Attacking Encrypted USB Keys the Hard(ware) Way

Video Statistics and Information

Video

Captions Word Cloud

Captions

mucho my name is Eddie Boston and today with the help of jean michel and jaime we're going to tell you about how we went about attacking encrypted USB keys so we simply remain a survey and ask people who have a USB key wear this to a corporate data did you ever lost one of them odd is one of them were stolen and then we had thirteen percent of the survey respondents said yes i lost one of those so that means that one way or another someone will get the hand of your data suanne encrypted USB key so that begs a question if i'm using an encrypted key is my data safe am i can i sleep at night or do i have a leak on my hand well to answer this question we need to know ours is encrypted USB key truly secure and the best way to do that hey we are the security conferences to attend ourself because we couldn't find online anywho any good methodology or correct evaluation of the security of those so today in the real spirit of blackhat we're going to show you we attack against real key is that we found during our audit and we want to share with you the journey where we did it the key for our own purposes because we feel it's useful for the community as a whole we also would like your help into making some of the attack working because some of them who are going very very deep into the hardware required love work and the love understanding that we don't necessarily have and we would love to get more people who know the stuff to help us out so we can all have a very nice methodology so we shall use the attack we have will show you what we are and hopefully at the end you will be inspired to work with us and all of us can have a better stronger methodology for those encrypted key that we give to all our user to protect our copyright data sounds good yes thank you okay so to be to be clear we have the key here I've started to calm and you can show you how many of them we broke we revoke the selection of those we'll show you a few demo as well we are even live attacks of free as iam so let's get started by quickly recapping you should we should guys's sorry all right we're going to start with talking to you about how a encrypted USB key looks like from inside ok so this is the diagram of it so you have obviously a USB plug and a PCB where your electronic components are then you have something which we call the controller which is usually a microprocessor which is also in charge of doing the cryptographic operation and ensuring that your key stays secure and of course you have the storage we're used to all your data what the extra price that come from those keys is obviously the controller which contains the crypto and stuff off right and then you have some sort of input mechanism who the controller takes input from to know that you have the right password maybe a fingerprint might be a pin code might be a software might be rfid tag either way the controller is the one who is a gatekeeper of the data so here's a real one same thing right you have the controller in the middle and then you have the storage on the right side exactly what I described to you we also see some keys which are more compact and where they actually baked the controller and the storage into the same systems so it's silicon sorry so it's harder to first to analyze because we can't obviously get out the chips out to the hollow-cheeked the thing on the right side is the fingerprint reader where you can put your thumb and then unlock your key all right so the first question to answer is why the hell are we doing a audit methodology for security key we have the knees right and this health certification for USB key so why we doing something which already exists and is working well let me tell you about the NIST methodology so you can sit for yourself there is two certification the first one is v 140 which is supposed to verify how cryptographic operations are done it's a disclosure process by every vendor which is certified and it's going to be validated by NIST there's another one which is v 197 but basically to say I'm using AES so we're not going to talk about this one so 540 well the twittering why we want something better or actually more comprehensive be clear is because the only interested into the cryptographic operation that the key is doing everything from manufacturing to security of the pin input or everything like that is not covered by certification so there is a lot of room and we will see for attack which are not covered by the certifications that's what we would like and advocating for a certification which is more comprehensive we have another way to explain that sorry before that and we also found we did review those documents orally we spend tons of time looking into every certification and you can see this here's an example of the certifications for the iron key and what it's a little bit concerning for us is as you can see is for the iron key except the documents they were it was the data traveler D 4000 so somehow somewhere is a NIST validation process failed here and they actually have a document which a lot of copy passed and so we not even sure the document is correct and again this is very hard to verify because it's back into the silicon so we would like to have a little bit more sort of verification when document is submitted another way for us to summarize what it needs is for us when we looked at it is this basically if you trust your security needs you are missing a lot of things who would like to cover them today so we come up with a new methodology and we're going to walk through the basic and then what goes to