – 27 Mhz – 900 Mhz – 2.4 Ghz

  31. 0111110 1010 1110 0110 0100 0111110 1010 1110 0110 0100

  32. 0111110 1010 1110 0110 0100 0111110 1010 1110 0110 0100

  33. Reversing the protocol • One way messages must include – Authentication data (serial number) – Data • Tap at the input to the TX Chip – No noise or errors • Tap at the output of RX to verify and build the sniffer.

  37. Clock Clock Clock Clock Sync Sync Sync Sync

  38. Data Data Data Data

  40. Reversing the Protocol Page Down 0111110 1010 1110 0110 0100 1001 0101 0010 1000001 Page Up 0111110 1010 1110 0110 0100 1101 0101 0110 1000001 “Hide” 0111110 1010 1110 0110 0100 1011 0101 1010 1000001

  41. Reversing the Protocol Page Down 0111110 0111110 1010 1110 0110 0100 1001 0101 0010 1000001 1000001 Page Up 0111110 0111110 1010 1110 0110 0100 1101 0101 0110 1000001 1000001 “Hide” 0111110 0111110 1010 1110 0110 0100 1011 0101 1010 1000001 1000001

  42. Reversing the Protocol Page Down 1010 1110 0110 0100 1001 0101 0010 Page Up 1010 1110 0110 0100 1101 0101 0110 “Hide” 1010 1110 0110 0100 1011 0101 1010

  43. Reversing the Protocol Page Down 1010 1110 0110 0100 1010 1110 0110 0100 1001 0101 0101 0010 Page Up 1010 1110 0110 0100 1010 1110 0110 0100 1101 0101 0101 0110 “Hide” 1010 1110 0110 0100 1010 1110 0110 0100 1011 0101 0101 1010

  44. Reversing the Protocol Page Down 1010 1110 0110 0100 1001 1001 0101 0010 0010 Page Up 1010 1110 0110 0100 1101 1101 0101 0110 0110 “Hide” 1010 1110 0110 0100 1011 1011 0101 1010 1010

  45. Reversing the Protocol header serial data serial data footer 0111110 xxxx xxxx xxxx xxxx xxxx xxxx xxxx 01001

  46. Attacks

  47. BYOM (bring your own MCU) • Ideally the original MCU would be reprogrammed – Most are OTP (One time programmable) – Can’t read them, security fuse blown • Our own MCUs are needed

  48. Sniffing at the chiplevel

  50. Injecting at the chiplevel

  52. Passive attacks • Needed to acquire authentication data • Sensitive data from keyboards (passwords) • Mouse data not very useful

  53. – Keyboards (including presenters) Attacks are HID type dependent Active attacks – Mice •

  54. + ‘R’ == (: Active Keyboard Attacks

  58. While at the cmd … Echo data to a bat file Run the bat file

  59. Active Mouse Attacks What can be done by being able to inject mouse movement and clicks? • Being able to see the screen. (Attacking a live presentation) • Blind

  60. Accessibility for the Attacker

  61. Mouse movement scripting No visual feedback. Educated guessing Blind Attacks • • •

  62. Getting Feedback • Attempt to connect to controlled webserver • Check logs • Readjust and reattack

  63. Microcontrollers

  67. More MCU uses • Custom bit stream sniffer/recorder/iterface • Custom bit generator driven by software

  68. Software controlled bit generation Scripting interface Future Work Keyboards • • •

  70. Summary • Find FCC ID info • Tap into data path. • Reverse the protocol • Inject/Sniff data using customized MCUs • Client enforced security is still client enforced security

  71. luis@ringzero.net Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras

Attacking SMS BlackHat USA 2009 Zane Lackey (zane@isecpartners.com) Luis Miras (luis@ringzero.net) RingZero https://luis.ringzero.net Agenda SMS Background Overview SMS in mobile security Testing Challenges

877 views • 66 slides
Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org

Jug Tutorial: Coarse-Level Parallel Programming in Python Luis Pedro Coelho luis@luispedro.org May 15, 2013 Luis Pedro Coelho (luis@luispedro.org) Jug Tutorial 0 May 15, 2013 (1 / 24) Problem Brute force a password. Luis Pedro

