0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/608 Thanks! 1 00:00:09,750 --> 00:00:11,819 Today, I'm glad 2 00:00:11,820 --> 00:00:14,729 to have Andrei Kostin here today, 3 00:00:14,730 --> 00:00:16,799 and he studied computer 4 00:00:16,800 --> 00:00:19,199 science in Bucharest and recently 5 00:00:19,200 --> 00:00:21,389 finished his PhD 6 00:00:21,390 --> 00:00:23,070 on security and embedded systems, 7 00:00:24,180 --> 00:00:26,249 and he's done some pretty cool hacks. 8 00:00:26,250 --> 00:00:28,439 Maybe some of you have looked him up 9 00:00:28,440 --> 00:00:30,689 and he's the author of The Toolkit 10 00:00:30,690 --> 00:00:33,569 My Fair Classical Universal Toolkit, 11 00:00:33,570 --> 00:00:35,969 which enables you to crack RFID chips, 12 00:00:35,970 --> 00:00:36,869 basically. 13 00:00:36,870 --> 00:00:38,999 And he will talk about methods 14 00:00:39,000 --> 00:00:41,099 on how to make a large scale security 15 00:00:41,100 --> 00:00:43,379 analysis of embedded devices 16 00:00:43,380 --> 00:00:44,399 possible. 17 00:00:44,400 --> 00:00:46,649 So enjoy it and give a warm welcome 18 00:00:46,650 --> 00:00:47,650 to Andrei. 19 00:00:54,460 --> 00:00:56,649 Hello, everybody, welcome to my talk. 20 00:00:56,650 --> 00:00:58,479 Thank you, Christian, for introducing me 21 00:00:59,770 --> 00:01:01,539 to. My name is Andre Kostin. 22 00:01:01,540 --> 00:01:03,399 I am a recent college graduate from 23 00:01:03,400 --> 00:01:05,139 Eureka in south of France. 24 00:01:05,140 --> 00:01:07,659 And today I'll be presenting you 25 00:01:07,660 --> 00:01:09,789 basically a quick squeeze of 26 00:01:09,790 --> 00:01:11,889 my three years thesis 27 00:01:11,890 --> 00:01:14,139 on security of embedded devices, 28 00:01:14,140 --> 00:01:16,659 film or how to do it fast and furious 29 00:01:16,660 --> 00:01:18,729 of large scale with 30 00:01:18,730 --> 00:01:19,899 some demos. 31 00:01:19,900 --> 00:01:21,849 So a very short film. 32 00:01:21,850 --> 00:01:24,189 I will not go too much, but 33 00:01:24,190 --> 00:01:26,289 in principle I'm interested 34 00:01:26,290 --> 00:01:27,639 in embedded devices 35 00:01:28,750 --> 00:01:30,999 as such, regardless 36 00:01:31,000 --> 00:01:33,189 of the shape we take, 37 00:01:33,190 --> 00:01:35,499 they might take the shape of our RFID 38 00:01:35,500 --> 00:01:37,869 card or a credit card, or they take 39 00:01:37,870 --> 00:01:40,059 shapes of printers or funguses, TV 40 00:01:40,060 --> 00:01:41,679 cameras or even airplanes. 41 00:01:41,680 --> 00:01:43,809 All of these are kind of examples 42 00:01:43,810 --> 00:01:46,119 of embedded devices fit 43 00:01:46,120 --> 00:01:48,579 in different bodies, let's say. 44 00:01:48,580 --> 00:01:50,409 But inside they're embedded devices. 45 00:01:50,410 --> 00:01:52,089 And this is what makes them a little bit 46 00:01:52,090 --> 00:01:53,229 different than normal PCs. 47 00:01:53,230 --> 00:01:54,569 And interesting for me. 48 00:01:55,900 --> 00:01:57,969 So we know that embedded 49 00:01:57,970 --> 00:01:59,829 devices are everywhere, is not something 50 00:01:59,830 --> 00:02:02,019 new. And we are seeing 51 00:02:02,020 --> 00:02:04,269 this where we use them 52 00:02:04,270 --> 00:02:05,379 every day. 53 00:02:05,380 --> 00:02:07,569 We see that embedded with 54 00:02:07,570 --> 00:02:08,589 embedded devices. 55 00:02:08,590 --> 00:02:10,959 We are getting more complex 56 00:02:10,960 --> 00:02:13,239 and smarter because we really want 57 00:02:13,240 --> 00:02:15,369 to do more 58 00:02:15,370 --> 00:02:17,859 useful stuff with them, like writing 59 00:02:17,860 --> 00:02:20,469 a script for them or calling an API 60 00:02:20,470 --> 00:02:22,539 or trying to 61 00:02:22,540 --> 00:02:24,999 TransAm some piece of advanced 62 00:02:25,000 --> 00:02:27,129 software on them, whether it's a smart 63 00:02:27,130 --> 00:02:28,240 home or a smart TV 64 00:02:29,290 --> 00:02:31,419 and of course, embedded devices. 65 00:02:31,420 --> 00:02:33,159 We are also getting on top of that. 66 00:02:33,160 --> 00:02:34,929 They are also getting interconnected in 67 00:02:34,930 --> 00:02:37,059 what's the new buzzword, 68 00:02:37,060 --> 00:02:39,789 Internet of Things Iot and 69 00:02:39,790 --> 00:02:41,859 these layers of complexity, basically 70 00:02:41,860 --> 00:02:44,229 the interconnection of devices 71 00:02:44,230 --> 00:02:46,329 which before are not supposed 72 00:02:46,330 --> 00:02:48,669 to to be connected 73 00:02:48,670 --> 00:02:50,979 combined with new complexity of software 74 00:02:50,980 --> 00:02:53,079 and text and APIs makes a 75 00:02:53,080 --> 00:02:55,269 little bit harder 76 00:02:55,270 --> 00:02:57,399 to actually understand all the security 77 00:02:57,400 --> 00:02:58,329 surfaces. 78 00:02:58,330 --> 00:03:00,429 So it requires a little bit of a 79 00:03:00,430 --> 00:03:02,199 systematic approach. 80 00:03:02,200 --> 00:03:04,809 And all these embedded 81 00:03:04,810 --> 00:03:07,569 devices, they run software 82 00:03:07,570 --> 00:03:08,570 and. 83 00:03:09,340 --> 00:03:11,319 Regardless of their shape, how they look 84 00:03:11,320 --> 00:03:13,869 like their software is 85 00:03:13,870 --> 00:03:15,999 called Fermor because of 86 00:03:16,000 --> 00:03:18,189 historical reasons, so your 87 00:03:18,190 --> 00:03:20,499 smart TV, your smart 88 00:03:20,500 --> 00:03:22,629 meters, your home, rather, and even 89 00:03:22,630 --> 00:03:24,879 your hard drives in your PC 90 00:03:24,880 --> 00:03:26,949 or network cards in your PC 91 00:03:26,950 --> 00:03:29,739 perceiver on these pieces of firmware, 92 00:03:29,740 --> 00:03:31,989 which is kind of a smaller said 93 00:03:31,990 --> 00:03:34,209 software operating system or not 94 00:03:34,210 --> 00:03:36,129 running inside of it. 95 00:03:36,130 --> 00:03:38,869 So there are some observations 96 00:03:38,870 --> 00:03:41,199 that at present that 97 00:03:41,200 --> 00:03:43,269 back in 2014 we've seen, 98 00:03:43,270 --> 00:03:46,119 at least in a part of the Internet, 99 00:03:46,120 --> 00:03:48,369 which is just a small observable part, 100 00:03:48,370 --> 00:03:50,409 but there are hundreds of thousands of 101 00:03:50,410 --> 00:03:52,779 Hilmar packages which we've been able to 102 00:03:52,780 --> 00:03:55,059 to download and partially 103 00:03:55,060 --> 00:03:56,859 to unpack and analyze. 104 00:03:56,860 --> 00:03:59,409 So there might be many more 105 00:03:59,410 --> 00:04:01,539 thousands of FERMA packages, but at 106 00:04:01,540 --> 00:04:02,649 least we know there are hundreds of 107 00:04:02,650 --> 00:04:03,650 thousands of them. 108 00:04:04,540 --> 00:04:06,819 And there's also this interesting 109 00:04:06,820 --> 00:04:10,119 predictions that by 2014, 110 00:04:10,120 --> 00:04:12,309 where there were 14 billion 111 00:04:12,310 --> 00:04:14,379 interconnected objects by 112 00:04:14,380 --> 00:04:16,208 Cisco Internet of Things connection 113 00:04:16,209 --> 00:04:18,569 counter, and the prediction is that 114 00:04:18,570 --> 00:04:20,409 they are well known. 115 00:04:20,410 --> 00:04:22,509 Hype is where by 2020 will 116 00:04:22,510 --> 00:04:24,789 be between 20 and 50 billion of 117 00:04:24,790 --> 00:04:26,110 interconnected devices. 118 00:04:28,300 --> 00:04:31,629 So this basically 119 00:04:31,630 --> 00:04:33,759 brings us to the importance of 120 00:04:33,760 --> 00:04:35,589 embedded devices and their firmware, 121 00:04:36,670 --> 00:04:39,039 because the embedded devices are 122 00:04:39,040 --> 00:04:41,049 ubiquitous, even though they are 123 00:04:41,050 --> 00:04:43,259 invisible, they are essential to 124 00:04:43,260 --> 00:04:43,989 our lives. 125 00:04:43,990 --> 00:04:46,929 Think about pacemaker's think about 126 00:04:46,930 --> 00:04:48,999 using the cars they 127 00:04:49,000 --> 00:04:50,859 can operate for many years, for example, 128 00:04:50,860 --> 00:04:52,779 for smart infrastructure if it's buried 129 00:04:52,780 --> 00:04:55,269 in concrete or is put somewhere 130 00:04:55,270 --> 00:04:57,579 in the out of reach area, 131 00:04:57,580 --> 00:04:59,259 they should operate and they could 132 00:04:59,260 --> 00:05:01,779 operate for years even without getting 133 00:05:01,780 --> 00:05:03,999 no updates or no security updates. 134 00:05:04,000 --> 00:05:06,369 And they have a large or face because 135 00:05:06,370 --> 00:05:08,679 of those devices do not have 136 00:05:08,680 --> 00:05:09,680 normal. 137 00:05:11,550 --> 00:05:13,709 Mouse keyboards, input output 138 00:05:13,710 --> 00:05:16,079 systems like keyboard, mouse 139 00:05:16,080 --> 00:05:17,039 and monitors. 140 00:05:17,040 --> 00:05:19,469 So we need some kind of web interfaces, 141 00:05:19,470 --> 00:05:21,689 networking interfaces and debugging 142 00:05:21,690 --> 00:05:24,599 interfaces so that we are able to 143 00:05:24,600 --> 00:05:26,999 to to operate easily 144 00:05:28,200 --> 00:05:30,449 and is not news that the embedded 145 00:05:30,450 --> 00:05:31,739 devices are insecure. 146 00:05:31,740 --> 00:05:33,569 We've been seeing this trend from, I 147 00:05:33,570 --> 00:05:35,999 guess, 2005 or 2006 148 00:05:36,000 --> 00:05:38,459 when increasingly 149 00:05:38,460 --> 00:05:41,079 more every day there 150 00:05:41,080 --> 00:05:43,229 were examples of embedded devices 151 00:05:43,230 --> 00:05:45,479 being insecure, like a lot 152 00:05:45,480 --> 00:05:47,459 of routers being insecure. 