Physical Computing, Virtual Security
Adding the Arduino microcontroller development environment to your "security research" toolkit (follower@rancidbacon.com)
Know your audience
Physical Computing
Arduino
Blink!
What's in it for you?
Microcontroller vs. Embedded Linux
Size & Cost
Prove it!
Networking
WIZnet W5100 "Hardwired" TCP/IP Stack
- Sockets - 4 H/W or 3 + n software
- MAC level access + ARP + etc
- Telnet, HTTP (+REST), VNC etc
Hardware vulnerabilities?
- Good question
DHCP exhaustion example
```cpp
byte mac[] = {0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED};
// ...
for (byte macByte1 = 11; macByte1 < 255; macByte1++) {
  for (byte macByte2 = 0; macByte2 < 255; macByte2++) {
    mac[3] = macByte1;
    mac[4] = macByte2;
    if (Dhcp.beginWithDHCP(mac) == 1) { // begin method returns 1 if successful
      // ...
    }
    // ...
  }
}
// ...
```
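Seen from the DHCP server, the sketch above produces many client MACs that differ only in the two bytes the loops change. The following detector is an added example, not part of the original slides; the log lines (ISC dhcpd syslog style), host name, interface, thresholds and the function name `find_mac_sweeps` are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in ISC dhcpd syslog style; host, interface and MACs are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 gw dhcpd: DHCPDISCOVER from 00:1e:c2:aa:bb:01 via eth1
Mar  3 10:15:02 gw dhcpd: DHCPDISCOVER from de:ad:be:0b:00:ed via eth1
Mar  3 10:15:03 gw dhcpd: DHCPDISCOVER from de:ad:be:0b:01:ed via eth1
Mar  3 10:15:04 gw dhcpd: DHCPDISCOVER from de:ad:be:0b:02:ed via eth1
Mar  3 10:15:05 gw dhcpd: DHCPDISCOVER from 3c:07:54:12:34:56 via eth1
Mar  3 10:15:06 gw dhcpd: DHCPDISCOVER from de:ad:be:0b:03:ed via eth1
Mar  3 10:15:07 gw dhcpd: DHCPDISCOVER from de:ad:be:0b:04:ed via eth1
Mar  3 10:45:00 gw dhcpd: DHCPDISCOVER from 00:1e:c2:aa:bb:01 via eth1
"""

LINE = re.compile(
    r"(\d\d):(\d\d):(\d\d) \S+ dhcpd(?:\[\d+\])?: DHCPDISCOVER from "
    r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2}) via (\S+)", re.I)

def find_mac_sweeps(log_text, min_macs=4, window_s=60):
    """Flag MAC groups that differ only in bytes 3 and 4 within one time window.

    Returns {(interface, masked_mac): sorted distinct MACs}. Timestamps are
    taken as seconds since midnight, so a window spanning midnight is missed.
    """
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        h, mi, s, mac, iface = m.groups()
        octets = mac.lower().split(":")
        # Mask the two bytes the sketch varies (mac[3], mac[4]).
        mask = ":".join(octets[:3] + ["xx", "xx"] + octets[5:])
        t = int(h) * 3600 + int(mi) * 60 + int(s)
        seen[(iface, mask)].append((t, ":".join(octets)))
    alerts = {}
    for key, events in seen.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            macs = {mac for t, mac in events[i:] if t - start <= window_s}
            if len(macs) >= min_macs and len(macs) > len(alerts.get(key, ())):
                alerts[key] = sorted(macs)
    return alerts
```

On a managed switch the same pattern is what DHCP snooping and per-port MAC limits are meant to stop before it reaches the server.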
Public Service Announcement from...
MakerSpace (Wellington)
chchspace (Christchurch)
Now, back to your scheduled programme...
Arduino and USB
V-USB
- Low speed USB implementation in software
- Formerly AVR-USB
- Arduino wrapper: http://code.rancidbacon.com/ProjectLogArduinoUSB
Keyboard emulation
- CapsLocker I & II
- USB Stealth Twiddler
- See also: YubiKey authentication
pyusb + libusb
```python
from arduino.usbdevice import ArduinoUsbDevice

# Open the V-USB device by vendor/product ID, send one byte, read the reply.
theDevice = ArduinoUsbDevice(idVendor=0x16c0, idProduct=0x05df)
theDevice.write(0x01)
print(theDevice.read())
```

```cpp
#include <UsbStream.h>

void setup() {
  UsbStream.begin();
  UsbStream.write(0xff);
}

void loop() {
  UsbStream.refresh();  // service the software USB stack
  if (UsbStream.available() > 0) {
    int data = UsbStream.read();
  }
}
```
Software protection dongles *
(* Not recommended for production.)
How USB works (reenactment)
- "Hi, I'm a XYZ device"
- "Hi XYZ! Let's play..."
How USB fuzzing works (reenactment)
- "Hi, I'm an ABC device"
- "Hi, I'm a DEF device"
- "Hi, I'm a XYZ device"
- "Hi XYZ! Let's play... Blergh! :("
Does it really work?
Oops indeed.
```
[39805.823336] usb 1-2: configuration #1 chosen from 1 choice
[39808.880125] usb 1-2: USB disconnect, address 14
[39810.360083] usb 1-2: new low speed USB device using uhci_hcd and address 15
[39810.538392] usb 1-2: configuration #1 chosen from 1 choice
[39810.584698] usbcore: registered new interface driver usbserial
[39810.584730] USB Serial support registered for generic
[39810.584783] usbcore: registered new interface driver usbserial_generic
[39810.584788] usbserial: USB Serial Driver core
[39810.595661] USB Serial support registered for PocketPC PDA
[39810.595784] ipaq 1-2:1.0: PocketPC PDA converter detected
[39810.599942] usb 1-2: PocketPC PDA converter now attached to ttyUSB0
[39810.599985] usbcore: registered new interface driver ipaq
[39810.599991] ipaq: v0.5:USB PocketPC PDA driver
modem-manager: (ttyUSB0) opening serial device...
[39810.637271] BUG: unable to handle kernel NULL pointer dereference at 0000003c
[39810.637284] IP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq]
NetworkManager: <info> modem manager disappeared
[39810.637307] *pde = 3e20c067
[39810.637313] Oops: 0002 [#1] SMP
[39810.637320] last sysfs file: /sys/devices/pci0000:00/0000:00:1d.0/usb1/1-2/uevent
NetworkManager: <info> Trying to start the modem-manager...
[39810.637328] Modules linked in: ipaq usbserial usbhid aes_i586 aes_generic binfmt_misc ppdev snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm uvcvideo snd_seq_dummy iptable_filter snd_seq_oss snd_seq_midi snd_rawmidi joydev snd_seq_midi_event ip_tables eeepc_laptop videodev v4l1_compat snd_seq x_tables snd_timer snd_seq_device snd arc4 ecb ath5k mac80211 led_class psmouse ath soundcore lp atl2 serio_raw cfg80211 snd_page_alloc parport dm_raid45 xor fbcon tileblit font bitblit softcursor usb_storage i915 drm i2c_algo_bit video output intel_agp agpgart
[39810.637424]
[39810.637431] Pid: 889, comm: modem-manager Not tainted (2.6.31-14-generic #48-Ubuntu) 900
[39810.637438] EIP: 0060:[<f847593d>] EFLAGS: 00010286 CPU: 0
[39810.637451] EIP is at ipaq_open+0x1fd/0x570 [ipaq]
[39810.637456] EAX: 00000000 EBX: e4dd2000 ECX: f6452200 EDX: e4dd4000
[39810.637462] ESI: ef2d9840 EDI: f6452200 EBP: ef1f5de8 ESP: ef1f5da0
[39810.637468] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[39810.637474] Process modem-manager (pid: 889, ti=ef1f4000 task=ef6225b0 task.ti=ef1f4000)
[39810.637479] Stack:
[39810.637483] 00000003 c07657f0 ef1f5db4 00000292 c07657ec ef1f5dbc c0127c38 ef1f5dd0
[39810.637497] <0> f65785a0 00000064 f69e4000 f6452200 00000100 ef2d9854 00000100 f847cc60
[39810.637511] <0> f6452200 f6452204 ef1f5e20 f805cc3a ef1f5df8 c05708b8 ef1f5e20 c037d9c1
[39810.637526] Call Trace:
[39810.637542] [<c0127c38>] ? default_spin_lock_flags+0x8/0x10
[39810.637558] [<f805cc3a>] ? serial_open+0xda/0x130 [usbserial]
[39810.637568] [<c05708b8>] ? _spin_lock+0x8/0x10
[39810.637578] [<c037d9c1>] ? check_tty_count+0x51/0xb0
[39810.637587] [<c0380a43>] ? __tty_open+0x1a3/0x460
[39810.637594] [<c0380d1f>] ? tty_open+0x1f/0x40
[39810.637604] [<c01ea5bd>] ? chrdev_open+0xcd/0x190
[39810.637612] [<c01e5769>] ? __dentry_open+0xb9/0x230
[39810.637619] [<c01e59c5>] ? nameidata_to_filp+0x55/0x70
[39810.637627] [<c01ea4f0>] ? chrdev_open+0x0/0x190
[39810.637636] [<c01f34fa>] ? do_filp_open+0x53a/0x890
[39810.637647] [<c01e31bf>] ? __mem_cgroup_commit_charge+0x3f/0x80
[39810.637656] [<c01ca1a9>] ? do_anonymous_page+0x199/0x200
[39810.637664] [<c01e5500>] ? do_sys_open+0x50/0x150
[39810.637672] [<c01e5669>] ? sys_open+0x29/0x40
[39810.637680] [<c010336c>] ? syscall_call+0x7/0xb
[39810.637684] Code: c0 85 c0 0f 85 12 02 00 00 8b 7d e4 85 db 89 9f a0 00 00 00 0f 84 45 02 00 00 8b 55 e4 8b 82 98 00 00 00 89 d1 8b 92 90 00 00 00 <89> 50 3c 8b 81 a8 00 00 00 8b 91 a0 00 00 00 89 50 3c 8b 81 98
[39810.637761] EIP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq] SS:ESP 0068:ef1f5da0
[39810.637778] CR2: 000000000000003c
[39810.637785] ---[ end trace f88c0740245043a9 ]---
```
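Triage of a log like the one above: this added example (not part of the original slides) links a kernel BUG to the USB port whose driver faulted, the process that triggered it, and how long after plug-in it happened. The embedded lines are copied from the log on this page; the function name `triage_usb_oops` and the report fields are assumptions.

```python
import re

# Lines copied from the kernel log on this page (abridged).
PAGE_LOG = """\
[39810.360083] usb 1-2: new low speed USB device using uhci_hcd and address 15
[39810.595784] ipaq 1-2:1.0: PocketPC PDA converter detected
[39810.599942] usb 1-2: PocketPC PDA converter now attached to ttyUSB0
[39810.637271] BUG: unable to handle kernel NULL pointer dereference at 0000003c
[39810.637284] IP: [<f847593d>] ipaq_open+0x1fd/0x570 [ipaq]
[39810.637431] Pid: 889, comm: modem-manager Not tainted (2.6.31-14-generic #48-Ubuntu) 900
"""

TS = r"\[\s*(\d+\.\d+)\]\s+"
NEW_DEV = re.compile(TS + r"usb (\S+): new (\w+) speed USB device")
BOUND = re.compile(TS + r"(\w+) (\d+-[\d.]+):\d+\.\d+: ")   # "<driver> <port>:<cfg>.<intf>: "
BUG = re.compile(TS + r"BUG: (.+)")
FAULT_IP = re.compile(
    TS + r"IP: \[<[0-9a-f]+>\] (\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(\w+)\])?")
COMM = re.compile(TS + r"Pid: \d+, comm: (\S+)")

def triage_usb_oops(log_text):
    """Return one report per BUG line, tied to the USB port whose driver faulted."""
    plugged, bound, reports = {}, {}, []
    for line in log_text.splitlines():
        if m := NEW_DEV.match(line):
            plugged[m.group(2)] = float(m.group(1))      # port -> plug-in time
        elif m := BOUND.match(line):
            bound[m.group(2)] = m.group(3)               # driver -> port it bound to
        elif m := BUG.match(line):
            reports.append({"time": float(m.group(1)), "bug": m.group(2)})
        elif reports and (m := FAULT_IP.match(line)):
            r = reports[-1]
            r["function"], r["module"] = m.group(2), m.group(3)
            r["port"] = bound.get(m.group(3))            # None if fault is not in a bound driver
            if r["port"] in plugged:
                r["ms_after_plug"] = round((r["time"] - plugged[r["port"]]) * 1000)
        elif reports and (m := COMM.match(line)):
            reports[-1]["process"] = m.group(2)          # process in whose context it faulted
    return reports
```

For the page's log the report shows the fault in `ipaq_open`, in the context of `modem-manager`, a fraction of a second after the device enumerated, which is why no user action was needed to reach the driver.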
Hey, what happened to my USB?
- And why are you mounting this device when I'm not even logged in yet?
```cpp
#include <UsbFuzzBase.h>

void setup() {
  UsbFuzzer.setVendorId(0x045e);   // (Microsoft Corp.)
  UsbFuzzer.setProductId(0x0417);  // (Windows Powered Pocket PC 2002)
  UsbFuzzer.begin();
}

void loop() {
  UsbFuzzer.refresh();
  // ...
}
```
More detail...
- USB Attacks: Fun with Plug and 0wn
- Evaluating Security Aspects of the Universal Serial Bus
- USB Device Drivers: A Stepping Stone into your Kernel
python-firmata & Firmata
```python
>>> import firmata
>>> a = firmata.Arduino('/dev/tty.usbserial-XXXXXXXXXX', baudrate=57600)
>>> a.pin_mode(13, firmata.OUTPUT)
>>> a.digital_write(13, firmata.HIGH)  # LED on pin 13 on
>>> a.digital_write(13, firmata.LOW)   # LED on pin 13 off
>>> a.serial.close()
```
Electro-Mechanical assistance
http://l4n.clustur.com/index.php/Nanotron_3000#tucenaber
And everything else...
- RFID
- Bluetooth
- Appliance control
- Social Engineering
- etc
Places to Learn
- Playground: http://www.arduino.cc/playground/