Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber

Page 1: Inbar Raz - Physical (In)Security – it’s not –ALL– about Cyber

©2013 Check Point Software Technologies Ltd.

Physical (In)security

Inbar Raz, Malware & Security Manager, Check Point Software Technologies

Page 2

Types of Vulnerability Disclosures

Responsible Disclosure:
– Contact the vendor only and inform them of the vulnerability
– If asked, work with the vendor
– After 3-6 months, proceed to Full Disclosure

Full Disclosure:
– Publish all information, including POC
– Sometimes – only a video of POC

Page 3

Disclosure #1

Vendor: An Online Movie Ticket Service

Field: Online shopping and entertainment

Affected Product: On-site Ticket Kiosk

Vulnerability: Multiple vulnerabilities cause the compromise of both customer and company data

Page 4

Disclosure Details

On-site Kiosk

Touch Screen

Credit Card Reader

Ticket Printer

No peripherals, no interfaces

And the journey begins…

Page 5

Disclosure Details

Improper interface settings allow the opening of menu options.

Menus can be used to browse for a new printer.

Page 6

Disclosure Details

A limited browser is not restricted enough.

A right-click can be used…

To open a full, unlimited Windows Explorer.

Now the sky is the limit…

Page 7

Disclosure Details

Browsing through the file system reveals indicative directory names…

And even more indicative file names.

Page 8

Disclosure Details

Bingo: Credit Card Data (Unencrypted!)

Tools of the trade: Notepad

We can use the ticket printer to take it home

Page 9

Disclosure Details

But that’s not all: RSA Keys and Certificates are also found on the drive!

Which we can print, take home and then use a free OCR software to read…

Page 10

Disclosure Details

The result:

RSA Keys used to bill credit cards.
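Added example, not part of the original deck: an audit script a kiosk operator could run over a kiosk's drive (or a mounted image of it) to find the two kinds of material this disclosure turned up, card numbers stored in the clear and PEM private keys sitting next to the billing software. It walks a directory tree, reports Luhn-valid card-number candidates in masked form only, and flags PEM private-key headers. The directory layout, file names, log lines and the card number are constructed sample data (4111111111111111 is the public Visa test number), not anything from the disclosed kiosk.

```python
import os
import re
import tempfile

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# PEM private-key headers in the forms OpenSSL commonly writes.
KEY_RE = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, so the report itself holds no full PAN."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str) -> list:
    """Return (kind, detail) findings for one file's contents."""
    findings = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(("pan", mask(digits)))
    if KEY_RE.search(text):
        findings.append(("private_key", "PEM private key block"))
    return findings


def scan_tree(root: str) -> dict:
    """Walk a tree and map each offending file (relative path, '/'-separated) to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                results[os.path.relpath(path, root).replace(os.sep, "/")] = hits
    return results


def build_sample_tree() -> str:
    """Constructed stand-in for a kiosk drive: a transaction log, a key file and a benign file."""
    root = tempfile.mkdtemp(prefix="kiosk_audit_")
    os.makedirs(os.path.join(root, "billing", "logs"))
    os.makedirs(os.path.join(root, "billing", "keys"))
    files = {
        "billing/logs/trans.log": (
            # public Visa test number, Luhn-valid: must be reported (masked)
            "2013-06-12T14:30:15 SALE amount=42.00 pan=4111111111111111 auth=OK\n"
            # last digit altered: fails Luhn, must not be reported
            "2013-06-12T14:31:02 SALE amount=17.50 pan=4111111111111112 auth=DECLINED\n"
        ),
        "billing/keys/merchant.pem": (
            "-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEowIBAAKCAQEA...constructed placeholder, not a real key...\n"
            "-----END RSA PRIVATE KEY-----\n"
        ),
        "readme.txt": "Kiosk build 2013-06. Contact the service desk on 03-555-0100.\n",
    }
    for rel, content in files.items():
        with open(os.path.join(root, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


def audit_sample() -> dict:
    """Build the constructed tree, scan it and return the findings."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for path, hits in sorted(audit_sample().items()):
        for kind, detail in hits:
            print(f"{path}: {kind}: {detail}")
```

The Luhn filter removes most accidental digit runs (timestamps, order numbers) but not all, so a hit is a lead for a human to confirm, not proof by itself; private-key headers, on the other hand, are unambiguous and any hit on a kiosk drive means the key needs to be treated as exposed and rotated.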

Page 11

Disclosure #2

Vendor: Point-of-Sale Manufacturer and Users

Field: Network Security

Vulnerability: Improper physical security allows access to insecure PoS devices after hours.

Page 12

Disclosure Details

Point-Of-Sale devices are all around you.

Page 13

Disclosure Details

Location: A bar in Tel-Aviv

During working hours – tables, chairs and PoS outside

After hours – everything is locked inside the facility

But the Ethernet port remains hot – in public space…

Page 14

Attack Vector

In the past – play hacker/script kiddie with BackTrack.

Today: Fire up Wireshark, discover IPs of live machines.

Page 15

Attack Vector

Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254

Confirm by ping (individual and broadcast)
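As an added defender-side example (not part of the deck), the mirror image of the discovery step above: the same broadcast traffic that lets a visitor on the hot port enumerate live hosts also tells the operator when a device that is not in the inventory shows up, and the time of day tells whether anyone should be on that segment at all. The script below parses a constructed ARP log, ignores inventoried MACs, raises one alert per unknown (MAC, IP) pair and rates sightings outside opening hours as high. The log format, inventory, MAC addresses and opening hours are all constructed for the example.

```python
import re
from datetime import datetime, time

# Constructed inventory of the devices that belong on the bar's LAN (MAC -> role).
INVENTORY = {
    "00:11:22:33:44:01": "pos-terminal-1",
    "00:11:22:33:44:02": "pos-terminal-2",
    "00:11:22:33:44:04": "back-office-pc",
    "00:11:22:33:44:fa": "adsl-router",
    "00:11:22:33:44:fe": "kitchen-printer",
}

# Constructed opening hours: 11:00 until 02:00 the next morning (the window crosses midnight).
OPEN_FROM = time(11, 0)
OPEN_UNTIL = time(2, 0)

# Constructed log format: "<ISO timestamp> arp sender=<ip> mac=<mac>", one ARP sender per line.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) arp "
    r"sender=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) mac=(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$"
)


def is_after_hours(ts: datetime) -> bool:
    """True when ts falls outside opening hours, handling a window that crosses midnight."""
    t = ts.time()
    if OPEN_FROM > OPEN_UNTIL:
        return OPEN_UNTIL <= t < OPEN_FROM
    return not (OPEN_FROM <= t < OPEN_UNTIL)


def parse_line(line: str):
    """Return (timestamp, ip, mac) or None for a line that does not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["mac"].lower()


def analyse(lines) -> list:
    """Raise one alert per unknown (mac, ip) pair; after-hours sightings are rated high."""
    alerts = []
    reported = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, mac = parsed
        if mac in INVENTORY or (mac, ip) in reported:
            continue
        reported.add((mac, ip))
        after_hours = is_after_hours(ts)
        alerts.append({
            "time": ts.isoformat(),
            "ip": ip,
            "mac": mac,
            "severity": "high" if after_hours else "medium",
            "reason": "unknown device on PoS LAN" + (" after hours" if after_hours else ""),
        })
    return alerts


# Constructed sample log.
SAMPLE_LOG = [
    "2013-06-12T21:05:11 arp sender=192.168.0.2 mac=00:11:22:33:44:02",   # known terminal, open hours
    "2013-06-13T03:14:07 arp sender=192.168.0.77 mac=DE:AD:BE:EF:00:01",  # unknown device at 03:14, bar closed
    "2013-06-13T03:14:09 arp sender=192.168.0.77 mac=de:ad:be:ef:00:01",  # same device again, suppressed
    "2013-06-13T12:40:00 arp sender=192.168.0.90 mac=de:ad:be:ef:00:02",  # unknown device during opening hours
    "2013-06-13T12:41:00 switch: link up on port 7",                       # unrelated line, ignored
]


def analyse_sample() -> list:
    return analyse(SAMPLE_LOG)


if __name__ == "__main__":
    for a in analyse_sample():
        print(f"[{a['severity']}] {a['time']} {a['ip']} {a['mac']}: {a['reason']}")
```

Detection of this kind is a backstop, not the fix: the outdoor port should be disabled or, better, placed behind 802.1X so an unknown device never gets onto the PoS segment in the first place. The MAC allowlist is also only as good as the inventory; MACs can be set freely, so an alert that does not fire is weaker evidence than one that does.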

Page 16

Attack Vector

Evidence of SMB (plus prior knowledge) leads to the next step:

And the response:

Page 17

Things to do with an open share

#1: Look around

Page 18

Things to do with an open share

#1: Look around

#2: Create a file list

Page 19

The mystery of 192.168.0.250

Answers a ping, but no SMB.

First guess: the ADSL Modem.

Try to access the Web-UI:

Page 20

The mystery of 192.168.0.250

Use the full URL:

Page 21

Reminder: We actually had this information.

Going for the ADSL router

Page 22

Going for the ADSL router

Naturally, there is access control:

Want to guess?

Page 23

Unlocked Achievements

Best for me, worst for them: Credit card data.

Database files (yet to be analyzed).

The program files of the billing system.

Potential attack through the internet.

Page 24

Next Steps

Create a Responsible Disclosure document for the PoS manufacturer

Send an Advisory to businesses

Page 25

IMPORTANT NOTICE

The bar operation was with full cooperation and consent.

DOING THIS ON YOUR OWN IS ILLEGAL.