Security Research News in Brief – November 2017 Edition

Welcome back to our monthly review of some of the most interesting security research publications.

Past editions: October 2017 September 2017 August 2017 July 2017 June 2017 May 2017 April 2017 March 2017

S. Tanase and G. Cirlig, Drive safely on the internet lane: how smart cars can leak your data, DefCamp 2017

We don’t have the paper, slides, or video for this presentation yet. Only a press article. And the car vendor’s name has been kept secret.

Apparently, the researchers discovered several privacy leaks on the car’s infotainment system: plaintext storage of call histories, contact, emails, directories etc.

However, the most impressive to my eyes is that they managed to get access to the infotainment system by inserting a USB key into it. Due to a vulnerability, the infotainment system read and executed files on the USB key. The researchers were then able to gain access to a Linux shell. Next, they developed a Proof of Concept malware that would track the car’s position on a map (Of course, this is just an example of the potential attacks would be feasible by exploiting this vulnerability.)While the USB exec vulnerability now seems to be patched, it requires driving to a service center to have the firmware updated.

kylma, Flash dumping, Blackhoodie 17

This talk explains how to dump flash – the style of the presentation is similar to a workshop. The methodology is:

  1. Extract the flash chip from the board. You can do this using a hot air soldering gun.

  2. Design a breakout PCB for the chip. You’ll need to read the specs for the chip and find which pins you are interested in. The slides explain well the differences between most chip packages: DIP, SOP, BGA, QFP and LCC. Then, using that information, design the PCB with a tool such as Kicad (open source)

  3. Create the PCB. The presentation explains the etching process and milling.

  4. Solder the chip onto the breakout PCB. Most of the time, this requires a microscope.

  5. Dump it with a TNM5000 programmer

GreHack also featured a cool micro-soldering workshop where attendees could experiment with de-soldering and re-balling. Both GreHack speakers and kylma came to the same conclusion: hardware reverse engineering tools are not as expensive as people think they are. You can get excellent microscopes for 500 euros or less, and most equipment is easily affordable for a company or even an individual amateur.

R. Lifchitz, Security Review of Proximity Technologies: Beacons and Physical, BlackAlps, slides video

Screenshot taken from YouTube video

Beacons are typically low-cost, small Bluetooth Low Energy (BLE) devices meant to advertise data and/or interact withexisting applications within BLE range (max of around 100 meters).

There are two primary types of Beacons: iBeacon (Apple) and EddyStone (Google). According to Wikipedia, there are also AltBeacon and URIBeacon, though these are less frquently used.

To scan, read, or clone beacons, the following tools are useful:

  • Android BLE applications such as nRF Connect or Beacon Toy

  • Linux BLE tools: hcitool to scan and hcidump --raw -X -t to read data

  • For hardware forensics, beacons typically aren’t very secure and test points are often accessible. It is also possible to access the Flash chip and dump it.

As you’d expect, beacons are handy (an easy way to broadcast short information), but they are quite unsecure. Don’t use them to broadcast sensitive information such as traffic jams, etc ;-( because information can be spoofed, cloned, etc.

The Ph0wn smart devices CTF featured a BLE beacon challenge. That beacon advertised an encrypted message and participants needed to find a way to decrypt it.

Azeria, Writing ARM Shellcode, Blackhoodie 17

Azeria’s ARM cheat sheet can be downloaded here

The material for this workshop is not provided on BlackHoodie, but we can guess that it is based on Azeria’s ARM Exploitation workshops.

Those labs are a nice introduction to ARM assembly and shellcode writing. They are well explained and helpful for newcomers to the ARM architecture. In particular, you can learn:

  • How to compile ARM assembly on a Raspberry Pi, or a QEMU with RPi.

  • How to find a given syscall number

  • How to force Thumb mode

  • How to prevent null bytes in a shellcode, using instructions such as eor x, x instead of mov x, #0


— the Crypto Girl (aka cryptax)