Machine-to-machine (M2M) security. Hunz Zn000h at gmail.com

Similar documents
The Shift to Wireless Data Communication

Technical Notes TN 1 - ETG FactoryCast Gateway TSX ETG 3021 / 3022 modules. How to Setup a GPRS Connection?

Mobile Security. Practical attacks using cheap equipment. Business France. Presented the 07/06/2016. For. By Sébastien Dudek

DATA SECURITY 1/12. Copyright Nokia Corporation All rights reserved. Ver. 1.0

F2103 GPRS DTU USER MANUAL

How to hack your way out of home detention

That Point of Sale is a PoS

Smart Card APDU Analysis

Topics in Network Security

GSM Risks and Countermeasures

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

High-performance VoIP Traffic Optimizer Client Solution

Hacking. Aims. Naming, Acronyms, etc. Sources

L2F Case Study Overview

Today. Important From Last Time. Old Joke. Computer Security. Embedded Security. Trusted Computing Base

Mobile Stream USB Modem User's Guide Version 1.32 for Windows Mobile

LIGHTNING. Key Features :: Cellular (UMTS/GSM) Sensors. Iridium SBD. Power. Physical Features

Testing Overview [Document subtitle]

Synapse s SNAP Network Operating System

Broadcasting encryption or systematic #FAIL? Phil

Product Description. HUAWEI E5220s-81 Mobile WiFi V100R001 HUAWEI TECHNOLOGIES CO., LTD. Issue 01. Date

The GSM and GPRS network T /301

Right-Sizing M2M Security: The Best Security is Security Tailored to Your Application

Tips, techniques and tools for remote monitoring

TNC is an open architecture for network access control. If you re not sure what NAC is, we ll cover that in a second. For now, the main point here is

Secure Cloud Storage and Computing Using Reconfigurable Hardware

SCADA System Security. ECE 478 Network Security Oregon State University March 7, 2005

CHANCES AND RISKS FOR SECURITY IN MULTICORE PROCESSORS

Silabs Ember Development Tools

CCNA Exploration: Accessing the WAN Chapter 7 Case Study

Sistemi ad agenti Principi di programmazione di sistema

Secure Network Access System (SNAS) Indigenous Next Generation Network Security Solutions

Lecture Objectives. Lecture 8 Mobile Networks: Security in Wireless LANs and Mobile Networks. Agenda. References

UNCLASSIFIED Version 1.0 May 2012

IT-AMS. Course Overview. Applied Microcontroller Systems (5 ECTS, Q3, E/IKT/EP) Version: , Henning Hargaard

Chapter 2 Introduction

OpenWRT - embedded Linux for wireless routers

Getting a Secure Intranet

Virtual Private Networks

June 2013 v. 0.2

E-Blocks Easy Internet Bundle

INDUSTRIAL GATEWAYS VPN ROUTERS SERIAL DEVICE SERVERS

ALL-ZC-2140P-DVI PCoIP Zero Client Overview

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

HMS Industrial Networks. Putting industrial applications on the cloud

Network connectivity controllers

Selection Criteria for ZigBee Development Kits

Who is Watching You? Video Conferencing Security

Reviving smart card analysis

Bluetooth Web Enabler

Pre-lab and In-class Laboratory Exercise 10 (L10)

ReadyNAS Remote White Paper. NETGEAR May 2010

15 May 2013 Version 5. for Mac OS X. Public version. Gemfor s.r.o. Tyršovo nám Roztoky Czech Republic

Tank Gauges and Security on the Internet

Securing end devices

Penetration Testing LAB Setup Guide

The shortest path to cellular communications: Cellular Development Platform

USR-TCP232-T Hard Version: V2.0 Doc Version: V

! encor e networks TM

What is Really Needed to Secure the Internet of Things?

SBC6245 Single Board Computer

IP Address and Pre-configuration Information

Talk2M ewon Internet Connection How To

Storage Cloud Infrastructures

Quick Note 53. Ethernet to W-WAN failover with logical Ethernet interface.

Web'n'walk. Manager. for Windows USER MANUAL

SIMATIC S It s the Interplay that makes the difference. Siemens AG All Rights Reserved.

