©2013 Check Point Software Technologies Ltd. Physical (In)security: Its not all about Cyber… Inbar Raz Malware & Security Research Manager Check Point

©2013 Check Point Software Technologies Ltd.

Physical (In)security:

It’s not all about Cyber…

Inbar RazMalware & Security Research ManagerCheck Point Software Technologies

2©2013 Check Point Software Technologies Ltd.

Background

Who am I?– I like to reverse things – software, hardware, ideas, rules.– I like to find problems and have them fixed (by others…)

What do I do?– Run Malware & Security Research at Check Point– Create Responsible Disclosures– Concentrate on “little to no-skills needed”

– Easier to demonstrate and convince


Example #1: Movie Ticket Kiosk

On-site Kiosk

Touch Screen

Credit CardReader

Ticket Printer

No peripherals,No interfaces

http://www.k-kiosks.com/?view=products&id=522784


The Attack

Improper interface settingsallow the opening of menuoptions.

Menus can be used tobrowse for a new printer.


A limited Windows Exploreris not restricted enough.

A right-click can be used…

To open a full, unrestrictedWindows Explorer.

The Attack


The Attack

Browsing through thefile system revealsinteresting directory names…

And even more interestingfile names.


The Attack

Bingo: Credit Card Data(Unencrypted!)

Tools of the trade: Notepad

We can use the ticketprinter to take it home


The Attack

But that’s not all:RSA Keys and Certificatesare also found on the drive!

Which we can print, takehome and then use afree OCR software to read…


The Attack

The result:

RSA Keys used tobill credit cards.


Example #1: Summary

Device purpose: Print purchased Movie Tickets

Data on device: Credit Card data and Encryption Keys

Method used to hack: 1 finger


Example #2: Point-of-Sale Device

Point-Of-Sale devicesare all around you.


The Attack

PoS Device located outside business during the day

At the end of the day, it is locked inside the business


The Attack

But one thing is left outside, in the street:


The Attack

In the past – play hacker/script kiddie with BackTrack.

Today: Fire up wireshark, discover IPs of live machines.


The Attack

In the past – play hacker/script kiddie with BackTrack.

Today: Fire up wireshark, discover IPs of live machines.

Detected IP addresses:– 192.168.0.1– 192.168.0.2– 192.168.0.4– 192.168.0.250– 192.168.0.254

Confirm by ping (individual and broadcast)


The Attack

Evidence of SMB (plus prior knowledge) leads to the next step:

And the response:

17©2013 Check Point Software Technologies Ltd.[Restricted] ONLY for designated groups and individuals

Things to do with an open share

#1: Look around– Establish possible attack vectors


Things to do with an open share

#1: Look around– Establish possible attack vectors

#2: Create a file list– Not like stealing data, but very helpful


The mystery of 192.168.0.250

Answers a ping, but no SMB.

First guess: the ADSL Modem.

Try to access the Web-UI:


The mystery of 192.168.0.250

Use the full URL:


Reminder: We actually had this information.

Going for the ADSL router


Going for the ADSL router

Naturally, there is access control:

Want to guess?


Example #2: Summary

Device purpose: Cash Register and Local Server

Data on device: Credit Card data, Customer Database

Method used to hack: MacBook Pro, Free Software


Other opportunities

A Medical Clinic in Tel-Aviv– Complete disregard for

attendance systems


Other opportunities

A Hospital in Tel-Aviv


Other opportunities

An ATM at a shopping mall


Example #3: Hospital Smart TV

Features– Watch TV– Listen to music– VOD– Browse the Internet

Peripherals:– Touch Screen– Credit Card Reader– Earphones

And…

– USB…


The Attack

Start with a USB Keyboard– Numlock works– Nothing else does

Power off, Power on, F11


Our options are opening up.

Let’s boot something else

BackTrack (kali):Never leave homewithout it


Even though I’m set to DHCP, I have no IP address.

An examination of the config files reveals the problem:

But I’m facing a problem

# The loopback interface, this is the default configuration:auto loiface lo inet loopback

pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg offpre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

# The first network interface.# In this case we want to receive an IP-address through DHCP:auto eth0iface eth0 inet dhcp

# In this case we have a wired network:wpa-driver wired

# Tell the system we want to use WPA-Supplicant # with our configuration file:wpa-conf /etc/wpa_supplicant.confpre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off



An examination of the config files reveals the problem.

But this is linux, everything is in text files


network={ key_mgmt=IEEE8021X eap=TTLS MD5 identity="a*****c“ anonymous_identity="a*****c“ password=“*****“ phase1="auth=MD5“ phase2="auth=PAP password=*****“ eapol_flags=0}



An examination of the config files reveals the problem.

But this is linux, everything is in text files

I copy the files, and try again.



What next?

Find out where we are (external IP)

Proof-of-Concept: Open reverse shell


Further analysis of files reveals a lead:

http://192.168.0.250/client/

This is the actual User Interface:

But it’s not enough…


So the next logical step is…


So what’s next?

We lost access to the devices– At least easy access

Complete the report and go for disclosure

However…

Turns out other hospitals have the same device– So now we wait for someone to get sick…


Example #3: Summary

Device purpose: Smart TV for Hospital Patients

Data on device: Network Encryption Keys, Possible access to other networks

Method used to hack: USB Drive, Free Software, Keyboard, Mouse


Questions?

Documents

©2013 Check Point Software Technologies Ltd. Physical (In)security: Its not all about Cyber… Inbar Raz Malware & Security Research Manager Check Point