153 00:05:47,460 --> 00:05:49,709 When printers shown to be insecure on 154 00:05:49,710 --> 00:05:51,809 a large scale, then VoIP 155 00:05:51,810 --> 00:05:53,969 phones and VoIP systems used in 156 00:05:53,970 --> 00:05:57,089 offices, cars, 157 00:05:57,090 --> 00:05:59,189 Schoenbeck and even in 158 00:05:59,190 --> 00:06:01,679 present shown to be remotely 159 00:06:01,680 --> 00:06:03,569 hackable and insecure. 160 00:06:03,570 --> 00:06:06,299 Drones, fireworks, 161 00:06:06,300 --> 00:06:08,039 all kinds of p.l.c. 162 00:06:08,040 --> 00:06:10,379 scars are industrial control 163 00:06:10,380 --> 00:06:12,449 systems and the finger can 164 00:06:12,450 --> 00:06:15,239 go on because there's actually no 165 00:06:15,240 --> 00:06:17,519 limit on the type or 166 00:06:17,520 --> 00:06:19,079 application of embedded devices. 167 00:06:19,080 --> 00:06:21,239 And we can go on the blogs 168 00:06:21,240 --> 00:06:23,279 and on their reports and white papers and 169 00:06:23,280 --> 00:06:25,469 see every type of 170 00:06:25,470 --> 00:06:28,529 embedded device have some kind of a flaw. 171 00:06:28,530 --> 00:06:31,549 But what is the observation here is that 172 00:06:31,550 --> 00:06:33,839 most of these white papers or 173 00:06:33,840 --> 00:06:35,939 research was done in 174 00:06:35,940 --> 00:06:38,099 a manual or not 175 00:06:38,100 --> 00:06:39,749 necessarily just in a manual, but it was 176 00:06:39,750 --> 00:06:42,269 like every research research 177 00:06:42,270 --> 00:06:44,429 was done in an individual manner, like 178 00:06:44,430 --> 00:06:46,109 taking a particular device or a 179 00:06:46,110 --> 00:06:48,689 particular embedded Fermor 180 00:06:48,690 --> 00:06:50,849 and analyzing it 181 00:06:50,850 --> 00:06:52,669 heads to end. 182 00:06:52,670 --> 00:06:55,409 And basically it involves a lot of 183 00:06:55,410 --> 00:06:58,199 tedious work, a lot of manual work, 184 00:06:58,200 --> 00:06:59,549 a lot of scripting. 185 00:06:59,550 --> 00:07:02,029 And basically it's it 186 00:07:02,030 --> 00:07:04,199 cannot scale. If you want to understand 187 00:07:04,200 --> 00:07:06,959 what are the security of 50 billions 188 00:07:06,960 --> 00:07:08,849 in security implications of 50 billions 189 00:07:08,850 --> 00:07:11,189 of connected devices or 190 00:07:11,190 --> 00:07:14,029 security flaws in hundreds of thousands 191 00:07:14,030 --> 00:07:15,339 of or images? 192 00:07:15,340 --> 00:07:16,739 We need scalable approaches. 193 00:07:16,740 --> 00:07:18,959 And these approaches where we 194 00:07:18,960 --> 00:07:21,569 do a lot of things manually just 195 00:07:21,570 --> 00:07:22,570 does not scale. 196 00:07:23,400 --> 00:07:26,189 I'll try to give a very quick overview 197 00:07:26,190 --> 00:07:28,349 of how usually very manual 198 00:07:28,350 --> 00:07:30,729 analysis of films 199 00:07:30,730 --> 00:07:32,309 takes place. 200 00:07:32,310 --> 00:07:34,589 And for most of you, maybe it's not 201 00:07:34,590 --> 00:07:36,029 something new and for sure it's not. 202 00:07:38,010 --> 00:07:40,169 But the idea is that there is a 203 00:07:40,170 --> 00:07:42,419 phillimore package, you download 204 00:07:42,420 --> 00:07:44,189 it, you get it on your C.D., you get it 205 00:07:44,190 --> 00:07:46,349 on your USB stick, or you pay hundreds 206 00:07:46,350 --> 00:07:48,509 of euros and get on 207 00:07:48,510 --> 00:07:49,439 a fantastic card. 208 00:07:49,440 --> 00:07:51,660 If it's a card or a system, 209 00:07:52,980 --> 00:07:55,199 you unpack or decrypt. 210 00:07:55,200 --> 00:07:57,179 And if you cannot decrypt is not a 211 00:07:57,180 --> 00:07:58,109 problem, you keep it. 212 00:07:58,110 --> 00:08:00,359 And some day somebody will dump 213 00:08:00,360 --> 00:08:02,159 the key and you will be able to decrypt 214 00:08:02,160 --> 00:08:04,679 it and go back and do the process as if 215 00:08:04,680 --> 00:08:07,349 they're Fillmore's decrypted 216 00:08:07,350 --> 00:08:08,699 unencrypted. 217 00:08:08,700 --> 00:08:10,859 Then there is a very generic 218 00:08:10,860 --> 00:08:13,019 steps like detecting the CPU or the 219 00:08:13,020 --> 00:08:15,179 type of binary Vello 220 00:08:15,180 --> 00:08:17,369 that addresses detecting 221 00:08:17,370 --> 00:08:19,169 and then applying some kind of a static 222 00:08:19,170 --> 00:08:21,449 analysis on the code or the source 223 00:08:21,450 --> 00:08:23,819 code of interpreted files and 224 00:08:23,820 --> 00:08:25,919 dynamic analysis and 225 00:08:25,920 --> 00:08:27,989 then looking for some kinds of 226 00:08:27,990 --> 00:08:30,119 patterns, even in form 227 00:08:30,120 --> 00:08:32,908 of strings or function names or symbols 228 00:08:32,909 --> 00:08:35,009 or just chunks of codes, which people try 229 00:08:35,010 --> 00:08:37,349 to do now with machine learning and 230 00:08:37,350 --> 00:08:38,279 intermediate language. 231 00:08:38,280 --> 00:08:40,709 But that is to try to find this kind of 232 00:08:40,710 --> 00:08:42,869 back doors or debug interfaces or 233 00:08:42,870 --> 00:08:45,509 you are console's or know 234 00:08:45,510 --> 00:08:46,559 obvious wounds. 235 00:08:46,560 --> 00:08:49,019 This can be done statically or usually 236 00:08:49,020 --> 00:08:50,729 can be done also dynamically, but it 237 00:08:50,730 --> 00:08:52,649 requires more effort as will go through. 238 00:08:54,060 --> 00:08:56,039 Then if you didn't have a device, you 239 00:08:56,040 --> 00:08:57,989 have to buy the device. 240 00:08:57,990 --> 00:08:59,789 Some people do it, otherwise they have a 241 00:08:59,790 --> 00:09:02,129 device with no firmware and then 242 00:09:02,130 --> 00:09:04,259 they start as if we started with 243 00:09:04,260 --> 00:09:05,309 FEMA itself. 244 00:09:05,310 --> 00:09:07,589 But in general case, if you want to do 245 00:09:07,590 --> 00:09:09,479 analysis on some devices, you do not want 246 00:09:09,480 --> 00:09:11,669 to buy every device every now and then 247 00:09:11,670 --> 00:09:12,839 just to analyze. 248 00:09:12,840 --> 00:09:14,669 So you want to start as cheap as possible 249 00:09:14,670 --> 00:09:17,099 and start as possible is 250 00:09:17,100 --> 00:09:18,449 getting the feel more free from the 251 00:09:18,450 --> 00:09:19,349 Internet. 252 00:09:19,350 --> 00:09:21,479 And then if you find some indication 253 00:09:21,480 --> 00:09:23,129 that there's vulnerabilities, you will 254 00:09:23,130 --> 00:09:24,719 want to buy the device. 255 00:09:24,720 --> 00:09:26,909 You have to set up the device, meaning 256 00:09:26,910 --> 00:09:29,219 all the cabling, all the network 257 00:09:29,220 --> 00:09:30,809 configurations, all the 258 00:09:32,310 --> 00:09:33,749 drama is right. 259 00:09:33,750 --> 00:09:35,909 And then eventually, if 260 00:09:35,910 --> 00:09:38,039 you need to go even deeper or samples, 261 00:09:38,040 --> 00:09:40,529 abilities might require some physical 262 00:09:40,530 --> 00:09:42,809 intervention, you might need to even go 263 00:09:42,810 --> 00:09:43,979 and disassemble. 264 00:09:43,980 --> 00:09:46,859 So clearly, there are two parts of this 265 00:09:46,860 --> 00:09:49,259 manual analysis process and 266 00:09:49,260 --> 00:09:51,509 we can see what the part of buying 267 00:09:51,510 --> 00:09:53,609 the device, setting up the device and 268 00:09:53,610 --> 00:09:55,779 disassembling it to go to its geotag, 269 00:09:55,780 --> 00:09:57,869 or you are the console or 270 00:09:57,870 --> 00:10:00,479 just hook up on the microprocessors 271 00:10:00,480 --> 00:10:02,729 or flash memory is 272 00:10:02,730 --> 00:10:05,009 is hard to automate because you 273 00:10:05,010 --> 00:10:06,779 don't have so much budget to buy all the 274 00:10:06,780 --> 00:10:08,489 devices. Just go on Amazon and buy at 275 00:10:08,490 --> 00:10:10,619 random devices that you think 276 00:10:10,620 --> 00:10:12,299 might be vulnerable. 277 00:10:12,300 --> 00:10:14,369 And second is not very 278 00:10:14,370 --> 00:10:16,499 easy to to set up all the devices 279 00:10:16,500 --> 00:10:18,479 in uniform unless you have a very smart 280 00:10:18,480 --> 00:10:20,699 robot, maybe in a few years will have 281 00:10:20,700 --> 00:10:22,889 them. And also not very 282 00:10:22,890 --> 00:10:24,779 easy to automatically disassemble the 283 00:10:24,780 --> 00:10:26,849 device and go some robots 284 00:10:26,850 --> 00:10:29,069 to connect to vegetables and you can 285 00:10:29,070 --> 00:10:31,139 find them. There are some steps towards 286 00:10:31,140 --> 00:10:33,599 that direction to automate this with 287 00:10:33,600 --> 00:10:35,919 tabulators and some some movement 288 00:10:35,920 --> 00:10:38,129 moving moving parts 289 00:10:38,130 --> 00:10:39,719 to try to detect these. 290 00:10:39,720 --> 00:10:42,029 You are. But still, it's like a heart 291 00:10:42,030 --> 00:10:44,399 problem is hard to automate. 292 00:10:44,400 --> 00:10:46,469 On our own website, we see 293 00:10:46,470 --> 00:10:48,689 what the first 294 00:10:48,690 --> 00:10:51,149 part is. More or less is automated 295 00:10:51,150 --> 00:10:53,309 because getting the former is 296 00:10:53,310 --> 00:10:54,899 nothing than just going to a download 297 00:10:54,900 --> 00:10:57,059 link that eventually logging 298 00:10:57,060 --> 00:10:58,409 in, if it requires a username and 299 00:10:58,410 --> 00:11:00,869 password, downloading it, 300 00:11:00,870 --> 00:11:02,639 then trying to unpack it. 301 00:11:02,640 --> 00:11:04,889 If it doesn't work with a simple zip, 302 00:11:04,890 --> 00:11:06,959 you can use the brute force method, you 303 00:11:06,960 --> 00:11:09,329 just brute force and I'll show you some 304 00:11:09,330 --> 00:11:11,759 examples and then you just 305 00:11:11,760 --> 00:11:13,049 try to do some juristic. 