Internet of Compromised Things
Damien Cauquil
Hack In Paris, June 22nd, 2017
Who am I ?
• R&D director and senior security researcher at CERT-UBIK
• Smart Things breaker and reverse-engineer
• Special interest in DFIR
Agenda
• IoT smart stuff : pirates’ heaven
  • Mirai !
  • How tech people investigated the Mirai botnet
  • Why it is getting worse
• The role of a connected/smart device during an investigation
• Digital forensics in the Internet of Things era
  • A complex technical environment
  • Post-mortem analysis : tools and methodologies
  • Live analysis of connected devices and operational issues
  • Introducing the Hardware Forensic Database
• Traceability and accountability
  • Not all devices are concerned
  • Observed average security level of connected devices
  • Logging and traceability
• Conclusion
Internet of super-duper dumb IPv4-enabled connected smart things that may make coffee and maybe more but that would be hacked in less than two minutes
IoT smart stuff : pirates’ heaven
• Mirai demonstrated how insecure our smart things are
  • used to launch DDoS attacks around the globe (KrebsOnSecurity, Dyn)
  • source code quickly released to hide tracks ...
  • ... a lot of clones were developed and launched
  • uses telnet and ssh services to break into cameras, DVRs, etc.
• Why target connected devices rather than servers ?
  • usually not up-to-date
  • run proprietary (insecure) software
  • difficult to monitor
• It’s getting worse !
  • new botnets designed to fight against Mirai (Hajime, BrickerBot)
  • used to mine Bitcoin, DogeCoin and other crypto-currencies
IoT smart stuff : pirates’ heaven
What could possibly go wrong ?
IoT smart stuff : pirates’ heaven
• Smart devices are now wide-spread and used
  • to secure our houses and flats : smartlocks
  • to detect burglars and intruders : smart alarms, smart CCTV
  • to make a patient’s life easier : smart insulin pumps, connected glucose monitoring systems
• What happens if one of those fails ?
  • Don’t worry, you are covered by your insurance policy !
  • Are you sure ?
  • Last but not least, you might be dead.
The role of a connected device during an investigation
The role of a connected device during an investigation
• Three major cases :
  • the device was a victim/target of a crime
  • the device has been used to commit a crime
  • the device contains some information related to a crime
The role of a connected device during an investigation
Pacemakers, insulin pumps and a lot more devices may injure people or cause death
The role of a connected device during an investigation
• The victim device may contain
  • information about how the attack was performed
  • traces related to the origin of the attacker
  • artefacts (exploits, malware, backdoors, ...)
• Required to evaluate the damages and how bad the situation is !
The role of a connected device during an investigation : TV5 Monde hack
• In April 2015, TV5 Monde was attacked and its broadcasting infrastructure shut off.
• The French ANSSI (National IT Security Agency) handled the incident
• They had a hard time figuring out how to forensically extract information from some embedded systems
• They asked the vendors about their systems
• They had to determine how to extract and preserve the evidence from these devices
• No standard procedure for this particular case
The role of a connected device during an investigation
Quadcopters as bomb droppers
• The device may contain
  • Information that may reveal its owner’s identity : serial number, email address, phone name or number, ...
  • Geographical information : GPS coordinates, take-off location
  • Photos, videos, records of previous activity
The role of a connected device during an investigation
Amazon’s Alexa device analyzed during an FBI investigation
• The device may contain
  • Information about someone’s activity : GPS coordinates, date and time of various events, information about surrounding active devices (WiFi access points), ...
  • Photos, videos
  • Logs
Digital forensics in the Internet of Things era
Digital forensics in the Internet of Things era
Extracting information from devices may seem an easy task
• Easy-peasy, it’s Linux-based with a known filesystem !
• We just need to dump the Flash memory and extract everything with EnCase !
But wait ...
• What if the device uses secure boot with military-grade encryption ?
• What if the device has no filesystem at all ?
• What if the device offers no way to access its system to extract live information ?
Digital forensics in the Internet of Things era
• A smart device uses various electronic chips to store information
  • eMMC
  • SPI Flash
  • F-RAM
  • Internal flash memory (System on Chip)
  • Internal EEPROM
• It stores information at specific unknown locations
• It may use proprietary encryption or obfuscation
• It offers no easy way to access the information
Post-mortem analysis of a smart device
Post-mortem analysis of a smart device
We need moar tools !
• Tools to desolder and clean electronic memory chips
• Tools to access memory devices and forensically extract information
• Tools to reverse-engineer firmwares and find where and how the information is stored
• Tools to bypass memory protections and other anti-dump techniques and tools (i.e. exploits !)
Post-mortem analysis of a smart device
We need a specific methodology !
• Maximum of information, minimum effort
  • allowing investigators to quickly extract valuable information
  • reducing the risk of information loss (when possible) and ensuring evidence integrity
Post-mortem analysis of a smart device
• Determine if the device has an operating system
  • Identify the main component
  • Check the datasheet and development kit
  • Determine if it usually runs an operating system
• Locate external flash memory chips (SPI Flash, NAND, eMMC)
  • Find the corresponding datasheet
  • Determine how to communicate with the memory chip : SPI, Parallel Flash, Proprietary protocol
  • Use the correct adapter/tool to extract the information
  • Desolder the memory chip if necessary
  • Use classic forensic tools on SD cards
• Create a bit-stream image of the memory chips
  • Compute SHA512 and MD5 hashes for each image
• Analyze the images
  • Look for filesystems if an operating system is used
  • Look for chip-specific information (depending on the datasheet and the associated memory map)
  • Keyword search !
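The last two steps of this methodology (hash the image, then analyze it) as an added Python example; this is not code from the talk or from the HFDB. It hashes a raw bit-stream image with SHA512 and MD5, looks for common embedded filesystem magics, flags high-entropy blocks where encryption or obfuscation would defeat a plain keyword search, and runs the keyword search itself. The 4 KiB image, its layout and the `SN=` / `PIN=` record are constructed for the example.

```python
"""Added example (not code from the talk or the HFDB): first-pass triage of a
raw memory-chip image following the post-mortem steps above. Hashes the image,
looks for filesystem signatures, flags high-entropy regions and runs a keyword
search. The sample image, its layout and its record contents are invented."""
import hashlib
import math
import re

# (magic bytes, offset of the magic inside the filesystem, required alignment
#  of the filesystem start, name). Values are the documented on-disk magics.
FS_SIGNATURES = [
    (b"hsqs", 0, 1, "SquashFS (little-endian)"),
    (b"sqsh", 0, 1, "SquashFS (big-endian)"),
    (b"UBI#", 0, 1, "UBI erase-block header"),
    (b"\x85\x19", 0, 4, "JFFS2 node (little-endian)"),
    (b"\x19\x85", 0, 4, "JFFS2 node (big-endian)"),
    (b"\x45\x3d\xcd\x28", 0, 1, "cramfs"),
    (b"\x53\xef", 0x438, 1024, "ext2/3/4 superblock"),
]


def image_hashes(data: bytes) -> dict:
    """Hashes to record in the evidence manifest. MD5 is kept only because
    older toolchains still compare it; SHA512 is the one to rely on."""
    return {"sha512": hashlib.sha512(data).hexdigest(),
            "md5": hashlib.md5(data).hexdigest()}


def find_filesystems(data: bytes) -> list:
    """Return (offset, name) for every plausible filesystem start."""
    found = []
    for magic, magic_off, align, name in FS_SIGNATURES:
        for m in re.finditer(re.escape(magic), data):
            start = m.start() - magic_off
            if start >= 0 and start % align == 0:
                found.append((start, name))
    return sorted(found)


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte (0.0 for erased flash, 8.0 for ciphertext)."""
    if not block:
        return 0.0
    counts = [0] * 256
    for b in block:
        counts[b] += 1
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def high_entropy_regions(data: bytes, block_size: int = 256,
                         threshold: float = 7.0) -> list:
    """Blocks whose entropy suggests encryption, compression or obfuscation,
    i.e. places where a plain keyword search will find nothing."""
    regions = []
    for off in range(0, len(data), block_size):
        ent = shannon_entropy(data[off:off + block_size])
        if ent >= threshold:
            regions.append((off, ent))
    return regions


def keyword_search(data: bytes, keywords: list) -> list:
    """For each keyword hit, return (offset, printable ASCII run starting at
    that offset) so the investigator sees the whole record, not just the hit."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw), data):
            end = m.start()
            while end < len(data) and 0x20 <= data[end] < 0x7F:
                end += 1
            hits.append((m.start(), data[m.start():end].decode("ascii")))
    return sorted(hits)


def build_sample_image() -> bytes:
    """Constructed 4 KiB image: erased flash (0xFF), a SquashFS magic, an
    invented configuration record and one block of maximal entropy."""
    img = bytearray(b"\xff" * 0x200)
    img += b"hsqs" + b"\x00" * 92            # SquashFS superblock start at 0x200
    img += b"\xff" * (0x400 - len(img))
    img += b"SN=QL-0001\x00PIN=1234\x00"     # invented record at 0x400
    img += b"\xff" * (0x800 - len(img))
    img += bytes(range(256))                 # 8.0 bits/byte block at 0x800
    img += b"\xff" * (0x1000 - len(img))
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(image_hashes(image), find_filesystems(image))
    print(high_entropy_regions(image), keyword_search(image, [b"SN=", b"PIN="]))
```

On a real dump, read the file into `data` in place of `build_sample_image()` and extend `FS_SIGNATURES` with whatever the chip datasheet says about the memory map.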
Post-mortem analysis of a smart device
Case Study : TheQuickLock padlock
Post-mortem analysis of a smart device
1. Open the smartlock
Post-mortem analysis of a smart device
2. Get your hands on the PCB
Post-mortem analysis of a smart device
• Main component : Texas Instruments CC2541
• Does it run an OS : NO
• No external memory chip : data is stored in the CC2541 SoC
• Memory access : we need a CC Debugger to dump the flash
Post-mortem analysis of a smart device
3. Access the memory and dump
Post-mortem analysis of a smart device
• Where is the interesting information stored ?
  • No OS : information is stored in Flash
  • We need to find where the interesting information is stored
  • It is not a trivial task and requires some time to figure out
Post-mortem analysis of a smart device
4. Extract the PIN code from Flash
Post-mortem analysis of a smart device
5. Extract the event log
Live analysis of compromised devices
Live analysis of compromised devices
• Analysis is often difficult
  • no easy way to communicate with the device
  • no system access while the system is active (if we want to keep it active)
  • no standard procedure, it’s not a computer !
• Lack of proper tools
  • We have to deal with U(S)ART or BLE interfaces
  • Standard DFIR toolkits provide no way to interact with these protocols
Live analysis of compromised devices
• If it’s on, keep it on !
  • Powering off the device may destroy evidence
  • The device may provide an easy way to extract valuable information
• Identify the best way to extract information from the device
  • Find a working communication channel
  • Ensure it offers access to valuable information
• Use this communication channel to gather as much information as possible
  • Available information depends on the device
  • The device MUST provide a feature to get valuable information (error codes, logs, ...)
Live analysis of compromised devices
• Use available tools to access the device
  • Linux’ GATT client to communicate through BLE
  • screen or minicom to communicate through U(S)ART
• Collect every valuable piece of information, following the Order of Volatility
  • Active memory
  • Processes list
  • Active connections
  • IP Addresses
  • BD Addresses
  • Files (or assimilated)
  • Serial numbers
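The live-collection rules above ("keep it on", order of volatility, forensically sound tooling) as an added Python example, not code from the talk or from the HFDB. It records every command sent over the UART/BLE channel and every response received into a SHA-256 hash-chained manifest, refuses commands that would change the device state, and can verify a manifest afterwards. `FakeDeviceLink`, its table of answers, the command names and the camera they describe are all constructed; on a real device a serial or GATT client with the same `query()` method takes its place.

```python
"""Added example (not code from the talk or the HFDB): a live-acquisition
recorder for a device reached over UART or BLE. Steps run in order of
volatility, state-changing commands are refused, and each command/response
pair goes into a SHA-256 hash-chained manifest that can be verified later.
The device link, its answers and the command names are constructed."""
import hashlib
import json
from datetime import datetime, timezone

# Commands that would alter or stop the running device; never sent live.
DESTRUCTIVE = {"reboot", "poweroff", "halt", "shutdown", "rm", "dd", "mkfs"}
GENESIS = "0" * 64  # prev-hash of the first manifest entry

# Constructed answers of a hypothetical Linux-based camera's UART console.
SAMPLE_RESPONSES = {
    "ps": b"  PID USER  COMMAND\n    1 root  init\n  312 root  /usr/bin/camd\n",
    "netstat -an": b"tcp  0  0 192.0.2.10:23  0.0.0.0:*  LISTEN\n",
    "ifconfig": b"eth0  HWaddr 02:00:00:00:00:01  inet addr:192.0.2.10\n",
    "cat /proc/cpuinfo": b"system type : constructed-soc\n",
}
# Most volatile first, as the order-of-volatility list above recommends.
SAMPLE_STEPS = [("processes", "ps"), ("connections", "netstat -an"),
                ("addresses", "ifconfig"), ("hardware", "cat /proc/cpuinfo")]


class FakeDeviceLink:
    """Stand-in for a UART/BLE link: answers from a fixed table."""
    def __init__(self, table: dict):
        self.table = table

    def query(self, command: str) -> bytes:
        return self.table.get(command, b"ERR unknown command\n")


def entry_hash(entry: dict) -> str:
    """Hash of the canonical JSON of an entry, excluding its own hash field."""
    payload = {k: v for k, v in entry.items() if k != "entry_hash"}
    canon = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class AcquisitionSession:
    def __init__(self, link, device_id: str, now=None):
        self.link = link
        self.device_id = device_id
        self.entries = []
        self.prev_hash = GENESIS
        # Injectable clock so a session can be replayed deterministically.
        self.now = now or (lambda: datetime.now(timezone.utc).isoformat())

    def collect(self, label: str, command: str) -> bytes:
        """Send one read-only command and append it to the chained log."""
        if any(tok in DESTRUCTIVE for tok in command.split()):
            raise ValueError(f"refusing state-changing command: {command!r}")
        response = self.link.query(command)
        entry = {"seq": len(self.entries), "time": self.now(), "label": label,
                 "command": command, "response_hex": response.hex(),
                 "response_sha256": hashlib.sha256(response).hexdigest(),
                 "prev": self.prev_hash}
        entry["entry_hash"] = entry_hash(entry)
        self.prev_hash = entry["entry_hash"]
        self.entries.append(entry)
        return response

    def run(self, steps) -> dict:
        """Run the steps in the given (volatility) order, return the manifest."""
        for label, command in steps:
            self.collect(label, command)
        return {"device": self.device_id, "entries": list(self.entries)}


def verify_manifest(manifest: dict) -> bool:
    """Recompute every response hash and chain link; any edit breaks it."""
    prev = GENESIS
    for i, e in enumerate(manifest["entries"]):
        raw = bytes.fromhex(e["response_hex"])
        if (e["seq"] != i or e["prev"] != prev
                or hashlib.sha256(raw).hexdigest() != e["response_sha256"]
                or entry_hash(e) != e["entry_hash"]):
            return False
        prev = e["entry_hash"]
    return True


if __name__ == "__main__":
    session = AcquisitionSession(FakeDeviceLink(SAMPLE_RESPONSES), "cam-01")
    manifest = session.run(SAMPLE_STEPS)
    print(json.dumps(manifest, indent=2), verify_manifest(manifest))
```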
Live analysis of compromised devices
Case Study : Fora Glucose Monitoring System
Live analysis of compromised devices
• The device relies on its own protocol over Bluetooth LE
  • Old serial protocol ported to BLE
  • Offers a lot of features
  • May be used to extract information
Live analysis of compromised devices
• We can then collect
  • All records stored in the device
  • Firmware information
  • Serial Number
• Dedicated tool available in the HFDB
  • Collect all the measures stored on a device
  • Features in development : serial number and firmware info
Live analysis of compromised devices
    $ node diamondmini.js -t XX:XX:XX:XX:XX:XX
    Number of records: 1
    Newest record index is: 0
    --- Records ---
    16/8/16 16:43 - 147 mg/dL
Live analysis of compromised devices : Other tools you may need
Introducing the Hardware Forensic Database
Introducing the Hardware Forensic Database
• Origins
  • We needed a central place to report the tools/methodologies required to extract information from various devices
  • We wanted it to be collaborative as other CERTs may want to add more information about other devices
• What does it contain ?
  • Detailed information about various devices (electronics, available interfaces)
  • Curated methodologies to investigate each device
  • Forensically-sound open-source tools to collect information
  • Known vulnerabilities that may be used to bypass protections and access information
Introducing the Hardware Forensic Database
• Goals
  • To allow a quick and efficient incident response
  • To provide all the required materials to investigate a device
  • To provide the right methodology when handling a device
In short, to speed up investigations !
Introducing the Hardware Forensic Database : HFDB home page
Introducing the Hardware Forensic Database : Forensic Summaries
Introducing the Hardware Forensic Database : Detailed methodology for each device
Introducing the Hardware Forensic Database : Open-source forensic tools
Introducing the Hardware Forensic Database
• Only 4 devices listed at this time in this database
  • We are working with vendors/organisations to publicly disclose forensic tools related to some other devices (get rid of NDAs)
  • Other devices are currently being investigated, but it takes time !
• The HFDB is still in development
  • We regularly add content to this database
  • We hope other CERTs and security researchers will jump on the bandwagon !
Traceability & Accountability
Traceability & Accountability
• Traceability & Accountability are important
  • Who did what and when
  • Imputability / Non-repudiation
• Not always mandatory at object level
  • It depends on how the connected/smart thing is used / was designed
  • optional for non-critical devices : smart hairbrushes, smart toothbrushes
  • mandatory for access control devices and healthcare devices
Traceability & Accountability
• Observed average security level of connected devices
  • Level is low !
  • Lots of attacks in the news : teddy bears, thermostats, smartlocks, ...
  • Difficult to secure the whole chain : servers, communication protocols and connected objects
Traceability & Accountability
• IoT investigation is currently difficult
  • Many devices simply do not keep logs (not enough memory, time consuming)
  • No information on where to find valuable information : reverse-engineering is mandatory !
  • We still have to exploit vulnerabilities to retrieve critical information
• TV5 Monde hack : the French ANSSI investigated the attack
  • They had a hard time figuring out how to forensically collect and analyze data from multiple embedded systems
  • They had to ask the vendor about the procedure they should use to extract the filesystem
  • No standard procedure, the vendor did not take into account the fact that its device may be hacked ...
Traceability & Accountability : Summary
• Lack of logging and documentation
  • Unlike computers, embedded systems do not have a standard way to log and keep track of events
  • Every vendor does it its own way, and we have to figure out every one of them
• Security vs. forensic investigations
  • Vendors harden their systems to avoid IP theft or hacking
  • Since they do not provide a way to securely extract valuable information, we too need to hack into these systems !
• Still some efforts to do !
  • Why not use SD cards to log information (if any) ?
  • Vendors may document their logging mechanisms or provide tools and features to extract information
Questions ?
Contact
Website : www.digitalsecurity.fr
Email : [email protected]
Twitter Digital Security : @iotcert
Twitter Personal account : @virtualabs