際際滷

際際滷Share a Scribd company logo

Microcontroller mayhem - ECTF & USSS 2011

W
warezjoe

This document discusses the emerging threat of USB microcontrollers as an attack platform. It provides background on microcontrollers and how they have evolved alongside USB devices. Attackers now commonly use inexpensive microcontrollers like Arduino and Teensy boards to carry out attacks. These can emulate human interface devices like keyboards to gain access to systems before they fully boot. They are small and concealable, and can be used to inject malware, steal data, or sabotage industrial systems. Existing security tools may not detect these types of attacks. The document warns that blended hardware/software attacks will likely increase and that security will need to adapt to address threats from programmable devices.

1 of 34
Downloaded 13 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
Microcontroller mayhem - ECTF & USSS 2011
Pop Quiz! You are an investigator. What do you think when you see this?
Microcontroller mayhem - ECTF & USSS 2011
USB Microcontrollers as an Attack Platform
Who am I Information Security Operations Manager for Federal Reserve Background - Threat Management, Forensics and Incident Response Local Instructor for the SANS Institute GCIA, GCFA, GCIH Board Officer - Philadelphia Chapter of InfraGard 2010 Excellence in Government Service award Writer / Researcher Corporate Espionage & Emerging Threats
Disclaimer Everything presented here is based on personal research. Statements and opinions are based on my personal perspective and does not reflect those of my employer. I do not work for nor do I endorse any product or solution providers. All testing was performed in a controlled isolated environment. I do not condone the use of microcontrollers for malicious purposes. Material presented here is for educational purposes.
Agenda Microcontroller primer Evolution of USB based attacks New & Emerging USB Threats Wired and wireless attacks Real World examples Challenges to Security Professionals What the future holds Q&A
Primer What are Microcontrollers What classifies as a microcontroller? Small programmable computer Same fundamental components of a computer Typically an embedded device Self contained Typically interact with other systems Characteristics Small Low cost Low power Easily integrated Highly adaptable & tolerant Wired or Wireless
Primer What are Microcontrollers Continued.. Whats the relationship to USB devices? Virtually all USB devices have some form of microcontrollers in them USB devices and microcontrollers have evolved together over the years Consumer grade microcontrollers are often connected, programmed, controlled and interfaced via USB. рNo electronic device interacts more with the physical world than Microcontrollers!
Primer What are Microcontrollers Continued.. Where are microcontrollers used? Computer peripherals Electronics (ipods, smart phones, tv, toasters, etc.) Becoming more popular in appliances (washer, dryers, etc.) Home water and gas meters Sensors (heat, water, pressure, etc.) SCADA Systems (Supervisory Control & Data Acquisition) HVAC (Heating & AC) Fire suppression Systems Lighting Systems USB connected electronics So whats the connection to USB devices?
In The Beginning Attacks Were Without Form USB Antiquity Attacks & Malware Since Inception USB keys and other connected devices have contained malicious code Stand alone binaries Relied on luck or social engineering User initiated (Clicking the file) More focused on destruction and propagation Popularity grows Price Drops USB as a malware transport increases (Slightly) Many variations of drives become available Drives become very small Very cost effective data storage
Things Start Getting Interesting Around 5-7 years ago USB drive popularity explodes Highly reliable for storing large amounts of data Cost effective way of storing data Operating Systems on a stick USB booting supported on most major operating systems Self contained operating system Bootable images become widely available U3 drives Hit the market! Small microcontroller emulates Cdrom drive Read-only ISO9660 volume AutoRun Advantage Ability to be reflash
Things Start Getting Interesting Cont New attack platform emerges! U3 drives USB Hacksaws (Switchblade) Utilized AutoRun features of Windows Many variations created Highly adaptable & effective* PsStart spinoff Non-U3 variations created Utilized autorun.inf & icons Somewhat effective
Security Industry Catches up The Attack method Still works but. The attack is well know in the Info. Sec. Community Only affective against Windows OS up to WinXP SP2. WinXP SP3 and Windows 7 disabled AutoRun. Not as effective on Mac, Linux, etc. AntiVirus, Malware, DLP & IDS detect most variants Forensically easy to detect on system Application Logs Network logs System logs
The Bad Guys (Evolve) Alter their Tactics What would the next evolution of USB attacks need? Interacts, powered, developed, controlled via USB Adapt to changes in motive Looking to make money Corporate Espionage / Data Theft Botnets / System compromises Fast and capable of surreptitiously executing code Easy to develop and modify Small (concealable) Ample storage or ability to add additional storage Forensically difficult to detect* Easily integrated with both wired and wireless Networks CHEAP!
Microcontrollers become the new attack Platform of Choice Arduino Microcontrollers Beginner friendly Highly Adaptable / Capable Low power consumption (powered via USB) Come in all sizes and shapes Easy to build and develop (C++ish language) Large repositories of available code Huge community following! Large assortment of add-ons (shields) CHEAP! Other Microcontrollers (Parallax & Texas Instruments) Basic Stamp I & II MSP430 LaunchPad
Arduino Microcontrollers
Two devices rise to the Top Broadest range of functionality Embraced by the Hacker and criminal community Unique characteristics that make them attractive from an Attackers perspective Free development environment Inexpensive / disposable ($20 to $45) Small and easily concealed
Teensy Microcontroller Teensy Created by Paul Stoffregen and Robin Coon http://www.pjrc.com Originally designed to be a USB development board Not Technically an Arduino Very small 1.2 by 0.7 AVR processor, running up to 16mhz ATMEGA32U4 Chip 32k flash memory Teensyduino allows the Teensy to use the Arduino IDE Some disadvantages Limited storage space (32k flash) fills up pretty quick with Libraries Small number of I/O pins Defaults to only 2mhz* If running at 3.3v cant go over 8mhz Built in ability to emulate HID devices!
