Physical Computing, Virtual Security

Adding the Arduino microcontroller development environment
to your "security research" toolkit

( follower@rancidbacon.com )

Know your audience

Physical Computing

Arduino

http://arduino.cc/

Blink!

What's in it for you?

Microcontroller vs. Embedded Linux

Size & Cost

Prove it!

Networking

WIZnet W5100 "Hardwired" TCP/IP Stack

• Sockets - 4 H/W or 3 + n software

• MAC level access + ARP + etc

• Telnet, HTTP (+REST), VNC etc

Hardware vulnerabilities?

• Good question

DHCP exhaustion example

• http://code.rancidbacon.com/ProjectArduinoDHCPExhaustion

byte mac[] = {0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED};

...
  for (byte macByte1 = 11; macByte1 <255; macByte1++) {  
    for (byte macByte2 = 0; macByte2 <255; macByte2++) {
      mac[3] = macByte1;
      mac[4] = macByte2;

      if(Dhcp.beginWithDHCP(mac) == 1) {  // begin method returns 1 if successful
         ...
      } 
      ...
    }
  }
...

Public Service Announcement from...

http://hackerspaces.org/

MakerSpace (Wellington)

chchspace (Christchurch)

Now, back to your scheduled programme...

Arduino and USB

V-USB

• Low speed USB implementation in software

• Formerly AVR-USB

• http://www.obdev.at/products/vusb/index.html

• Arduino wrapper: http://code.rancidbacon.com/ProjectLogArduinoUSB

Keyboard emulation

• CapsLocker I & II
• USB Stealth Twiddler
• See also: YubiKey authentication

pyusb + libusb

• http://code.rancidbacon.com/ProjectLogArduinoUSB

from arduino.usbdevice import ArduinoUsbDevice

theDevice = ArduinoUsbDevice(idVendor=0x16c0, idProduct=0x05df)
theDevice.write(0x01)
print theDevice.read()

#include <UsbStream.h>
void setup() {
    UsbStream.begin();
    UsbStream.write(0xff);
}

void loop() {
  UsbStream.refresh();

  if (UsbStream.available() > 0) {
    int data = UsbStream.read();
  }
}

Software protection dongles *

(* Not recommended for production.)

How USB works (reenactment)

• "Hi, I'm a XYZ device"

• "Hi XYZ! Let's play..."

How USB fuzzing works (reenactment)

• "Hi, I'm an ABC device"

• "Hi, I'm a DEF device"

• "Hi, I'm a XYZ device"

• "Hi XYZ! Let's play... Blergh! :("

Does it really work?

Oops indeed.

