Offensive Embedded Exploitation : Getting hands dirty with IOT/Embedded Device Security Testing.
The world is moving towards smart culture everything nowadays is smart, and mostly all are those smart devices are basically embedded devices with internet connectivity or some provision to connect with the internet. Since these devices are booming in market this also tempting lots of people/groups for hacking.
In this 4 hours training we will discuss how to test the embedded/IoT devices, it would give you a methodology for assessment, how to perform firmware analysis, identifying vulnerable components, basic approach for reverse engineering the binaries to discover potential remote code execution, memory corruption vulnerabilities by looking for native vulnerable functions in C or bad implementation of functions like System, popen, pclose etc.
After conducting static analysis,firmware analysis we will move towards dynamic testing approch which include web application testing, Underlying OS security testing, identifying vulnerabilities and misconfiguration in device. At last we will move towards fuzzing the device via web application parameters and installing aproppriate debugger on device to identify memory corruption vulnerabilities.
TARGET AUDIENCE
- Learner
- Electronics/Embedded/IoT Security enthusiast
- Cyber Security Enthusiast
- Anyone who is looking to Kick Start Career in Device/IoT Security
DELIVERABLES
- Testing Firmware and POC for the CVE-2018-19524
- Methodology for testing embedded devices
- Deep dive into device security testing from beginner level to developing exploit
- And At last, a good intro into how to break known security boundary of embedded/IoT devices by knowing its weakness and thereby securing it
REQUIREMENTS
- Updated kali-Rolling on base/virtual machine with root privileges
- Laptop should have atleast 8GB RAM & 100 GB disk space for smooth experiance
Preparing the Arsenal
Setting up testing machine for embedded system testing with required tools Identifying the physical entry point of the devices Eg. Jtag,Uart,SPI,USB,Console,Minicom. Identifying the logical entry points like network(WiFi,ethernet),Zigbee,Zwave,Bluetooth or other RF.
Reconnaissance (Interactive)
Understanding the device chipset,FCCID,Supported protocols, Communication by device. Getting every possible details from the documents provided,avaiable. Active device scanning to figure out OS,Arch,Services,ports running on device. Identifying the Attack surface on device.
Firmware Analysis(Live Demo):
In this section we will find out multiple ways to get that .bin file by some osint or intercepting the upgrade of device or from the official vendor website, then will look for types of file system for devices. once we understand the file system we will move forward for extracting fimrware with the help multiple tools like hex editor dd,binwalk,string. After successful extraction we will perform binary,library,code analysis to identify the potential vulnerabilities to pwn the shell.
Sys internal Testing(Live Demo):
As mentioned in the previous section going through the process we would explore potential vulnerabilities in the device now further we would exploit the same to gain the shell or persistent access to the device by abusing the permissions or cronjobs or executing the privilege code to maintain the persistent access of device for further testing and to cover most of the vulnerabilities.
Basic Binary Analysis(Partial Live Demo):
Now as mentioned above we would have an persistent access to device, moving ahead we can download those code or the binaries to our system for further analysis and by reversing the binaries we would identify the improper implementation of native vulnerable functions like system,popen,pclose,printf and some others to get the real critical vulnerabilities which could get fuzz in next section to develop the exploit.
Fuzzing(Live-Demo):
Now as we have an idea about the potential vulnerable area of the device now we will find out the suitable debugger for our device and ways to run the debugger and to attach the process for debugging and will fuzz the potential vulnerable parameters to identify the crash and access to registers in order to develop an exploit. this process will take a while to identify exact payload to exploit the device.
Closing notes:
Here we summarize all the analysis which we have gone through in the above mention highlights and vulnerabilities make a perfect testing report. Question and answers, Some extra tips for testing.
What Shouldn’t be expected
- You will become @devttyS0 just by attending this 3 Hours training
- You can hack a city/Sattelite/Power Station etc etc.
- You will become Marcus Holloway
- You will become siddarth from Kee (Kee Tamil Film 2019)
About Trainer :
Kaustubh is an Embedded system security researcher and Device security Assurance Manager at Reliance Jio Infocomm limited, his main work include Securing JIO’s Cutting Edge Enterprise, Consumer, and SMB(small,Medium,Big) business products. His main area of interest is Device security,Reverse engineering, discovering RCE,Priv-esc bugs in proprietary or close source devices. He was Null champion, He had deliver more than dozens of talk in null meet and he was champion for 3 years in null community. Some of his works are published in SecurityWeek, ExploitDB, 0day.today and have more than Dozens of CVE, Recently he was the winner of SCADA CTF @ nullcon 2019.