Download It

Notes:	Hide Notes

Slide 1: Hacking Hardw are Some materials adapted from Sam Bowne Slide 2: Physical access  Lock bumping: see next slides. Don't rely solely on locks: use two-factor authentication – PIN keypad – Fingerprint – Security guard  Cloning access cards: not so easy.  Magstripe vs RFID cards  Open RFID reader, and  a RFID hack reader and writer. Slide 3: Normal Key Slide 4: Bump Key  Every key pin falls to its lowest point  The key is hit with a screwdriver to create mechanical shocks  The key pins move up and briefly pass through the shear line  The lock can be opened at the instant the key pins align on the shear line Slide 5:  Even Medeco locks used in the White House can be bumped Slide 6: Magstripe Cards  ISO Standards specify three tracks of data  There are various standards, but usually no encryption is used Slide 7: Magstripe Card Reader/Writer  USB connector  About $350 Slide 8: Magnetic-Stripe Card Explorer Slide 9: Hacking RFID Cards  RFID cards use radio signals instead of magnetism  Now required in passports  Data can be read at a distance, and is usually unencrypted  Mifare is most widely deployed brand of secure RFID chips (vulnerabilities). Slide 10: Cloning Passports  $250 in equipment  Can steal passport data from a moving car Slide 11: Boston Subw ay Hack  The Massachusetts Bay Transportation Authority claims that they added proprietary encryption to make their MiFare Classic cards secure  But Ron Rivest's students from MIT hacked into it anyway Slide 12: ATA Hardrives  Bypassing ATA password security • Two kinds of ATA (AT Attachment ) interfaces are used • PATA (Parallel ATA) – IDE is now called PATA • SATA (Serial ATA) – Newer and faster than PATA Slide 13: ATA Security  Requires a password to access the hard disk  Virtually every hard drive made since 2000 has this feature  It is part of the ATA specification, and thus not specific to any brand or device.  Does not encrypt the disk, but prevents access  Countermeasures • Don't trust ATA Security • Encrypt the drive with Bitlocker, TrueCrypt, PGP, etc. Slide 14: ATA Passw Virus ord  ATA Security is used on Microsoft Xbox hard drives and laptops  BUT desktop machines' BIOS is often unaware of ATA security  An attacker could turn on ATA security, and effectively destroy a hard drive, or hold it for ransom  The machine won't boot, and no BIOS command can help  This is only a theoretical attack at the moment Slide 15: Bypassing ATA Passw ords  Hot Swap  With an unlocked drive plugged in, enter the BIOS and navigate to the menu that allows you to set a HDD Password  Plug in the locked drive and reset the password  Use factory default master password  Not easy to find  Some examples given in 2600 magazine volume 26 number 1 Slide 16: Bypassing ATA Passw ords  Vogon Password Cracker POD  Changes the password from a simple GUI  Allows law enforcement to image the drive, then restore the original password, so the owner never knows anything has happened  Works by accessing the drive service area  A special area on a disk used for firmware, geometry information, etc.  Inaccessible to the user Slide 17: U3: Softw on a Flash Drive are  Carry your data and your applications in your pocket!  It’s like a tiny laptop! USB drives Slide 18: U3 Launchpad  Just plug it in, and the Launchpad appears  Run your applications on anyone’s machine  Take all data away with you 18 Slide 19: How U3 Works  The U3 drive appears as two devices in My Computer  A “Removable Disk”  A hidden CD drive named “U3”  The CD contains software that automatically runs on computers that have Autorun enabled  For more details, see http://www. everythingusb.com/u3.html 19 Slide 20: Hacking Softw On The Disk are Partition  PocketKnife is a suite of powerful hacking tools that lives on the disk partition of the U3 drive  Just like any other application  You can create a custom file to be executed when a U3 drive is plugged in  Or replace the original CD part by a hack. 20 Slide 21: U3 PocketKnife  Steal passwords  Product keys  Steal files  Kill antivirus software  Turn off the Firewall  And more… Slide 22: Military Bans USB Thumb Drives 22 Slide 23: USB drives Risk Reduction  Traditional  Block all USB devices in Group Policy  Disable AutoRun  Glue USB ports shut (?!?!)  Better Solution: IEEE 1667  Standard Protocol for Authentication in Host Attachments of Transient Storage Devices  USB devices can be signed and authenticated, so only authorized devices are allowed  in Windows 7, Linux. 23 Slide 24: Default Configuration Example: ASUS Eee PC Rooted Out of the Box  The Eee PC 701 shipped with Xandros Linux  The Samba file-sharing service was on by default  It was a vulnerable version, easily rooted by Metasploit Easy to learn, Easy to work, Easy to root Slide 25: Default Passw ords  Many devices ship with default passwords that are often left unchanged  Especially routers (seen before) Slide 26: ATM Passw ords  In 2008, these men used default passwords to reprogram ATM machines to hand out $20 bills like they were $1 bills Slide 27: Bluetooth Attacks  Bluetooth supports encryption, but it's off by default, and the password is 0000 by default Slide 28: Reverse Engineering Hardw are  Mostly an engineering endeavor     Mapping the device Sniffing the bus data firmware reversing JTAG -- testing interface device for printed circuit boards. Read the book for more details.