306 00:11:13,050 --> 00:11:15,329 You detect some things which you might 307 00:11:15,330 --> 00:11:17,429 want to optimize 308 00:11:17,430 --> 00:11:19,049 for your analysis. And when you just do 309 00:11:19,050 --> 00:11:21,059 static and then amik analysis, of course, 310 00:11:21,060 --> 00:11:23,159 there are some caveats for both of 311 00:11:23,160 --> 00:11:24,869 you for all of these steps. 312 00:11:24,870 --> 00:11:27,299 But clearly this as a process, 313 00:11:27,300 --> 00:11:30,060 as a as a vote can be automated, 314 00:11:31,290 --> 00:11:32,290 so. 315 00:11:33,460 --> 00:11:35,499 Going from this point forward, we have 316 00:11:35,500 --> 00:11:37,599 this idea to to have a large 317 00:11:37,600 --> 00:11:39,489 scale automated analysis to better 318 00:11:39,490 --> 00:11:41,589 understand and classify and analyze 319 00:11:41,590 --> 00:11:43,839 film or images without 320 00:11:43,840 --> 00:11:45,219 using the devices. What is very 321 00:11:45,220 --> 00:11:47,409 important, because we don't actually 322 00:11:47,410 --> 00:11:49,989 need these devices, because most of them 323 00:11:49,990 --> 00:11:52,569 can be with more or less effort emulated 324 00:11:52,570 --> 00:11:55,029 if we really need to to confirm something 325 00:11:55,030 --> 00:11:56,030 or not. 326 00:11:56,680 --> 00:11:59,039 So there are some challenges, like 327 00:11:59,040 --> 00:12:00,759 the large number of devices, the large 328 00:12:00,760 --> 00:12:02,799 number of Theama files, these are the 329 00:12:02,800 --> 00:12:04,929 challenges which have to 330 00:12:04,930 --> 00:12:06,549 be overcome. 331 00:12:06,550 --> 00:12:07,899 Also of the things that 332 00:12:09,100 --> 00:12:11,459 the Iot and the embedded devices, 333 00:12:11,460 --> 00:12:12,460 they're using 334 00:12:14,080 --> 00:12:15,309 different kinds of architecture. 335 00:12:15,310 --> 00:12:17,549 Of course, the most well known are 336 00:12:17,550 --> 00:12:19,329 and MEPs and PowerPC maybe. 337 00:12:19,330 --> 00:12:20,739 But there's mirrors of our 338 00:12:20,740 --> 00:12:22,599 microcontrollers and microprocessors, 339 00:12:22,600 --> 00:12:25,089 which you really don't know 340 00:12:25,090 --> 00:12:27,009 what they are and also not necessarily 341 00:12:27,010 --> 00:12:28,509 all of them use Linux. 342 00:12:28,510 --> 00:12:30,669 So you would need to know where to 343 00:12:30,670 --> 00:12:32,740 load that bytecode and so on. 344 00:12:34,930 --> 00:12:37,149 And basically, we also have 345 00:12:37,150 --> 00:12:38,859 a highly unstructured data. 346 00:12:38,860 --> 00:12:40,899 Even though you can go and download all 347 00:12:40,900 --> 00:12:42,279 the files on the Internet, you need to 348 00:12:42,280 --> 00:12:44,949 know what is what, because 349 00:12:44,950 --> 00:12:48,099 otherwise you end up in a very 350 00:12:48,100 --> 00:12:49,100 inefficient, 351 00:12:50,410 --> 00:12:52,629 very inefficient brute forcing process. 352 00:12:52,630 --> 00:12:54,369 And you need to be really focused when 353 00:12:54,370 --> 00:12:56,259 you have a lot of data. 354 00:12:56,260 --> 00:12:58,629 So to overcome with these challenges, 355 00:12:58,630 --> 00:13:00,369 we have some solutions. 356 00:13:00,370 --> 00:13:02,439 We propose solutions 357 00:13:02,440 --> 00:13:04,569 such as for a large number 358 00:13:04,570 --> 00:13:06,429 of devices. The first thing we want to 359 00:13:06,430 --> 00:13:07,989 do, no devices analysis. 360 00:13:07,990 --> 00:13:10,759 So we try to do no devices, 361 00:13:10,760 --> 00:13:12,249 a large number of fumer files. 362 00:13:12,250 --> 00:13:14,379 Basically, we need to analyze a lot of 363 00:13:14,380 --> 00:13:16,659 data, OK? We need to devise 364 00:13:16,660 --> 00:13:18,159 a scalable architectures 365 00:13:19,810 --> 00:13:22,569 because the systems are heterogeneous. 366 00:13:22,570 --> 00:13:24,639 We need to devise techniques which 367 00:13:24,640 --> 00:13:26,889 are generic enough, 368 00:13:26,890 --> 00:13:29,259 which do not depend on particular 369 00:13:29,260 --> 00:13:31,419 CPU architecture or 370 00:13:31,420 --> 00:13:32,419 hardware architecture. 371 00:13:32,420 --> 00:13:34,479 We want to be either on the 372 00:13:34,480 --> 00:13:36,639 intermediate level or 373 00:13:36,640 --> 00:13:38,799 have some some some 374 00:13:38,800 --> 00:13:40,659 specialized techniques, but we can from 375 00:13:40,660 --> 00:13:41,679 which we can pivot 376 00:13:42,850 --> 00:13:45,129 when there's a 377 00:13:45,130 --> 00:13:47,469 focus on web and network 378 00:13:47,470 --> 00:13:49,419 interfaces and APIs, because all of these 379 00:13:49,420 --> 00:13:51,369 devices they expose with network 380 00:13:51,370 --> 00:13:53,799 interfaces and APIs and in particular 381 00:13:53,800 --> 00:13:56,049 we expose the web interface as a means 382 00:13:56,050 --> 00:13:58,119 to remote management or remote 383 00:13:58,120 --> 00:13:59,120 access to the device. 384 00:14:00,790 --> 00:14:02,949 Having highly unstructured data, we 385 00:14:02,950 --> 00:14:05,049 propose that you need to 386 00:14:05,050 --> 00:14:07,089 do a large dataset classification, 387 00:14:07,090 --> 00:14:09,339 meaning that you use machine learning 388 00:14:09,340 --> 00:14:11,679 to classify the Fillmore's and so on. 389 00:14:11,680 --> 00:14:13,450 And we'll show some examples of this. 390 00:14:15,250 --> 00:14:17,349 So first, the 391 00:14:17,350 --> 00:14:19,479 first challenge, like FERMA in device 392 00:14:19,480 --> 00:14:20,949 classification. 393 00:14:20,950 --> 00:14:23,529 Why? Why is that the challenge? 394 00:14:23,530 --> 00:14:25,629 We know that, again, there's hundreds 395 00:14:25,630 --> 00:14:27,819 of thousands of Fermor packages. 396 00:14:27,820 --> 00:14:30,099 And of course, I don't see many 397 00:14:30,100 --> 00:14:32,859 volunteers in the room to manually triage 398 00:14:32,860 --> 00:14:35,049 and classify them. 399 00:14:35,050 --> 00:14:37,359 And we basically propose 400 00:14:37,360 --> 00:14:39,339 machine learning. 401 00:14:39,340 --> 00:14:41,739 And we in particular in our case, we used 402 00:14:41,740 --> 00:14:42,789 Saikat learn 403 00:14:43,840 --> 00:14:45,969 Python package and we 404 00:14:45,970 --> 00:14:48,549 try to evaluate our approach. 405 00:14:48,550 --> 00:14:51,159 That is that if you have Fermor files 406 00:14:51,160 --> 00:14:53,259 and these from our files 407 00:14:53,260 --> 00:14:56,159 usually are specific to devices. 408 00:14:56,160 --> 00:14:58,269 So if a device 409 00:14:58,270 --> 00:15:00,629 evades a device which has a particular 410 00:15:00,630 --> 00:15:01,630 number of 411 00:15:03,540 --> 00:15:05,699 megabytes for Flash, 412 00:15:05,700 --> 00:15:07,799 then the Filmer file, if it's a 413 00:15:07,800 --> 00:15:09,929 full update, will have more or less 16 414 00:15:09,930 --> 00:15:11,099 megabytes. Right. 415 00:15:11,100 --> 00:15:12,389 So there is this kind of fear. 416 00:15:12,390 --> 00:15:14,249 More properties like file size, file 417 00:15:14,250 --> 00:15:16,439 entropy, some strings and so on, 418 00:15:16,440 --> 00:15:18,839 which makes those femur's 419 00:15:18,840 --> 00:15:20,999 particular to that device 420 00:15:21,000 --> 00:15:22,709 or what vendor. 421 00:15:22,710 --> 00:15:25,949 So these are kind of the 422 00:15:25,950 --> 00:15:28,139 properties of the files from 423 00:15:28,140 --> 00:15:29,879 our files, which we use like file size, 424 00:15:29,880 --> 00:15:32,579 entropy value called densities 425 00:15:32,580 --> 00:15:34,649 of the strings inside and unique strings 426 00:15:34,650 --> 00:15:36,239 in each category. 427 00:15:36,240 --> 00:15:38,519 And then we try to use these as features 428 00:15:38,520 --> 00:15:41,069 in machine learning algorithms, 429 00:15:41,070 --> 00:15:42,570 random thoughts and decision trees. 430 00:15:43,650 --> 00:15:46,319 And we did some some sampling 431 00:15:46,320 --> 00:15:48,449 and we found that in our case, 432 00:15:49,950 --> 00:15:52,319 what worked the best was 433 00:15:52,320 --> 00:15:54,959 the random forest. 434 00:15:54,960 --> 00:15:57,149 We've size entropy, 435 00:15:57,150 --> 00:15:59,999 strings and strings, unique features. 436 00:16:00,000 --> 00:16:02,369 And I know it sounds a little bit 437 00:16:02,370 --> 00:16:04,679 too much for this presentation, 438 00:16:04,680 --> 00:16:06,769 but you can find the details in in 439 00:16:06,770 --> 00:16:08,789 the in the papers, which are at the end 440 00:16:08,790 --> 00:16:11,069 of the slides, how these 441 00:16:11,070 --> 00:16:12,419 features were chosen and how they're 442 00:16:12,420 --> 00:16:14,909 generated. But that is what if we, 443 00:16:14,910 --> 00:16:17,279 for example, include another feature 444 00:16:17,280 --> 00:16:20,159 of Fillmore's, which is not very 445 00:16:20,160 --> 00:16:22,349 good when we have the 446 00:16:22,350 --> 00:16:24,419 classification of Fillmore's or detection 447 00:16:24,420 --> 00:16:26,519 of Fillmore's not very 448 00:16:26,520 --> 00:16:27,449 accurate. 449 00:16:27,450 --> 00:16:29,609 So in our case, we've 450 00:16:29,610 --> 00:16:32,789 been able to achieve more than 90 percent 451 00:16:32,790 --> 00:16:35,489 accurate detection of Fermor 452 00:16:35,490 --> 00:16:37,799 by Vandar or by Vandoren product. 