student research project 1 homeplug security
play

Student Research Project 1: HomePlug Security Axel Puppe, Jeroen - PowerPoint PPT Presentation

Sep 10, 2023 •148 likes •310 views

Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Student Research Project 1: HomePlug Security Axel Puppe, Jeroen Vanderauwera February 2, 2010 Axel Puppe, Jeroen Vanderauwera Student Research

  1. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Student Research Project 1: HomePlug Security Axel Puppe, Jeroen Vanderauwera February 2, 2010 Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  2. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Outline Introduction Homeplug technology Homeplug security Research question Reverse-engineering Firmware updater Firmware image Other attack vectors Brute force attack Dictionary attack Denial-of-service Attack scenario Conclusion Questions? Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  3. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Homeplug technology How do the homeplugs work? ◮ Network over the power lines ◮ Traffic is broadcasted (200m range) ◮ Plug & Play due to default password ‘HomePlug’ Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  4. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Homeplug security How are they secured? ◮ NEK defines logical network ◮ MD5(MD5(password + salt)) * 998 ◮ Salt: 0x08 0x85 0x6D 0xAF 0x7C 0xF5 0x81 0x85 ◮ Size: 8 bytes ◮ 56-bit DES encryption ◮ Security through obscurity Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  5. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Research question Our research questions ◮ Can we reverse-engineer the homeplug firmware to enable promiscuous mode? ◮ If successful: Can we decrypt the encryption within a reasonable time frame with consumer hardware? ◮ If unsuccessful: Are there other attack vectors to join or disrupt a target homeplug network? Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  6. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Firmware updater Before... Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  7. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Firmware updater ...and after Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  8. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Firmware image Attempts Firmware image: int5500cs-mac-firmware-zip.img Linux ‘file’ No known magic numbers Linux ‘mount’ No known file system Windows Daemon tools Could not mount it Windows Magic ISO Could not mount it Disassembling in IDA-Pro Failed to load it Looked for strings No plain text Testing randomness True random Scanning for magic numbers Only false positives Looked at other firmwares Did not help us understand the firmware image Atheros did not provide any information, unless we signed an NDA. Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  9. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Brute force attack Scripting ◮ Bash: 5.8 keys per second ◮ Python/Scapy: 40 keys per second ◮ Python/Scapy optimised: 65 keys per second Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  10. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Brute force attack Covering the entire 8 byte keyspace ◮ Size: 256 8 = 1 . 8 · 10 19 (18 billion billion!) ◮ Speed: 65 keys per second ◮ Time: 8 . 9 · 10 9 = 8.900.000.000 years ◮ Obviously not feasible... Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  11. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Dictionary attack Alternative to bruteforce ◮ English dictionary: 80.000 words ◮ Speed: 65 keys per second ◮ Time required: 20 minutes ◮ Drawbacks: ◮ Success rate is not 100% ◮ Only works if people picked a weak password Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  12. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Denial-of-service If we can’t hack it, can we break it? Yes we can! Without DoS DoS with DoS without correct NEK correct NEK Minimum 2ms 2ms 61ms Average 2ms 271ms 462ms Maximum 5ms 1184ms 1300ms Packetloss 0% 2% 30% Download speed 731KBps 3KBps 10Bps Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  13. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Step-by-step plan 1. Reverse engineer the firmware updater 2. Set up the sniffing machine 3. Initiate denial-of-service attack 4. Hand over the malicious firmware to the victim 5. Terminate denial-of-service attack Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  14. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? And the results are... ◮ Can we reverse-engineer the homeplug firmware to enable promiscuous mode? No. ◮ If successful: Can we decrypt the encryption within a reasonable time frame with consumer hardware? No. ◮ If unsuccessful: Are there other attack vectors to join or disrupt a target homeplug network? Yes. ◮ Can we conclude that it’s safe? Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  15. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? And the results are... ◮ Can we reverse-engineer the homeplug firmware to enable promiscuous mode? No. ◮ If successful: Can we decrypt the encryption within a reasonable time frame with consumer hardware? No. ◮ If unsuccessful: Are there other attack vectors to join or disrupt a target homeplug network? Yes. ◮ Can we conclude that it’s safe? No! Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

  16. Introduction Reverse-engineering Other attack vectors Attack scenario Conclusion Questions? Any questions? Axel Puppe, Jeroen Vanderauwera Student Research Project 1: HomePlug Security

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

When Priority Resolution Goes Way Too Far: An Experimental Evaluation in PLC Networks Cristina

When Priority Resolution Goes Way Too Far: An Experimental Evaluation in PLC Networks Cristina

