Supply Chain (In-) Security

Similar documents
Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Patterns for Secure Boot and Secure Storage in Computer Systems

The Trivial Cisco IP Phones Compromise

Frontiers in Cyber Security: Beyond the OS

That Point of Sale is a PoS

Technical Brief Distributed Trusted Computing

BitLocker Drive Encryption Hardware Enhanced Data Protection. Shon Eizenhoefer, Program Manager Microsoft Corporation

Avaya G700 Media Gateway Security - Issue 1.0

Installing the Operating System or Hypervisor

Panda Perimeter Management Console. Guide for Partners

What IT Auditors Need to Know About Secure Shell. SSH Communications Security

ACL Compliance Director FAQ

SanDisk Enterprise Secure USB Flash Drive Security Vulnerability

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

UNCLASSIFIED Version 1.0 May 2012

Reboot the ExtraHop System and Test Hardware with the Rescue USB Flash Drive

Fighting Advanced Threats

Basics of Internet Security

Avaya TM G700 Media Gateway Security. White Paper

Network Security: 30 Questions Every Manager Should Ask. Author: Dr. Eric Cole Chief Security Strategist Secure Anchor Consulting

Dell Client BIOS: Signed Firmware Update

Hacking Database for Owning your Data

PROFESSIONAL SECURITY SYSTEMS

Release Notes for Dominion SX Firmware 3.1.6

I N S T A L L A T I O N M A N U A L

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

Hardware Backdooring is practical. Jonathan Brossard (Toucan System) Florentin Demetrescu (Cassidian)

CimTrak Technical Summary. DETECT All changes across your IT environment. NOTIFY Receive instant notification that a change has occurred

Digi Connect Wan 3G Application Guide Update the firmware, backup and restore the configuration of a Digi Connect Wan 3G using a USB flash drive.

Implementation and Implications of a Stealth Hard-Drive Backdoor

USB etoken and USB Flash Features Support

Converting SSG 300M-series and SSG 500M-series Security Devices to J-series Services Routers with a USB Storage Device

AlienVault. Unified Security Management x Offline Update and Software Restoration Procedures

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Five Steps to Improve Internal Network Security. Chattanooga Information security Professionals

What is Really Needed to Secure the Internet of Things?

SysPatrol - Server Security Monitor

Updates Click to check for a newer version of the CD Press next and confirm the disc burner selection before pressing finish.

"EZHACK" POPULAR SMART TV DONGLE REMOTE CODE EXECUTION

Recipe for Mobile Data Security: TPM, Bitlocker, Windows Vista and Active Directory

DiamondStream Data Security Policy Summary

Backup & Disaster Recovery Appliance User Guide

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 2 Systems Threats and Risks

Security for Mac Computers in the Enterprise

Pentesting Mobile Applications

FortiAnalyzer VM (VMware) Install Guide

Leading by Innovation McAfee Endpoint Security The Future of Malware-Detection: Activate protection on all Layers outside the Operating System

05.0 Application Development

SAST, DAST and Vulnerability Assessments, = 4

Cisco FlexFlash: Use and Manage Cisco Flexible Flash Internal SD Card for Cisco UCS C-Series Standalone Rack Servers

Cisco Trust Anchor Technologies

Who is Watching You? Video Conferencing Security

Working Together Managing and Securing Enterprise Mobility WHITE PAPER. Larry Klimczyk Digital Defence P:

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

Acronis Backup & Recovery 11.5

How Do I Upgrade Firmware and Save Configurations on PowerConnect Switches?

How To Set Up A Vns3 Controller On An Ipad Or Ipad (For Ahem) On A Network With A Vlan (For An Ipa) On An Uniden Vns 3 Instance On A Vn3 Instance On

ERNW Newsletter 42 / December 2013

Executable Integrity Verification

Linux Embedded devices with PicoDebian Martin Noha

Analysis of advanced issues in mobile security in android operating system

5 Steps to Advanced Threat Protection

Cyber Security In High-Performance Computing Environment Prakashan Korambath Institute for Digital Research and Education, UCLA July 17, 2014

Virtualization Technology

Intelligent Power Protector User manual extension for Microsoft Virtual architectures: Hyper-V 6.0 Manager Hyper-V Server (R1&R2)

8 Steps for Network Security Protection

Dell DR4000 Disk Backup System. Introduction to the Dell DR4000 Restore Manager A primer for creating and using a Restore Manager USB flash drive

Embedded Security for Modern Building Automation Systems

8 Steps For Network Security Protection

Thick Client Application Security

Compromise-as-a-Service

Virtualization System Security

Using the IPMI interface

Quick Start Guide. Version R91. English

Dell EqualLogic Red Hat Enterprise Linux 6.2 Boot from SAN

Side Channel Analysis and Embedded Systems Impact and Countermeasures

Post-Access Cyber Defense

Windows Phone 8 Security Overview

McAfee SMC Installation Guide 5.7. Security Management Center

FortiOS Handbook VM Installation for FortiOS 5.0

NOC PS manual. Copyright Maxnet All rights reserved. Page 1/45 NOC-PS Manuel EN version 1.3

Device Hardening, Vulnerability Remediation and Mitigation for Security Compliance

Hacking Satellite TV receivers : Are those IoT devices secure?