Teensy Microcontroller What is a HID device? Human Interface Device (HID) Most commonly a Keyboard / Mouse Many other interface devices that are used to enter data HID devices are very special HID devices initiate before at system startup Load before operating system and other software Use a special abstract layer that doesnt require an OS Have unique allocations of (ram) memory Has for the most part been unchanged for many years Well documented
Hacker community Develops PhukD Libraries Hacker community discovers the HID capabilities Programmable HID USB Keystroke Dongle Free Open source Platform independent (Windows, Mac, etc.) Easy to use and well documented Emulates a person at the keyboard* Complete control of a system before it boots Can inject any combination of keystrokes Provides special key combinations for Windows systems Can execute commands, move files, delete files Think about the possibilities!
How it is being used Numerous examples of their uses have been seen in the wild Several example code snippets have been released Embedded in common devices (mice, keyboards, toys, etc.) Identify specific keystrokes or passwords from a device Teensy as a Social Engineering Toolkit component (SET) Disable Anti-virus or Firewall configuration Open Browser to Malicious site to download code Powershell to compile exploit code Wscript HTTP GET MSF reverse shell
Its potential uses Used by an insider there are many potential attacks / applications The Incriminator A warning to Forensic Analysts Inject false files and data on to a target system Extremely difficult to repudiate* Very effective for data theft or espionage Leave posts on pages Download files Send emails Snag documents Upload documents to remote site Execute tasks based on time /date Drive by or done over long periods Defense Lawyers dream
What Would a Security Analyst Do? Think about the forensic process. Capture memory, running processes from live system etc. Make a bit-by-bit image Create a timeline Review activity and look for evidence Browser history, email vids, pics, etc. Files, docs, etc. Collect findings and generate report
Teensy - Incriminator Existing Forensic Tools are not designed to effectively detect HID type of attacks Executed commands run under the context of the logged in user Application execution (Firefox, Internet Explorer, etc.) File attributes will show time, date and file owner all point to target user Directory structure will show folder owned by target user Registry and typically reviewed files Usbapi.log will show little to no evidence that anything malicious or abnormal transpired on the system USBstor keys show no evidence and a keyboard is unlikely to raise suspicion Device does not tag the registry with many of the keys since it is not a mass storage device Logs Application logs will not identify anyone but the logged in user as the source of the activity Content filtering logs will confirm users activity Browser history will not be a pretty site
Limitations of this type of attack One size does not fit all Needs to be highly specialized and target to an individual business or person Requires physical access to the system* Must be connected to target machine during the entire attack Require some knowledge of environment and system configuration Computer make, model, specs, etc. Commonly used hardware (keyboards, mice, etc.) Knowledge of habits and installed software Attack has some timing requirements Attack is limited to wired systems. At least for now!*
Shifting gears - Lets go wireless! A spinoff to USB based attacks emerges Niche wireless has become a focus Zigbee (xbee) 802.15.4 2.4 Ghz range FreakLabs Chibi Arduino device Low power, low cost, decent range Simplicity of setup and design Easily implemented (no wiring costs or labor) Not a new protocol but has only recently been adopted Not heavily used on consumer products (currently) Very heavily used in industrial applications
Why Zigbee & Why should we care The motives of attackers continues to shift Cyber warfare, Terrorism, Extortion Very little today in the way of detection & defense Zigbee enabled Microcontrollers are widely used in Industry Widely deployed in U.S. and Europe Commonly found in Refineries (mixture, flow control, pressure etc.) Water treatment facilities (value control, pressure, leak detection) Power plants Manufacturing plants (system control belts, lighting, combustibles) Medical Systems monitoring, reporting (BP & pulse oximeter devices)
Zigbee Attack Types Even low tech attacks can have significant consequences DoS (Communication interruptions between devices) Spoofing data being sent to a device Intentional focused attacks could be devastating! Takedown power grid Chemical explosions, fires Contamination (Water, Food, Materials, etc.) Some of these attack vectors exist today Very difficult to detect No products exist today to monitoring or protect against attacks Lack of awareness about the risks and threats
Microcontroller mayhem - ECTF & USSS 2011
In Summary USB microcontrollers are a new attack platform Devices are inexpensive & easy to learn and use! Criminals have found them and are learning Fast! Attack tools exist today to use these new technologies These devices are designed for attacks against people and/or infrastructure. (Data theft, Espionage, Terrorism) Wireless microcontrollers are used extensively in industry Simple attacks can have a real impact There is a lack of awareness and understanding about these types of attacks It can be extremely difficult to detect USB microcontroller attacks with existing security tools and forensic practices We are adapting to these new attacks slower than the bad guys!
Where are Things Going? What does the future hold? The use of blended attacks using hardware and software devices will continue to grow. Microcontrollers as an attack platform will grow rapidly More specialized USB microcontroller attack tools will be developed. Attacks will be more focused on infrastructure & financial targets Organizations will start focusing resources to monitor for blended attacks I suspect well start seeing the big vendors start selling products that play in this space. Blended (hardware & software) security will become a new field or specialty in Information Security and/or Law Enforcement
Microcontroller mayhem - ECTF & USSS 2011
THANK YOU!!! Contact information : Brad Bowers bbowers@digitalintercept.com
Ad

