HARDSPLOITFrameworkforHardwareSecurityAudit

abridgebetweenhardware&aso0warepentester

Who am I ?

•  Julien Moinard -  Electronic engineer @opale-security (French company) -  Security consultant, Hardware & SoDware pentester -  Team project leader of Hardsploit -  DIY enthusiast

16/03/2016 2

Opale Security in 1 slide

16/03/2016 3

Internet of Things & Privacy concern ?

•  AnyIoTobjectcouldrevealinforma@onaboutindividuals

• WearableTechnology:clothes,watches,contactlenseswithsensors,microphoneswithcamerasembeddedandsoon• Quan@fiedSelf:pedometers,sleepmonitors,andsoon•  HomeAutoma@on:connectedhouseholdsusingsmartfridges,smartligh<ngandsmartsecuritysystems,andsoon• …

16/03/2016 4

Internet of Things & Privacy concern ?

•  Lastnews:(youcanupdatethisslideeveryweekL)

Firmwarecanbereadwithoutanyproblem(SPImemory)

VTechwashackedinNovember,exposingmillionsofaccounts.Inresponse,thefirmtooksomeessen<alservicesoffline,meaningproductscouldnotberegisteredonChristmasDay.

16/03/2016 5

Iot Eco-system (20000 feet view)

• PrivacyRisklevel:Where?

HFcommunica<on(ISMBand)+Wifi+3G-5G,Bluetooth,Sigfox,Loraetc..

Classicalwiredconnec<ons

Centralservers,UserInterface,API,Backofficeetc.

IoTdevices

16/03/2016 6

SOFTWARETosecureit:•  Securityproducts(Firewall,An<virus,IDS,…)•  Securityservices(Pentest,Audit,…)•  Tools(Uncountablenumberofthem)

HARDWARETosecureit:•  Feworunimplementedsolu<ons(Encryp<onwithkeyinasecurearea,an<-replaymechanisms,readoutprotec<on,…)

Security speaking, hardware is the new soDware ?

16/03/2016 7

•  1/Openit•  2/Fingerprintallthecomponentifyoucanelseautoma@cbruteforcing•  3/Usethosethatmaycontaindata(Online/Offlineanalysis?)•  4/Performread|writeopera@ononthem•  5/Reverseengineering,findvulnerabili<esandexploitthem

Hardsploit & hardware hacking basic procedure

16/03/2016 8

Global Purpose

16/03/2016 9

Why ?

•  Becausechipscontaininteres<ng/privatedata•  Passwords•  Filesystems•  Firmware•  …

16/03/2016 10

How ?

• Ahardwarepentesterneedtoknowelectronicbusesandheneedtobeabletointeractwiththem

1-Wire

JTAG/SWDUART

CAN

PARALLEL

Custom16/03/2016 11

Hardsploit framework

Samehardwarebutasofwareupdateisneededtoaddanewprotocols

Hardsploit

IoTtarget

Input/Output

database Module(SWD,SMBus,I2C,SPI,etc..)

16/03/2016 12

Hardsploit bus indenSficaSon & scanner (in progress, not published yet)

Hardsploit

IoTtarget

Input/Output

Databaseofpagerns

Databaseofcomponents Module(I2C,SPI,etc..)

IOhardwaremixer

Scanner

16/03/2016 13

Tool of trade

FUNCTIONALITIES BUSPIRATE JTAGULATOR GOODFET HARDSPLOIT

UART Busiden<fica<on

SPI

PARALLEL

I2C

JTAG/SWD Busiden<fica<on

MODULARITY Microcontroller Microcontroller Microcontroller uC/FPGA

EASEOFUSE Cmdline+datasheet Commandline Commandline OfficialGUI/API/DB

I/ONUMBER <10 24 <14 64(pluspower)

WIRING TEXT(butMOSI=SDAJ) TEXT/AUTOMATICiden<fica<on

TEXT LED/TEXT/AUTOMATICiden<fica<on

16/03/2016 14

Hardsploit: CommunicaSon

16/03/2016 15

Prototype making

• Applyingsolderingpaste(lowbudgetstyle)

16/03/2016 16

Prototype making

• Manualreflowoven(DIYstyle)

16/03/2016 17

Prototype V0.1 aka The Green Goblin J

16/03/2016 18

Prototype making (with a budget)

•  Therebirth

16/03/2016 19

The board – Final version

•  64I/Ochannels•  ESDProtec<on•  Targetvoltage:3.3&5V• UseaCycloneIIFPGA• USB2.0•  20cmx9cm

16/03/2016 20

Hardsploit organizaSon

16/03/2016 21

Chip management

•  Search• Create• Modify•  Interact

16/03/2016 22

Wiring helper

Datasheetrepresenta<on

HardsploitWiringmodulerepresenta<on

GUI<–>Boardinterac<on

16/03/2016 23

Se[ngs

16/03/2016 24

Command editor

16/03/2016 25

What are available on github (Open) ?

