©2013 Check Point Software Technologies Ltd.

Physical (In)security:

It’s not all about Cyber…

Inbar Raz
Malware & Security Research Manager
Check Point Software Technologies

Background

Who am I?
– I like to reverse things – software, hardware, ideas, rules.
– I like to find problems and have them fixed (by others…)

What do I do?
– Run Malware & Security Research at Check Point
– Create Responsible Disclosures
– Concentrate on “little to no-skills needed”
  – Easier to demonstrate and convince

Example #1: Movie Ticket Kiosk

On-site Kiosk
– Touch Screen
– Credit Card Reader
– Ticket Printer

No peripherals, no interfaces

The Attack

Improper interface settings allow the opening of menu options.

Menus can be used to browse for a new printer.

The Attack

A limited Windows Explorer is not restricted enough.

A right-click can be used…

To open a full, unrestricted Windows Explorer.

The Attack

Browsing through the file system reveals interesting directory names…

And even more interesting file names.

The Attack

Bingo: Credit Card Data (Unencrypted!)

Tools of the trade: Notepad

We can use the ticket printer to take it home

The Attack

But that’s not all: RSA Keys and Certificates are also found on the drive!

Which we can print, take home and then use free OCR software to read…

The Attack

The result:

RSA Keys used to bill credit cards.

Example #1: Summary

Device purpose: Print purchased Movie Tickets

Data on device: Credit Card data and Encryption Keys

Method used to hack: 1 finger
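The finding on slide 7, card data sitting in cleartext files readable with Notepad, is exactly what a PCI-style disk audit should catch before a kiosk ships. The Python script below is an added example and not code from the talk: it walks a directory tree, pulls out 13 to 19 digit candidates and keeps only those that pass the Luhn check. The directory layout, file names and card numbers in demo() are constructed (standard industry test numbers, not real cards).

```python
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def find_pans(text: str) -> list[str]:
    """Return Luhn-valid card numbers found in text, separators removed."""
    hits = []
    for match in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits

def scan_tree(root: Path) -> dict[str, int]:
    """Map each file under root that holds cleartext PANs to its hit count."""
    findings = {}
    for path in root.rglob("*"):
        if path.is_file():
            text = path.read_text(errors="ignore")
            hits = len(find_pans(text))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo() -> dict[str, int]:
    """Scan a constructed kiosk-like tree (sample data with test card numbers)."""
    with TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "txn").mkdir()
        (root / "txn" / "2013-05-01.log").write_text(
            "sale 19:42 card 4111 1111 1111 1111 amount 32.00\n"
            "sale 19:55 card 5500000000000004 amount 18.00\n")
        (root / "readme.txt").write_text("kiosk build 20130419 ref 4111-1111-1111-1112\n")
        return scan_tree(root)
```

The Luhn filter is what keeps timestamps, order ids and the deliberately broken number in readme.txt out of the report.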

Example #2: Point-of-Sale Device

Point-Of-Sale devices are all around you.

The Attack

PoS Device located outside business during the day

At the end of the day, it is locked inside the business

The Attack

But one thing is left outside, in the street:

The Attack

In the past – play hacker/script kiddie with BackTrack.

Today: Fire up wireshark, discover IPs of live machines.

Detected IP addresses:
– 192.168.0.1
– 192.168.0.2
– 192.168.0.4
– 192.168.0.250
– 192.168.0.254

Confirm by ping (individual and broadcast)

The Attack

Evidence of SMB (plus prior knowledge) leads to the next step:

And the response:

Things to do with an open share

#1: Look around
– Establish possible attack vectors

#2: Create a file list
– Not like stealing data, but very helpful

The mystery of 192.168.0.250

Answers a ping, but no SMB.

First guess: the ADSL Modem.

Try to access the Web-UI:

Use the full URL:

Going for the ADSL router

Reminder: We actually had this information.

Naturally, there is access control:

Want to guess?

Example #2: Summary

Device purpose: Cash Register and Local Server

Data on device: Credit Card data, Customer Database

Method used to hack: MacBook Pro, Free Software

Other opportunities

A Medical Clinic in Tel-Aviv
– Complete disregard for attendance systems

A Hospital in Tel-Aviv

An ATM at a shopping mall

Example #3: Hospital Smart TV

Features
– Watch TV
– Listen to music
– VOD
– Browse the Internet

Peripherals:
– Touch Screen
– Credit Card Reader
– Earphones

And…
– USB…

The Attack

Start with a USB Keyboard
– Numlock works
– Nothing else does

Power off, Power on, F11

Our options are opening up.

Let’s boot something else

BackTrack (Kali): Never leave home without it

But I’m facing a problem

Even though I’m set to DHCP, I have no IP address.

An examination of the config files reveals the problem:

# The loopback interface, this is the default configuration:
auto lo
iface lo inet loopback

# The first network interface.
# In this case we want to receive an IP-address through DHCP:
auto eth0
iface eth0 inet dhcp

# In this case we have a wired network:
wpa-driver wired

# Tell the system we want to use WPA-Supplicant
# with our configuration file:
wpa-conf /etc/wpa_supplicant.conf
pre-up /usr/sbin/ethtool -s eth0 speed 100 duplex full autoneg off

But this is Linux, everything is in text files:

network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}

I copy the files, and try again.
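What made the copied wpa_supplicant.conf a reusable network credential is visible in the file itself: a cleartext password, EAP-MD5 offered as an outer method, TTLS with no ca_cert so the RADIUS server is never verified, and PAP as the inner method. The Python audit below is an added example, not code from the talk or from wpa_supplicant; WEAK_CONF is a constructed copy in the same shape with the redacted placeholders kept, and SAFE_CONF is a constructed corrected version whose CA path, identity and password hash are placeholders.

```python
import re

# Constructed samples (not copied from any device). WEAK_CONF mirrors the
# file shown in the talk; SAFE_CONF is the same network with fixes applied.
WEAK_CONF = """network={
    key_mgmt=IEEE8021X
    eap=TTLS MD5
    identity="a*****c"
    anonymous_identity="a*****c"
    password="*****"
    phase1="auth=MD5"
    phase2="auth=PAP password=*****"
    eapol_flags=0
}
"""
SAFE_CONF = """network={
    key_mgmt=IEEE8021X
    eap=TTLS
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    identity="kiosk-0042"
    password=hash:0123456789abcdef0123456789abcdef
    phase2="auth=MSCHAPV2"
}
"""

def parse_networks(conf: str) -> list[dict[str, str]]:
    """One key->value dict per network={...} block; surrounding quotes stripped."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\}", conf, re.S):
        entry = {}
        for line in body.splitlines():
            line = line.split("#", 1)[0].strip()   # drop comments
            if "=" in line:
                key, val = line.split("=", 1)
                entry[key.strip()] = val.strip().strip('"')
        nets.append(entry)
    return nets

def audit_network(net: dict[str, str]) -> list[str]:
    """Flag settings that turn a copied config file into a working credential."""
    issues = []
    if "password" in net and not net["password"].startswith("hash:"):
        issues.append("cleartext password in config")
    eap = net.get("eap", "").upper().split()
    if "MD5" in eap:
        issues.append("EAP-MD5 enabled: no server authentication")
    if "TTLS" in eap and "ca_cert" not in net:
        issues.append("TTLS without ca_cert: RADIUS server not verified")
    if re.search(r"auth=(PAP|MD5)", net.get("phase2", ""), re.I):
        issues.append("weak inner method (PAP/MD5) in phase2")
    return issues
```

Even the corrected file still grants network access to whoever copies it, so on an unattended device it belongs with a per-device identity that can be revoked and a BIOS boot order that cannot be changed with F11.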

What next?

Find out where we are (external IP)

Proof-of-Concept: Open reverse shell

Further analysis of files reveals a lead:

http://192.168.0.250/client/

This is the actual User Interface:

But it’s not enough…

So the next logical step is…

So what’s next?

We lost access to the devices
– At least easy access

Complete the report and go for disclosure

However…

Turns out other hospitals have the same device
– So now we wait for someone to get sick…

Example #3: Summary

Device purpose: Smart TV for Hospital Patients

Data on device: Network Encryption Keys, Possible access to other networks

Method used to hack: USB Drive, Free Software, Keyboard, Mouse

Questions?