453 00:16:37,800 --> 00:16:40,349 So it helps us because we can basically 454 00:16:40,350 --> 00:16:42,539 say from this big number 455 00:16:42,540 --> 00:16:44,669 of Fillmore's, let's 456 00:16:44,670 --> 00:16:47,019 put this in chunks and we have 457 00:16:47,020 --> 00:16:49,049 Fillmore's from vendor or A vendor, B 458 00:16:49,050 --> 00:16:51,149 vendor C and then we can 459 00:16:51,150 --> 00:16:53,519 apply specific unpegging 460 00:16:53,520 --> 00:16:56,039 techniques or specific known exploits 461 00:16:56,040 --> 00:16:57,179 to test the VWs. 462 00:16:58,470 --> 00:17:00,689 Fillmore's are vulnerable or not 463 00:17:00,690 --> 00:17:02,999 because we know it's vendor or B or C. 464 00:17:04,650 --> 00:17:07,439 So this is our local optimum 465 00:17:07,440 --> 00:17:08,399 where I live. 466 00:17:08,400 --> 00:17:10,469 The future is the same as on the 467 00:17:10,470 --> 00:17:11,470 on the slide. 468 00:17:13,230 --> 00:17:14,759 And that is that 469 00:17:16,349 --> 00:17:18,598 I can try to give you 470 00:17:18,599 --> 00:17:21,699 a demo at the end of the presentation. 471 00:17:21,700 --> 00:17:23,789 Uh, so so the next challenge is 472 00:17:23,790 --> 00:17:25,979 the automated static analysis. 473 00:17:25,980 --> 00:17:27,209 So the idea is that. 474 00:17:28,720 --> 00:17:30,819 If you have a large number of 475 00:17:30,820 --> 00:17:32,949 farmers, you want to do more to 476 00:17:32,950 --> 00:17:35,109 do the analysis as quick as possible and 477 00:17:35,110 --> 00:17:37,329 automated as possible, so in 478 00:17:37,330 --> 00:17:40,179 the first instance, what we did, we took 479 00:17:40,180 --> 00:17:42,039 the files, which we crawled the several 480 00:17:42,040 --> 00:17:44,079 hundred thousand farmers. 481 00:17:44,080 --> 00:17:46,479 We put them in a database 482 00:17:46,480 --> 00:17:48,819 and we developed some 483 00:17:50,020 --> 00:17:52,270 processing, unpacking and analysis nodes. 484 00:17:53,320 --> 00:17:55,089 And basically, you can scale it inside 485 00:17:55,090 --> 00:17:56,260 your own 486 00:17:58,450 --> 00:18:00,339 organization or you can scale it to 487 00:18:00,340 --> 00:18:02,529 Amazon Web Services to 488 00:18:02,530 --> 00:18:04,389 whatever number of nodes you need. 489 00:18:04,390 --> 00:18:06,219 And basically these nodes, or they do, 490 00:18:06,220 --> 00:18:07,659 they just receive a few more. 491 00:18:07,660 --> 00:18:09,909 They try to unpack using brainwork 492 00:18:09,910 --> 00:18:12,999 or using binary analysis tool kit. 493 00:18:13,000 --> 00:18:14,799 These are two very awesome tools. 494 00:18:14,800 --> 00:18:17,200 You can combine them or write your own 495 00:18:18,520 --> 00:18:20,049 and then you unpack the files. 496 00:18:20,050 --> 00:18:22,209 You get the file system if you're lucky. 497 00:18:22,210 --> 00:18:24,339 If not, you can write your own compactors 498 00:18:24,340 --> 00:18:26,859 and plug them into brainwork and banner 499 00:18:26,860 --> 00:18:29,079 analysis tool kit and scale 500 00:18:29,080 --> 00:18:31,329 it to many numbers of nodes. 501 00:18:32,710 --> 00:18:34,989 When we do some simple static 502 00:18:34,990 --> 00:18:36,099 analysis like 503 00:18:37,120 --> 00:18:40,149 collecting default 504 00:18:40,150 --> 00:18:42,489 or backdoor passwords or 505 00:18:42,490 --> 00:18:44,799 an unusual password, or 506 00:18:44,800 --> 00:18:46,989 we try to to see very 507 00:18:46,990 --> 00:18:49,539 private certificate's private files 508 00:18:49,540 --> 00:18:51,609 and which are in the film around 509 00:18:51,610 --> 00:18:52,610 should not be there. 510 00:18:53,530 --> 00:18:55,929 Then we also saw this in a film, more 511 00:18:55,930 --> 00:18:57,999 analysis and report database and do some 512 00:18:58,000 --> 00:18:59,589 data management which will come down 513 00:18:59,590 --> 00:19:00,590 later. 514 00:19:01,120 --> 00:19:03,249 So what kinds of static analysis would 515 00:19:03,250 --> 00:19:04,719 perform in the first place? 516 00:19:04,720 --> 00:19:06,819 We do check for Web 517 00:19:06,820 --> 00:19:07,809 server configuration. 518 00:19:07,810 --> 00:19:09,879 We didn't run any static code 519 00:19:09,880 --> 00:19:12,129 analysis because it was our first 520 00:19:12,130 --> 00:19:14,169 experiment. We didn't know what exactly 521 00:19:14,170 --> 00:19:16,479 to expect. What was the percentage of 522 00:19:16,480 --> 00:19:17,469 CPU architecture? 523 00:19:17,470 --> 00:19:19,929 What was the percentage of operating 524 00:19:19,930 --> 00:19:22,119 systems? And it's really hard 525 00:19:22,120 --> 00:19:24,369 to have a full set of tools, especially 526 00:19:24,370 --> 00:19:26,529 if you work open source or 527 00:19:26,530 --> 00:19:28,599 free software to to 528 00:19:28,600 --> 00:19:30,969 tackle all of these challenges. 529 00:19:30,970 --> 00:19:32,950 When we also look for credentials, 530 00:19:34,120 --> 00:19:36,219 weak default or hardcoded the need to see 531 00:19:36,220 --> 00:19:38,349 password, or we look 532 00:19:38,350 --> 00:19:40,629 for basically four strings 533 00:19:40,630 --> 00:19:42,849 in the Fillmore and then we try to 534 00:19:42,850 --> 00:19:45,009 map them to 535 00:19:45,010 --> 00:19:47,169 hash hashes 536 00:19:47,170 --> 00:19:48,129 in each password. 537 00:19:48,130 --> 00:19:50,409 And we found like dozens of them, where 538 00:19:50,410 --> 00:19:52,749 the string string inside 539 00:19:52,750 --> 00:19:55,059 the femur is actually 540 00:19:55,060 --> 00:19:57,229 a password for an 541 00:19:57,230 --> 00:19:58,569 we need to see. 542 00:19:58,570 --> 00:20:01,219 We also use the versions and the 543 00:20:01,220 --> 00:20:03,279 keywords, for example, versions are 544 00:20:03,280 --> 00:20:05,679 useful if you want to, to test 545 00:20:05,680 --> 00:20:07,869 statically or dynamically if a particular 546 00:20:07,870 --> 00:20:10,539 open SSL library shipped in a few 547 00:20:10,540 --> 00:20:13,149 is vulnerable or not. 548 00:20:13,150 --> 00:20:14,829 The thing is that just getting the 549 00:20:14,830 --> 00:20:17,199 Fillmore version is not enough 550 00:20:17,200 --> 00:20:19,449 because you never know whether 551 00:20:19,450 --> 00:20:21,979 the library or the software package 552 00:20:21,980 --> 00:20:24,219 was compiled with a particular 553 00:20:24,220 --> 00:20:26,859 set of options or was 554 00:20:26,860 --> 00:20:28,539 privately purchased by the vendor. 555 00:20:28,540 --> 00:20:30,099 And the vulnerability is not there. 556 00:20:30,100 --> 00:20:31,869 So if you have a severe, it might not 557 00:20:31,870 --> 00:20:33,909 work just because of the simple reason, 558 00:20:33,910 --> 00:20:35,769 because they privately purchased it or 559 00:20:35,770 --> 00:20:37,689 compile it in a way, but it doesn't 560 00:20:37,690 --> 00:20:39,699 trigger. So aversion is just an 561 00:20:39,700 --> 00:20:41,499 indication of what you might be looking 562 00:20:41,500 --> 00:20:43,989 for, but it's not like a definite 563 00:20:43,990 --> 00:20:44,919 hit. 564 00:20:44,920 --> 00:20:46,899 And then we also use some correlation, 565 00:20:46,900 --> 00:20:49,179 which I'll show some examples of them. 566 00:20:49,180 --> 00:20:51,429 We use the strings, we use the fuzzy 567 00:20:51,430 --> 00:20:54,099 hashes and private SSL keys. 568 00:20:54,100 --> 00:20:56,289 The fuzzy hash is interesting 569 00:20:56,290 --> 00:20:58,359 thing basically is a 570 00:20:58,360 --> 00:21:01,509 forensic technique which compares files 571 00:21:01,510 --> 00:21:03,579 by their similarity with do not 572 00:21:03,580 --> 00:21:05,679 compare it one by one as 573 00:21:05,680 --> 00:21:07,359 in crypto hashes. 574 00:21:07,360 --> 00:21:09,459 So it gives you an idea if 575 00:21:09,460 --> 00:21:11,979 there is a common file in different 576 00:21:11,980 --> 00:21:14,499 finnemore packages and there's some 577 00:21:14,500 --> 00:21:16,479 small modification between vendors and it 578 00:21:16,480 --> 00:21:18,789 makes it easy to find cross 579 00:21:18,790 --> 00:21:20,859 bugs, as I'll show in in a 580 00:21:20,860 --> 00:21:21,860 second. 581 00:21:22,390 --> 00:21:24,970 So in one example, we have this Fermor 582 00:21:26,050 --> 00:21:28,359 SD card, wi fi 583 00:21:28,360 --> 00:21:30,339 finnemore. So basically these are SD 584 00:21:30,340 --> 00:21:33,069 card, which have a wi fi chips 585 00:21:33,070 --> 00:21:35,379 in them. And there 586 00:21:35,380 --> 00:21:38,169 was a known vulnerability in it 587 00:21:38,170 --> 00:21:40,509 like common injection 588 00:21:40,510 --> 00:21:42,609 and says 589 00:21:42,610 --> 00:21:44,529 we know that this particular file. 590 00:21:44,530 --> 00:21:46,779 But Fermor is vulnerable when 591 00:21:46,780 --> 00:21:50,139 one we do fuzzy hash 592 00:21:50,140 --> 00:21:52,259 analysis, we see that there's 593 00:21:52,260 --> 00:21:54,369 a few other like Fermor two and 594 00:21:54,370 --> 00:21:56,709 feel more free and more five 595 00:21:56,710 --> 00:21:58,989 and feel more full, which have similar 596 00:21:58,990 --> 00:22:01,179 files. And we try to correlate them by 597 00:22:01,180 --> 00:22:03,399 the hash and we see what some 598 00:22:03,400 --> 00:22:05,589 files are similar by 599 00:22:05,590 --> 00:22:07,659 fuzzy hash. So if this 600 00:22:07,660 --> 00:22:10,029 particular file is vulnerable to excess 601 00:22:10,030 --> 00:22:12,309 or remold code 602 00:22:12,310 --> 00:22:14,529 injection, then the 603 00:22:14,530 --> 00:22:17,019 other two, because of their similarity, 604 00:22:17,020 --> 00:22:18,309 they might be as well. 605 00:22:18,310 --> 00:22:20,529 So this is a very good indication that 606 00:22:20,530 --> 00:22:22,539 you should pivot from Phillimore one to 607 00:22:22,540 --> 00:22:24,609 fewer and fewer morphos and 608 00:22:24,610 --> 00:22:26,079 testing for exactly the same 609 00:22:26,080 --> 00:22:27,729 vulnerabilities or exploit. 