When Priority Resolution Goes Way Too Far: An Experimental Evaluation in PLC Networks Cristina Cano and David Malone 09/06/2015 2/9 Motivation In-house Power Line Communications Standards: Homeplug/Homeplug AV/IEEE 1901 Qualcomm Atheros

257 views • 9 slides
On Efficiency and Validity of Previous Homeplug MAC Performance Analysis Cristina Cano and David

On Efficiency and Validity of Previous Homeplug MAC Performance Analysis Cristina Cano and David

On Efficiency and Validity of Previous Homeplug MAC Performance Analysis Cristina Cano and David Malone Hamilton Institute, NUI Maynooth. Supported by Science Foundation Ireland grants 08/SRC/I1403 and 07/SK/I1216a. MAC Modeling The

393 views • 12 slides
Undergraduate Math/Stat Research Project Introductions Exchange and MSU Student Research Teams

Undergraduate Math/Stat Research Project Introductions Exchange and MSU Student Research Teams

Undergraduate Math/Stat Research Project Introductions Exchange and MSU Student Research Teams Friday, February 1, 2019 4:30 6:30, C-304 WH Professor: Yuehua Cui Exchange Student: Yang Liu MSU Students: Gaeun Lee, Deontae Hardnett, Glenna

327 views • 4 slides
NEWS ANALYSIS RESEARCH PRESENTATION PROPOSAL Student Name Madeleine Marlow Research Project

NEWS ANALYSIS RESEARCH PRESENTATION PROPOSAL Student Name Madeleine Marlow Research Project

Journalism Theory and News EthicsBournemouth University NEWS ANALYSIS RESEARCH PRESENTATION PROPOSAL Student Name Madeleine Marlow Research Project Title How is Climate Change Represented in UK Broadsheet and Tabloid Newspapers? Research

423 views • 4 slides
Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar

Security of diabetes monitoring apps Research project 1 Security and Network Engineering Edgar Bohte & Roy Vermeulen Why diabetes? 2 3 The upside 4 Smartphone app security 5 Health data confidentiality 6 Diabetes data integrity

645 views • 28 slides
Research Project 1 Research project by: Supervisor: Catherine de Weever Jeroen Scheerder

Research Project 1 Research project by: Supervisor: Catherine de Weever Jeroen Scheerder

Zero Trust Network Security Model in containerized environment Research Project 1 Research project by: Supervisor: Catherine de Weever Jeroen Scheerder Marios Andreou The Problem Deploy Container Images with Malicious Code.

316 views • 20 slides
CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1

CS 315: Computer Security Team/Term Project Fengwei Zhang SUSTech CS 315 Computer Security 1 General Information A research project with 2-5 individuals Building a new system Improving an existing technique Performing a large

647 views • 9 slides
Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security

Security Testing Checking for what shouldnt happen Azqa Nadeem PhD Student @ Cyber Security Group The Cyber Security lecture series 1 Agenda for today Part I Latest security news Security vulnerabilities in Java

2.02k views • 185 slides
Upcoming Project Milestones Professor Adam Bates Fall 2018 Security & Privacy Research at

Upcoming Project Milestones Professor Adam Bates Fall 2018 Security & Privacy Research at

CS 563 - Advanced Computer Security: Upcoming Project Milestones Professor Adam Bates Fall 2018 Security & Privacy Research at Illinois (SPRAI) Project Milestones Throughout the remainder of the semester you will be incrementally

316 views • 16 slides
Security for smart Electricity GRIDs Project type: Collaborative project small or medium

Security for smart Electricity GRIDs Project type: Collaborative project small or medium

Security for smart Electricity GRIDs Project type: Collaborative project small or medium scale focused research project Grant agreement no: 607109 Thematic Priority: FP7-SEC-2013-1 October 1 st , 2014 Start date of project: Duration: 36

303 views • 11 slides
security (CLICO) an FP7 research project Christiane Gerstetter Ecologic Institute

security (CLICO) an FP7 research project Christiane Gerstetter Ecologic Institute

www.ecologic.eu Climate change, water conflicts and human security (CLICO) an FP7 research project Christiane Gerstetter Ecologic Institute www.ecologic.eu Climate Change, Hydro-conflict and Human Security A three year project lead by the

316 views • 15 slides
Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers

Security of Mobility-as-a-Service(MaaS) applications on Mobile Phones. Alexander Blaauwgeers alexander.blaauwgeers@os3.nl University of Amsterdam Student Presentation for Research Project 1 RP1 Project Presentation Supervisor: Alex

522 views • 24 slides
CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and

CS 598 - Computer Security in the Physical World: Project Submission #1 & Pacemakers and Implantable Cardiac Defibrillators Professor Adam Bates Fall 2016 Security & Privacy Research at Illinois (SPRAI) Oct 4th Deliverable

