War Texting: Weaponizing Machine … (NCC Group)
whois donb?
whatis iSEC Partners?
whyare we here?
No, really.
• Cellular enabled pill bottles
• Track pill usage remotely
• Email alerts when
▫ Pill count is low
▫ Pills haven’t been taken
▫ When it’s time to take your pill
Wait. That sounds bad.
But, it’s helping people.
• Alzheimer’s patients
• Children with severe diseases
• Physically disabled patients
• Overworked security consultants
Wait. That sounds good.
Everything will be a computer
Examples?
• Medical devices (personal, industrial)
• Industrial monitoring
• Automated Teller Machines
• Industrial/Commercial Alarm Systems
• Home Alarm Systems
• …Car security systems
I would have owned ATMs, but…
Elegant Attacks Against M2M
Attack methods
• Firmware Over The Air (FOTA)
• Long Range Baseband Compromise
• Access Point Name (APN) Private Network compromise
FOTA Hacking?
FOTA
• A methodology for
▫ Devising a firmware patch/update
▫ Securely packaging the patch/update
▫ Shipping it OTA to be applied
FOTA Attacks
• Benefits
▫ Elegant
▫ Mass compromise of multiple types of devices
Multiple vendors use the same baseband
• Negatives
▫ Very chip specific
▫ Impacts the update lifecycle
▫ Requires specialized firmware
▫ Corner cases = potential detection
▫ FOTA compromise != Application compromise
▫ FOTA may not be used in specific M2M deployments
FOTA Conclusion?
So you thought baseband attacks were local only, eh?
Long Range Baseband Compromise
• Yep, Basebands have TCP/IP stacks
• Oh, and these too
▫ HTTP
▫ FTP
▫ DNS
▫ ICMP
▫ TCP client/server
▫ UDP client/server
▫ POP3
▫ SMTP
Long Range Baseband Attacks
• Benefits
▫ Elegant
▫ Mass persistent compromise
▫ Doesn’t mess up firmware updates
▫ Backdoors are light weight
▫ Potential detection is slim to none
• Negatives
▫ Very chip specific
▫ Requires zero-day
▫ Large time to deployment
▫ Target could be Java VM, could be C/C++
Long Range Baseband Conclusion?
APN Private Network Attacks?
APN Private Network Attacks
• Benefits
▫ None
• Negatives
▫ Uninteresting
▫ Boring
▫ Pointless
▫ Repetitive
▫ The Grugq would laugh at me
You don’t need to see a conclusion for this one.
So, what should we do?
Common M2M Example from Microchip
Find Architectural Commonalities
• Baseband
▫ Modules must be approved
▫ The approved list is public
▫ Few features
▫ Can’t drive Application Logic
• Microcontrollers
▫ Small RAM
▫ Small Code Space (flash)
▫ Minimal security surface (if any)
Find Architectural Commonalities
• Communication
▫ Network Comm = Baseband
▫ Peripheral Comm = uC
▫ Comm between Baseband & uC = UART
• Cryptographic Capability
▫ Only some Basebands provide HTTPS/SSL
Usually only Java VM capable
▫ uC is usually baked (or non-existent)
Basebands Accept Hayes AT
• For network requests
▫ AT+UHTTPC
▫ AT^SISS
▫ AT^USORF
• For Incoming/Outgoing SMS
▫ AT+CMGL
▫ AT^SMGL
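The slide lists the Hayes AT commands the microcontroller uses to drive the baseband; a UART tap therefore shows the device's SMS handling in plain text. The following parser is an added example, not tooling from the talk or from wartexting.org. It assumes a text-mode (AT+CMGF=1) session and a constructed two-direction capture (SAMPLE_TX from the uC, SAMPLE_RX from the baseband; numbers and timestamps are made up), and turns the +CMGL listing into structured records so the command set can be catalogued.

```python
"""Parse a UART tap of uC <-> baseband AT traffic (added example, not the deck's tooling)."""
import csv
from dataclasses import dataclass
from typing import List

# Constructed capture of the two UART directions, as a serial decoder would show them.
# TX = microcontroller -> baseband (commands end in <CR>); RX = baseband -> microcontroller.
SAMPLE_TX = 'AT+CMGF=1\rAT+CMGL="ALL"\rAT+CMGD=1\r'
SAMPLE_RX = (
    '\r\nOK\r\n'
    '\r\n+CMGL: 1,"REC UNREAD","+15551234567",,"11/07/31,10:15:02-28"\r\n'
    'LOCATE\r\n'
    '+CMGL: 2,"REC READ","+15557654321",,"11/07/30,22:41:17-28"\r\n'
    'STATUS\r\n'
    '\r\nOK\r\n'
    '\r\nOK\r\n'
)


@dataclass
class SmsRecord:
    index: int        # storage slot on the SIM/baseband
    status: str       # "REC UNREAD", "REC READ", ...
    address: str      # originating (or destination) number
    timestamp: str    # service-centre timestamp, if the baseband reports one
    text: str         # the message body: in these devices, the command itself


def commands_sent(tx: str) -> List[str]:
    """AT commands the microcontroller issued, e.g. AT+CMGL to list stored SMS."""
    return [line.strip() for line in tx.splitlines()
            if line.strip().upper().startswith("AT")]


def parse_cmgl(rx: str) -> List[SmsRecord]:
    """Extract text-mode +CMGL records (3GPP TS 27.005 layout:
    '+CMGL: <index>,<stat>,<oa/da>,[<alpha>],[<scts>]' with the body on the next line)."""
    lines = rx.splitlines()
    records: List[SmsRecord] = []
    i = 0
    while i < len(lines):
        if lines[i].startswith("+CMGL: "):
            # csv handles the quoted fields, including the comma inside the timestamp
            fields = next(csv.reader([lines[i][len("+CMGL: "):]]))
            fields += [""] * (5 - len(fields))       # pad optional <alpha>/<scts>
            body = lines[i + 1] if i + 1 < len(lines) else ""
            records.append(SmsRecord(int(fields[0]), fields[1], fields[2], fields[4], body))
            i += 2                                   # header + body consumed
        else:
            i += 1
    return records


def final_results(rx: str) -> List[str]:
    """Final result codes in order, so each command can be paired with its OK/ERROR."""
    return [line for line in rx.splitlines() if line in ("OK", "ERROR")]


if __name__ == "__main__":
    for cmd, result in zip(commands_sent(SAMPLE_TX), final_results(SAMPLE_RX)):
        print(f"{cmd:<16} -> {result}")
    for rec in parse_cmgl(SAMPLE_RX):
        print(rec)
```

Run against a real decoded tap, the body of each record is the device's control vocabulary; if those bodies are readable here, the channel carries no confidentiality or authentication, which is the point the next slides make.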
The Payload May Be Encrypted
• If the payload is encrypted
▫ Finite ways the Application can generate a key
IMSI
GSM Timestamp
IMEI
Static Secret
Value from Network (Data or SMS)
• Some applications don’t even encrypt
If encrypted, how do we analyze?
How do we extract it?
• Use datasheet to find pins
▫ Don’t have the uC datasheet?
▫ Most baseband datasheets are public
• Use multimeter to
▫ trace baseband UART -> uC UART
▫ Trace VCC, VSS
▫ = Now you know 4 pins on your unknown uC
▫ Scan leftovers for JTAG/etc
How do we extract it?
• Logic Analyzer
▫ Tap the UART pins
▫ Find test pads, if available
▫ Solder only when necessary (limit damage)
• Most basebands will only talk
▫ Async Serial 9600 8N1
▫ Async Serial 115200 8N1
▫ Process data at both speeds
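The slide says to capture the baseband/uC UART with a logic analyser and to process the data at both 9600 and 115200 8N1. The decoder below is an added example written for this page, not a tool from the talk; it renders a constructed capture (render_8n1, so it runs offline), decodes 8N1 frames at a given rate, and guess_baud picks the rate whose decode has no framing errors and the most ASCII-looking output, which is the cheap tell for AT traffic. The sample rate and message are assumptions.

```python
"""Decode an 8N1 async-serial capture at the two rates the deck names (added example)."""
from typing import List, Sequence, Tuple

CANDIDATE_BAUDS = (9600, 115200)   # the deck: most basebands talk one of these two


def render_8n1(data: bytes, baud: int, sample_rate: int, idle_bits: int = 4) -> List[int]:
    """Constructed logic-analyser capture: one line level per sample (1 = idle/mark,
    0 = space) for `data` framed as 8N1 at `baud`, sampled at `sample_rate` Hz."""
    bits: List[int] = [1] * idle_bits
    for byte in data:
        bits.append(0)                                   # start bit
        bits.extend((byte >> k) & 1 for k in range(8))   # data, LSB first
        bits.append(1)                                   # stop bit
        bits.extend([1] * idle_bits)                     # line idles high between bytes
    total = int(len(bits) * sample_rate / baud)
    return [bits[min(int(i * baud / sample_rate), len(bits) - 1)] for i in range(total)]


def decode_8n1(samples: Sequence[int], sample_rate: int, baud: int) -> Tuple[bytes, int]:
    """Recover bytes from a capture assuming 8N1 at `baud`. Returns (bytes, framing
    errors). A wrong rate shows up as framing errors (stop bit sampled low)."""
    spb = sample_rate / baud                 # samples per bit
    out = bytearray()
    errors = 0
    n = len(samples)
    i = 1
    while i < n:
        if not (samples[i - 1] == 1 and samples[i] == 0):   # wait for a falling edge
            i += 1
            continue
        start = i
        centre = int(start + 0.5 * spb)
        if centre >= n or samples[centre] != 0:          # glitch, not a real start bit
            i += 1
            continue
        stop = int(start + 9.5 * spb)
        if stop >= n:                                    # frame runs past the capture
            break
        value = 0
        for k in range(8):                               # sample each data bit at its centre
            value |= samples[int(start + (k + 1.5) * spb)] << k
        if samples[stop] == 1:
            out.append(value)
        else:
            errors += 1                                  # framing error
        i = stop + 1
    return bytes(out), errors


def _printable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data)


def guess_baud(samples: Sequence[int], sample_rate: int,
               candidates: Sequence[int] = CANDIDATE_BAUDS) -> Tuple[int, bytes]:
    """Try each candidate rate; keep the decode with the fewest framing errors,
    then the most ASCII-looking output (AT traffic is plain text)."""
    best_key = None
    best: Tuple[int, bytes] = (0, b"")
    for baud in candidates:
        decoded, errors = decode_8n1(samples, sample_rate, baud)
        key = (-errors, _printable_ratio(decoded), len(decoded))
        if best_key is None or key > best_key:
            best_key, best = key, (baud, decoded)
    return best


if __name__ == "__main__":
    SAMPLE_RATE = 921_600                  # assumed: 8 samples/bit at 115200, 96 at 9600
    capture = render_8n1(b"AT+CMGF=1\r", 9600, SAMPLE_RATE)   # constructed capture
    print(guess_baud(capture, SAMPLE_RATE))
```

With a real capture, replace render_8n1 with the analyser's exported sample column and its sample rate; the decoder needs several samples per bit, so sample at least eight times the fastest candidate rate.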
Next, we reverse.
It’s not always easy
• Difficult to determine crypto keys
• Protocol may be dynamic
• Nonces may get in the way
Some light Hardware Hacking?
Nothing too new
• Simple/Differential Power Analysis
▫ Extract keys
• Glitching
▫ Extract firmware
▫ Bypass fuses to set DEBUG mode
• Blue wire fixes
▫ Enable DEBUG mode
• Add/remove resistors
▫ Enable DEBUG mode
Revenge (REVerse ENGinEering)
• uC are easy
▫ Small code base
▫ Predictable vectors
▫ Simple opcode architecture
▫ Typically no MMU (used)
The STM8 example
• stm8s207xx
▫ 24MHz clock
▫ 6KB RAM
▫ 128KB Flash
▫ 96 assembly instructions
Disassembling & Emulating = Easy
• Few registers (X, Y, PC, SP, A, C)
• Instructions are easy to decode
▫ A common bit represents a type of memory access
▫ No Store, just Load
• Emulation requirements are minimal
▫ Inject interrupts as desired
▫ Managing the Clock isn’t complex
▫ Simple buffer for UART bytes
Releasable Tools
• GPLv2 License
• This week
▫ STM8 disassembler
▫ STM8 emulator
• At HITB KL
▫ STM8 SWIM for GoodFET
Point of Reverse Engineering?
• Determine vectors for communication
▫ SMS
▫ Internet
▫ Voice calls
• Extract messages for Comm Channels
• Develop Protocol APIs
With comm channel…
• Identify commands
• Build payloads
• Assess delivery mechanisms
• Essentially: Build a strategy for attack
Building a Fingerprint
Device Profiling
• Network fingerprint
▫ Which network provider?
▫ Is it allocated an MSISDN?
▫ Is voice allowed?
▫ Is SMS allowed?
▫ Caller ID?
▫ NPA NXX?
▫ HLR?
• Physical fingerprint
▫ Recognizable SIM
▫ Baseband Capabilities
Why Device Profile?
• SMS is Noisy
▫ Hundreds of thousands of MSISDN
▫ Decrease cost
▫ Evade SMS SPAM filters
▫ Don’t tip off your Target
Simple Profiling Tools
• Scripts by donb and NickDE!
▫ Hello, Carmen Sandiego :)
• Snarf Caller ID
• Scan HLR
• Build MSC databases
Quick Example: iPad on AT&T
• Provider?
▫ AT&T (MCC: 310, MNC: 410)
• Caller ID?
▫ Billable name “BAILEY DON”
• MSISDN & MSC
▫ MSC location != NPA NXX
• Voice capability
▫ Error
Phew! That’s a lot of stuff!
Overall Strategy?
• Identify target industry
• Build doc library
• Intercept initial command set
• Attack hardware
• Reverse engineer firmware
• Extract commands
• Identify command channels
• Devise network fingerprint
• Attack!
Case Study: Zoombak Tracking Device
Zoombak “Advanced GPS Tracker”
• Sold in over 12,500 stores in the USA
• Smart Phone App (iPhone, Android, Blackberry)
• 2x as big as your 6th Generation iPod Nano
• Track your…
▫ Car
▫ Family
▫ Pet
▫ Valuables
Zoombak Architecture
• Renesas SH microprocessor
• Cinterion Wireless MC56
• GR-520 GPS Module
Intercept Initial AT Command Set
• Accepts SMS commands
• Uploads data to Internet
• Retrieves IMSI, IMEI, Network Timestamp, etc.
• Monitors Base Station Info (RSSI, LAC, CI, etc.)
Zoombak Communication Channel
• Comm Vectors
▫ SMS
▫ Internet
• Control Channel
▫ Use SMSsubmit to ship the SMS via Kannel
• Callbacks
▫ SIM in GSM Modem
Zoombak Network Fingerprint
• HLR
• Caller ID
• Voice capability
• MSC vs. MSISDN
• Specialized SMS
Fingerprint Result?
• 72% Success Rate
• Several hundred Zoombak
Zoombak Overall Result?
Case Study: Car Security Module
Strategy
• Target industry
• Doc library
• Intercept initial command set
• Attack hardware
• RevEng firmware
• Identify command channels
• Devise network fingerprint
• Attack!
Car Security Overall Result?
Embedded Security is Hard.
Don’t make it harder
• Increase crypto usage
• Ensure APN security
• Use Nonces/Tokens
• Don’t embed IP addresses in SMS ;)
• Don’t push insecure architecture
▫ Require PKI/SSL
• Decrease Prices of Security uC
▫ Atmel
▫ ST
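The "Payload May Be Encrypted" slide lists the key sources these applications actually use (IMSI, IMEI, GSM timestamp, a static secret, a value sent over the network), all of which are either visible to anyone holding the device or shared across the fleet; this slide's fix is crypto with nonces/tokens. The code below is an added example of what that recommendation looks like on the wire, not code from the talk or from any vendor: a hypothetical SMS control format `<counter>:<command>:<tag>` with a per-device random key, a truncated HMAC-SHA256 tag, and a monotonic counter as the nonce, so a captured command can be neither altered nor replayed. DEMO_KEY and the command names are constructed.

```python
"""Nonce-and-MAC protected SMS control channel (added example, not the deck's code)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

TAG_BYTES = 16   # truncated HMAC-SHA256; 32 hex chars still fits a 160-char SMS

# Constructed per-device key for the example. A real unit gets its own key at
# manufacture (see provision_key), never a value derived from IMEI/IMSI or a
# static secret shared across the whole product line.
DEMO_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def provision_key() -> bytes:
    """Fresh 128-bit key for one device, generated from the OS CSPRNG."""
    return secrets.token_bytes(16)


def _tag(key: bytes, body: str) -> bytes:
    return hmac.new(key, body.encode("ascii"), hashlib.sha256).digest()[:TAG_BYTES]


def build_command(key: bytes, counter: int, command: str) -> str:
    """Server side: '<counter>:<command>:<tag>'. The increasing counter is the
    nonce; it is covered by the MAC so it cannot be altered in transit."""
    body = f"{counter}:{command}"
    return f"{body}:{_tag(key, body).hex()}"


class CommandReceiver:
    """Device side: a command is accepted only if its MAC verifies under this
    device's key and its counter is newer than the last one accepted."""

    def __init__(self, key: bytes, last_counter: int = 0) -> None:
        self.key = key
        self.last_counter = last_counter   # persisted across reboots in practice

    def accept(self, sms: str) -> Tuple[Optional[str], str]:
        parts = sms.split(":")
        if len(parts) != 3 or not parts[0].isdigit():
            return None, "malformed"
        counter_s, command, tag_hex = parts
        try:
            tag = bytes.fromhex(tag_hex)
        except ValueError:
            return None, "malformed"
        # Authenticate first, in constant time, so a forged message can never
        # advance the counter and lock out a legitimate sender.
        if not hmac.compare_digest(_tag(self.key, f"{counter_s}:{command}"), tag):
            return None, "bad tag"
        counter = int(counter_s)
        if counter <= self.last_counter:
            return None, "replay"          # old or duplicated message
        self.last_counter = counter
        return command, "ok"


if __name__ == "__main__":
    rx = CommandReceiver(DEMO_KEY)
    msg = build_command(DEMO_KEY, 1, "LOCATE")
    print(msg, rx.accept(msg))
    print(rx.accept(msg))                  # the same SMS again is rejected as a replay
```

The counter has to survive a power cycle on the device, otherwise every reboot reopens the replay window; a receiver that cannot persist state can instead issue a one-time token over the data channel and require it in the next command, which is the "tokens" half of the slide.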
All tools can be downloaded…
• https://wartexting.org/
• Simple Zoombak Scanner
• FindMe HLR/MSC snarfer
• WhoIs Caller ID client
• Soon to come (end of next week)
▫ STM8 Disassembler
▫ STM8 Emulator
Thanks to…
• iSEC Partners, NCC Group, and Alex Stamos
• Mat Solnik
• Joe Gratz
• Nick DePetrillo
• Mike Ossmann
• Travis Goodspeed
• Patrick McCanna
• Justine Osborne
• Heidi Cuda
• David Munson
• Robot insect image © Mike Libby
“Even if my collar bones crush or crumble.”
- Eminem