741 views • 24 slides
Who is Luis? PhD in architecture, multiprocessors, parallelism, compilers. University of

Who is Luis? PhD in architecture, multiprocessors, parallelism, compilers. University of

University of Washington The Hardware/Software Interface CSE351 Autumn20111st Lecture, September 28 Instructor: Luis Ceze Teaching Assistants: Nick Hunt, Michelle Lim, Aryan Naraghi, Rachel Sobel University of Washington Who is Luis? PhD in

436 views • 39 slides
On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis

On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis

On the adequacy of SDN and TSN for Industry 4.0 Luis Silva, Paulo Pedreiras , Pedro Fonseca, Luis Almeida UA/FEUP/IT/Cister Valencia, May 7-9 2019 This work is funded by FCT/MEC through national funds and when applicable co funded by FEDER

434 views • 24 slides
COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov

COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov

COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov COUNTY OF SAN LUIS OBISPO www.slocounty.ca.gov Department of Planning and Building Community Advisory Councils Training Agenda Welcome Role of CACs in County Government Your Role in

815 views • 25 slides
Luis C. E. De Bona Marcos Castilho Fabiano Silva Daniel Weingartner Luis H. A. Louren co

Luis C. E. De Bona Marcos Castilho Fabiano Silva Daniel Weingartner Luis H. A. Louren co

Introduction and Motivation A Model for Maintenance and Management of Computing Laboratories Paran a Digital Project Conclusion Managing a Grid of Computer Laboratories for Educational Purposes Luis C. E. De Bona Marcos Castilho Fabiano

337 views • 31 slides
{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro >

{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro >

{Behat & BDD} Luis Ribeiro Systems Architect ciandt.com Presenter Luis Ribeiro > Systems Architect at CI&T > +5Years Drupal experience > Large Open Source experience > Working with ~150 Drupallers ciandt.com Why

447 views • 40 slides
Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades

Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades

Mquinas Elctricas I Generalidades Luis Pestana Luis Pestana ndice Generalidades Motor de corrente continua Equaes de funcionamento Gerador de corrente contnua Motor Shunt Principio de funcionamento

977 views • 70 slides
Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s

Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s

Homeless Services San Luis Obispo County CALCAPA Annual Conference In the late 1980s various local groups were trying to assist homeless in San Luis Obispo. City and County of San Luis Obispo partnered with then EOC to oversee and

496 views • 30 slides
Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress with Avelio Seplveda (Univ. Lyon 1)) ALEA 2019 Luis Fredes (Universit de Bordeaux) Tree-decorated maps 1 / 24 MAPS Luis Fredes (Universit

763 views • 47 slides
nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer

nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer

A San Luis Valley partnership bringing our nations heroes into agriculture. What is Veteran Fields? A San Luis Valley Veteran to Farmer Initiative Our Goals: Support veterans seeking work in farming and ranching. Launch new veteran-led

424 views • 19 slides
What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School

What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School

What next for the Eurozone? London School of Economics, Jan 23, 2013 Luis Garicano , London School of Economics Credits Present work joint with Euro-nomics economists: Markus Brunnermeier, Luis Garicano, Philip Lane, Stijn Van Nieuwerburgh,

921 views • 77 slides
Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors:

Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors:

Master Thesis Atlas Tracking Optimization on GPU Luis Domingues Professor: Frdric Bapst Supervisors: Paolo Calafiura Wim Lavrijsen Expert: Mathieu Monney 02/25/2015 Target Luis Domingues - January 2015 2 Code we started from

555 views • 23 slides
Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress

Bijections for tree-decorated map and applications to random maps. Luis Fredes (Work in progress with Avelio Seplveda (Univ. Lyon 1)) LIX 2019 Luis Fredes (Universit de Bordeaux) Tree-decorated maps 1 / 30 MAPS Luis Fredes (Universit

914 views • 57 slides
75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo

75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo

75 Year Anniversary NCSU Statistics Department Perspectives from Cal Poly San Luis Obispo October 2016 Jimmy Doi jdoi@calpoly.edu California Polytechnic State University San Luis Obispo Department of Statistics Introduction

649 views • 28 slides
Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of

IEE5008 Autumn 2012 Memory Systems Survey on the Off-Chip Scheduling of Memory Accesses in the Memory Interface of GPUs Garrido Platero, Luis Angel EECS Graduate Program National Chiao Tung University luis.garrido.platero@gmail.com Luis