Recommended

Computer Viruses
Computer Viruses
mkgspsu
Securing embedded systems
Securing embedded systems
aissa benyahya
Free Libre Open Source Software Development
Free Libre Open Source Software Development
Frederik Questier
Computer , Internet and physical security.
Computer , Internet and physical security.
Ankur Kumar
CH. 5 Computer Security and Safety, Ethics and Privacy
CH. 5 Computer Security and Safety, Ethics and Privacy
malik1972
Internet security
Internet security
Antony Mathew
2014CyberSecurityProject
2014CyberSecurityProject
Kaley Hair
Senior Technology Education
Senior Technology Education
Summerpair77
Chapter 11
Chapter 11
Mohd Khairil Borhanudin
Important keyword to remember
Important keyword to remember
Iszamli Jailani
Computer security risks
Computer security risks
Aasim Mushtaq
System failure
System failure
chrispaul8676
Computer Security
Computer Security
Greater Noida Institute Of Technology
The effects of using ict
The effects of using ict
odalyfer
Information security and privacy
Information security and privacy
Joy Chakraborty
Computer security: hackers and Viruses
Computer security: hackers and Viruses
Wasif Ali Syed
WhatsApp Forensic
WhatsApp Forensic
Animesh Shaw
Operating Systems: Computer Security
Operating Systems: Computer Security
Damian T. Gordon
Open Source Software
Open Source Software
Andrew Nolen, MCJ/FP, CDCA
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
lbcollins18
Desktop Pc Computer Security
Desktop Pc Computer Security
Nicholas Davis
BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
Unit 1 introduction to computers
Unit 1 introduction to computers
San Diego Continuing Education
Computer Security and Risks
Computer Security and Risks
Miguel Rebollo
6unit1 virus and their types
6unit1 virus and their types
Neha Kurale
Barcamp: Open Source and Security
Barcamp: Open Source and Security
Joshua L. Davis
01-intro-thompson.ppt
01-intro-thompson.ppt
SadiaMuqaddas
Computer and Network Security
Computer and Network Security
Asif Raza
01-intro-thompson.ppt
01-intro-thompson.ppt
ROHITCHHOKER3