Using a VPN with Niagara Systems. v0.3 6, July 2013

The Internet of Things: Opportunities & Challenges

Machine control going www - Opportunities and risks when connecting a control system to the Internet

How To Use A Femtocell (Hbn) On A Cell Phone (Hbt) On An Ipad Or Ipad (Hnt) On Your Cell Phone On A Sim Card (For Kids) On The Ipad/Iph

Innovative Defense Strategies for Securing SCADA & Control Systems

SIMtrace Usermanual i. SIMtrace Usermanual

System i and System p. Customer service, support, and troubleshooting

Remote Access via VPN Configuration (May 2011)

Direct VPN Connection Using a Modem

Ways to Use USB in Embedded Systems

Overview. Firewall Security. Perimeter Security Devices. Routers

RuggedCom Solutions for

Nokia and Nokia Connecting People are registered trademarks of Nokia Corporation

Track Forever GPS Tracking Control Center Specification

Technical papers Virtual private networks

Information Security Group (ISG) Core Research Areas. The ISG Smart Card Centre. From Smart Cards to NFC Smart Phone Security

Remote Access Security

BLACKJACKING: SECURITY THREATS TO BLACKBERRY DEVICES, PDAS, AND CELL PHONES IN THE ENTERPRISE

Student Halls Network. Connection Guide

WHITE PAPER. WEP Cloaking for Legacy Encryption Protection

A More Secure and Cost-Effective Replacement for Modems

Substation Automation Systems. Nicholas Honeth

Application Note 24. Making and receiving GSM Circuit-Switched Data Calls (CSD). Applies to routers with Siemens wireless WAN modules only.

WHITE PAPER Security in M2M Communication What is secure enough?

Bypassing Local Windows Authentication to Defeat Full Disk Encryption. Ian Haken

Gerard Fianen. Copyright 2014 Cypherbridge Systems LLC Page 1

Wireless Threats To Corporate Security A Presentation for ISACA UK Northern Chapter

Executive Summary and Purpose

AMI security considerations

3G Wireless-N Smart Energy Gateway

HMS Industrial Networks

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

MITM Man in the Middle

Transcription:

Machine-to-machine (M2M) security Hunz Zn000h at gmail.com CCC Camp 2011 13.08.2011

Content What's machine-to-machine anyway? Attack vectors Attacks over M2M communication channels Physical attacks on endpoints (embedded devices) Attacking some actual M2M setups Weaknesses Attack Impact Mitigation strategies Summary

What's machine-to-machine? Definition guttenberged from wikipedia: Machine-to-Machine (M2M) refers to technologies that allow both wireless and wired systems to communicate with other devices of the same ability.... This talk with a wider scope: Machine2(Machine Vendor Maker)

M2M communication Vendor Network Machine Machine Machines with embedded systems Focus here: devices with IP communication

Examples Smart grid (smartmeters, etc.) Vending machines Industrial control systems & machines Traffic control Motor vehicles (Entertainment devices (STBs, etc.)) Not really machines But communication is similar

M2M de-mystified M2M is just a fancy buzzword There have been embedded systems with network access for years Example: PayTV STBs had integrated modem and dialup accounts in the firmware Now, there's just a lot more devices Some can do more immediate physical harm than normal PCs and PayTV-decoders

Communication channels Ethernet/Wireless LAN Mobile networks (GSM, 3G) Other (mostly ISM - ZigBee, etc. - not considered in this talk)

Ethernet / Wireless LAN Try usual exploits to compromise the device You know your tools But: Manufacturers know, that anyone can do some (Wireless) LAN hacking Actual data often encrypted (SSL, VPNs,...) Secret keys/certificates stored in devices Physical attacks on devices ( later)

Mobile networks: GSM, 3G Mostly GSM, less 3G yet Circuit-switched (dialin at vendor) SMS-based (for rare events & notifications) Packet-switched (GPRS) Contrary to (Wireless) LAN communication often no extra encryption GSM is already encrypted

Attacking GSM communications Passive sniffing + attacks on crypto GSM (dialup/sms): A5 broken for a while GPRS: see GPRS talk of Karsten Nohl Still, you probably want to send your own data Either to device or network A rogue base station is your friend there's OpenBTS & OpenBSC

Using a rogue BTS Interesting devices can be identified via IMEI Type Allocation Code (TAC) identifies make+model of mobile equipment There's a public TAC database: http://www.mulliner.org/tacdb/ Make the device join your BTS Some devices join foreign networks Spoofing a real network is probably some kind of illegal...

Using a rogue BTS (2) Vendor Network Your Network Machine Device is isolated from real network Machine Attacking the device over the air possible What about the vendor network?

