Large Scale Security Analysis of Embedded Devices' Firmware
Total Page:16
File Type:pdf, Size:1020Kb
Load more
Recommended publications
-
Adagio for the Internet of Things Iot Penetration Testing and Security Analysis of a Smart Plug
DEGREE PROJECT IN COMPUTER ENGINEERING, FIRST CYCLE, 15 CREDITS STOCKHOLM, SWEDEN 2021 Adagio For The Internet Of Things IoT penetration testing and security analysis of a smart plug RAMAN SALIH KTH ROYAL INSTITUTE OF TECHNOLOGY SCHOOL OF ELECTRICAL ENGINEERING AND COMPUTER SCIENCE Adagio For The Internet Of Things IoT penetration testing and security analysis of a smart plug Raman Salih Supervisor: Pontus Johnson Examiner: Robert Lagerström Abstract— The emergence of the Internet of Things (IoT) Index Terms— Hacking; Wi-Fi; Threat model; IoT security; shows us that more and more devices will be connected to Smart plug the internet for all types of different purposes. One of those devices, the smart plug, have been rapidly deployed because I. INTRODUCTION of the ease it brings users into achieving home automation by turning their previous dumb devices smart by giving them As technology becomes smaller, faster, and more the means of controlling the devices remotely. These IoT connected over time it leads to more and more potential devices that gives the user control could however pose devices to join the internet and exchange data between serious security problems if their vulnerabilities were not carefully investigated and analyzed before we blindly themselves. Everything from coffee makers to blinds for your integrate them into our everyday life. In this paper, we do a windows may one day be connected to the internet and be threat model and subsequent penetration testing on a smart controlled remotely and dynamically. This category of plug system made by particular brand by exploiting its devices is known as the Internet of Things (IoT) and is set to singular communication protocol and we successfully launch reach 20.4 billion connected devices by 2020 according to a five attacks: a replay attack, a MCU tampering attack, a forecast made by Gartner 1 . -
A Letter to the FCC [PDF]
Before the FEDERAL COMMUNICATIONS COMMISSION Washington, DC 20554 In the Matter of ) ) Amendment of Part 0, 1, 2, 15 and 18 of the ) ET Docket No. 15170 Commission’s Rules regarding Authorization ) Of Radio frequency Equipment ) ) Request for the Allowance of Optional ) RM11673 Electronic Labeling for Wireless Devices ) Summary The rules laid out in ET Docket No. 15170 should not go into effect as written. They would cause more harm than good and risk a significant overreach of the Commission’s authority. Specifically, the rules would limit the ability to upgrade or replace firmware in commercial, offtheshelf home or smallbusiness routers. This would damage the compliance, security, reliability and functionality of home and business networks. It would also restrict innovation and research into new networking technologies. We present an alternate proposal that better meets the goals of the FCC, not only ensuring the desired operation of the RF portion of a WiFi router within the mandated parameters, but also assisting in the FCC’s broader goals of increasing consumer choice, fostering competition, protecting infrastructure, and increasing resiliency to communication disruptions. If the Commission does not intend to prohibit the upgrade or replacement of firmware in WiFi devices, the undersigned would welcome a clear statement of that intent. Introduction We recommend the FCC pursue an alternative path to ensuring Radio Frequency (RF) compliance from WiFi equipment. We understand there are significant concerns regarding existing users of the WiFi spectrum, and a desire to avoid uncontrolled change. However, we most strenuously advise against prohibiting changes to firmware of devices containing radio components, and furthermore advise against allowing nonupdatable devices into the field. -
Home Automation for Tinkerers
Home Automation for tinkerers Abílio Costa [email protected] Once upon a time... Where it all begun ● I had 3 wireless power sockets! (yay?) ● But I was using only one. Why? ○ Only a single remote: ■ How to use the other two in different rooms? ○ They were dumb. ¯\_(ツ)_/¯ ■ It would be nice to have one of them turn on/off on a schedule? Poor man’s solution ● An Arduino Nano + 433MHz RF transmitter + RF receiver. ○ Total cost: less than 5€. ○ Arduino sketch using the RC Switch library. ○ USB to a Raspberry Pi for the brains. ○ Script on the Raspberry Pi; exposing HTTP endpoints. ● My home was now so very smart! ○ Control each power socket through my phone. ○ Office desk power turns on automatically when I get home. ○ Bedroom lamp turned on automatically after the morning alarm. ○ I could buy more power sockets, even from other brands! ● The same idea can be used to interact with many other things: ○ Alarm sensors; Doorbells; Garage doors; etc. Next step: home automation software Why? ● Better management (my script wasn't going very far). ● Allow integrating other devices besides the power plugs. ● Make devices from different brands / protocols talk to each other. ● UI included! Home automation solutions ● Open-source software: ○ Home Assistant ○ Domoticz ○ OpenHAB ○ Pimatic ● Commercial hardware + software: ○ SmartThings ○ Vera ○ Xiaomi Home Assistant Home Assistant ● Good looking and customizable web UI (uses Google Polymer). ● Lightweight; extra functionality added with a plugin-like system. ● Very powerful automation engine (IFTTT on steroids). ● Autodiscovery: many devices will just show up without any config! ● Local: no cloud dependency! ● REST API available. -