a few attacks ways to illustrate our point so what was the first thing we did is we separated the attackers into three categories so first one we call certainly be tooth attacker is the opportunistic attacker which has many more resources as someone who would find a key on the ground or someone who will grab a key from a desk and have no prior knowledge or it's not very resourceful and will try to plug it and try to do something probably the most common type of attacker the second type of attacker our professional is a for hire or for business the company who tries to go and have in-depth knowledge of how encrypted key works and if there is an attack they will know how to carry it last but not least we have what we call statement or attacker which is a fancy word to say someone who really is after specific data which might be on the encrypted key whether a strike a specific the cryptographic key or a specific document or backup data and they will make a large investment to break a single key and the difference between the professional and the state sponsor is a size control is more interested in to breaking one specific key whereas a professional would be more interested in breaking as many key as possible right so two different mindset we also have three type of impact the first one is weakening the security which is basically it's not a flow by itself but it actually makes our job easier as an attacker the second one is a single drive break so basically the attacker you to break one key and recover some of the data which is in one specific key and the last one is what we call a full break which is like the logical flow inside the key and you can recover the data from every key which have the same model and to the same making so what do we want to cover doing and see audit there is five categories that we would like to cover because we believe those five encompasses most of the attack you can carry out those five our manufacturing sector manufacturing how you manufacture your key such that it's actually more resilient to attack second is input security how do you make sure that the input part of the key is actually safe third is a controller security because obviously you don't want the controller to spill your secret and properly destroy the key third is as NIST force way as in is a cryptographic operation make sure that you use correct crypto and last but not least you want to verify storage where you want to make sure that the data is really important on the storage device all the chips itself all right so we're going now to go to each of those five in turn and show you a bunch of attacks and johnnesha we'll start with talking about defensive manufacturing thanks Eddie so for the manufacturing the goals we had in mind during the investigation and the audit was that it's the first layer of protection you will get because it will mitigate other attacks it will slow down the analysis by hiding the components and preventing people from tampering with the key but it's also the last layer of protection because that's also what will protect your key very advanced attacks such as electromagnetic radiation measurements with tempest like attacks during the audit we discovered some keys which were providing some copper shielding and this copper foil was actually connected to the ground of the USB stick making making the protection effective some other keys were also using some epoxy like this one which basically prevents you from reading what components they are using and it's quite tedious to remove that layer of epoxy we also saw some other keys during the audit like this one and the coating didn't look like real epoxy so I started using a piece of rag with some acetone rubbing into it and the piece of rag was turning into black so it seems to be efficient so I was keeping the key into a bath of acetone over the night and I ended up having a very clean USB stick at the end so be careful to use real epoxy and on this one this key was actually certified by the nest and on the documentation they were actually stated that it was coated in epoxy which means that the NIST valued validation process was failing at seeing it was not real epoxy or validating that it was real epoxy another layer of protection is a leather etching the references of the component even if it means security through obscurity it's really hard to find the data sheets of the USB controller that are used there except when they leak so if you don't have the reference it will be very hard to identify which component they are actually using it's hard to see on the picture but it's not just a black marker it's really milled so the reference is not there anymore but that's an extra cost at the manufacturing line type line so you have to be sure that you use the right service because here they pay the extra for nothing because we can still see the references of the continent another thing that you have to pay attention that manufacturing is about the debug posts that I used to test the USB key at the manufacturing level or during the development process and on this one on the far right side you can see some pins some small solder pads that are there and labeled which are actually used as a debug port and you will see later on an attack leveraging those and so this is how we summarize for each category the different control points that we have they are ordered by the level required for the attacker and then also by the impact that it means and now I will let let me talk to you about the input mechanism thanks Michelle my name is Remy I'm a software engineer at Google and I'll tell you about the security of the input mechanism of the keys we identified two main