More Related Content

What's hot (18)

Chapter 11
Chapter 11
Mohd Khairil Borhanudin
Important keyword to remember
Important keyword to remember
Iszamli Jailani
Computer security risks
Computer security risks
Aasim Mushtaq
System failure
System failure
chrispaul8676
Computer Security
Computer Security
Greater Noida Institute Of Technology
The effects of using ict
The effects of using ict
odalyfer
Information security and privacy
Information security and privacy
Joy Chakraborty
Computer security: hackers and Viruses
Computer security: hackers and Viruses
Wasif Ali Syed
WhatsApp Forensic
WhatsApp Forensic
Animesh Shaw
Operating Systems: Computer Security
Operating Systems: Computer Security
Damian T. Gordon
Open Source Software
Open Source Software
Andrew Nolen, MCJ/FP, CDCA
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
lbcollins18
Desktop Pc Computer Security
Desktop Pc Computer Security
Nicholas Davis
BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
Unit 1 introduction to computers
Unit 1 introduction to computers
San Diego Continuing Education
Computer Security and Risks
Computer Security and Risks
Miguel Rebollo
6unit1 virus and their types
6unit1 virus and their types
Neha Kurale
Chapter 11
Chapter 11
Mohd Khairil Borhanudin
Important keyword to remember
Important keyword to remember
Iszamli Jailani
Computer security risks
Computer security risks
Aasim Mushtaq
System failure
System failure
chrispaul8676
Computer Security
Computer Security
Greater Noida Institute Of Technology
The effects of using ict
The effects of using ict
odalyfer
Information security and privacy
Information security and privacy
Joy Chakraborty
Computer security: hackers and Viruses
Computer security: hackers and Viruses
Wasif Ali Syed
WhatsApp Forensic
WhatsApp Forensic
Animesh Shaw
Operating Systems: Computer Security
Operating Systems: Computer Security
Damian T. Gordon
Open Source Software
Open Source Software
Andrew Nolen, MCJ/FP, CDCA
Computer security and_privacy_2010-2011
Computer security and_privacy_2010-2011
lbcollins18
Desktop Pc Computer Security
Desktop Pc Computer Security
Nicholas Davis
BAIT1003 Chapter 11
BAIT1003 Chapter 11
limsh
LIS3353 SP12 Week 9
LIS3353 SP12 Week 9
Amanda Case
Unit 1 introduction to computers
Unit 1 introduction to computers
San Diego Continuing Education
Computer Security and Risks
Computer Security and Risks
Miguel Rebollo
6unit1 virus and their types
6unit1 virus and their types
Neha Kurale

Similar to Microcontroller mayhem - ECTF & USSS 2011 (20)