610 00:22:27,730 --> 00:22:30,129 And the thing is that sometimes 611 00:22:30,130 --> 00:22:32,319 you you get different vendors hit 612 00:22:32,320 --> 00:22:34,419 by the same bug just because it's a 613 00:22:34,420 --> 00:22:36,819 white label product and 614 00:22:36,820 --> 00:22:39,129 they buy an SDK or a development 615 00:22:39,130 --> 00:22:41,319 kit and they use the very same 616 00:22:41,320 --> 00:22:43,749 vulnerable software packages. 617 00:22:43,750 --> 00:22:46,149 Another example which we found 618 00:22:46,150 --> 00:22:48,309 interesting is that we had 619 00:22:48,310 --> 00:22:50,769 the private we had HTP 620 00:22:50,770 --> 00:22:53,079 as certificate's 621 00:22:53,080 --> 00:22:55,599 in the Fillmore's and they had private 622 00:22:55,600 --> 00:22:57,669 keys along with them, which is a mistake. 623 00:22:57,670 --> 00:22:59,829 But OK, whatever you might think that 624 00:22:59,830 --> 00:23:01,929 maybe be the first, but they regenerate 625 00:23:03,460 --> 00:23:05,949 their SSL certificates. 626 00:23:05,950 --> 00:23:08,229 Oh, we look it up in our 627 00:23:08,230 --> 00:23:10,329 database. We see that this 628 00:23:10,330 --> 00:23:12,489 particular SSL certificate 629 00:23:12,490 --> 00:23:14,829 corresponds to assistive event 630 00:23:14,830 --> 00:23:16,929 or a and we actually found some 631 00:23:16,930 --> 00:23:19,059 vulnerabilities in this vendor wait 632 00:23:19,060 --> 00:23:20,589 out going forward. 633 00:23:20,590 --> 00:23:22,779 We take them up outputs 634 00:23:22,780 --> 00:23:25,089 and they have their 635 00:23:25,090 --> 00:23:27,189 HP Cisco Systems come. 636 00:23:27,190 --> 00:23:29,349 What we do, we try to correlate the same 637 00:23:29,350 --> 00:23:31,479 with the fingerprint of Certificate's 638 00:23:31,480 --> 00:23:33,849 in the IP for 639 00:23:33,850 --> 00:23:34,850 fingerprints. 640 00:23:35,620 --> 00:23:37,509 And we find that actually the same 641 00:23:37,510 --> 00:23:39,729 fingerprint, which is 642 00:23:39,730 --> 00:23:41,709 from the certificate and a few more 643 00:23:41,710 --> 00:23:43,629 files, is found online. 644 00:23:43,630 --> 00:23:46,359 And by random sampling, 645 00:23:46,360 --> 00:23:48,639 we found that some of these 646 00:23:48,640 --> 00:23:51,099 online devices which use the EPA 647 00:23:51,100 --> 00:23:53,439 certificate, they actually 648 00:23:53,440 --> 00:23:55,269 come from a vanderbeek. 649 00:23:55,270 --> 00:23:57,459 And the conclusion is 650 00:23:57,460 --> 00:23:59,499 that most likely these two vendors are 651 00:23:59,500 --> 00:24:00,909 affected by the same vulnerability we 652 00:24:00,910 --> 00:24:02,709 found in the first place by analyzing the 653 00:24:02,710 --> 00:24:04,779 filmer. And you can go and pivot 654 00:24:04,780 --> 00:24:06,909 from vendor A and basically go 655 00:24:06,910 --> 00:24:08,710 and exploit vendor BS 656 00:24:10,060 --> 00:24:11,769 devices which are online. 657 00:24:11,770 --> 00:24:14,440 And one example of this is. 658 00:24:15,850 --> 00:24:18,189 I'll just show you 659 00:24:18,190 --> 00:24:20,529 this is this particular example 660 00:24:20,530 --> 00:24:22,540 so you can see what it is. 661 00:24:23,830 --> 00:24:26,079 A a sentry, it's 662 00:24:26,080 --> 00:24:28,149 a CCTV camera, and you can 663 00:24:28,150 --> 00:24:30,309 see that it's a probably sentry, right. 664 00:24:30,310 --> 00:24:32,499 And what's that particular example 665 00:24:32,500 --> 00:24:33,369 I was talking about? 666 00:24:33,370 --> 00:24:35,349 But when you see the SSL certificate, 667 00:24:35,350 --> 00:24:38,079 it's Brecon, and I'll show your 668 00:24:38,080 --> 00:24:40,299 dynamic analysis of one device 669 00:24:40,300 --> 00:24:42,249 and how we do it. 670 00:24:42,250 --> 00:24:43,149 So there it is. 671 00:24:43,150 --> 00:24:45,789 But if you have these kind of situations 672 00:24:45,790 --> 00:24:48,039 where you have devices 673 00:24:48,040 --> 00:24:50,229 labeled by different vendors but 674 00:24:50,230 --> 00:24:51,849 have vulnerabilities which you don't 675 00:24:51,850 --> 00:24:54,039 know, you will not know if you don't do 676 00:24:54,040 --> 00:24:56,199 it at a large scale, you'll just focus on 677 00:24:56,200 --> 00:24:57,909 the Brixham devices and you'll think only 678 00:24:57,910 --> 00:24:59,200 brick home is, uh, 679 00:25:00,280 --> 00:25:01,509 is vulnerable. 680 00:25:01,510 --> 00:25:03,729 And to give you an idea is that I have 681 00:25:03,730 --> 00:25:05,379 a virtual machine. 682 00:25:05,380 --> 00:25:07,569 Uh, you can see that I 683 00:25:07,570 --> 00:25:09,639 have, uh, the 684 00:25:09,640 --> 00:25:11,619 same IP, but different parts, three zero 685 00:25:11,620 --> 00:25:13,929 eight zero four zero zero and 686 00:25:13,930 --> 00:25:14,829 two zero eight zero. 687 00:25:14,830 --> 00:25:16,899 So I started with a brick home 688 00:25:16,900 --> 00:25:18,819 and you see that embedded virtual 689 00:25:18,820 --> 00:25:20,889 machine. I am running a 690 00:25:20,890 --> 00:25:23,169 simulated fumer, which 691 00:25:23,170 --> 00:25:24,939 I'll explain a little bit later. 692 00:25:24,940 --> 00:25:26,739 But what I want to say is that 693 00:25:28,360 --> 00:25:29,710 once we have a 694 00:25:31,270 --> 00:25:33,549 vendor, a let's say, breckon phillimore, 695 00:25:33,550 --> 00:25:36,009 and we can do dynamic analysis, we can 696 00:25:36,010 --> 00:25:37,929 emulate it and find vulnerabilities 697 00:25:37,930 --> 00:25:40,039 inside, we can easily find 698 00:25:40,040 --> 00:25:42,099 automated exploits and use them against 699 00:25:42,100 --> 00:25:43,779 VanDerBeek and. 700 00:25:45,720 --> 00:25:47,819 We can do admin, admin, and you 701 00:25:47,820 --> 00:25:50,609 can see that this is basically 702 00:25:50,610 --> 00:25:53,369 an automated simulated system 703 00:25:53,370 --> 00:25:55,889 which simulates automatically this Fermor 704 00:25:55,890 --> 00:25:58,559 from this particular system vendor, 705 00:25:58,560 --> 00:26:00,689 and you can do pretty 706 00:26:00,690 --> 00:26:02,759 much in our case, we focused on 707 00:26:02,760 --> 00:26:05,369 the Web interfaces, and I'll go 708 00:26:05,370 --> 00:26:07,379 into details a little bit later. 709 00:26:07,380 --> 00:26:09,689 But I want to show you that 710 00:26:09,690 --> 00:26:11,669 it's possible to do dynamic analysis as 711 00:26:11,670 --> 00:26:13,859 well, not just looking for 712 00:26:13,860 --> 00:26:16,169 SSL certificates and do this in our 713 00:26:16,170 --> 00:26:17,429 automated manner. 714 00:26:17,430 --> 00:26:19,529 And you can see what the Web 715 00:26:19,530 --> 00:26:21,389 interface is pretty responsive. 716 00:26:21,390 --> 00:26:23,399 And you can do. 717 00:26:23,400 --> 00:26:24,400 You can. 718 00:26:25,200 --> 00:26:27,539 Yeah. You see, I mean, this is 719 00:26:27,540 --> 00:26:29,319 really awesome. You find bugs like that, 720 00:26:29,320 --> 00:26:30,609 right? And 721 00:26:31,800 --> 00:26:34,049 but that's the thing that you can 722 00:26:35,880 --> 00:26:38,249 start penetration testing tools like 723 00:26:38,250 --> 00:26:39,330 Arachne, like 724 00:26:40,710 --> 00:26:42,869 W Fresia for your 725 00:26:42,870 --> 00:26:44,189 preferred commercial tool. 726 00:26:44,190 --> 00:26:46,889 And we will easily find the excesses 727 00:26:46,890 --> 00:26:48,959 and remote code injections 728 00:26:48,960 --> 00:26:50,759 and a remote command injections and 729 00:26:50,760 --> 00:26:53,009 Pascual's whatever the interface 730 00:26:53,010 --> 00:26:54,010 might have. 731 00:26:54,930 --> 00:26:56,999 OK, so it was a small 732 00:26:57,000 --> 00:26:58,000 parenthesis. 733 00:26:58,920 --> 00:27:01,349 So in that case of these broken 734 00:27:01,350 --> 00:27:03,480 cameras, we found one certificate. 735 00:27:04,560 --> 00:27:06,749 We one we found one vulnerability 736 00:27:06,750 --> 00:27:08,839 which was important, and we 737 00:27:08,840 --> 00:27:11,519 correlated to two vendors 738 00:27:11,520 --> 00:27:14,429 and correlated to a total of 35000 739 00:27:14,430 --> 00:27:16,619 online devices. And we have at 740 00:27:16,620 --> 00:27:18,719 that time, back in 2014, we had 741 00:27:18,720 --> 00:27:21,389 109 private RSA 742 00:27:21,390 --> 00:27:23,789 keys which were without passphrase. 743 00:27:23,790 --> 00:27:26,279 And we can skim the fingerprints 744 00:27:26,280 --> 00:27:28,409 and go look around on the Internet 745 00:27:28,410 --> 00:27:31,349 using Shodan or Sense's 746 00:27:31,350 --> 00:27:33,629 or whatever your system 747 00:27:33,630 --> 00:27:35,849 is. So as as a first 748 00:27:35,850 --> 00:27:38,249 result from that very simple, not 749 00:27:38,250 --> 00:27:40,589 not very complex technologies 750 00:27:40,590 --> 00:27:42,689 like no called static analysis, 751 00:27:42,690 --> 00:27:44,789 we found 38 new vulnerabilities like 752 00:27:44,790 --> 00:27:46,859 existences. Back doors 753 00:27:46,860 --> 00:27:49,019 are nontrivial default 754 00:27:49,020 --> 00:27:51,239 or hardcoded passwords, which 755 00:27:51,240 --> 00:27:53,249 affect around 700 more images. 756 00:27:53,250 --> 00:27:55,349 And we correlated some of these 757 00:27:55,350 --> 00:27:57,839 vulnerabilities to around 140 758 00:27:57,840 --> 00:28:00,569 online devices using Shodan 759 00:28:00,570 --> 00:28:01,570 and Google Docs. 760 00:28:02,730 --> 00:28:05,129 So the last challenge we had 761 00:28:05,130 --> 00:28:07,619 or we tried to 762 00:28:07,620 --> 00:28:09,479 to tackle is the automated dynamic 763 00:28:09,480 --> 00:28:11,519 analysis, like a sneak peak. 764 00:28:11,520 --> 00:28:13,769 What I have shown you on the Fenmore 765 00:28:13,770 --> 00:28:15,479 emulation of broken cameras. 