components the first one is that only all valid users are able to unlock the key and I've access to the data the second one is that we should not be able to add a new user to the key during the audit we had multiple kind of input mechanism on the key we we selected first one is the PIN pad when you enter a number and then you want the key you get access to the data the second is using a badge you swipe the badge and it unlocks the dastar drive then we have the fingerprint reader something you put your finger on the fingerprint sensor it unlocks the drive and last is a software-based so you plug the key and you have a first partition that pops out that gives you a software in which you can enter a password and when you when you type enter it will unlock the key if you gave the right password let me tell you about the first attack we found during the audit it targets a fingerprint based key on which we can replay an analog command the impact of this attack is a fulbright meaning we can actually recover the data of all the key of this model and we rate this attackers by the professional as required a few tools this kind of attack is not new and actually in 2010 another model of key was fun venerable where you could recover the data without knowing the password here is the new model to fingerprint-based is what the finger you and all the key when you open the shell you get this PCB on the left you have the USB controller then on the right you got the fingerprint sensor and then the file right you see see the screen and pins with the label of a debug port so you've got USB if that clock and you also got Rx and TX D which are a serial line so we mapped the PCB and here is the logic diagram of the key the sensor is connected to a fingerprint monitor the finger prick metal reads you thing and played this fingerprint reader is controlled by the USB controller over the serial line and is the USB controller that's responsible for unlocking the storage and decrypting it can see we found a serial design flaw in the serial line because it was not protected and we were able to with what was sent up as a serial line here is a picture of the attack we started we by playing the key on our computer soldering some paint some wire on the debug pins and then worried that to a serial port here disparate and we conducted the attack by simply using the key normally and using the post pirate we read what was going on on the still line when we swiped our involved finger and what we saw was a static command saying which was the number we swiped just a number non finger number zero then we unplugged the key put it back again and using the best pirate to write the exact same command we saw the first time and it would unlock the key let me show you a small video of the attack so on the laptop on the left you see the actual command that you have to send over UART playing the key blue light wiring the best pirate on the right you got the windows top I sang the command and you see the partition got opened on the windows with access to all the data without using the fingerprints during the audit we found another attack which was that the input tag of the USB hard drive could be cloned and the impact of this attack is only a single dry because you cloned the tag of the drive you want to attack and as it also requires some tool we rate the attacker as professional here is the venerable model along with the tag that you have to swipe to unlock the drive when you open the drive you have this PCB with the SATA port that's used to connect to the actual hardware that will be encrypted the RFID call used to read the tag with its little controller and the configuration and to conduct the attack you need an RFID research tool here it's a proxmark and reprogrammable rfid tag it will be used to clone the tag here's a video of the attack here is the oven USB Drive red light means it's locked and we will use the real tag green light it's unlocked using the RFID research tool we read the content of the tag and write the content back into the reprogrammable tag as you can see it's pretty fast and then using our custom tag we swipe it just like the real one and you see green light the drive is unlocked we've got access to all the data summing up for the input I detect area we found the one in bold are the one we actually found attacks against and we models are vulnerable which are the unlock command can be replayed and we found an attack where the input could be cloned summing up with the impact and the kind of attacker that can connect D the attack moving on I'll let Elliot talk to you about the security of the controller in USB keys Thank You Jaime so the third part we want to cover a thermoset is a controller which is kind of a brain of the key and here we have many goals because that's the place where most of the security happen the first one is and it seems obvious but you'll see we have some attack against it is the controller is is supposed to protect your secret which means the controller should never leak your password or the AES key that seems obvious but somehow some people fail at it the second thing is you expect the controller to lock the drive when it's needed meaning if you unplug the drive well the drive should be locked and if you have a glitch on the USB port it should lock itself and so forth and so forth so we expect it to do that we also expect the drive to destroy secrets at least your zero out the AES key so that the drive become unusable when it's under after a few statistics and successful attempt you will imagine again that is something that is granted turns out it's not and last but not least and this is more like wishful thinking we would