Barcamp: Open Source and Security
Barcamp: Open Source and Security
Joshua L. Davis
01-intro-thompson.ppt
01-intro-thompson.ppt
SadiaMuqaddas
Computer and Network Security
Computer and Network Security
Asif Raza
01-intro-thompson.ppt
01-intro-thompson.ppt
ROHITCHHOKER3
01-intro-thompson.ppt
01-intro-thompson.ppt
MarcoAntonioSotoVera
Ch02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
Javier Gonz叩lez
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest Ireland
David O'Dowd
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
amrapalibuildersreviews
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
Anton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
Anton Chuvakin
Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdinger
shawn_merdinger
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
HackIT Ukraine
Ch11 system administration
Ch11 system administration
Raja Waseem Akhtar
Ch11
Ch11
Raja Waseem Akhtar
CISSP Week 14
CISSP Week 14
jemtallon
Emerging Threats to Infrastructure
Emerging Threats to Infrastructure
Jorge Orchilles
Role of a Forensic Investigator
Role of a Forensic Investigator
Agape Inc
Mobile security
Mobile security
Stefaan
FINDING FORENSIC ARTIFACTS FROM WINDOW REGISTRY
FINDING FORENSIC ARTIFACTS FROM WINDOW REGISTRY
nitinparashar786
Barcamp: Open Source and Security
Barcamp: Open Source and Security
Joshua L. Davis
01-intro-thompson.ppt
01-intro-thompson.ppt
SadiaMuqaddas
Computer and Network Security
Computer and Network Security
Asif Raza
01-intro-thompson.ppt
01-intro-thompson.ppt
ROHITCHHOKER3
01-intro-thompson.ppt
01-intro-thompson.ppt
MarcoAntonioSotoVera
Ch02 System Threats and Risks
Ch02 System Threats and Risks
Information Technology
Building Trust Despite Digital Personal Devices
Building Trust Despite Digital Personal Devices
Javier Gonz叩lez
Whittaker How To Break Software Security - SoftTest Ireland
Whittaker How To Break Software Security - SoftTest Ireland
David O'Dowd
amrapali builders @@hacking printers.pdf
amrapali builders @@hacking printers.pdf
amrapalibuildersreviews
Smart Bombs: Mobile Vulnerability and Exploitation
Smart Bombs: Mobile Vulnerability and Exploitation
Tom Eston
Anton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
Anton Chuvakin
Csi Netsec 2006 Poor Mans Guide Merdinger
Csi Netsec 2006 Poor Mans Guide Merdinger
shawn_merdinger
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
"Cryptography, Data Protection, and Security For Start-Ups In The Post Snowde...
HackIT Ukraine
Ch11 system administration
Ch11 system administration
Raja Waseem Akhtar
Ch11
Ch11
Raja Waseem Akhtar
CISSP Week 14
CISSP Week 14
jemtallon
Emerging Threats to Infrastructure
Emerging Threats to Infrastructure
Jorge Orchilles
Role of a Forensic Investigator
Role of a Forensic Investigator
Agape Inc
Mobile security
Mobile security
Stefaan
FINDING FORENSIC ARTIFACTS FROM WINDOW REGISTRY
FINDING FORENSIC ARTIFACTS FROM WINDOW REGISTRY
nitinparashar786
Ad