The Top Web Application Attacks: Are you vulnerable?

Windows Client/Server Local Area Network (LAN) System Security Lab 2 Time allocation 3 hours

Oracle Solaris Security: Mitigate Risk by Isolating Users, Applications, and Data


Quick Note 038. Upgrade Software options and/or VPN Licenses on a Digi Transport router.

Building A Secure Microsoft Exchange Continuity Appliance

From Hypervisors to Clouds

Installing JSA Using a Bootable USB Flash Drive

Navigating Endpoint Encryption Technologies

Hardware Security Modules for Protecting Embedded Systems

Transcription:

Supply Chain (In-) Security Graeme Neilson & Enno Rey Contact us: graeme@aurasoftwaresecurity.co.nz, erey@ernw.de

Graeme & Enno Graeme Neilson Security Consultant & Researcher Networking, Reverse engineering, appliances 2

Graeme & Enno Enno Rey Old-school network guy & founder of ERNW Blogs at www.insinuator.net Regularly rants at Day-Con Hosts TROOPERS 3

Why this talk Most cons have some specific characteristic So does Day-Con Angus loves talks about potential future attack paths sometimes with a spooky element in them This talk is our contribution to this space ;-) What we love about Day-Con: Pretty much all talks make you think. Not just sit around: cool demo, next one 4

Agenda Supply Chain Overview Threats & Vulnerabilities Some common appliances internal architecture and how to attack those Mitigation & Conclusion 5

Device Compromise is a well-known threat 6

Device Compromise is a well-known threat Black Hat USA 2010 Bojinov 6

Device Compromise is a well-known threat Black Hat USA 2010 Bojinov Black Hat USA 2010 Heffner 6

Device Compromise is a well-known threat Black Hat USA 2010 Bojinov Black Hat Europe 2006 Jack Black Hat USA 2010 Heffner 6

Device Compromise is a well-known threat Black Hat USA 2010 Bojinov Black Hat Europe 2006 Jack Black Hat USA 2010 Heffner Black Hat Europe 2010 Mende, Rey 6

and there s well known controls for this one 7

and there s well known controls for this one 8

at least for some attack vectors Remote Compromise Physical access to device (on organization s premise) 9

But... some thing may be overlooked here 10

Ask yourselves Who touches a device BEFORE it enters an organization s premises? 11

Overview Supply Chain Do you trust the? 12

Overview Supply Chain Manufacturer Do you trust the? 12

Overview Supply Chain Plant Do you trust the? Manufacturer 12

Overview Supply Chain Plant Do you trust the? Distributor Manufacturer 12

Overview Supply Chain Plant Do you trust the? Distributor Manufacturer Reseller 12

Overview Supply Chain Plant Do you trust the? Distributor Manufacturer Deployed appliance Your network Reseller 12

Overview Supply Chain Plant Distributor Manufacturer Deployed appliance Your network Reseller 13

Overview Supply Chain Plant Manufacturer And what s about the carrier processes? e.g.: Distributor Deployed appliance Your network Reseller 13

Overview Supply Chain Plant Manufacturer And what s about the carrier processes? Or customs, if borders are crossed? Distributor Deployed appliance Your network Reseller 13

We won t discuss the malicious manfacturer scenario here 14

So what does this mean? Potentially every party in this chain might be able to touch sensitive parts of the device. 15

And maybe not only authorized parties 16

What do you mean by sensitive parts? Bootloader Firmware / Image Configuration Files 17

At a device s going-into-production, Are you sure? For the bootloader?? Would you notice (and delete) a user sysupdate in the administrators group of $SOME_SECURITY_APPLIANCE? 18

Isn t firmware protected against by cryptographic means (checksums, digital signatures etc.) Well, that s what you might expect. Reality proves otherwise 19

So why would somebody want to do that? Blowing up something, some time Deployment of backdoors (to devices or your network) 20

Blowing up something, some time http://en.wikipedia.org/wiki/siberian_pipeline_sabotage 21

Blowing up something, some time http://en.wikipedia.org/wiki/siberian_pipeline_sabotage 21

Backdoors [PAXSON00]: A backdoor is a mechanism surreptitiously introduced into a computer system to facilitate unauthorized access to the system. 22

More on this This brings up some interesting questions. Is enabled SNMP with public/private a backdoor? Based on deliberate decision (= surreptitiously?). Means to provide access. Well, yes, maybe not intended for unauthorized access. But used for such in many cases 23

Types of backdoors Buffer Overflow vulnerabilities Hidden configuration options ( allowhiddenaccountlogin=yes ) Unsecure cryptographic properties Weak initialization vectors Manipulated S-Boxes (e.g. in AES) Deterministic PRNGs Master password ( lkwpeter ) Hidden credentials (user/pass) Port knocking Data leakage/logging second channel (external system, ) Additional access mechanism (SSH, telnet, ) most common rootkit behavior 24