How to Install / Use Custom Firmware (Or CFW) on Any Sony
www.markfixesstuff.co.uk Mark Fixes Stuff ‐ Sony PSP CFW guide V1.0 How to install / use Custom Firmware (or CFW) on any Sony PSP Scope: This document is intended to enable you to use Custom Firmware on you Playstation Portable console. It will work as a permanent install for PSP models in the 1000 and 2000 series, and will also function on later models as a loader that can be initiates at the start of each play session. Notes: ‐ I did not write this firmware! Credit for this goes to DJ Godman! ‐ This process is reversible, although as with any hack there is an unlikely chance you might brick your system. I cannot take responsibility for any issues you might encounter. ‐ I have use this process countless times with no problems. ‐ Although this process will allow the playing of pirated ISO files, I do not endorse nor condone piracy, and this process is described to allow you to use homebrew PSP games, emulators or your own ripped software that you own. Please read the entire document first and then you will be able to use it for reference as you hack your PSP! www.markfixesstuff.co.uk Mark Fixes Stuff ‐ Sony PSP CFW guide V1.0 Process: 1. Determine your current Official Firmware (OFW) Version. From the dashboard select Settings, then System Settings. Then System Information. You will see your PSP's official firmware version. Here it's 6.60. You will need at least 6.20!!! www.markfixesstuff.co.uk Mark Fixes Stuff ‐ Sony PSP CFW guide V1.0 2. -
USBESAFE: an End-Point Solution to Protect Against USB-Based Attacks
USBESAFE: An End-Point Solution to Protect Against USB-Based Attacks Amin Kharraz†‡ Brandon L. Daley ‡ Graham Z. Baker William Robertson‡ Engin Kirda‡ MIT Lincoln Laboratory †University of Illinois at Urbana-Champaign ‡Northeastern University Abstract automatically scans removable devices including USB sticks, memory cards, external hard drives, and even cameras after Targeted attacks via transient devices are not new. How- being plugged into a machine. Unfortunately, bypassing such ever, the introduction of BadUSB attacks has shifted the attack checks is often not very difficult as the firmware of USB de- paradigm tremendously. Such attacks embed malicious code vices cannot be scanned by the host. In fact, the introduction in device firmware and exploit the lack of access control in of BadUSB attacks has shifted the attack paradigm tremen- the USB protocol. In this paper, we propose USBESAFE as a dously as adversaries can easily hide their malicious code mediator of the USB communication mechanism. By lever- in the firmware, allowing the device to take covert actions aging the insights from millions of USB packets, we propose on the host [9]. A USB flash drive could register itself as techniques to generate a protection model that can identify both a storage device and a Human Interface Device (HID) covert USB attacks by distinguishing BadUSB devices as a such as a keyboard, enabling the ability to inject surreptitious set of novel observations. Our results show that USBESAFE keystrokes to carry out malice. works well in practice by achieving a true positive [TP] rate of 95.7% with 0.21% false positives [FP] with latency as low Existing defenses against malicious USB devices have re- as three malicious USB packets on USB traffic. -
Demystifying Internet of Things Security Successful Iot Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M
Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment — Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Ned Smith David M. Wheeler Demystifying Internet of Things Security: Successful IoT Device/Edge and Platform Security Deployment Sunil Cheruvu Anil Kumar Chandler, AZ, USA Chandler, AZ, USA Ned Smith David M. Wheeler Beaverton, OR, USA Gilbert, AZ, USA ISBN-13 (pbk): 978-1-4842-2895-1 ISBN-13 (electronic): 978-1-4842-2896-8 https://doi.org/10.1007/978-1-4842-2896-8 Copyright © 2020 by The Editor(s) (if applicable) and The Author(s) This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. Open Access This book is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made. The images or other third party material in this book are included in the book’s Creative Commons license, unless indicated otherwise in a credit line to the material. -
America Exposed Who’S Watching You Through Your Computer’S