Microcontroller mayhem - ECTF & USSS 2011

  • 2. Pop Quiz! You are an investigator. What do you think when you see this?
  • 4. USB Microcontrollers as an Attack Platform
  • 5. Who am I Information Security Operations Manager for Federal Reserve Background - Threat Management, Forensics and Incident Response Local Instructor for the SANS Institute GCIA, GCFA, GCIH Board Officer - Philadelphia Chapter of InfraGard 2010 Excellence in Government Service award Writer / Researcher Corporate Espionage & Emerging Threats
  • 6. Disclaimer Everything presented here is based on personal research. Statements and opinions are based on my personal perspective and does not reflect those of my employer. I do not work for nor do I endorse any product or solution providers. All testing was performed in a controlled isolated environment. I do not condone the use of microcontrollers for malicious purposes. Material presented here is for educational purposes.
  • 7. Agenda Microcontroller primer Evolution of USB based attacks New & Emerging USB Threats Wired and wireless attacks Real World examples Challenges to Security Professionals What the future holds Q&A
  • 8. Primer What are Microcontrollers What classifies as a microcontroller? Small programmable computer Same fundamental components of a computer Typically an embedded device Self contained Typically interact with other systems Characteristics Small Low cost Low power Easily integrated Highly adaptable & tolerant Wired or Wireless
  • 9. Primer What are Microcontrollers Continued.. Whats the relationship to USB devices? Virtually all USB devices have some form of microcontrollers in them USB devices and microcontrollers have evolved together over the years Consumer grade microcontrollers are often connected, programmed, controlled and interfaced via USB. рNo electronic device interacts more with the physical world than Microcontrollers!
  • 10. Primer What are Microcontrollers Continued.. Where are microcontrollers used? Computer peripherals Electronics (ipods, smart phones, tv, toasters, etc.) Becoming more popular in appliances (washer, dryers, etc.) Home water and gas meters Sensors (heat, water, pressure, etc.) SCADA Systems (Supervisory Control & Data Acquisition) HVAC (Heating & AC) Fire suppression Systems Lighting Systems USB connected electronics So whats the connection to USB devices?
  • 11. In The Beginning Attacks Were Without Form USB Antiquity Attacks & Malware Since Inception USB keys and other connected devices have contained malicious code Stand alone binaries Relied on luck or social engineering User initiated (Clicking the file) More focused on destruction and propagation Popularity grows Price Drops USB as a malware transport increases (Slightly) Many variations of drives become available Drives become very small Very cost effective data storage
  • 12. Things Start Getting Interesting Around 5-7 years ago USB drive popularity explodes Highly reliable for storing large amounts of data Cost effective way of storing data Operating Systems on a stick USB booting supported on most major operating systems Self contained operating system Bootable images become widely available U3 drives Hit the market! Small microcontroller emulates Cdrom drive Read-only ISO9660 volume AutoRun Advantage Ability to be reflash
  • 13. Things Start Getting Interesting Cont New attack platform emerges! U3 drives USB Hacksaws (Switchblade) Utilized AutoRun features of Windows Many variations created Highly adaptable & effective* PsStart spinoff Non-U3 variations created Utilized autorun.inf & icons Somewhat effective
  • 14. Security Industry Catches up The Attack method Still works but. The attack is well know in the Info. Sec. Community Only affective against Windows OS up to WinXP SP2. WinXP SP3 and Windows 7 disabled AutoRun. Not as effective on Mac, Linux, etc. AntiVirus, Malware, DLP & IDS detect most variants Forensically easy to detect on system Application Logs Network logs System logs
  • 15. The Bad Guys (Evolve) Alter their Tactics What would the next evolution of USB attacks need? Interacts, powered, developed, controlled via USB Adapt to changes in motive Looking to make money Corporate Espionage / Data Theft Botnets / System compromises Fast and capable of surreptitiously executing code Easy to develop and modify Small (concealable) Ample storage or ability to add additional storage Forensically difficult to detect* Easily integrated with both wired and wireless Networks CHEAP!
  • 16. Microcontrollers become the new attack Platform of Choice Arduino Microcontrollers Beginner friendly Highly Adaptable / Capable Low power consumption (powered via USB) Come in all sizes and shapes Easy to build and develop (C++ish language) Large repositories of available code Huge community following! Large assortment of add-ons (shields) CHEAP! Other Microcontrollers (Parallax & Texas Instruments) Basic Stamp I & II MSP430 LaunchPad
  • 18. Two devices rise to the Top Broadest range of functionality Embraced by the Hacker and criminal community Unique characteristics that make them attractive from an Attackers perspective Free development environment Inexpensive / disposable ($20 to $45) Small and easily concealed
  • 19. Teensy Microcontroller Teensy Created by Paul Stoffregen and Robin Coon http://www.pjrc.com Originally designed to be a USB development board Not Technically an Arduino Very small 1.2 by 0.7 AVR processor, running up to 16mhz ATMEGA32U4 Chip 32k flash memory Teensyduino allows the Teensy to use the Arduino IDE Some disadvantages Limited storage space (32k flash) fills up pretty quick with Libraries Small number of I/O pins Defaults to only 2mhz* If running at 3.3v cant go over 8mhz Built in ability to emulate HID devices!
  • 20. Teensy Microcontroller What is a HID device? Human Interface Device (HID) Most commonly a Keyboard / Mouse Many other interface devices that are used to enter data HID devices are very special HID devices initiate before at system startup Load before operating system and other software Use a special abstract layer that doesnt require an OS Have unique allocations of (ram) memory Has for the most part been unchanged for many years Well documented
