Laboratory for Dependable Distributed Systems

Transcription

1 On the Meaning of Physical Access to a Computing Device A vulnerability classification of mobile computing devices Knut Eckstein, NATO C3A Maximillian Dornseif, RWTH-Aachen Laboratory for Dependable Distributed Systems

2 Agenda Scope of the Problem Access from short distance Access through local external interfaces Access to circuit board interfaces Conclusion & Recommendations

3 Scope of the Problem Traditional Scenarios Hardened hardware centralized and well protected deployment NEC/NCW Scenarios often COTS Hard- & Software distributed deployment

4 To which degree can COTS Hardware like Notebooks and PDAs be secured with reasonable effort?

5 Taxonomy Method of access: short distance external interfaces internal interfaces Access: read-only read-write

6 Access from short distance WLAN, Bluetooth, PANs, Sensor Networks Protocols often not build with security in mind Implementations often extremely insecure

7 Case Study: WLAN Original WLAN crypto (WEP) was broken implementations where often even more broken with newer implementations thinks like association behavior or authentication Protocols can be attacked. Wireless vulnerabilities from rogue access points by Shane K2 Macaulay & Dino Dai Zovi

8 Case Study: Bluethooth Protocol implemented with security in mind Implementations have often next to no security in place Achievable distance about 250 times further than specified

9 More LED and Monitor radiation Keyboard EM radiation, Fingerprints wireless Keyboards and Mice COTS devices may contain GPS/location chip or GUIDs possibly mandated by consumer/fcc regulations This data might be transmitted in propertiary protocols

10 Access through local external interfaces Relevant interfaces: FireWire, USB, Serial, PC-Card/PCMCIA/ CF, SD, Memory Stick Several of them have debugging capabilities/ backdoors

11 Case Study: PC-Card PCMCIA ISA, PC-CARD PCI A Hardware-Based Memory Acquisition Procedure for Digital Investigations by Joe Grand and Brian Carrier

12 Case Study: FireWire FireWire allows direct memory access read and write arbitrary memory per default many operating systems offer no access control where access control mechanisms exist, they are undocumented

13 Case Study: USB USB has a tree structure No sniffing techniques for leave nodes are known so far OS usually does not inform the user of the type of device connected Example: WLAN, ATA, Keyboard combo

14 Access to circuit board interfaces Often accessible from the outside Relevant Interfaces: I2C, JTAG, propertiary ones Keyboard internal busses Internal USB Hubs

15 g! Case Study: JTAG Extensible standard for low level interface Most devices contain JTAG interfaces for testing Access to JPEG port results g! in full control over the hardware.

16 Case Study: XBox Hacking the Xbox: An Introduction to Reverse Engineering by Andrew Huang Xbox had encrypted, hidden boot code student taped the LDT on-board bus on the circuit board to get the unencrypted boot code

17 Conclusion wireless external interfaces read only LEDs Monitors etc read write WLAN Bluetooth Sensor networks FireWire USB internal interfaces circuit board access JTAG

18 Penetration can happen with only seconds of physical exposure COTS devices are far from offering any substantial tamer resistance

19 Knut Eckstein, NATO C3A Maximillian Dornseif, RWTH-Aachen Slides at Further Information: Laboratory for Dependable Distributed Systems