[39805.823336] usb 1-2: configuration #1 chosen from 1 choice
[39808.880125] usb 1-2: USB disconnect, address 14
[39810.360083] usb 1-2: new low speed USB device using uhci_hcd and address 15
[39810.538392] usb 1-2: configuration #1 chosen from 1 choice
[39810.584698] usbcore: registered new interface driver usbserial
[39810.584730] USB Serial support registered for generic
[39810.584783] usbcore: registered new interface driver usbserial_generic
[39810.584788] usbserial: USB Serial Driver core
[39810.595661] USB Serial support registered for PocketPC PDA
[39810.595784] ipaq 1-2:1.0: PocketPC PDA converter detected
[39810.599942] usb 1-2: PocketPC PDA converter now attached to ttyUSB0
[39810.599985] usbcore: registered new interface driver ipaq
[39810.599991] ipaq: v0.5:USB PocketPC PDA driver
modem-manager: (ttyUSB0) opening serial device...
[39810.637271] BUG: unable to handle kernel NULL pointer dereference at 0000003c
[39810.637284] IP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq]
NetworkManager: <info>  modem manager disappeared
[39810.637307] * pde = 3e20c067 ##
[39810.637313] Oops: 0002 [#1] SMP 
[39810.637320] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-2/uevent
NetworkManager: <info>  Trying to start the modem-manager...
[39810.637328] Modules linked in: ipaq usbserial usbhid aes_i586 aes_generic binfmt_misc ppdev snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm uvcvideo snd_seq_dummy iptable_filter snd_seq_oss snd_seq_midi snd_rawmidi joydev snd_seq_midi_event ip_tables eeepc_laptop videodev v4l1_compat snd_seq x_tables snd_timer snd_seq_device snd arc4 ecb ath5k mac80211 led_class psmouse ath soundcore lp atl2 serio_raw cfg80211 snd_page_alloc parport dm_raid45 xor fbcon tileblit font bitblit softcursor usb_storage i915 drm i2c_algo_bit video output intel_agp agpgart
[39810.637424] 
[39810.637431] Pid: 889, comm: modem-manager Not tainted (2.6.31-14-generic #48-Ubuntu) 900
[39810.637438] EIP: 0060:[<f847593d>] EFLAGS: 00010286 CPU: 0
[39810.637451] EIP is at ipaq_open+0x1fd/0x570 [ipaq]
[39810.637456] EAX: 00000000 EBX: e4dd2000 ECX: f6452200 EDX: e4dd4000
[39810.637462] ESI: ef2d9840 EDI: f6452200 EBP: ef1f5de8 ESP: ef1f5da0
[39810.637468]  DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[39810.637474] Process modem-manager (pid: 889, ti=ef1f4000 task=ef6225b0 task.ti=ef1f4000)
[39810.637479] Stack:
[39810.637483]  00000003 c07657f0 ef1f5db4 00000292 c07657ec ef1f5dbc c0127c38 ef1f5dd0
[39810.637497] <0> f65785a0 00000064 f69e4000 f6452200 00000100 ef2d9854 00000100 f847cc60
[39810.637511] <0> f6452200 f6452204 ef1f5e20 f805cc3a ef1f5df8 c05708b8 ef1f5e20 c037d9c1
[39810.637526] Call Trace:
[39810.637542]  [<c0127c38>] ? default_spin_lock_flags+0x8/0x10
[39810.637558]  [<f805cc3a>] ? serial_open+0xda/0x130 [usbserial]
[39810.637568]  [<c05708b8>] ? _ spin_lock+0x8/0x10 ##
[39810.637578]  [<c037d9c1>] ? check_tty_count+0x51/0xb0
[39810.637587]  [<c0380a43>] ? __tty_open+0x1a3/0x460
[39810.637594]  [<c0380d1f>] ? tty_open+0x1f/0x40
[39810.637604]  [<c01ea5bd>] ? chrdev_open+0xcd/0x190
[39810.637612]  [<c01e5769>] ? __dentry_open+0xb9/0x230
[39810.637619]  [<c01e59c5>] ? nameidata_to_filp+0x55/0x70
[39810.637627]  [<c01ea4f0>] ? chrdev_open+0x0/0x190
[39810.637636]  [<c01f34fa>] ? do_filp_open+0x53a/0x890
[39810.637647]  [<c01e31bf>] ? __mem_cgroup_commit_charge+0x3f/0x80
[39810.637656]  [<c01ca1a9>] ? do_anonymous_page+0x199/0x200
[39810.637664]  [<c01e5500>] ? do_sys_open+0x50/0x150
[39810.637672]  [<c01e5669>] ? sys_open+0x29/0x40
[39810.637680]  [<c010336c>] ? syscall_call+0x7/0xb
[39810.637684] Code: c0 85 c0 0f 85 12 02 00 00 8b 7d e4 85 db 89 9f a0 00 00 00 0f 84 45 02 00 00 8b 55 e4 8b 82 98 00 00 00 89 d1 8b 92 90 00 00 00 <89> 50 3c 8b 81 a8 00 00 00 8b 91 a0 00 00 00 89 50 3c 8b 81 98 
[39810.637761] EIP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq] SS:ESP 0068:ef1f5da0
[39810.637778] CR2: 000000000000003c
[39810.637785] ---[ end trace f88c0740245043a9 ]---

Hey, what happened to my USB?

• And why are you mounting this device when I'm not even logged in yet?

#include <UsbFuzzBase.h>


void setup() {
    UsbFuzzer.setVendorId(0x045e);  // (Microsoft Corp.) 
    UsbFuzzer.setProductId(0x0417); // (Windows Powered Pocket PC 2002)

    UsbFuzzer.begin();
}

void loop() {
  UsbFuzzer.refresh();
  ...
}

More detail...

• usbroken

• USB Attacks: Fun with Plug and 0wn
• Evaluating Security Aspects of the Universal Serial Bus
• USB Device Drivers: A Stepping Stone into your Kernel

python-firmata & Firmata

• http://code.rancidbacon.com/LearningAboutArduinoandPython

>>> import firmata
>>> a = firmata.Arduino('/dev/tty.usbserial-XXXXXXXXXX', baudrate=57600)
>>> a.pin_mode(13, firmata.OUTPUT)
>>> a.digital_write(13, firmata.HIGH) # LED on pin 13 on
>>> a.digital_write(13, firmata.LOW) # LED on pin 13 off
>>> a.serial.close()

Electro-Mechanical assistance

http://l4n.clustur.com/index.php/Nanotron_3000#tucenaber

And everything else...

• RFID
• Bluetooth
• Appliance control
• Social Engineering
• etc

Places to Learn

• http://arduino.cc/

• Forums: http://www.arduino.cc/cgi-bin/yabb2/YaBB.pl

• Playground: http://www.arduino.cc/playground/

Hackerspaces

• http://chchspace.nztech.org/

• http://makerspace.org.nz/

The Valley in Christchurch (TVIC)

• http://nztech.org/tvic/

Planet NZTech

• http://planet.nztech.org/

Arduino in New Zealand

• http://code.rancidbacon.com/ArduinoNewZealand

Me -- Philip J. Lindsay

• http://rancidbacon.com/