America Exposed Who’s Watching You Through Your Computer’s Camera? May 2017 By: James Scott, Senior Fellow, The Institute for Critical Infrastructure Technology 1 America Exposed Who’s Watching You Through Your Computer’s Camera May 2017 Authored by: James Scott, Sr. Fellow, ICIT Except for (1) brief quotations used in media coverage of this publication, (2) links to the www.icitech.org website, and (3) certain other noncommercial uses permitted as fair use under United States copyright law, no part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher. For permission requests, contact the Institute for Critical Infrastructure Technology. Copyright © 2017 Institute for Critical Infrastructure Technology – All Rights Reserved ` 2 Support ICIT & Increase Webcam Privacy CamPatch®, the world’s leading manufacturer of webcam covers, is proud to donate 100% of net proceeds to ICIT. Custom Branded Webcam Covers are a powerful tool for security training initiatives, and are a valuable and impactful promotional giveaway item. Visit www.CamPatch.com or contact [email protected] to learn more. Upcoming Events The Annual ICIT Forum June 7, 2017, The Four Seasons Washington D.C. www.icitforum.org ` 3 Contents Are You Being Watched? .............................................................................................................................. 4 Computing Devices -
A Reliable Booting System for Zynq Ultrascale+ Mpsoc Devices
A reliable booting system for Zynq Ultrascale+ MPSoC devices An embedded solution that provides fallbacks in different parts of the Zynq MPSoC booting process, to assure successful booting into a Linux operating system. A thesis presented for the Bachelor of Science in Electrical Engineering at the University of Applied Sciences Utrecht Name Nekija Dˇzemaili Student ID 1702168 University supervisor Corn´eDuiser CERN supervisors Marc Dobson & Petr Zejdlˇ Field of study Electrical Engineering (embedded systems) CERN-THESIS-2021-031 17/03/2021 February 15th, 2021 Geneva, Switzerland A reliable booting system for Zynq Ultrascale+ MPSoC devices Disclaimer The board of the foundation HU University of Applied Sciences in Utrecht does not accept any form of liability for damage resulting from usage of data, resources, methods, or procedures as described in this report. Duplication without consent of the author or the college is not permitted. If the graduation assignment is executed within a company, explicit consent of the company is necessary for duplication or copying of text from this report. Het bestuur van de Stichting Hogeschool Utrecht te Utrecht aanvaardt geen enkele aansprakelijkheid voor schade voortvloeiende uit het gebruik van enig gegeven, hulpmiddel, werkwijze of procedure in dit verslag beschreven. Vermenigvuldiging zonder toestemming van de auteur(s) en de school is niet toegestaan. Indien het afstudeerwerk in een bedrijf is verricht, is voor vermenigvuldiging of overname van tekst uit dit verslag eveneens toestemming van het bedrijf vereist. N. Dˇzemaili page 1 of 110 A reliable booting system for Zynq Ultrascale+ MPSoC devices Preface This thesis was written for the BSc Electrical Engineering degree of the HU University of Applied Sciences Utrecht, the Netherlands. -
SECURING the INTERNET of THINGS the Emerging Internet of Things Raises New Security Concerns and Puts a Spin on Old Ones
INFORMATION AUGUST 2014 EDITOR’S DESK: INTERNET OF THINGS AND ECURITY SECURITY S Insider Edition SECURING THE INTERNET OF THINGS The emerging Internet of Things raises new security concerns and puts a spin on old ones. In this Insider Edition, InfoSec pros find out how to assess IoT risks and create an effective IoT security policy. IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS? WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGS EDITOR’S DESK The Benefits of the Internet of Things HOME EDITOR’S DESK Can’t Overshadow Security Concerns SEVEN IOT RISKS While connecting billions of new devices to the Internet offers many advantages, YOU MUST CONSIDER organizations must also manage the risks involved. BY BRANDAN BLEVINS IS YOUR SECURITY PROGRAM READY FOR THE INTERNET OF THINGS? WHO’S IN CHARGE HERE? SECURING THE INTERNET OF THINGS Y 2015, CISCO predicts that around 25 bil- enterprise IoT risks today, some of which will look famil- lion devices will be connected to the iar on first glance: DDoS attacks, patch management chal- Internet. That number is expected to lenges and traffic analytics. The nature and number of IoT double by 2020. This web of Internet- devices puts a twist on those risks, though. connected devices, dubbed the Inter- In the other features, we explore some of the challen- net of Things, has been touted by tech giants as a way to ges associated with securing IoT devices. Experts say the Befficiently share data and improve lives. Indeed, we’ve devices may not have the processing power to run security already seen compelling products introduced, and the software, while debate also remains over which party is companies creating these items are profiting from API even responsible for securing the Internet of Things. -
Conference Reports