  • 21. Hacker community Develops PhukD Libraries Hacker community discovers the HID capabilities Programmable HID USB Keystroke Dongle Free Open source Platform independent (Windows, Mac, etc.) Easy to use and well documented Emulates a person at the keyboard* Complete control of a system before it boots Can inject any combination of keystrokes Provides special key combinations for Windows systems Can execute commands, move files, delete files Think about the possibilities!
  • 22. How it is being used Numerous examples of their uses have been seen in the wild Several example code snippets have been released Embedded in common devices (mice, keyboards, toys, etc.) Identify specific keystrokes or passwords from a device Teensy as a Social Engineering Toolkit component (SET) Disable Anti-virus or Firewall configuration Open Browser to Malicious site to download code Powershell to compile exploit code Wscript HTTP GET MSF reverse shell
  • 23. Its potential uses Used by an insider there are many potential attacks / applications The Incriminator A warning to Forensic Analysts Inject false files and data on to a target system Extremely difficult to repudiate* Very effective for data theft or espionage Leave posts on pages Download files Send emails Snag documents Upload documents to remote site Execute tasks based on time /date Drive by or done over long periods Defense Lawyers dream
  • 24. What Would a Security Analyst Do? Think about the forensic process. Capture memory, running processes from live system etc. Make a bit-by-bit image Create a timeline Review activity and look for evidence Browser history, email vids, pics, etc. Files, docs, etc. Collect findings and generate report
  • 25. Teensy - Incriminator Existing Forensic Tools are not designed to effectively detect HID type of attacks Executed commands run under the context of the logged in user Application execution (Firefox, Internet Explorer, etc.) File attributes will show time, date and file owner all point to target user Directory structure will show folder owned by target user Registry and typically reviewed files Usbapi.log will show little to no evidence that anything malicious or abnormal transpired on the system USBstor keys show no evidence and a keyboard is unlikely to raise suspicion Device does not tag the registry with many of the keys since it is not a mass storage device Logs Application logs will not identify anyone but the logged in user as the source of the activity Content filtering logs will confirm users activity Browser history will not be a pretty site
  • 26. Limitations of this type of attack One size does not fit all Needs to be highly specialized and target to an individual business or person Requires physical access to the system* Must be connected to target machine during the entire attack Require some knowledge of environment and system configuration Computer make, model, specs, etc. Commonly used hardware (keyboards, mice, etc.) Knowledge of habits and installed software Attack has some timing requirements Attack is limited to wired systems. At least for now!*
  • 27. Shifting gears - Lets go wireless! A spinoff to USB based attacks emerges Niche wireless has become a focus Zigbee (xbee) 802.15.4 2.4 Ghz range FreakLabs Chibi Arduino device Low power, low cost, decent range Simplicity of setup and design Easily implemented (no wiring costs or labor) Not a new protocol but has only recently been adopted Not heavily used on consumer products (currently) Very heavily used in industrial applications
  • 28. Why Zigbee & Why should we care The motives of attackers continues to shift Cyber warfare, Terrorism, Extortion Very little today in the way of detection & defense Zigbee enabled Microcontrollers are widely used in Industry Widely deployed in U.S. and Europe Commonly found in Refineries (mixture, flow control, pressure etc.) Water treatment facilities (value control, pressure, leak detection) Power plants Manufacturing plants (system control belts, lighting, combustibles) Medical Systems monitoring, reporting (BP & pulse oximeter devices)
  • 29. Zigbee Attack Types Even low tech attacks can have significant consequences DoS (Communication interruptions between devices) Spoofing data being sent to a device Intentional focused attacks could be devastating! Takedown power grid Chemical explosions, fires Contamination (Water, Food, Materials, etc.) Some of these attack vectors exist today Very difficult to detect No products exist today to monitoring or protect against attacks Lack of awareness about the risks and threats
  • 31. In Summary USB microcontrollers are a new attack platform Devices are inexpensive & easy to learn and use! Criminals have found them and are learning Fast! Attack tools exist today to use these new technologies These devices are designed for attacks against people and/or infrastructure. (Data theft, Espionage, Terrorism) Wireless microcontrollers are used extensively in industry Simple attacks can have a real impact There is a lack of awareness and understanding about these types of attacks It can be extremely difficult to detect USB microcontroller attacks with existing security tools and forensic practices We are adapting to these new attacks slower than the bad guys!
  • 32. Where are Things Going? What does the future hold? The use of blended attacks using hardware and software devices will continue to grow. Microcontrollers as an attack platform will grow rapidly More specialized USB microcontroller attack tools will be developed. Attacks will be more focused on infrastructure & financial targets Organizations will start focusing resources to monitor for blended attacks I suspect well start seeing the big vendors start selling products that play in this space. Blended (hardware & software) security will become a new field or specialty in Information Security and/or Law Enforcement
  • 34. THANK YOU!!! Contact information : Brad Bowers bbowers@digitalintercept.com
About
息 2025 際際滷