891 views • 36 slides
2016 HEALTH INSURANCE OPTIONS Cindy Hagen, Independent Insurance Agent Health Insurance Flow

2016 HEALTH INSURANCE OPTIONS Cindy Hagen, Independent Insurance Agent Health Insurance Flow

2016 HEALTH INSURANCE OPTIONS Cindy Hagen, Independent Insurance Agent Health Insurance Flow Chart HEALTH INSURANCE AN OVERVIEW IN 623 EASY STEPS What is it? Who pays for it? Where do you find it? When can you get it? Why

319 views • 8 slides
Towards a Sustainable Internet The Opportunity of IPv6 Marco Hogewoning | September 217 |

Towards a Sustainable Internet The Opportunity of IPv6 Marco Hogewoning | September 217 |

Towards a Sustainable Internet The Opportunity of IPv6 Marco Hogewoning | September 217 | Bahrain Steady Decline of Available IPv4 No immediate shortage of IPv4 addresses Transfer market appears to fulfil industry demands Still some

282 views • 12 slides
SBMS Math Team Ashley Robinson, 6th grade Kimberly Lum, 6th grade Gretchen Suchman, 7th grade

SBMS Math Team Ashley Robinson, 6th grade Kimberly Lum, 6th grade Gretchen Suchman, 7th grade

SBMS Math Team Ashley Robinson, 6th grade Kimberly Lum, 6th grade Gretchen Suchman, 7th grade Sara Jenson, 8th grade Tasha Katsuda, Administrator Maddy Ahearn, District Math Administrator District Philosophy Eugene 4J holds the following

266 views • 4 slides
Effective Facilitation Part 4 of the Service Leadership Series for the Bonner Program What

Effective Facilitation Part 4 of the Service Leadership Series for the Bonner Program What

Effective Facilitation Part 4 of the Service Leadership Series for the Bonner Program What Well Do Warm Up: What is a Facilitator? 1) Brainstorm: What Does a Facilitator Do? 2) Discussion: Facilitation Framework 3) The

281 views • 6 slides
Victoria Hall Volunteers Presentation to Council February 19, 2019 To assist the Town of Cobourg

Victoria Hall Volunteers Presentation to Council February 19, 2019 To assist the Town of Cobourg

Victoria Hall Volunteers Presentation to Council February 19, 2019 To assist the Town of Cobourg in the preservation of the heritage and historical aspects of Victoria Hall and to contribute towards the purchasing and refurbishing of articles

433 views • 24 slides
Text Editors and vi in particular Hans Vangheluwe Text Editors ... Window, Icon, Menu,

Text Editors and vi in particular Hans Vangheluwe Text Editors ... Window, Icon, Menu,

Text Editors and vi in particular Hans Vangheluwe Text Editors ... Window, Icon, Menu, Pointing device WYSIWYG (or not quite ...) 1974 TAOCP Explicitly state the thoughts behind the program: Explain the link between

301 views • 14 slides
Improving the Efficiency in the Test Lab Media Cross Connect Julie Alnwick MCC Product Line

Improving the Efficiency in the Test Lab Media Cross Connect Julie Alnwick MCC Product Line

Improving the Efficiency in the Test Lab Media Cross Connect Julie Alnwick MCC Product Line Manager jalnwick@mrv.com www.mrv.com/tap March, 2011 MRV OCS Fast Facts Founded in 1988 Over 20 years of optical innovation OCS Group

580 views • 36 slides
SEMINAR with MI K E WI SE F I R S T- T I M E H O M E B U YE R O V E R V I E W W HAT IS A

SEMINAR with MI K E WI SE F I R S T- T I M E H O M E B U YE R O V E R V I E W W HAT IS A

FIRST-TIME HOME BUYER SEMINAR with MI K E WI SE F I R S T- T I M E H O M E B U YE R O V E R V I E W W HAT IS A M ORTGAGE ? W HO IS I NVOLVED ? H OW DO I Q UALIFY ? W HAT ABOUT MY C REDIT ? L OAN P ROGRAMS W HAT DOES

620 views • 12 slides

More recommend