766 00:28:16,770 --> 00:28:18,959 So the idea is that we have 767 00:28:18,960 --> 00:28:21,119 with Ampex fewer, more sources or 768 00:28:21,120 --> 00:28:22,499 you might have tons of them. 769 00:28:22,500 --> 00:28:24,479 ARMPAC, let's say, when you want to 770 00:28:24,480 --> 00:28:26,579 select some of them to 771 00:28:26,580 --> 00:28:28,769 do dynamic analysis, your 772 00:28:28,770 --> 00:28:30,209 selection criteria might very well. 773 00:28:30,210 --> 00:28:32,279 In our case, we selected the ones which 774 00:28:32,280 --> 00:28:35,189 had clearly a web interface inside 775 00:28:35,190 --> 00:28:37,289 and we could start the Web interface 776 00:28:37,290 --> 00:28:39,569 because usually the Web interface 777 00:28:39,570 --> 00:28:41,669 is the first thing which ends up on 778 00:28:41,670 --> 00:28:43,679 the Internet when you plug your device to 779 00:28:43,680 --> 00:28:45,839 your outer or to your direct connection. 780 00:28:45,840 --> 00:28:47,849 And this is the thing you usually want to 781 00:28:47,850 --> 00:28:50,039 access to manage your device 782 00:28:50,040 --> 00:28:52,259 remotely unless you use 783 00:28:52,260 --> 00:28:54,299 some smartphone application, but which 784 00:28:54,300 --> 00:28:56,429 basically does the same for the cloud and 785 00:28:56,430 --> 00:28:58,559 piggybacks on some connection to 786 00:28:58,560 --> 00:29:01,409 your to your device. 787 00:29:01,410 --> 00:29:03,569 So we selected these we 788 00:29:03,570 --> 00:29:05,909 do some filesystem preparation because 789 00:29:05,910 --> 00:29:08,549 if you did a lot of Fermor unpacking, 790 00:29:08,550 --> 00:29:10,649 you will know how it is, 791 00:29:10,650 --> 00:29:12,419 and especially when you have hundreds of 792 00:29:12,420 --> 00:29:13,589 thousands of files 793 00:29:14,820 --> 00:29:17,369 or very diverse, then automatically 794 00:29:17,370 --> 00:29:19,019 unpacking and extracting, you'll get a 795 00:29:19,020 --> 00:29:21,329 lot of false positives, a lot of junk 796 00:29:21,330 --> 00:29:22,679 data, a lot of 797 00:29:23,850 --> 00:29:25,469 broken files. 798 00:29:25,470 --> 00:29:27,609 Just because vampyre 799 00:29:27,610 --> 00:29:29,789 was brute forcing too much or 800 00:29:29,790 --> 00:29:30,869 maybe just because 801 00:29:32,550 --> 00:29:34,739 they used slightly different settings 802 00:29:34,740 --> 00:29:36,899 of Packer 803 00:29:36,900 --> 00:29:39,599 for their, for example, for affairs 804 00:29:39,600 --> 00:29:41,729 or for Jeffares to 805 00:29:41,730 --> 00:29:44,009 values Biggenden little, then 806 00:29:44,010 --> 00:29:45,989 we with some specific options and then 807 00:29:45,990 --> 00:29:47,939 vampyres the default on peckers do not 808 00:29:47,940 --> 00:29:48,869 work out of a book. 809 00:29:48,870 --> 00:29:51,239 So the system sometimes are broken 810 00:29:51,240 --> 00:29:53,429 and you need some your risks to broker 811 00:29:53,430 --> 00:29:54,959 some links. You need some of your risks 812 00:29:54,960 --> 00:29:57,179 to to find with some files are not 813 00:29:57,180 --> 00:29:59,339 properly there and try to make 814 00:29:59,340 --> 00:30:01,589 them as good 815 00:30:01,590 --> 00:30:03,809 as possible so that your 816 00:30:03,810 --> 00:30:06,329 emulation will be successful. 817 00:30:06,330 --> 00:30:08,519 Then what you do, you also try 818 00:30:08,520 --> 00:30:11,039 to do it scalable, 819 00:30:11,040 --> 00:30:12,779 like the static analysis you want to do 820 00:30:12,780 --> 00:30:14,159 with the name analysis as well. 821 00:30:14,160 --> 00:30:16,559 It's a little bit slower because 822 00:30:16,560 --> 00:30:18,819 it involves both emulation on a much 823 00:30:18,820 --> 00:30:21,269 slower emulator 824 00:30:21,270 --> 00:30:23,609 and then also involves dynamic 825 00:30:23,610 --> 00:30:25,739 analysis tools, basically, which are 826 00:30:25,740 --> 00:30:27,959 phasers or penetration testing tools, 827 00:30:27,960 --> 00:30:29,849 which send a lot of input. 828 00:30:31,890 --> 00:30:34,319 And we perform with dynamic 829 00:30:34,320 --> 00:30:35,320 analysis 830 00:30:37,770 --> 00:30:38,849 using Corrimal. 831 00:30:38,850 --> 00:30:41,369 We collect the results and we use it for 832 00:30:41,370 --> 00:30:42,719 machine learning and for improving the 833 00:30:42,720 --> 00:30:45,419 analysis or analyzing why the particular. 834 00:30:45,420 --> 00:30:48,149 Emulation or failed, 835 00:30:48,150 --> 00:30:50,549 maybe there was a kernel problem or maybe 836 00:30:50,550 --> 00:30:52,949 they're missing a kernel modules, and 837 00:30:52,950 --> 00:30:55,109 this might happen a lot because not all 838 00:30:55,110 --> 00:30:57,179 Fillmore packages are full 839 00:30:57,180 --> 00:30:58,289 Theama packages. 840 00:30:58,290 --> 00:31:00,509 You must know that 841 00:31:00,510 --> 00:31:02,579 most of the films are kind of partial 842 00:31:02,580 --> 00:31:04,769 updates. Most of the vendors, they just 843 00:31:04,770 --> 00:31:07,259 send you a D for the updates 844 00:31:07,260 --> 00:31:08,469 of impacted files. 845 00:31:08,470 --> 00:31:10,829 They do not send you every time the whole 846 00:31:10,830 --> 00:31:12,239 image of the file system. 847 00:31:12,240 --> 00:31:14,979 And that's why sometimes you you 848 00:31:14,980 --> 00:31:17,459 you need to know why the simulation 849 00:31:17,460 --> 00:31:18,690 or analysis is failing. 850 00:31:20,080 --> 00:31:22,179 But that is the challenging 851 00:31:22,180 --> 00:31:24,549 thing, is how how do you scalability 852 00:31:24,550 --> 00:31:27,159 or scalable 853 00:31:27,160 --> 00:31:29,349 emulate heterogeneous architectures 854 00:31:29,350 --> 00:31:31,359 or in general how you automatically 855 00:31:31,360 --> 00:31:33,309 emulate? Because if you do it by hand, 856 00:31:33,310 --> 00:31:35,139 it's funny, but you get tired after half 857 00:31:35,140 --> 00:31:37,329 a day when we 858 00:31:37,330 --> 00:31:39,009 need to choose an emulator. 859 00:31:39,010 --> 00:31:41,109 And there are a lot of options how 860 00:31:41,110 --> 00:31:43,839 to do the simulation or analysis. 861 00:31:43,840 --> 00:31:46,359 So that would be the ideal later. 862 00:31:46,360 --> 00:31:48,129 But the problem, it does not exist. 863 00:31:48,130 --> 00:31:49,719 And when I'm talking about ideally 864 00:31:49,720 --> 00:31:51,819 emulation is very later, which you give 865 00:31:51,820 --> 00:31:54,039 it a file and it will automatically 866 00:31:54,040 --> 00:31:56,499 know the architecture and will 867 00:31:56,500 --> 00:31:58,449 be able to emulate the CPU, will 868 00:31:58,450 --> 00:32:00,399 automatically know the operating system 869 00:32:00,400 --> 00:32:02,979 and will know how to put it and will know 870 00:32:02,980 --> 00:32:05,289 at which addresses basically to load 871 00:32:05,290 --> 00:32:06,459 all these files. 872 00:32:06,460 --> 00:32:09,159 But from what we know publicly, 873 00:32:09,160 --> 00:32:10,899 some such thing is not available 874 00:32:12,010 --> 00:32:14,319 when a generic system immolators 875 00:32:14,320 --> 00:32:16,659 is the chemo 876 00:32:16,660 --> 00:32:18,789 and there are two options to use 877 00:32:18,790 --> 00:32:20,919 it with original 878 00:32:20,920 --> 00:32:23,259 Fillmore and the original kernel or 879 00:32:23,260 --> 00:32:25,419 with original Fermor and generic 880 00:32:25,420 --> 00:32:28,019 kernel. The problem is that not very 881 00:32:28,020 --> 00:32:30,189 many Fermor come with 882 00:32:30,190 --> 00:32:31,209 a kernel update. 883 00:32:31,210 --> 00:32:33,069 Most of them, if you look at them there 884 00:32:33,070 --> 00:32:35,529 on Kernel two point six 885 00:32:35,530 --> 00:32:37,389 to 10 years ago. 886 00:32:37,390 --> 00:32:39,759 So they do not update very often 887 00:32:39,760 --> 00:32:42,429 the kernels and you will not get them 888 00:32:42,430 --> 00:32:44,439 very often in the Fillmore update. 889 00:32:44,440 --> 00:32:46,569 So this means that you will have 890 00:32:46,570 --> 00:32:49,269 to either extracted by Jayton 891 00:32:49,270 --> 00:32:51,459 or use some manual process 892 00:32:51,460 --> 00:32:53,199 which doesn't scale. 893 00:32:53,200 --> 00:32:55,299 And in that case, the generic 894 00:32:55,300 --> 00:32:57,549 kernel approach where you have a generic 895 00:32:57,550 --> 00:32:59,439 general built with all the possible 896 00:32:59,440 --> 00:33:01,689 modules and options would 897 00:33:01,690 --> 00:33:03,729 be a better idea. 898 00:33:03,730 --> 00:33:05,889 And then there are some other options 899 00:33:05,890 --> 00:33:07,959 where you can just take the 900 00:33:07,960 --> 00:33:09,639 application you want to test and you 901 00:33:09,640 --> 00:33:11,229 don't test it in an emulator, but you 902 00:33:11,230 --> 00:33:13,299 load it in a 903 00:33:13,300 --> 00:33:15,130 test environment, which is 904 00:33:16,270 --> 00:33:18,469 different from where you related 905 00:33:18,470 --> 00:33:20,529 environment. And this works very well 906 00:33:20,530 --> 00:33:23,259 for interpreted languages like people 907 00:33:23,260 --> 00:33:25,779 and things like that, basically 908 00:33:25,780 --> 00:33:27,279 where there is a virtualization 909 00:33:27,280 --> 00:33:28,659 environment and you can replicate the 910 00:33:28,660 --> 00:33:30,729 virtualization environment without 911 00:33:30,730 --> 00:33:32,069 putting all that XML 912 00:33:33,670 --> 00:33:35,229 kitchen souper in there. 