hacking non-traditional systems
DESCRIPTION
This talk will demonstrate common vulnerabilities in 'non-traditional' systems such as kiosks, embedded systems, and the like and explain why these systems are such low-hanging fruit for security researchers.TRANSCRIPT
Hacking Non-Traditional Systems
Luis ‘connection’ Santana
Who Am I?
• Independent Security Researcher
• Security Consultant @ AccuvantLABS
• Newbie Hardware Hacker
• @hacktalkblog on twitter
• ‘Connection’ on the interwebz
• Physical Security Sucks!
What’s The Point
The Big Problem
• Physical Security
• Accessible USB ports
Physical Security
• Rudimentary
• Often A Second Thought
• Completely non-existent
• Devices share many vulnerabilities
• Highly trivial
• Plain-text communications
Common Vulnerabilities
• Highly trivial
• Old techniques, new devices
• OMIGAWD 0day!
• Electrical Engineering skills not needed
Easy As Pi
• Bus Pirate
• Standard serial protocols.
– I2C
–UART
– JTAG
– SPI
• Common ‘Industry’ Protocols
The Protocols
‘Kiosk-Like’ Systems
• Often touchscreen
• USB FTW
• Local Administrator
• Hidden Menus
• Easy break-outs
• Often Windows XP
• PXE Booting
‘Kiosk-Like’ Systems
Accessible USB Ports
• Should be hidden
• Consumers don’t need them
• #DontLeaveShit
Vending Machines
• Debug codes
• Limited security
• No Encrypted Swipe
Vending Machines
• Much more than debug menus
Not Just 4-2-3-1
Hacking Is Delicious!!!
• The Device That Cried ‘SQLi’
Story Time!
• Research
• Working With Vendors
• Methodologies
• Funding
• Toolkits
• New Market
What’s Next?
• Patrick Fleming– For my first non-traditional system gig
• Accuvant LABS– For letting me poke at hardware and work on this
talk
• You!– For coming to my talk and (hopefully) learning
some new things
Thanks
• Any Questions?
• Contact Info:
–Email: [email protected]
–Gtalk: [email protected]
–Twitter: @hacktalkblog
Questions?