Welcome back to our monthly review of some of the most interesting security research publications.
S. Tanase and G. Cirlig, Drive safely on the internet lane: how smart cars can leak your data, DefCamp 2017
We don’t have the paper, slides, or video for this presentation yet. Only a press article. And the car vendor’s name has been kept secret.
Apparently, the researchers discovered several privacy leaks on the car’s infotainment system: plaintext storage of call histories, contact, emails, directories etc.
However, the most impressive to my eyes is that they managed to get access to the infotainment system by inserting a USB key into it. Due to a vulnerability, the infotainment system read and executed files on the USB key. The researchers were then able to gain access to a Linux shell. Next, they developed a Proof of Concept malware that would track the car’s position on a map (Of course, this is just an example of the potential attacks would be feasible by exploiting this vulnerability.)While the USB exec vulnerability now seems to be patched, it requires driving to a service center to have the firmware updated.
kylma, Flash dumping, Blackhoodie 17
This talk explains how to dump flash – the style of the presentation is similar to a workshop. The methodology is:
Extract the flash chip from the board. You can do this using a hot air soldering gun.
Design a breakout PCB for the chip. You’ll need to read the specs for the chip and find which pins you are interested in. The slides explain well the differences between most chip packages: DIP, SOP, BGA, QFP and LCC. Then, using that information, design the PCB with a tool such as Kicad (open source)
Create the PCB. The presentation explains the etching process and milling.
Solder the chip onto the breakout PCB. Most of the time, this requires a microscope.
Dump it with a TNM5000 programmer
GreHack also featured a cool micro-soldering workshop where attendees could experiment with de-soldering and re-balling. Both GreHack speakers and kylma came to the same conclusion: hardware reverse engineering tools are not as expensive as people think they are. You can get excellent microscopes for 500 euros or less, and most equipment is easily affordable for a company or even an individual amateur.
R. Lifchitz, Security Review of Proximity Technologies: Beacons and Physical, BlackAlps, slides video
Screenshot taken from YouTube video
Beacons are typically low-cost, small Bluetooth Low Energy (BLE) devices meant to advertise data and/or interact withexisting applications within BLE range (max of around 100 meters).
There are two primary types of Beacons: iBeacon (Apple) and EddyStone (Google). According to Wikipedia, there are also AltBeacon and URIBeacon, though these are less frquently used.
To scan, read, or clone beacons, the following tools are useful:
Android BLE applications such as nRF Connect or Beacon Toy
Linux BLE tools:
hcitoolto scan and
hcidump --raw -X -tto read data
For hardware forensics, beacons typically aren’t very secure and test points are often accessible. It is also possible to access the Flash chip and dump it.
As you’d expect, beacons are handy (an easy way to broadcast short information), but they are quite unsecure. Don’t use them to broadcast sensitive information such as traffic jams, etc ;-( because information can be spoofed, cloned, etc.
The Ph0wn smart devices CTF featured a BLE beacon challenge. That beacon advertised an encrypted message and participants needed to find a way to decrypt it.
Azeria, Writing ARM Shellcode, Blackhoodie 17
Azeria’s ARM cheat sheet can be downloaded here
Those labs are a nice introduction to ARM assembly and shellcode writing. They are well explained and helpful for newcomers to the ARM architecture. In particular, you can learn:
How to compile ARM assembly on a Raspberry Pi, or a QEMU with RPi.
How to find a given syscall number
How to force Thumb mode
How to prevent null bytes in a shellcode, using instructions such as
eor x, xinstead of
mov x, #0
— the Crypto Girl (aka cryptax)