Typical vulnerabilities in supply Lack of standards ISO 28001 much lesser known than ISO 27001 Lack of visibility Lack of tools for verification 25

Architecture details of some popular security appliances 26

Disclaimer All this stuff is not too well documented. We did our best when assembling the information displayed in the following slides. Still, it might be inaccurate here + there. 27

Cisco ASA Based on (mostly) standard PC hardware, x86 architecture Image is based on Linux kernel and can be extracted, see e.g.[1] Presumably the BIOS can be modified/replaced, although this voids the warranty ;-), see [2] Verify command for verifying the MD5 checksum present [3] but does not inhibit firmware execution if checksum fails 29

Juniper routers Routing engine is commodity hardware with Intel CPU, harddrive, flashdrive etc. Parts can be exchanged easily JunOS based on FreeBSD kernel Usually new image released every 90 days One can predict new image ;-) REs have CF card slot Which, by default, is booted from first 30

Juniper Netscreen devices ScreenOS proprietary RTOS on PowerPC Previous research Netscreen of the Dead Blackhat 2009 See http://www.troopers.de/content/e728/e897/e938/troopers10_netscreen_of_the_dead_graeme_neilson.pdf Weakness in the firmware protection & verification Developed fully trojaned ScreenOS firmware image with backdoor custom code execution firmware update prevention 10/22/10 31

Nokia & Check Point Check Point supply Firewall-1/VPN-1 software which can run on top of other operating systems Appliances Linux/FreeBSD based Example Appliance (admittedly an old one, newer behave differently) Nokia IP71 series with SuperH RISC processor System is stored in on-board flash with no option to download flash :( Restricted shell with a custom menu console application running Attack vectors are: break out of app and restricted shell customise or overwrite BIOS to gain control of flash memory 10/22/10 32

Nokia IP71 Flash BIOS 10/22/10 33

Nokia (IP71) BIOS Removable BIOS chip running Nokia boot loader Remove chip, dump code, reverse engineer, modify, reflash chip BIOS rootkit or BootKit 10/22/10 34

Demo : ZomBIOS BIOS level control 10/22/10 35

Fortigate Fortinet make Fortigate appliances (x86 platform). Runs FortiOS - based on Linux. Supplied as standard gzip file with certificate and hash appended. Decompress gives an encrypted blob of data. The encryption used has weaknesses: Watermarks (patterns in the data) looks like a disk image. Location of MBR, kernel, root file system can be seen. This allows known plain text attacks 10/22/10 36

Watermarks 10/22/10 37

Fortigate Compact Flash BIOS 10/22/10 38

Fortigate Fortigate will load firmware even if it has no certificate, no hash and is unencrypted. The verification is of filenames contained within the gzips Start of MBR must contain a filename matching a device & version ID Kernel must be called fortikernel.out 10/22/10 39

Fortigate Can modify existing system or replace kernel and file system. Automated firmware upgrade on reboot from USB stick is a feature. Boot into custom linux and dd memory to Compact Flash data is encrypted to serial console there is no encryption 10/22/10 40

Demo : ZombiOS Operating system level control 10/22/10 41

As a point of comparison Playstation 3 NOT a firewall, NOT protecting your data, designed to protect Sony's intellectual property and investment in game development. IBM Cell architecture chip designed with security at the hardware level Secure processing vault Runtime secure boot Hardware root of secrecy Signed code necessary at multiple levels: boot time, hypervisor, gameos, game. 42

As a point of comparison Full hard disk encryption Recently a flaw in the USB stack allows running unsigned code BUT this is not persistent across reboots because of the signed boot code and signed hypervisor. A gaming console is a more secure platform than most security appliances! PlayStation 3 cluster 43

Some (kind-of-checklist) questions What are the motivations/incentives of the involved parties? Do you think they re capable (of providing a secure supply chain)? What do you know about your organization s (security device) supply chain? 44

Conclusions (Most) security appliances are not designed to withstand unauthorized physical access. The supply chain may not be as secure as you expect. This might lead to interesting scenarios ;-) Think about it! 45

There s never enough time THANK YOU...for yours! 46

TROOPERS II, 03/28-04/01/2011 Heidelberg, Germany Subscribe to the newsletter at www.troopers.de, follow us on Twitter @WEareTROOPERS and meet with experts from around the world at TROOPERS11 at Heidelberg, Germany.

References Specific to Cisco ASA [1] Simulation [of] Cisco ASA with QEMU and GNS3 : http://kizwan.blogspot.com/2010/01/simulatio-cisco-asa-with-qemu-and-gns3.html [2] Cisco ASA 5580 Adaptive Security Appliance Hardware Installation Guide: http://www.cisco.com/en/us/docs/security/asa/hw/maintenance/5580guide/procedures.html [3] Cisco ASA verify command http://www.cisco.com/en/us/docs/security/asa/asa80/command/reference/uz.html#wp1569565 Specific to Cisco routers http://www.cisco.com/web/about/security/intelligence/iosimage.html 48

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information