913 00:33:36,730 --> 00:33:38,889 Again, we had to make some 914 00:33:38,890 --> 00:33:41,289 choices that a perfect 915 00:33:41,290 --> 00:33:43,239 emulator doesn't exist, so we cannot use 916 00:33:43,240 --> 00:33:45,519 it. There are not many farmers 917 00:33:45,520 --> 00:33:47,619 have kernels inside, so we cannot 918 00:33:47,620 --> 00:33:48,639 use it. 919 00:33:48,640 --> 00:33:50,739 And this is all too experimental. 920 00:33:50,740 --> 00:33:52,869 But details about architectural truth are 921 00:33:52,870 --> 00:33:53,870 in the paper. 922 00:33:54,640 --> 00:33:56,979 Not Borio now with this, but you can 923 00:33:56,980 --> 00:33:59,439 look look it up what exactly it is. 924 00:33:59,440 --> 00:34:01,509 So we use VESTO approaches using the 925 00:34:01,510 --> 00:34:03,669 original Fermor we with a generic kernel 926 00:34:03,670 --> 00:34:05,889 and in cases where it applies 927 00:34:05,890 --> 00:34:08,468 to basically strip the whole document 928 00:34:08,469 --> 00:34:10,539 route if it is a pearl 929 00:34:10,540 --> 00:34:12,510 or PSP and put it in a 930 00:34:13,570 --> 00:34:15,819 Eeks 86 931 00:34:15,820 --> 00:34:17,979 test environment and run it there and 932 00:34:17,980 --> 00:34:19,679 there are Apache or like they should be. 933 00:34:21,070 --> 00:34:23,259 Now, the idea is that 934 00:34:23,260 --> 00:34:25,869 you have vacuum chemo, 935 00:34:27,100 --> 00:34:29,229 which runs inside the normal machine, 936 00:34:29,230 --> 00:34:31,779 or it can run inside the van. 937 00:34:31,780 --> 00:34:34,869 In our case, it runs inside the VM. 938 00:34:34,870 --> 00:34:36,968 We we run on top of the 939 00:34:36,969 --> 00:34:39,039 with our technical details, but then we 940 00:34:39,040 --> 00:34:41,649 throw the film inside the chemo 941 00:34:41,650 --> 00:34:42,749 and we see the truth. 942 00:34:42,750 --> 00:34:44,559 The truth is the procedure where 943 00:34:44,560 --> 00:34:46,869 basically you change the root system, 944 00:34:46,870 --> 00:34:49,569 the perceived root system of air 945 00:34:49,570 --> 00:34:51,428 or the environment you are working on. 946 00:34:51,429 --> 00:34:53,619 And you can basically say to where 947 00:34:53,620 --> 00:34:56,319 to remove that from now on, 948 00:34:56,320 --> 00:34:58,539 the root of a few more file is 949 00:34:58,540 --> 00:35:00,039 your root file system and you can 950 00:35:00,040 --> 00:35:02,139 basically use the environment from 951 00:35:02,140 --> 00:35:04,269 the former as if 952 00:35:04,270 --> 00:35:06,489 it was being provided by chemo. 953 00:35:06,490 --> 00:35:08,679 So in this way, you kind of 954 00:35:08,680 --> 00:35:11,259 can easily emulate their 955 00:35:11,260 --> 00:35:12,279 corvids with that. 956 00:35:12,280 --> 00:35:14,379 But it works pretty well for 957 00:35:14,380 --> 00:35:15,669 many Fillmore's. 958 00:35:15,670 --> 00:35:17,769 When you just because 959 00:35:17,770 --> 00:35:20,019 you are insitute environment, you just 960 00:35:20,020 --> 00:35:22,659 bootstrap everything with finitely, NRC 961 00:35:22,660 --> 00:35:23,920 and so on and live it 962 00:35:25,540 --> 00:35:27,819 run. Of course, some of them will fail 963 00:35:27,820 --> 00:35:30,339 because there's no device 964 00:35:30,340 --> 00:35:32,889 attached to chemo because 965 00:35:32,890 --> 00:35:34,989 you need to write some 966 00:35:34,990 --> 00:35:37,209 plugins for chemo in order to 967 00:35:37,210 --> 00:35:39,279 emulate the flash memory 968 00:35:39,280 --> 00:35:41,439 of April memory of a serial port 969 00:35:41,440 --> 00:35:42,459 Ethernet. 970 00:35:42,460 --> 00:35:44,889 Luckily, the networking is pretty 971 00:35:44,890 --> 00:35:47,229 well done in chemo and it works fine. 972 00:35:47,230 --> 00:35:49,479 But for others, you need to basically 973 00:35:49,480 --> 00:35:51,609 write a good set of 974 00:35:51,610 --> 00:35:53,739 plugin libraries, which would be 975 00:35:53,740 --> 00:35:55,869 able to accommodate most of your 976 00:35:55,870 --> 00:35:56,799 devices. 977 00:35:56,800 --> 00:35:59,079 And once you have that, you can 978 00:35:59,080 --> 00:36:02,169 basically overcome those failures 979 00:36:02,170 --> 00:36:04,299 and then you just 980 00:36:04,300 --> 00:36:07,059 fire off a Web server, whether it's 981 00:36:07,060 --> 00:36:09,579 more like the PDA 982 00:36:09,580 --> 00:36:12,519 and so on, or it's a 983 00:36:12,520 --> 00:36:14,019 standalone binary. 984 00:36:14,020 --> 00:36:15,310 And then you just 985 00:36:16,930 --> 00:36:18,099 interested in that part. 986 00:36:18,100 --> 00:36:19,809 In our case, we are interested in Web 987 00:36:19,810 --> 00:36:22,119 server part and then we just plug 988 00:36:22,120 --> 00:36:24,549 the Iranis up w 989 00:36:24,550 --> 00:36:25,839 free A.F. 990 00:36:25,840 --> 00:36:27,729 Penetration testing tools. 991 00:36:27,730 --> 00:36:30,219 We use GCP dump in order to recover 992 00:36:30,220 --> 00:36:32,109 all the communication, to be able to roll 993 00:36:32,110 --> 00:36:34,599 back and find what the input 994 00:36:34,600 --> 00:36:36,040 trigger a particular exploit 995 00:36:37,120 --> 00:36:39,159 or a particular crash or a particular 996 00:36:39,160 --> 00:36:41,349 command injection you 997 00:36:41,350 --> 00:36:43,389 can use and map you can use methods, 998 00:36:43,390 --> 00:36:45,069 Blodget and Nessus, and basically fire 999 00:36:45,070 --> 00:36:47,409 all your arsenal of tools 1000 00:36:47,410 --> 00:36:49,389 on the immolators systems, on the ports 1001 00:36:49,390 --> 00:36:52,379 you want to to work on. 1002 00:36:52,380 --> 00:36:54,029 In our case, we focused on the web 1003 00:36:54,030 --> 00:36:56,130 interface, so we we use these tools 1004 00:36:57,150 --> 00:36:59,249 and as a result, we 1005 00:36:59,250 --> 00:37:01,499 had around 1006 00:37:01,500 --> 00:37:03,839 225 high security vulnerabilities, 1007 00:37:03,840 --> 00:37:06,029 meaning command injection exercises and 1008 00:37:06,030 --> 00:37:08,399 SRF impacting 1009 00:37:08,400 --> 00:37:10,199 around 10 percent of the original 1010 00:37:10,200 --> 00:37:12,659 dataset. We've been we've started from. 1011 00:37:12,660 --> 00:37:14,969 And these vulnerabilities impacted 1012 00:37:14,970 --> 00:37:17,669 25 percent of the vendors. 1013 00:37:17,670 --> 00:37:20,159 That is that we didn't develop 1014 00:37:20,160 --> 00:37:22,289 this framework to find all the 1015 00:37:22,290 --> 00:37:23,339 vulnerabilities. 1016 00:37:23,340 --> 00:37:25,649 But if you have such a framework and 1017 00:37:25,650 --> 00:37:27,839 you can find the low hanging fruit very 1018 00:37:27,840 --> 00:37:29,939 fast in one day and and 1019 00:37:29,940 --> 00:37:32,009 kill basically or close 10 percent 1020 00:37:32,010 --> 00:37:33,839 of your vulnerabilities, if you're a 1021 00:37:33,840 --> 00:37:35,889 vendor, then it's a very useful tool. 1022 00:37:35,890 --> 00:37:38,069 Or if you are a tester, you want to find 1023 00:37:38,070 --> 00:37:39,059 all of these things quickly. 1024 00:37:39,060 --> 00:37:41,129 You don't want to spend all your days 1025 00:37:41,130 --> 00:37:43,469 just going manually and try to emulate 1026 00:37:43,470 --> 00:37:45,389 manually. Just leave it overnight to come 1027 00:37:45,390 --> 00:37:47,939 in the morning. You have two hundred 1028 00:37:47,940 --> 00:37:50,129 twenty five reports on 1029 00:37:50,130 --> 00:37:52,199 200 Pyramus and your job is done for the 1030 00:37:52,200 --> 00:37:53,200 day. 1031 00:37:54,570 --> 00:37:55,570 Right now. 1032 00:37:56,890 --> 00:37:59,409 OK, so I 1033 00:37:59,410 --> 00:38:01,719 showed you, like part of this demo. 1034 00:38:01,720 --> 00:38:04,579 I mean, this is, uh, 1035 00:38:04,580 --> 00:38:05,710 Fabricant camera 1036 00:38:07,510 --> 00:38:09,819 where some things you can 1037 00:38:09,820 --> 00:38:10,599 play with. 1038 00:38:10,600 --> 00:38:13,229 But what I wanted to show you is that, 1039 00:38:13,230 --> 00:38:15,459 uh, the process 1040 00:38:15,460 --> 00:38:17,619 of starting from the femur and 1041 00:38:17,620 --> 00:38:19,999 going to the to the correlation 1042 00:38:20,000 --> 00:38:22,389 and then finding the interesting 1043 00:38:22,390 --> 00:38:25,129 things. So, for example, if you have 1044 00:38:25,130 --> 00:38:26,810 analysis on, uh. 1045 00:38:28,350 --> 00:38:29,350 On these 1046 00:38:31,050 --> 00:38:33,239 files, for example, you can correlate 1047 00:38:33,240 --> 00:38:35,459 buy by string and you can see 1048 00:38:35,460 --> 00:38:38,159 what some of the Fillmore's 1049 00:38:38,160 --> 00:38:40,440 in particular, HP, for example, 1050 00:38:41,760 --> 00:38:43,949 they had some some Fenmore which 1051 00:38:43,950 --> 00:38:45,659 they pulled from pulled out from the 1052 00:38:45,660 --> 00:38:48,029 Internet for I don't know what reason 1053 00:38:48,030 --> 00:38:50,249 which contained V0 or failed to open 1054 00:38:50,250 --> 00:38:51,509 a net channel. 1055 00:38:51,510 --> 00:38:52,829 I don't know what it means, but. 1056 00:38:53,870 --> 00:38:56,419 I think it's very 1057 00:38:56,420 --> 00:38:57,489 not very funny. 1058 00:38:57,490 --> 00:38:59,179 So if you have this kind of you can 1059 00:38:59,180 --> 00:39:01,009 search by keywords and you you will be 1060 00:39:01,010 --> 00:39:03,079 amazed how many Fillmore's 1061 00:39:03,080 --> 00:39:05,179 actually hit on the key word Back-Door. 1062 00:39:05,180 --> 00:39:07,399 Some of them, of course, are with snorter 1063 00:39:07,400 --> 00:39:09,529 ideas. Rules which look for 1064 00:39:09,530 --> 00:39:11,689 keyword Back-Door and Visa 1065 00:39:11,690 --> 00:39:13,819 rules basically give you a hint. 1066 00:39:13,820 --> 00:39:15,979 But sometimes you actually find Railsback 1067 00:39:15,980 --> 00:39:18,199 doors by searching for the word 1068 00:39:18,200 --> 00:39:19,840 Back-Door, right? 