1 ©2013 Check Point Software Technologies Ltd.
Physical (In)security: It's not all about Cyber…
Inbar Raz, Malware & Security Research Manager, Check Point Software Technologies

2 Background
Who am I?
–I like to reverse things – software, hardware, ideas, rules.
–I like to find problems and have them fixed (by others…)
What do I do?
–Run Malware & Security Research at Check Point
–Create Responsible Disclosures
–Concentrate on little-to-no skills needed
–Easier to demonstrate and convince

3 Example #1: Movie Ticket Kiosk
On-site Kiosk
–Touch Screen
–Credit Card Reader
–Ticket Printer
No peripherals, no interfaces

4 The Attack
Improper interface lockdown settings leave menu options reachable from the touch screen.
The menus can be used to browse for a new printer.

5 The Attack
The limited Windows Explorer that the printer browse dialog opens is not restricted enough.
A right-click can be used… to open a full, unrestricted Windows Explorer.

6 The Attack
Browsing through the file system reveals interesting directory names… and even more interesting file names.

7 The Attack
Bingo: Credit Card Data (Unencrypted!)
Tools of the trade: Notepad.
We can use the ticket printer to take it home.

8 The Attack
But that's not all: RSA Keys and Certificates are also found on the drive! Which we can print, take home and then read with free OCR software…

9 The Attack
The result: RSA Keys used to bill credit cards.
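The kiosk findings above (plaintext card data and RSA keys readable with Notepad) are exactly what a periodic scan of the device's disk should catch first. The following Python is an added example, not code from the talk or from Check Point: it walks a directory tree, reports Luhn-valid 13-19 digit strings (masked) and PEM private-key headers, and builds a constructed sample tree so it runs offline; the file names and contents are invented for the demo.

```python
"""Added example (not from the talk): scan a kiosk-style file tree for
unencrypted cardholder data and private keys, the two things the slides
found with Notepad. Paths and sample contents are constructed."""
from __future__ import annotations

import re
import tempfile
from pathlib import Path

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# PEM private-key headers as written by OpenSSL and friends.
PEM_RE = re.compile(r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Digit strings in text that look like PANs and pass Luhn (filters dates, serials)."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        # len(set) > 1 drops runs of one repeated digit that happen to pass Luhn.
        if 13 <= len(digits) <= 19 and len(set(digits)) > 1 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan: str) -> str:
    """First 6 + last 4, so the report does not itself become cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_tree(root: str) -> dict[str, dict]:
    """Walk root; per file report Luhn-valid PAN count, masked samples, and PEM key presence."""
    findings: dict[str, dict] = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            text = path.read_text(errors="ignore")
        except OSError:
            continue
        pans = find_pans(text)
        has_key = PEM_RE.search(text) is not None
        if pans or has_key:
            findings[path.relative_to(root).as_posix()] = {
                "pan_count": len(pans),
                "pan_samples": [mask(p) for p in pans[:3]],
                "private_key": has_key,
            }
    return findings


def demo() -> dict[str, dict]:
    """Build a constructed kiosk-like tree in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "logs").mkdir()
        # Constructed data; 4111111111111111 and 5500000000000004 are public test PANs.
        (Path(tmp) / "logs" / "txn.log").write_text(
            "2013-06-01 19:32 SALE 4111 1111 1111 1111 exp 0615 amount 42.00\n"
            "2013-06-01 19:40 SALE 5500000000000004 exp 1114 amount 18.50\n"
            "2013-06-01 19:41 REFUND ticket serial 1234567890123\n"  # 13 digits, fails Luhn
        )
        (Path(tmp) / "billing.key").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEA...\n-----END RSA PRIVATE KEY-----\n"
        )
        (Path(tmp) / "readme.txt").write_text("Movie ticket kiosk, build 2.1\n")
        return scan_tree(tmp)


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info)
```

Luhn alone still accepts about one in ten random digit runs of the right length, so on a real disk pair it with issuer prefix (BIN) checks and review the hits by hand; the point of the scan is that the findings on slides 7-9 should have come from the operator's own tooling, not from a kiosk user with a finger.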

10 Example #1: Summary
Device purpose: Print purchased Movie Tickets
Data on device: Credit Card data and Encryption Keys
Method used to hack: 1 finger

11 Example #2: Point-of-Sale Device
Point-of-Sale devices are all around you.

12 The Attack
PoS device located outside the business during the day.
At the end of the day, it is locked inside the business.

13 The Attack
But one thing is left outside, in the street:

14-15 The Attack
In the past – play hacker/script kiddie with BackTrack.
Today: Fire up Wireshark, discover IPs of live machines.
Detected IP addresses: (five addresses, not shown in the transcript)
Confirm by ping (individual and broadcast)

16 The Attack
Evidence of SMB (plus prior knowledge) leads to the next step (command not shown in the transcript):
And the response (not shown):
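Slides 14-16 compress three steps: sniff, enumerate live hosts, spot the SMB speaker. The following is an added example, not code from the talk: a Python script that derives that host inventory from tcpdump-style text (a constructed capture is embedded; every address in it is invented) and then confirms candidates with ping the way the slides do. The ping helper assumes Linux iputils flags and is not needed for the offline part.

```python
"""Added example (not from the talk): turn captured traffic into a host
inventory the way the slides do by eye in Wireshark, then confirm with ping.
The tcpdump lines are constructed; the ping helper assumes Linux iputils flags."""
from __future__ import annotations

import ipaddress
import re
import subprocess
from collections import defaultdict

# Constructed sample of `tcpdump -n -i eth0` output, in its usual text format.
SAMPLE_CAPTURE = """\
19:02:11.102331 IP 192.168.1.10.49211 > 192.168.1.1.53: 12345+ A? example.com. (29)
19:02:11.140877 IP 192.168.1.1.53 > 192.168.1.10.49211: 12345 1/0/0 A 93.184.216.34 (45)
19:02:12.000120 IP 192.168.1.20.137 > 192.168.1.255.137: NBT UDP PACKET(137): QUERY; REQUEST; BROADCAST
19:02:12.300555 IP 192.168.1.10.51833 > 192.168.1.20.445: Flags [S], seq 1, win 64240, length 0
19:02:12.300900 IP 192.168.1.20.445 > 192.168.1.10.51833: Flags [S.], seq 2, ack 2, win 65535, length 0
19:02:13.511000 ARP, Request who-has 192.168.1.1 tell 192.168.1.30, length 28
"""

IP_LINE = re.compile(r"\bIP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")
ARP_LINE = re.compile(r"\bARP, Request who-has \S+ tell (\d+\.\d+\.\d+\.\d+)")
SMB_PORTS = {139, 445}
NBNS_PORT = 137


def is_candidate_host(ip: str) -> bool:
    """Skip multicast and (assuming /24 subnets) the directed broadcast address."""
    addr = ipaddress.ip_address(ip)
    return not addr.is_multicast and ip != "255.255.255.255" and not ip.endswith(".255")


def inventory(capture_text: str) -> dict[str, set[str]]:
    """Map each host to evidence tags: 'talks' (sent a packet, so it is live),
    'addressed' (seen as a destination), 'smb' (answered from 139/445),
    'netbios' (sent NBNS on 137)."""
    hosts: dict[str, set[str]] = defaultdict(set)
    for line in capture_text.splitlines():
        m = IP_LINE.search(line)
        if m:
            src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
            if is_candidate_host(src):
                hosts[src].add("talks")
                if sport in SMB_PORTS:
                    hosts[src].add("smb")
                if sport == NBNS_PORT:
                    hosts[src].add("netbios")
            if is_candidate_host(dst):
                hosts[dst].add("addressed")
            continue
        m = ARP_LINE.search(line)
        if m and is_candidate_host(m.group(1)):
            hosts[m.group(1)].add("talks")   # the ARP sender is live; the target may not be
    return dict(hosts)


def ping_confirm(hosts, timeout_s: int = 1) -> list[str]:
    """Confirm each candidate with one ICMP echo (Linux `ping -c 1 -W`); returns responders.
    Not exercised offline; the broadcast sweep from the slides is `ping -b -c 1 <x.x.x.255>`."""
    alive = []
    for h in sorted(hosts):
        r = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), h],
                           stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if r.returncode == 0:
            alive.append(h)
    return alive


if __name__ == "__main__":
    for host, tags in sorted(inventory(SAMPLE_CAPTURE).items()):
        print(host, sorted(tags))
```

Only 'talks' (or an ICMP reply) is evidence that a host is up; 'addressed' hosts are the ones worth the individual pings. Many hosts ignore broadcast echo requests by default, which is why the slides confirm both ways. A host tagged 'smb' that answered from 445 is the candidate for the share enumeration that follows on slide 16.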

17-18 Things to do with an open share
#1: Look around
–Establish possible attack vectors
#2: Create a file list
–Not like stealing data, but very helpful
[Restricted] ONLY for designated groups and individuals

19 The mystery of (address not shown in the transcript)
Answers a ping, but no SMB.
First guess: the ADSL Modem.
Try to access the Web-UI:

20 The mystery of (address not shown in the transcript)
Use the full URL:

21 Going for the ADSL router
Reminder: We actually had this information.

22 Going for the ADSL router
Naturally, there is access control: Want to guess?

23 Example #2: Summary
Device purpose: Cash Register and Local Server
Data on device: Credit Card data, Customer Database
Method used to hack: MacBook Pro, Free Software

24 Other opportunities
A Medical Clinic in Tel-Aviv
–Complete disregard for attendance systems

25 Other opportunities
A Hospital in Tel-Aviv

26 Other opportunities
An ATM at a shopping mall

27 Example #3: Hospital Smart TV
Features
–Watch TV
–Listen to music
–VOD
–Browse the Internet
Peripherals:
–Touch Screen
–Credit Card Reader
–Earphones
And…
–USB…

28 The Attack
Start with a USB Keyboard
–Numlock works
–Nothing else does
Power off, Power on, F11

29 Our options are opening up. Let's boot something else.
BackTrack (Kali): Never leave home without it

30 But I'm facing a problem
Even though I'm set to DHCP, I have no IP address.
An examination of the config files reveals the problem. The interfaces file:

    # The loopback interface, this is the default configuration:
    auto lo
    iface lo inet loopback

    # The first network interface.
    # In this case we want to receive an IP-address through DHCP:
    auto eth0
    iface eth0 inet dhcp
        # In this case we have a wired network:
        wpa-driver wired
        # Tell the system we want to use WPA-Supplicant
        # with our configuration file:
        wpa-conf /etc/wpa_supplicant.conf
        pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

31 But I'm facing a problem
But this is Linux, everything is in text files. The wpa_supplicant.conf:

    network={
        key_mgmt=IEEE8021X
        eap=TTLS MD5
        identity="a*****c"
        anonymous_identity="a*****c"
        password=*****
        phase1="auth=MD5"
        phase2="auth=PAP"
        password=*****
        eapol_flags=0
    }

32 But I'm facing a problem
I copy the files, and try again.
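The configuration on slides 30-32 is what a supplicant audit should flag before a device ships: the 802.1X credential sits on disk in cleartext, the EAP method does not authenticate the server, and the inner method is PAP. The following is an added example, not code from the talk or from the device vendor: a Python checker for wpa_supplicant.conf network blocks, run on a constructed copy of the weak config (identity and password are placeholders, not the redacted values from the slide) and on a hardened EAP-TLS variant whose certificate paths are assumed.

```python
"""Added example (not from the talk): audit wpa_supplicant.conf network blocks
for the weaknesses visible in the smart TV's config. Both configs below are
constructed; the identity, password and certificate paths are placeholders."""
from __future__ import annotations

import re

WEAK_CONF = """\
network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="tv-user"
    anonymous_identity="tv-user"
    password="hunter2"
    phase1="auth=MD5"
    phase2="auth=PAP"
    eapol_flags=0
}
"""

# What the same device could ship instead: EAP-TLS with the authenticating CA pinned.
HARDENED_CONF = """\
network={
    key_mgmt=IEEE8021X
    eap=TLS
    identity="tv-0042@example.org"
    ca_cert="/etc/ssl/certs/corp-8021x-ca.pem"
    client_cert="/etc/ssl/certs/tv-0042.pem"
    private_key="/etc/ssl/private/tv-0042.key"
    eapol_flags=0
}
"""

NETWORK_BLOCK = re.compile(r"network=\{(.*?)\}", re.DOTALL)
KEY_VALUE = re.compile(r"^\s*(\w+)=(.*)$")
TUNNELED = {"TTLS", "PEAP", "FAST"}


def parse_networks(conf: str) -> list[dict[str, str]]:
    """One dict per network={...} block, comments dropped, quotes stripped from values."""
    networks = []
    for block in NETWORK_BLOCK.findall(conf):
        fields: dict[str, str] = {}
        for line in block.splitlines():
            m = KEY_VALUE.match(line.split("#", 1)[0])
            if m:
                fields[m.group(1)] = m.group(2).strip().strip('"')
        networks.append(fields)
    return networks


def audit_network(net: dict[str, str]) -> list[str]:
    """Issue codes for one network block; empty list means nothing flagged."""
    issues: list[str] = []
    km = net.get("key_mgmt", "")
    if "IEEE8021X" not in km and "EAP" not in km:
        return issues  # not an 802.1X/EAP network; the checks below do not apply
    eap = set(net.get("eap", "").split())
    phase1 = net.get("phase1", "")
    phase2 = net.get("phase2", "")
    if "password" in net:
        issues.append("plaintext-password")  # anyone who can read the file (or boot the disk) gets a reusable credential
    if "MD5" in eap or "auth=MD5" in phase1:
        issues.append("eap-md5")             # no server authentication; challenge/response is crackable offline
    if (eap & TUNNELED or "TLS" in eap) and "ca_cert" not in net:
        issues.append("no-ca-cert")          # supplicant will talk to any authenticator, so creds can be harvested
    if "auth=PAP" in phase2:
        issues.append("inner-pap")           # password crosses the tunnel as cleartext; fatal if the tunnel is unverified
    return issues


def audit(conf: str) -> list[list[str]]:
    """Issue codes per network block, in file order."""
    return [audit_network(n) for n in parse_networks(conf)]


if __name__ == "__main__":
    print("weak:", audit(WEAK_CONF))
    print("hardened:", audit(HARDENED_CONF))
```

Each code maps to something an attacker holding a copy of the file gets for free: plaintext-password and eap-md5 mean the copied file yields a reusable credential, no-ca-cert means any switch can play authenticator and harvest it, inner-pap means the password is cleartext inside the tunnel. EAP-TLS removes the reusable password, but the client key still lives on a disk that boots from USB, so it has to be paired with a BIOS boot-order lock and password plus disk encryption or a TPM-held key, and the network side should alert when the same 802.1X identity shows up from a new MAC address.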

33 What next?
Find out where we are (external IP)
Proof-of-Concept: Open reverse shell

34 But it's not enough…
Further analysis of files reveals a lead:
This is the actual User Interface:

35 So the next logical step is…

36 So what's next?
We lost access to the devices
–At least easy access
Complete the report and go for disclosure
However… Turns out other hospitals have the same device
–So now we wait for someone to get sick…

37 Example #3: Summary
Device purpose: Smart TV for Hospital Patients
Data on device: Network Encryption Keys, Possible access to other networks
Method used to hack: USB Drive, Free Software, Keyboard, Mouse

38 Questions?