like to have a few more attestation meaning today there is no guarantees that there is not a way to have a backdoor framework we have no way to attest that the theme we're running to those key is really the one we can owed it because we have no way to have similar stations we would like in the future to have key who are fully attested semi very very similar to the secure Enclave that we start to deploy into India right we would actually something for the key because we can't trust that the key is really operating the same oh we have so hopefully that's going to be the next generations so the way we we do some of the analysis and a little bit of the behind the scenes stuff is we we do a lot of interceptions we'll talk about how we do an intersection between the memory and the contrary little later on so Michel will told you about that but we also do intersection between the key and the computer and which monitor what happened the reason why we do it at the hardware level is because we really want to make sure we see everything happening on the USB bus to make sure we don't miss anything it seems a little bit of a cure but turns out we found a very cool attack that I'm going to demonstrate to you in a second by doing this kind of interception and maybe this to show you what happened in practice this is what it looked like so we have in this blue box is actually a crystal is a dedicated hardware which or you to do interception of USB traffic full-speed event for USB 3 which is very difficult you choose the timing and the speed and it basically has three ports one you connect your keep so that's one of the key we connected to it and then the second cable and the phone goes to the target laptop or take a desktop we use a laptop because it's easier to put on the desk next for desktop sessions and then the cable at the back go to our desktop station where we do the recording and we do the analysis and we use custom software for that so that's what our interception platform look like and we've been running it on every key we have all the debt to make sure that we understand exactly how the communication between the pages the computer and the key are happening and making sure everything is square and fair turned out it's not and it gave me what is my favorite attack of the talk because I think this is the most mind-boggling one this is also the one we do feature and we share on social media because we really feel it so I guess how dangerous this thing can be we so again so finger print key this is one of those and we were actually wondering how many of those were having this program so we bought a few other brand which we were be living having the same chipset internet which are all vulnerable we have this one and we have a bunch of others we're here actually if you would like to see the demo live after the talk please come on here or on the web forum and we'll show you lies the attack show you how easy it is so it's attacking the fingerprint keys we do meet a food break and even a certain bitches attackers know how to do it when you know what to look for and this is as insane as you can recover the master password so do you want to say it in life yes okay so the key unplug it that took like this nothing to see except the fingerprint reader nothing to see right you're looking between the controller so here's how it goes we made this one very nice because our demos real so you have someone on the coffee shop which is living and the attacker is spotting a key so it's going to steal the key right and the key has a fingerprint reader on it and so later when he's back to his lair he's going to try to look for the key and obviously you can't right because the fingerprint reader do work as intended so you got and then you really sell but turns out there is a secret USB common which were you to recover the master password and that's how fast it is so what all you have to do really is you say oh I'm an admin here is my master password please do unroll my fingerprint and then you add a new user let's call it well I don't know a VM user and then you click on next and you start to tap in your finger and a moment later you will have a your fingerprint on growlithe illegitimate user into the key that's how bad it is so any of those key are definitively broken because you can extract the password from the controller yeah I still have people chickens ahead yep that sucks I don't I can't imagine how someone designed secret project could do that but actually they do which is why we need to edit all of them and make sure we verify clearly the spec even if you think it's obvious actually turns out some people may still make mistakes and we're here to protect our users so another one you would assume a controller will not will you know lock after like five or six attempt that seems obvious righty you should not keep doing it it turned out that one why do we did our audit of a encrypted hard drive who use RFID badge we found out that's not the case so we limit again a full break and also only produced attacker can do it because that is again very easy to do so here's a badge so you can use them or use like a proxmark to start to do the brute force it turns out they do lock the hard drive after six attempt the only problem is when you power off and on contract goes back to zero so you know with a simple electronic manipulation which are not the voltage will turn on to disk put forth enough you can put force it as much as you want and so basically is completely useless anyway so we try to sum up well the Weisse should burn after unsuccessful attempt and you should not be able to reset the counter obtuse but important and the password in ASCII