ConferenceREPORTS Reports 23rd USENIX Security Symposium AT&T was a US government regulated monopoly, with over August 20–22, 2014, San Diego 90% of the telephone market in the US. They owned everything, Summarized by David Adrian, Qi Alfred Chen, Andrei Costin, Lucas Davi, including the phones on desktops and in homes, and, as a monop- Kevin P. Dyer, Rik Farrow, Grant Ho, Shouling Ji, Alexandros Kapravelos, oly, could and did charge as much as $5 per minute (in 1950) for a Zhigong Li, Brendan Saltaformaggio, Ben Stock, Janos Szurdi, Johanna cross-country call. In 2014 dollars, that’s nearly $50 per minute. Ullrich, Venkatanathan Varadarajan, and Michael Zohner In the beginning, the system relied on women, sitting in front Opening Remarks of switchboards with patch cables in hand, to connect calls. Summarized by Rik Farrow ([email protected]) Just like Google today, AT&T realized that this model, relying on human labor, cannot scale with the growth in the use of the Kevin Fu, chair of the symposium, started off with the numbers: telephone: They would have needed one million operators by a 26% increase in the number of submissions for a total of 350, 1970. Faced with this issue, company researchers and engineers and 67 papers accepted, a rate of 19%. The large PC was perhaps developed electro-mechanical switches to replace operators. not large enough, even with over 70 members, and included out- side reviewers as well. There were 1340 paper reviews, with 1627 The crossbar switch, first used only for local calls, used the pulse follow-up comments, and Fu had over 8,269 emails involving the of the old rotary telephone to manipulate a Strowger switch, symposium. -
Sok: “Plug & Pray” Today – Understanding USB Insecurity In
SoK: “Plug & Pray” Today – Understanding USB Insecurity in Versions 1 through C Dave (Jing) Tian∗, Nolen Scaife∗, Deepak Kumary, Michael Baileyy, Adam Batesy, Kevin R. B. Butler∗ ∗University of Florida fdaveti, scaife, butlerg@ufl.edu yUniversity of Illinois at Urbana-Champaign fdkumar11, mdbailey, [email protected] Abstract—USB-based attacks have increased in complexity in systematizing the defenses present in the USB ecosystem, we recent years. Modern attacks now incorporate a wide range of find that most defenses often focus on protecting a single layer, attack vectors, from social engineering to signal injection. To which proves ineffective against a suite of attacks that appear address these challenges, the security community has responded with a growing set of fragmented defenses. In this work, at many communication layers. In addition, misaligned goals we survey and categorize USB attacks and defenses, unifying between industry and academia further fragment the defense observations from both peer-reviewed research and industry. space. Commercial solutions focus on the prevention of data Our systematization extracts offensive and defensive primitives loss and anti-malware without regard for emerging attack that operate across layers of communication within the USB vectors, while research prototypes vary and are hamstrung by ecosystem. Based on our taxonomy, we discover that USB attacks often abuse the trust-by-default nature of the ecosystem, and the lack of built-in security building blocks in the existing transcend different layers within a software stack; none of USB specifications. As a result, research solutions often rely the existing defenses provide a complete solution, and solutions on new host and peripheral architectures that are unlikely to expanding multiple layers are most effective. -
Centralized Library Management for Heterogeneous Iot Devices
Capture: Centralized Library Management for Heterogeneous IoT Devices Han Zhang Abhijith Anilkumar Matt Fredrikson Carnegie Mellon University Carnegie Mellon University Carnegie Mellon University Yuvraj Agarwal Carnegie Mellon University Abstract protocols [43], and outdated software [57,61]. Making matters worse, despite their deployment in homes, these devices may With their growing popularity, Internet-of-Things (IoT) de- connect directly to public Internet hosts to send data and even vices have become attractive targets for attack. Like most listen for incoming connections [30, 64]. If any of them are modern software systems, IoT device firmware depends on compromised, attackers can easily wreak further havoc by external third-party libraries extensively, increasing the at- moving on to other devices on the same network [5, 80]. tack surface of IoT devices. Furthermore, we find that the risk is compounded by inconsistent library management prac- Although many current IoT exploits originate from miscon- tices and delays in applying security updates—sometimes figurations, weak credentials, and insecure applications [3,40], hundreds of days behind the public availability of critical the extensive use of third-party libraries in IoT devices may patches—by device vendors. Worse yet, because these depen- have security implications but remains overlooked. Vulnera- dencies are “baked into” the vendor-controlled firmware, even bilities in common libraries, when left unpatched, can affect security-conscious users are unable to take matters into their a massive number of devices (e.g., CallStrager [82] and Rip- own hands when it comes to good security hygiene. ple20 [84]). The security impact of vulnerable libraries in traditional software systems is well-known [12, 14], with We present Capture, a novel architecture for deploying IoT slow rollout of security-critical patches exacerbating the is- device firmware that addresses this problem by allowing de- sue [21,41,49].