•  Microcontroller(c)•  API(ruby)•  GUI(ruby)•  CreateyourownHardsploitmodule:VHDL&API(ruby)

16/03/2016 26

Already available (github) Parallelnonmul<plexedmemorydump•  32bitsforaddress•  8/16bitsfordata

HelpingwiringI2C100Khz400Khzand1Mhz•  Addressesscan•  Read,write,automa<cfullandpar<aldump

SPImode0,1,2,3upto25Mhz•  Read,write,automa<cfullandpar<aldump

SWDinterface(likeJTAGbutforARMcore)•  DumpandwritefirmwareofmostARMCPU

GPIOinteract/bitbanging(APIonlyforthemoment)•  Lowspeed<500Hzread&writeopera<onson64bits

16/03/2016 27

More to come (see online roadmap)… •  Automa<cbusinden<fica<on&Scanner(@30%)•  Component&commandssharingplatorm(@90%)•  TTLUARTModulewithautoma<cdetec<onspeed(@80%)•  Parallelcommunica<onwithmul<plexedmemory•  I2Csniffing(shotof4000bytesupto1Mhz)•  SPIsniffing(shotof8000/4000bytehalf/fullupto25Mhz)•  RFWirelesstransmissiontrainingplateform(NordicNRF24,433Mhz,868Mhztranscievers)•  Metasploitintegra<on(module)??•  JTAG•  1Wire•  CanBUS(withhardwareleveladapter)•  …

16/03/2016 28

Concrete case

• Anelectroniclocksystem•  4characterspincodeA–B–C–D

•  Goodcombinaison–Dooropens,greenL.E.Dturnon• Wrongcombinaison–Doorcloses,redL.E.Dturnon

16/03/2016 29

Concrete case: Open it

16/03/2016 30

Concrete case: Fingerprint

I2CMEMORIES24LC64

STM32F103RBT6

SPIMEMORY25LC08

16/03/2016 31

Concrete case: Online / Offline analysis ?

16/03/2016 32

Concrete case: hardsploit scenario

1.  OpenHardsploittocreatethecomponent(ifnotexist)2.  ConnectthecomponenttoHardsploit(wiringhelping)3.  Enterandsavethecomponentseungs(ifnotexist)4.  Dumpthecontentofthememories(1click)5.  Changethedoorpasswordbyusingcommands(fewclicks)6.  Trythenewpasswordonthelocksystem(enjoy)

16/03/2016 33

Concrete case: Read | Write operaSon, I2C, SPI, SWD …

•  Timeforalivedemo?

16/03/2016 34

Parallel bus memory

16/03/2016 35

Concrete case: Fingerprint

16/03/2016 36

Concrete case: Offline analysis

16/03/2016 37

Concrete case: Ready to dump the content

16/03/2016 38

Conclusion

•  IoTDeviceare(also)pronetovulnerabili<eshelpyoutofindthem•  Securitypolicyneedtobeadpated,nowadays,itisnotsodifficultto

extractdataonIoT•  Designersneedtodesignwithsecurityinmind•  SkillsrelatedtopentestahardwaredeviceismandatoryforSecurity

Experts(buttrainingexist)•  Industryneedtotakecareaboutdevicesecurity

16/03/2016 39

Thank you ! Hardsploitboardisavailableatshop-hardsploit.com(250€/277USD/370CADexcludingVAT)

TolearnmoreaboutHardsploitandfollowthedevelopment

Hardsploit.io&Opale-Security.com•  YannALLAIN(CEO)•  yann.allain@opale-security.com•  +33645453381 Hardware&Sofware,Pentest,Audit,Training

•  JulienMOINARD(ProjectleaderofHardsploit)•  julien.moinard@opale-security.com•  +33972438707

16/03/2016 40