should not be able requested from the Singh we also have a bunch of stuff like the SPS kid needs to be regenerated and so forth and those are more technical things they will be into slide and later on we'll publish the four methodology on github so you can actually download it and help us to make it even better so moving on to the fourth part which is cryptography we don't have much to say because of course we know we want one they had to be properly encrypted and we want the encryption key to be truly one done which mean you should not use the same key over many many device and you want to kid to be truly random meaning we can't guess what the key is for a given device we did see that for example in Wi-Fi routers a while back where they were deriving the key from the MAC address hopefully don't do that for USB key so problem is the the cryptography is literally backed into the silicon which makes you audit by very very difficult and almost impossible if you don't have the correct back so we feel that the tests are too expensive for us to do so we can skip all of them and we hope to show that not by going our selves in the yard where audit but instead having a better certification process and having manufacturers disclose more information so that being said we did find a few oddities and when you see just mention a few of those people use outdated crypto in certain keys we found one key who use our RSA 512 don't do that because you have been able to factoring attack and we also found some key who are doing file by file encryption who are using elsif or of course fc4 is considered broken ciphers so they should use I don't know yes and they don't also you can use any stream cipher that churchill2020 or something like that but it still use very outdated crypto so we come across a few scenes where even by just doing the audit normal did we found some oddities but for the very hardcore and in-depth analysis of a crypto we believe it should be done at the certification level so here's a bunch of recap about what we think should happen encryption key should be unique there is no recovery master key so no backdoor and they died is encrypted using errors and you worst under that would be so three main things and then we have a bunch of technical requirement that we think are useful to improve the security of the key all right for the last part and which is the most experimental part of the talk and you have no video there would be how we attack storage so Misha will walk use to that thanks so the goal we had in mind for the storage audit was obviously what you expect from me encrypted USB key which means doing a full disk encryption but also providing you with some integrated check so that if someone tries to tamper with the data it will be detected and prevented extracting the content of the storage chip appears to be not easy at all first you have to do the chip removal which means potentially go through the layer of epoxy and here you get access to the component then remove the component from the PCB then you have to dump the content of the memory because of the nen the way the technique the memory technology the flash technology works you also have some algorithm to compensate for the error the reels that you will have and you have to understand that algorithm to recover to emulate it and recover the real data then you have to exhaust rambling algorithm that is more mainly used by people by manufacturer this is not a security feature is just to optimize the lifespan of the flash memory same thing for the next step you have to interleave blocks the right way it's just for the life span of the the chip then you have to undo the file translation layer if you're familiar with familiar with the x86 architecture it's like the mapping between the physical memory pages and the virtual memory pages so you have some area some storing some metadata on the flash and it will explain to you or to reorder the page the memory pages in the right order to get the file system back once this is done you have to straightaway the metadata you just used and finally you have to decrypt the file system don't worry we'll go through the steps with something more visual soon we discovered during the audit some bun some families of keys which were using the serum partition to store the tools to unlock the key for those who are providing a password protected USB key it's used for convenience at least it's a read-only partition from the operating system point of view and it also provides you with the autorun feature which will prompt you for the password as soon as you plug the USB key so this is the key one of the key that was vulnerable to this kind of attack we already saw that this is not epoxy then you remove the chip you put the chip in an end reader to be able to extract the content and that's basically what you have so if you look at that you may think it's properly encrypted nothing appears in clear that's just the effect of the exhaust primer so if you look at the data turning the bits into pixels you start seeing some patterns appearing you see some scrambled data and you can see the artifact of the solid exhaust trembler with the sort of diagonal stripes that appears on those blocks then you have some metadata because they don't change a lot and that's what will tell you how to reorder the lines on those pixels then a bunch of bar of bits that are looking like noise and that's the ECC correction and then you go again on the scramble data and over and over if you undo the exhaust rambling that's what the patterns will look like at the end and if you look at the eggs dump it's even clearer that's you and you haven't done successfully the exhaust