792 views • 20 slides
Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security

Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security

Whos me? Zequi V azquez DevOps & Backend PhD student Hacking & Security RocknRoll (electric guitarist) Videogames Books Zequi V azquez @RabbitLair Drupal #ExtremeScaling Introduction 1 The Project 2 Problems and

465 views • 30 slides
Security for smart Electricity GRIDs Collaborative project small or medium scale focused

Security for smart Electricity GRIDs Collaborative project small or medium scale focused

Security for smart Electricity GRIDs Collaborative project small or medium scale focused research project Project type: Grant agreement no: 607109 Thematic Priority: FP7-SEC-2013-1 October 1 st , 2014 Start date of project: Duration: 39

494 views • 14 slides
University Credits 4.0 Project Group Proposal 2020/2021 whoami Interim Professor for IT security

University Credits 4.0 Project Group Proposal 2020/2021 whoami Interim Professor for IT security

University Credits 4.0 Project Group Proposal 2020/2021 whoami Interim Professor for IT security Research in Software Security Java Security Vulnerability Analysis Usability in Security Type Systems Ben Hermann ben.hermann@upb.de Static

362 views • 12 slides
Multilocality in Rwanda: forced of deliberate choice? Ine Cottyn Phd Candidate International

Multilocality in Rwanda: forced of deliberate choice? Ine Cottyn Phd Candidate International

Multilocality in Rwanda: forced of deliberate choice? Ine Cottyn Phd Candidate International Development Studies I.R.R.J.B.Cottyn@uu.nl Dr. Gery Nijenhuis Assistant Professor Human Geography and Planning International Development Studies

1.22k views • 25 slides
BUILDING ON THE PAST Brad Anderson Alberta Chamber of Resources 2/19/2016 Alberta Chamber of

BUILDING ON THE PAST Brad Anderson Alberta Chamber of Resources 2/19/2016 Alberta Chamber of

BUILDING ON THE PAST Brad Anderson Alberta Chamber of Resources 2/19/2016 Alberta Chamber of Resources Script for 80 th Annual General Meeting Shaw Conference Centre, Edmonton, Albert February 19, 2016 Building on the Past Brad Anderson

290 views • 17 slides
Working on ENIAC: The Lost Labors of the Information Age Thomas Haigh www.tomandmaria.com/tom

Working on ENIAC: The Lost Labors of the Information Age Thomas Haigh www.tomandmaria.com/tom

Working on ENIAC: The Lost Labors of the Information Age Thomas Haigh www.tomandmaria.com/tom University of Wisconsin Milwaukee & Mark Priestley www.MarkPriestley.net This Research Is Sponsored By Mrs L.D. Ropes Second

1.45k views • 107 slides
The Case for Targeting SETI Haystacks and Needles William Edmondson Honorary Senior Research

The Case for Targeting SETI Haystacks and Needles William Edmondson Honorary Senior Research

The Case for Targeting SETI Haystacks and Needles William Edmondson Honorary Senior Research Fellow School of Computer Science University of Birmingham Life on Other Worlds Steven J. Dick 1998 The Haystack I The universe of

293 views • 14 slides
Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta

Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta

Sampling and Reconstruction Using Bloom Filters Neha Sengupta 1 , Amitabha Bagchi 1 , Srikanta Bedathur 2 , Maya Ramanath 1 1 IIT Delhi 2 IBM India Research Lab Bloom Filters Compact storage m bits, k hash functions Set Membership

348 views • 19 slides
Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016

Detecting Advanced Network Threats Using a Similarity Search AIMS 2016 Wednesday 22 nd June, 2016 Milan ermk Pavel eleda State of the Art of Network Data Analysis Methods classification based on the detection approach Statistical Soft

215 views • 17 slides
Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless

Wireless LAN Setup & Optimizing Wireless Client in Linux Hacking and Cracking Wireless LAN Setup Host Based AP ( hostap ) in Linux & freeBSD Securing & Managing Wireless LAN : Implementing 802.1x EAP-TLS PEAP-MSCHAPv2

278 views • 14 slides
CYBE R SE CURI T Y Pre se nte d b y Willia m Whitne y I I I Ga rla nd Po we r & L ig

CYBE R SE CURI T Y Pre se nte d b y Willia m Whitne y I I I Ga rla nd Po we r & L ig

CYBE R SE CURI T Y Pre se nte d b y Willia m Whitne y I I I Ga rla nd Po we r & L ig ht 3/ 23/ 2016 Wha t is Cyb e r Se c urity? ? ? Me a sure s ta ke n to pro te c t a c o mpute r o r c o mpute r syste m (a s o n the I

577 views • 6 slides

More recommend