GPRS GPRS network access via Access Point Name (APN) There's the normal internet APN And special APNs for private networks Private Network 1 APN1 Private Network 2 APN2

Mobile operators M2M solutions Authentication for special APNs Via IMSI + GSM auth APN Username/password How to get into the private network? Physical attack on device ( later) MITM w/ rogue BTS and patched cellphone

MITM on GPRS Vendor Network Machine Your Network Machine Original device connected to rogue BTS Build a bridge to original network Probably needs some hardcore Osmocomm hacking Sane GPRS encryption can prevent this

Attacks on endpoints Vendor Network Machine Machine Network can be compromised by rogue devices How to break into a device w/ physical access?

Embedded devices Often proprietary devices, less complex than PCs Design goals: low price, fast time2market, availability, safety, low-power Security features from the 80s or so DEP? That's some fancy new shit! New problem: Hardware security Hardware security is difficult

Embedded devices JTAG RS-232 Microcontroller (MCU) Flash RAM Attack points: Debug interfaces (JTAG, RS-232) External memory Peripherals Flash RAM Peripherals

Embedded devices: Debug interfaces Debug access Bootloader or OS often has RS-232 access enabled JTAG can be used to access the system There was a nice talk at the 26C3

Embedded devices: External memories External memory can be dumped/modified Most Flash-ICs can be read with a MMC-reader Otherwise a tiny microcontroller will do in most cases Look for other talks that cover hacking of embedded devices (too much for this talk)

Embedded devices: Peripherals MCU RS-232 USB GSM module ISO7816 SIM Example: GSM module GSM/GPRS encryption done in GSM-module Communication between MCU, module and SIM not encrypted sniffing & MITM possible

Fun with a M2M device Smartmeter Uses Ethernet w/ SSL end-to-end crypto needs some secret key storage I can haz keys?

A closer look Physically disassembled the thing Traced RS-232 wires, connected a PC But: nothing to see here Found boot parameters in a serial EEPROM by sniffing the I²C bus (used a Bus pirate) Enabled serial console there Got U-Boot prompt Ohai Linux! init=/bin/sh, cat privatekeys KTHXBYE

Roundup of this analysis Weaknesses Unencrypted Flash memory in device No internal Flash RS-232 debug was easy to reactivate Attack Reactivate RS-232 debug interface Dump secret keys Impact: limited Single device compromised (secret keys dumped) No VPN access just SSL to server

Fun with another M2M device GSM-based M2M module from some motor vehicle Bought via ebay Had a closer look at this thing similar GSM module (image source)

A closer look SIM card present, but PIN-protected However, device sends PIN to SIM when powered up So I sniffed it :-) Easy to do with a simple microcontroller or SIMtrace Used SIM in a phone with firmware patched to IMEI of M2M module Made a phone call with that SIM SIM still active :-)

A closer look (2) Hooked the original GSM module w/ original SIM up to a PC via USB AT-command interface via USB (/dev/ttyacm*) AT+CGDCONT? to show APN special-maker-apn

A closer look (3) IP interface activate! (normal PPP stuff) Private IP range, no Internet access Started pinging some IPs... Some IPs w/ rtt of several seconds Huge rtt variations Suggests those IPs are of moving vehicles!??

Roundup of this analysis Weaknesses Device side: PIN number can be sniffed Network side: Generous packetfilter configuration No rogue device detection? Attack Use M2M module with PC Connect to vendor network Impact: frightening Extensive access to vendor network

Mitigation strategies Hacker Space Program needs sane M2M security! Based on previous findings: What can be done? Two attack vectors: Attacks over communication channels Physical attacks on devices

Securing communication channels This one is easy at least in theory: Never trust the communication channel Always use extra + sound (well-reviewed) encryption + authentication Secret data needs to be stored in the devices Here, things get more complicated

Securing embedded devices Basic idea: Protect the secret data Disable debug interfaces Internal memory of microcontroller for secret data No unencrypted secret data over external busses! Tamper-detection

Rogue devices Hardware security (expensive?) Still: accept that devices will be compromised Early detection of rogue devices Behavior profiling Easy to realize: Well-defined action profiles Limit impact of rogue devices Easy to realize: Well-defined action profiles Whom do they need to talk to? paketfilters Device-individual secret data (=keys)!

Summary Currently: M2M security? Hard to find! Problems identified Some mitigation strategies provided What needs to be done Manufacturers need to consider security Network operators should provide some M2M security guidelines to their customers M2M security initiatives? Awareness?

Thanks for your attention!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information