©2013 Check Point Software Technologies Ltd.
Physical (In)security:
It’s not all about Cyber…
Inbar Raz
Malware & Security Research Manager
Check Point Software Technologies
Background
Who am I?
– I like to reverse things – software, hardware, ideas, rules.
– I like to find problems and have them fixed (by others…)
What do I do?
– Run Malware & Security Research at Check Point
– Create Responsible Disclosures
– Concentrate on “little to no-skills needed”
– Easier to demonstrate and convince
Example #1: Movie Ticket Kiosk
On-site Kiosk
Touch Screen
Credit Card Reader
Ticket Printer
No peripherals, No interfaces
The Attack
Improper interface settings allow the opening of menu options.
Menus can be used to browse for a new printer.
A limited Windows Explorer is not restricted enough.
A right-click can be used…
To open a full, unrestricted Windows Explorer.
The Attack
Browsing through the file system reveals interesting directory names…
And even more interesting file names.
The Attack
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad
We can use the ticket printer to take it home
The Attack
But that’s not all: RSA Keys and Certificates are also found on the drive!
Which we can print, take home and then use a free OCR software to read…
The Attack
The result:
RSA Keys used to bill credit cards.
Example #1: Summary
Device purpose: Print purchased Movie Tickets
Data on device: Credit Card data and Encryption Keys
Method used to hack: 1 finger
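The two findings of Example #1, card numbers and private keys sitting unencrypted on the kiosk's drive, are exactly what a data-at-rest audit of the device image should catch before a stranger with one finger does. The script below is an added example and is not code from the presentation: it walks a directory tree, flags files containing Luhn-valid card numbers or PEM private-key headers, and reports only a masked sample so the audit report itself does not become a copy of the card data. The sample directory, file names and values it builds are constructed for the demonstration; the PAN regex, Luhn filter and key header list are the assumptions it rests on.

```python
"""
Added example, not code from the original presentation: a data-at-rest audit
for a kiosk or PoS disk image. It walks a directory tree and reports files
that hold Luhn-valid card numbers or PEM private keys, without copying the
card data itself into the report. Sample files are constructed inline so the
script runs offline.
"""
import os
import re
import tempfile

# 13-19 digits, optionally separated by single spaces or dashes, and not
# embedded in a longer digit run (a 20-digit serial number does not match).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# PEM private-key headers (PKCS#1 RSA, EC, PKCS#8, OpenSSH).
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED |OPENSSH )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Luhn-valid card-number candidates in text, separators removed."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, as a report may show."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: str, max_bytes: int = 1 << 20) -> list:
    """Report files under root that contain card numbers or private keys."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", errors="replace")
            except OSError:
                continue  # unreadable file: skip, do not abort the audit
            pans = find_pans(text)
            if pans:
                findings.append({"name": name, "path": path, "kind": "pan",
                                 "count": len(pans), "sample": mask_pan(pans[0])})
            if KEY_RE.search(text):
                findings.append({"name": name, "path": path, "kind": "private_key",
                                 "count": 1, "sample": None})
    return sorted(findings, key=lambda f: (f["name"], f["kind"]))


def build_sample_tree() -> str:
    """Constructed kiosk-like directory: a transaction log, a key file, an app log."""
    root = tempfile.mkdtemp(prefix="kiosk_audit_")
    files = {
        "Data/transactions.log": (
            "2013-05-01 19:30 PAN=4111111111111111 EXP=1215 AMT=32.00\n"  # test PAN
            "2013-05-01 19:41 ORDER=1234567890123 AMT=12.50\n"            # fails Luhn
        ),
        "Keys/billing.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "PLACEHOLDER-KEY-BODY\n"      # constructed, not a real key
            "-----END RSA PRIVATE KEY-----\n"
        ),
        "Logs/app.log": "printer spooler started pid=4412\n",
    }
    for rel, content in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_tree()):
        print(f"{f['kind']:12} {f['path']}  {f['sample'] or ''}")
```

Run against a mounted image of the device rather than the live kiosk; the Luhn filter removes most false positives from order numbers and timestamps, but a hit still needs a human look, and a private-key hit in a billing directory is the finding that matters most.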
Example #2: Point-of-Sale Device
Point-Of-Sale devices are all around you.
The Attack
PoS Device located outside business during the day
At the end of the day, it is locked inside the business
The Attack
But one thing is left outside, in the street:
The Attack
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up wireshark, discover IPs of live machines.
Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254
Confirm by ping (individual and broadcast)
The Attack
Evidence of SMB (plus prior knowledge) leads to the next step:
And the response:
Things to do with an open share
#1: Look around
– Establish possible attack vectors
#2: Create a file list
– Not like stealing data, but very helpful
The mystery of 192.168.0.250
Answers a ping, but no SMB.
First guess: the ADSL Modem.
Try to access the Web-UI:
Use the full URL:
Going for the ADSL router
Reminder: We actually had this information.
Naturally, there is access control:
Want to guess?
Example #2: Summary
Device purpose: Cash Register and Local Server
Data on device: Credit Card data, Customer Database
Method used to hack: MacBook Pro, Free Software
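Everything in Example #2 started with a laptop plugged into a jack left in the street. A shop this size will not run a NAC, but it can at least notice a new client on its LAN. The script below is an added example and not code from the presentation: it reads a DHCP lease file in dnsmasq's format, ignores leases that have already expired, and alerts on any active client whose MAC is not in a small device inventory, or whose hostname differs from the inventory entry for that MAC. The inventory, the MAC addresses and the lease lines are constructed for the demonstration and are not taken from the talk.

```python
"""
Added example, not from the original presentation: rogue-device detection for
a small shop LAN. Reads dnsmasq-style DHCP leases and reports active clients
that are not in the device inventory. Inventory, MACs and lease lines below
are constructed.
"""

# Constructed dnsmasq leases: expiry(epoch) mac ip hostname client-id
SAMPLE_LEASES = """\
1370000000 00:11:22:33:44:04 192.168.0.4 POS-BACKOFFICE 01:00:11:22:33:44:04
1370000300 08:00:27:5e:1f:9a 192.168.0.7 macbook-pro *
1370000600 00:11:22:33:44:02 192.168.0.2 POS-REGISTER-2 01:00:11:22:33:44:02
"""

# Constructed inventory of devices that belong on the LAN (MAC -> hostname).
KNOWN_DEVICES = {
    "00:11:22:33:44:02": "POS-REGISTER-2",
    "00:11:22:33:44:04": "POS-BACKOFFICE",
    "00:11:22:33:44:fe": "ADSL-ROUTER",
}


def parse_leases(text):
    """Parse dnsmasq lease lines into dicts; '*' means the client sent no hostname."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue                      # blank or malformed line
        expiry, mac, ip, hostname = parts[:4]
        leases.append({
            "expiry": int(expiry),
            "mac": mac.lower(),
            "ip": ip,
            "hostname": None if hostname == "*" else hostname,
        })
    return leases


def find_rogues(leases, known, now):
    """Alerts for leases still active at `now` whose client does not match the inventory."""
    alerts = []
    for lease in leases:
        if lease["expiry"] <= now:
            continue                      # expired lease: stale, do not alert on it
        reasons = []
        expected = known.get(lease["mac"])
        if expected is None:
            reasons.append("unknown_mac")
        elif lease["hostname"] and lease["hostname"].lower() != expected.lower():
            reasons.append("hostname_mismatch")   # known MAC, unexpected name: possible spoofing
        if reasons:
            alerts.append({**lease, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    active = find_rogues(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES, now=1370000100)
    for alert in active:
        print(alert["ip"], alert["mac"], alert["hostname"], ",".join(alert["reasons"]))
```

A MAC inventory is a detection, not a control: MACs can be copied, and a statically addressed intruder never appears in the lease file. It buys a shop an alert for the common case shown in the talk; removing the jack from the street, or putting 802.1X on that switch port, is what actually closes the door.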
Other opportunities
A Medical Clinic in Tel-Aviv
– Complete disregard for attendance systems
A Hospital in Tel-Aviv
An ATM at a shopping mall
Example #3: Hospital Smart TV
Features
– Watch TV
– Listen to music
– VOD
– Browse the Internet
Peripherals:
– Touch Screen
– Credit Card Reader
– Earphones
And…
– USB…
The Attack
Start with a USB Keyboard
– Numlock works
– Nothing else does
Power off, Power on, F11
Our options are opening up.
Let’s boot something else
BackTrack (kali): Never leave home without it
But I’m facing a problem
Even though I’m set to DHCP, I have no IP address.
An examination of the config files reveals the problem:
```
# The loopback interface, this is the default configuration:
auto lo
iface lo inet loopback

# The first network interface.
# In this case we want to receive an IP-address through DHCP:
auto eth0
iface eth0 inet dhcp

# In this case we have a wired network:
wpa-driver wired

# Tell the system we want to use WPA-Supplicant
# with our configuration file:
wpa-conf /etc/wpa_supplicant.conf
pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off
```
But this is Linux, everything is in text files:
```
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}
```
I copy the files, and try again.
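The wpa_supplicant.conf from the smart TV is what made the copied files work: a wired 802.1X network whose whole secret is an identity and a password in a world-readable text file, with EAP-MD5 allowed, PAP inside the TTLS tunnel, and no ca_cert, so the supplicant never checks who the RADIUS server is. The script below is an added example, not code from the presentation or from the device vendor: a small audit that parses network={} blocks and reports those weaknesses as issue codes, next to a hardened EAP-TLS block that passes. The weak sample reproduces the slide's redacted values; the hardened block, its identity and its certificate paths are constructed assumptions.

```python
"""
Added example, not from the original presentation: audit a wpa_supplicant.conf
for the weaknesses visible in the smart TV's configuration. Sample configs are
constructed here; identity and password are redacted as on the slide.
"""

# Constructed sample modelled on the config shown on the slide.
WEAK_CONF = """\
ctrl_interface=/var/run/wpa_supplicant
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}
"""

# Constructed hardened counterpart: EAP-TLS with a client certificate and a
# pinned server CA. Identity and paths are hypothetical.
HARDENED_CONF = """\
ap_scan=0
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="tv-ward3-bed12"
    ca_cert="/etc/ssl/certs/radius-ca.pem"
    client_cert="/etc/wpa_supplicant/tv.crt"
    private_key="/etc/wpa_supplicant/tv.key"
}
"""

TUNNELED = {"TLS", "TTLS", "PEAP"}   # methods that can authenticate the server via TLS


def parse_networks(conf):
    """Minimal parser: one dict of key=value pairs per network={ ... } block."""
    nets, cur = [], None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("network={"):
            cur = {}
        elif line == "}" and cur is not None:
            nets.append(cur)
            cur = None
        elif cur is not None and "=" in line:
            key, val = line.split("=", 1)
            cur[key.strip()] = val.strip().strip('"')
    return nets


def audit_network(net):
    """Return a set of issue codes for one 802.1X network block."""
    issues = set()
    if net.get("key_mgmt") not in ("IEEE8021X", "WPA-EAP"):
        return issues                     # PSK/open networks are out of scope here
    eap = set(net.get("eap", "").split())
    pw = net.get("password", "")
    if pw and not pw.startswith("hash:"):
        issues.add("cleartext_password")  # anyone who can read the file owns the account
    if eap & {"MD5", "LEAP"}:
        issues.add("weak_eap_method")     # no mutual auth; challenge-response is crackable offline
    if eap & TUNNELED and "ca_cert" not in net:
        issues.add("no_server_cert_validation")  # a rogue RADIUS server harvests the credentials
    phase2 = net.get("phase2", "")
    if "auth=PAP" in phase2:
        issues.add("inner_pap")           # password travels as-is inside the tunnel
    if "password=" in phase2:
        issues.add("password_in_phase2")
    if "private_key_passwd" in net:
        issues.add("cleartext_key_passphrase")
    return issues


def audit_conf(conf):
    """Audit every network block in a config; one issue set per block."""
    return [audit_network(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_conf(conf))
```

File permissions would not have helped here, which is the talk's point: the attacker booted his own OS from USB and read the disk directly. Certificate-based EAP-TLS limits what a copied file is worth, but the credential still has to live on the box, so the boot order lock and disk encryption are what stop the copy in the first place; `password=hash:` only applies to MSCHAPv2 inner methods and merely avoids the plaintext, it does not stop replay of the hash.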
What next?
Find out where we are (external IP)
Proof-of-Concept: Open reverse shell
Further analysis of files reveals a lead:
http://192.168.0.250/client/
This is the actual User Interface:
But it’s not enough…
So the next logical step is…
So what’s next?
We lost access to the devices
– At least easy access
Complete the report and go for disclosure
However…
Turns out other hospitals have the same device
– So now we wait for someone to get sick…
Example #3: Summary
Device purpose: Smart TV for Hospital Patients
Data on device: Network Encryption Keys, Possible access to other networks
Method used to hack: USB Drive, Free Software, Keyboard, Mouse
Questions?