CAS CS591 Topics in Internet Security


  1. CAS CS591 Topics in Internet Security Kingpin (kingpin@L0pht.com) http://www.L0pht.com [L-zero-P-H-T] Hardware and Embedded System Security Pitfalls

  2. Introduction • The L0pht • Origin • Mission • Members • Who am I?

  3. The L0pht - Origin • Banded together in 1992 • Originally set out as a simple communal storage area • Combination of everyone’s “junk” turned into gems • From networks to watchdogs • The security puzzle

  4. The L0pht - Mission • Learn and explore • Provide an unbiased soap-box for our views and beliefs on technology • Give back to the network security community without playing favorites • Have the place self perpetuate (pay for itself)

  5. The L0pht - Members • Mudge • Weld Pond • Kingpin • John Tan • Brian Oblivion • Space Rogue • Silicosis • Dildog

  6. Kingpin • Involved with the L0pht since its inception in 1992 • Electrical engineer, hardware hacker • Dial-up/telephone systems • Product design

  7. Hardware and Embedded System Security Pitfalls • Security problems aren’t just limited to software • Consider all possibilities when interfacing with the outside world! • Any design can have fundamental flaws

  8. Applications • The examples that follow range from simple to complex devices

  9. Answering Machine • Users can remotely access supervisory functions of various answering machines • "Secure" 3-digit password: at most 10^3 = 1000 combinations • Hardware jumpers determine the password, so only 2 * 2 * 4 = 16 combinations are actually possible (371, 372, …, 485, 486) • AT&T Model 1320

  10. Ethernet MAC Cloning • Consider the same easy user-accessibility issues in other products • MAC address is stored in an easily reprogrammable serial EEPROM • http://www.L0pht.com/~kingpin/mac_address_cloning.pdf • Can often be done from the vendor's configuration software, with no hardware work at all

  11. PalmOS: BeamCrack • A one-bit flag in each database header determines whether it can be "beamed" (copied over IR) or not • Designed for the convenience of the application developer, not for the practical security of applications; any program with database access can flip the bit • http://www.L0pht.com/~kingpin/pilot.html

  12. PalmOS: BeamCrack (cont.)

    #include <PalmOS.h>

    // Surrounding declarations added for context; the loop body is the original slide code.
    UInt16  cardNo = 0;                         // card 0 = the device's internal memory
    UInt16  numDatabases = DmNumDatabases(cardNo);
    Boolean dbProtect = true;                   // true = set beam-lock, false = clear it
    LocalID dbID;
    UInt16  attributes;
    UInt16  i;

    for (i = 0; i < numDatabases; ++i) {
        dbID = DmGetDatabase(cardNo, i);        // Retrieve the database ID of a database by index
        if (dbID) {                             // If it exists...
            // Get the current attributes, turn on/off protection, and save them.
            DmDatabaseInfo(cardNo, dbID, 0, &attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0);
            if (!(attributes & dmHdrAttrReadOnly)) {           // If database isn't read-only
                if (dbProtect)
                    attributes |= dmHdrAttrCopyPrevention;     // Set the beam-lock bit
                else
                    attributes &= ~dmHdrAttrCopyPrevention;    // Remove the beam-lock bit
                DmSetDatabaseInfo(cardNo, dbID, 0, &attributes, 0, 0, 0, 0, 0, 0, 0, 0, 0);
            }
        }
    }

  13. Cisco Router • "Encrypted" password is stored on the router and can be read straight off the configuration screen • Passwords of type 7 are encoded by XOR'ing the plaintext against a constant string • Example from the slide: 08204E = "ab" (08 = offset into the constant, 20 = 1st char, 4E = 2nd char)

  14. Cisco Router (cont.) • XOR constant (as shown on the slide): tfd;kfoA,.iyewrkldJKD • Easy enough to calculate by hand!
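The type 7 scheme described above, as an added example that is not code from the slides or from Cisco: the two leading decimal digits select a starting position in a fixed string, and each following hex byte is the plaintext character XOR'd with the next character of that string. The 53-character constant below is the full published XOR key (the slide quotes only a fragment of it); the key index wraps modulo its length, which is an assumption of this example. The sample running-config lines are constructed, not taken from a real device.

```python
import re

# Full published Cisco type 7 XOR constant (the slide shows only a fragment).
XLAT_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"

# Matches the "password 7 <hex>" form used by enable, username and line passwords.
TYPE7_RE = re.compile(r"\bpassword\s+7\s+([0-9A-Fa-f]{4,})\b")


def type7_decode(encoded: str) -> str:
    """Recover the plaintext from a type 7 string: 2 decimal offset digits, then hex bytes."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 or not encoded[:2].isdigit():
        raise ValueError("malformed type 7 string: %r" % encoded)
    offset = int(encoded[:2])
    try:
        data = bytes.fromhex(encoded[2:])
    except ValueError:
        raise ValueError("malformed type 7 string: %r" % encoded)
    # Key index wraps around the constant (assumption of this example).
    plain = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return plain.decode("latin-1")


def type7_encode(plaintext: str, offset: int = 8) -> str:
    """Produce a type 7 string; IOS picks the offset (seed) itself, 0-15 is the usual range."""
    if not 0 <= offset <= 15:
        raise ValueError("offset must be in 0..15")
    data = plaintext.encode("latin-1")
    enc = bytes(b ^ XLAT_KEY[(offset + i) % len(XLAT_KEY)] for i, b in enumerate(data))
    return "%02d%s" % (offset, enc.hex().upper())


def decode_config(config_text: str) -> list:
    """Return (encoded, decoded) pairs for every type 7 password found in an IOS config dump."""
    return [(m.group(1), type7_decode(m.group(1))) for m in TYPE7_RE.finditer(config_text)]


# Constructed sample running-config (not from a real device).
SAMPLE_CONFIG = """\
service password-encryption
enable password 7 0822455D0A16
username ops password 7 08204E
line vty 0 4
 password 7 0822455D0A16
"""

if __name__ == "__main__":
    for enc, dec in decode_config(SAMPLE_CONFIG):
        print("%-16s -> %s" % (enc, dec))
```

The point of the example is the asymmetry: anyone who can read the configuration (a show running-config over a shared terminal, a backed-up config file, a TFTP transfer) holds everything needed to reverse the encoding, so type 7 is obfuscation, not encryption.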

  15. Wireless Data • Unencrypted, easily receivable digital data streams: POCSAG / FLEX / GOLAY (paging), ARDIS / MOBITEX, MDC4800, ACARS (aircraft data link) • "Who would listen?" mentality • Encryption could be used to authenticate, not just obfuscate, the information • Decreases the risk of a "phantom controller" and of spoofing

  16. TEMPEST • Receive the electromagnetic emanations (EMI) given off by monitors and keyboards and recreate the signal/data • Ways to prevent EMI leakage: shielding, proper circuit board design, Soft Tempest fonts (Markus Kuhn, http://www.cl.cam.ac.uk/~mgk25/st-fonts.zip) • Long story short...

  17. TEMPEST (cont.) • Clinton Grand Jury Testimony • Encrypted from Point A to Point B • Two endpoints completely wide open!

  18. How much better are these new technologies? • Smartcards, Biometrics, etc. • Newest buzzwords and "high-tech" gadgetry • Evaluate for yourself!

  19. Dallas iButton • One-wire I/O interface • Unique technology • Authentication, encryption, many uses… • iButton Touch Memory Primer (2600 Magazine, Winter 1998-1999, vol. 15 #4); e-mail me for a copy • Emerging area, hope to investigate further

  20. Time-based Tokens • Proprietary algorithm • Originally designed for non-promiscuous environments (i.e., phone lines) • Not designed with physical tampering in mind! Should the device destroy its critical information when tampered with? • Reverse-engineered the device down to the circuitry level

  21. Time-based Tokens (cont.) • Access to the clock crystal allows us to: • Speed it up - view more iterations to look for repeated sequences • Slow it down - single-step the device with external measurement tools (logic analyzer) • Serial programming terminals are present on the board! • Set or retrieve the secret number for cloning

  22. In Closing... • These examples are not necessarily related to the topics in the class, but the problems are widespread • Be careful, be proactive, get peer review • There are shortcomings in any technology - pick the one that best fits and "raise the bar"

  23. Thanks! Kingpin (kingpin@L0pht.com) http://www.L0pht.com [L-zero-P-H-T]