Rambler because you can see some clear text this is the parameter of the USB stick which contains some parameter like some strings and vendo ID for the USB and stuff like that if you go a bit later once you under the once you've undone properly the file translation layer you will see the serum partition and if you continue a bit down on the memory you will see the P file that allows you to enter the password and lock the key which means the serum partition was not encrypted at all but how do you begged all that thing well remember the graph you have to go the other way around so you patch the IG's if i'll with the savetti can leak the password of the user when you will enter it then you have to reapply the exhaust scrambler before computing again the error correction code and update it and then you have to rewrite the memory chip solder it back and reverb the key so that it looks stealthy sometimes the manufacturer will help you because no solder ring skills needed it's just a microSD card on the rears you just have to press it and extract the SD card and read it with a card reader but the thing is where all the secrets told it's an encrypted USB key most of the USB key will use AES and they need this key to be there it turns out that we had to build a platform to be able to look where the is key could be stored and it was a quite difficult task so this is the overview of the platform we have so after this all during the the chip we connected to with individual wires the USB key with an FPGA the FPGA will emulate the memory and will basically act as a proxy between the researchers workstation which contains the the data and we will see the comment through we can tamper with the data and see what happens and in parallel we connect also a logic analyzer which will just analyze what's happening on the wire to ensure that our emulator is working properly this is a simplified view of the platform and physically that looks like that so here you have the key with the memory chip being removed connected to custom PCBs that we design and the FPGA sitting in the middle to emulate the memory chip and on the top you have the logic analyzer that will give you the view of the lines zooming a bit on the on the way we you have to wire the USB key to the to the custom PCB this is again the USB key the custom PCB which is a breakout board and those are individual very thin wires and if you look on the USB key this is what it looks like and we had to use some duct tape to release the strength does the stress from the wires because it so learn on very thin pads and we broke some keys during the audit here you have the view of the logic analyzer which will give you the digital channels in gray in blue you will have the analog view of the channels which happens to be very useful because sometime you have some glitch artifact on the line that will switch on the digital view is 0 to 1 and you don't understand why as an overlay you can have also your protocol being automatically decoded by the software and on the right you have the measurement panel why were you were we using the FPGA for that is because the MMC protocol appears to be a high-speed protocol with very strict timings and emulating it in software was not possible because just the runtime trip between the software emulator and the USB key was going a way of the tolerance of the timings so we had to build it with the FPGA and this is the output we have on the system you can see all the command the fact that the comments are going from the host to the device if the CRC is correct the arguments and stuff like that so can das CD recovered well that's basically the part that is still working a work in progress it's very complicated and we are looking forward to collaborate on that to get some more resources on that this is the summary of the storage audit criteria the most important thing is as we said ensure that the data is actually encrypted and all the data including the 0 and polishin and obviously that some secrets should not be stored in clear in the memory chip the takeaways from the talk is that the certification is very important because that's the only way we can audit some the the cryptographic the way the cryptography is implemented on the USB key but on another hand it's not enough because it only focuses on the cryptography and it it misses four other points that we covered during our methodology another point we discovered is that not all the manufacturers and more important not all the models from a given manufacturer are equal regarding the of the security implementation which means that you cannot trust the reputation of a manufacturer and just look at the package and pick your key you have to actually audit the key you're going to pick for your company as the next step we encourage you to use secure encrypted USB key because at some point as we saw on the survey at the beginning an employee is going to lose a key containing company data on it we also have to ask for more transparency from the manufacturers so that it's not that hard to audit those USB keys and because the such audit is very time consuming and requires a lot of effort we believe that crowdsourcing the effort and make it a community effort will be will be the best for the community one and I think we have time for a couple of questions so please use the mic thank you

Info

Channel: Black Hat

Views: 18,198

Rating: 4.9264708 out of 5

Keywords: BHUSA, InfoSec, Black Hat, Information Security, Black Hat 2017, Black Hat USA, Black Hat USA 2017, Reverse Engineering, AES Hardward

Id: jVKl3GuazEs

Channel Id: undefined

Length: 37min 48sec (2268 seconds)

Published: Tue Dec 19 2017

Reddit Comments