1069 00:39:21,680 --> 00:39:23,809 Now, I mean, they understood that 1070 00:39:23,810 --> 00:39:26,359 this is very obvious, and 1071 00:39:26,360 --> 00:39:28,549 if you know the story of Juniper, they 1072 00:39:28,550 --> 00:39:30,859 started to use cryptograms. 1073 00:39:30,860 --> 00:39:32,389 But I mean, if you have this kind of 1074 00:39:32,390 --> 00:39:34,729 cryptograms, you can also start 1075 00:39:34,730 --> 00:39:37,009 looking around at this from our files. 1076 00:39:37,010 --> 00:39:39,949 And then you look at the few more details 1077 00:39:39,950 --> 00:39:42,049 and also the name of the version. 1078 00:39:42,050 --> 00:39:44,060 And you can pivot from there. 1079 00:39:45,980 --> 00:39:48,199 You can also look for those 1080 00:39:48,200 --> 00:39:50,419 dual see keys if 1081 00:39:50,420 --> 00:39:52,189 you are present in this film or other 1082 00:39:52,190 --> 00:39:53,190 films. 1083 00:39:54,020 --> 00:39:56,329 But to give you an example of the 1084 00:39:56,330 --> 00:39:57,440 fuzzy hash thing, 1085 00:39:58,520 --> 00:40:01,099 as I mentioned, you in the slides 1086 00:40:02,990 --> 00:40:04,159 somewhere here. 1087 00:40:07,330 --> 00:40:09,429 OK, so this is why I 1088 00:40:09,430 --> 00:40:11,769 mentioned the SD cards and correlational 1089 00:40:11,770 --> 00:40:13,839 files, and 1090 00:40:13,840 --> 00:40:15,850 that is what I can. 1091 00:40:18,440 --> 00:40:20,659 I'll keep it shorter. 1092 00:40:20,660 --> 00:40:22,799 We know this file is vulnerable 1093 00:40:22,800 --> 00:40:25,069 in one of a one of SD 1094 00:40:25,070 --> 00:40:26,070 cards. 1095 00:40:26,960 --> 00:40:29,179 It was very well known blog post we 1096 00:40:29,180 --> 00:40:31,519 can look at by the hash and we can 1097 00:40:31,520 --> 00:40:33,739 actually see that this file. 1098 00:40:35,160 --> 00:40:38,159 Is presenting these farmers 1099 00:40:38,160 --> 00:40:39,569 OK? 1100 00:40:39,570 --> 00:40:41,669 Some some of them and is 1101 00:40:41,670 --> 00:40:43,919 nothing particular because they're just 1102 00:40:43,920 --> 00:40:46,259 incremental versions of 1103 00:40:46,260 --> 00:40:48,389 the same device, Fermor 1104 00:40:48,390 --> 00:40:50,549 and we can also see what it's 100 1105 00:40:50,550 --> 00:40:51,449 percent similarity. 1106 00:40:51,450 --> 00:40:53,460 So it means this file didn't change 1107 00:40:54,810 --> 00:40:56,099 across versions. 1108 00:40:56,100 --> 00:40:58,929 But the interesting thing is that. 1109 00:40:58,930 --> 00:41:01,209 You see that ad 1110 00:41:01,210 --> 00:41:03,459 for some entries, the vendor change and 1111 00:41:03,460 --> 00:41:05,769 you can easily automate 1112 00:41:05,770 --> 00:41:07,939 to trigger you an alert or to basically 1113 00:41:07,940 --> 00:41:10,059 pivot automatically when you have 1114 00:41:10,060 --> 00:41:12,159 a similarity hit 1115 00:41:12,160 --> 00:41:14,559 for one file across vendors. 1116 00:41:14,560 --> 00:41:16,209 When it goes across vendors, you know 1117 00:41:16,210 --> 00:41:17,619 that something is fishy. 1118 00:41:17,620 --> 00:41:19,869 It means that the other vendor must 1119 00:41:19,870 --> 00:41:21,399 be vulnerable. And you see what the 1120 00:41:21,400 --> 00:41:22,029 similarity is. 1121 00:41:22,030 --> 00:41:24,369 Not 100 percent is 46, 1122 00:41:24,370 --> 00:41:26,589 which is because these 1123 00:41:26,590 --> 00:41:28,569 vendors of the cars, they take the white 1124 00:41:28,570 --> 00:41:30,759 label or as the case or development 1125 00:41:30,760 --> 00:41:32,889 kits and they put their logo on their 1126 00:41:32,890 --> 00:41:35,139 copyright text. 1127 00:41:35,140 --> 00:41:38,019 So there's some change in the in their 1128 00:41:38,020 --> 00:41:39,519 output or in their 1129 00:41:41,080 --> 00:41:43,269 files. But that is where the core 1130 00:41:43,270 --> 00:41:44,689 functionality stays the same way. 1131 00:41:44,690 --> 00:41:47,229 Whenever a core functionality 1132 00:41:50,160 --> 00:41:52,389 of a Web server or the kernel, they 1133 00:41:52,390 --> 00:41:53,529 just update their copyrights. 1134 00:41:53,530 --> 00:41:56,499 And that's why there is not full 1135 00:41:56,500 --> 00:41:58,509 similarity. But there is some similarity. 1136 00:41:58,510 --> 00:42:01,149 So if you look at this file is 1137 00:42:01,150 --> 00:42:03,599 peculiar and 1138 00:42:03,600 --> 00:42:05,679 is a version 1139 00:42:05,680 --> 00:42:08,199 147, but that is what OK, 1140 00:42:08,200 --> 00:42:10,389 once you have this knowledge that 1141 00:42:11,890 --> 00:42:14,739 this file is vulnerable 1142 00:42:14,740 --> 00:42:16,899 and you have two vendors, you can just 1143 00:42:16,900 --> 00:42:19,179 try to emulate 1144 00:42:19,180 --> 00:42:20,889 both of them and see whether they are 1145 00:42:20,890 --> 00:42:21,909 vulnerable. 1146 00:42:21,910 --> 00:42:24,079 And in one case, 1147 00:42:24,080 --> 00:42:25,699 you see is the same IP is the same 1148 00:42:25,700 --> 00:42:27,849 virtual machine is transend wi 1149 00:42:27,850 --> 00:42:30,669 fi as I can 1150 00:42:30,670 --> 00:42:31,959 kill it like it is. 1151 00:42:31,960 --> 00:42:34,449 But we've have 1152 00:42:34,450 --> 00:42:36,909 another part, and this is that you are 1153 00:42:36,910 --> 00:42:38,619 having this kind of emulation. 1154 00:42:38,620 --> 00:42:41,079 You can also find very 1155 00:42:41,080 --> 00:42:43,179 quickly bugs like unauthorized 1156 00:42:43,180 --> 00:42:45,129 access. Right. So you see what it asked 1157 00:42:45,130 --> 00:42:46,359 me for a password. 1158 00:42:46,360 --> 00:42:47,360 But if I. 1159 00:42:48,450 --> 00:42:50,489 Go to this page, it's automatic like 1160 00:42:50,490 --> 00:42:52,079 that, so you see what you don't need, 1161 00:42:52,080 --> 00:42:54,449 like a very sophisticated thing and 1162 00:42:54,450 --> 00:42:56,789 you can use these fantastic 1163 00:42:56,790 --> 00:42:58,889 tools or plug ins for fantastic tools to 1164 00:42:58,890 --> 00:43:00,899 find these kind of vulnerabilities very 1165 00:43:00,900 --> 00:43:03,599 easily and basically generate 1166 00:43:03,600 --> 00:43:06,539 KVI reports every every minute. 1167 00:43:06,540 --> 00:43:07,540 Uh. 1168 00:43:08,590 --> 00:43:10,959 OK, we can log 1169 00:43:10,960 --> 00:43:13,299 in sometimes where 1170 00:43:13,300 --> 00:43:15,369 the thing is where interfaces are 1171 00:43:15,370 --> 00:43:17,499 broken, because you see there is no Mac 1172 00:43:17,500 --> 00:43:19,719 address, right, because it 1173 00:43:19,720 --> 00:43:21,849 tries to call some IOC, T.L., 1174 00:43:21,850 --> 00:43:23,979 which is not supported by Kojima. 1175 00:43:23,980 --> 00:43:25,989 And you need to write a blog in in order 1176 00:43:25,990 --> 00:43:28,539 to to support all this kind of e-mail. 1177 00:43:28,540 --> 00:43:30,549 But that is what you can still find the 1178 00:43:30,550 --> 00:43:32,739 vulnerabilities if you go 1179 00:43:32,740 --> 00:43:34,989 see your name, Arachne name 1180 00:43:34,990 --> 00:43:37,389 is because now the Arachne 1181 00:43:37,390 --> 00:43:40,269 is is is testing with 1182 00:43:40,270 --> 00:43:41,500 this machine. 1183 00:43:49,010 --> 00:43:51,079 OK, so it used to 1184 00:43:51,080 --> 00:43:53,629 test this machine, I can 1185 00:43:53,630 --> 00:43:55,820 do a very quick thing. 1186 00:43:58,940 --> 00:43:59,940 Like that. 1187 00:44:04,740 --> 00:44:06,509 So basically, you see that using 1188 00:44:06,510 --> 00:44:08,039 ventilatory the need to buy that 1189 00:44:08,040 --> 00:44:10,229 expensive 40 50 euro card, 1190 00:44:10,230 --> 00:44:11,909 you can find the vulnerability and the 1191 00:44:11,910 --> 00:44:14,219 same way you can. It's just a very quick 1192 00:44:14,220 --> 00:44:16,989 example. But you can find also we found 1193 00:44:16,990 --> 00:44:18,809 the same common injection which took some 1194 00:44:18,810 --> 00:44:20,969 time for the guy to find the 1195 00:44:20,970 --> 00:44:24,239 right spot automatically is easy to find. 1196 00:44:24,240 --> 00:44:25,709 Now we go to court, 1197 00:44:27,300 --> 00:44:29,909 which is basically a very peculiar 1198 00:44:29,910 --> 00:44:32,239 and we can go to 1199 00:44:32,240 --> 00:44:33,240 WiFi set up. 1200 00:44:34,600 --> 00:44:36,729 And to 1201 00:44:36,730 --> 00:44:37,730 try to. 1202 00:44:39,090 --> 00:44:41,189 To do the same, I mean, it's 1203 00:44:41,190 --> 00:44:43,349 basically the same the same page in 1204 00:44:43,350 --> 00:44:45,089 the back because it's a parallel, but 1205 00:44:45,090 --> 00:44:46,199 their output is different. 1206 00:44:46,200 --> 00:44:48,329 That's why I told you the similarity is 1207 00:44:48,330 --> 00:44:50,789 different, because 1208 00:44:50,790 --> 00:44:52,109 if you look at the source. 1209 00:44:52,110 --> 00:44:54,269 No, not this one, uh, 1210 00:44:54,270 --> 00:44:55,409 frame source. 1211 00:45:01,280 --> 00:45:04,219 You see where there is Vizcarra 1212 00:45:04,220 --> 00:45:06,079 everywhere, so basically they use race 1213 00:45:06,080 --> 00:45:08,329 cards as the caffeine, 1214 00:45:08,330 --> 00:45:09,330 um. 1215 00:45:12,750 --> 00:45:14,849 And you say that it's basically the same, 1216 00:45:14,850 --> 00:45:16,739 that is where you can find exactly the 1217 00:45:16,740 --> 00:45:18,209 same vulnerability, exactly the same 1218 00:45:18,210 --> 00:45:20,669 philes car that it whatever 1219 00:45:20,670 --> 00:45:23,039 it name it is a very simple 1220 00:45:23,040 --> 00:45:24,539 by just triggering the tools and 1221 00:45:24,540 --> 00:45:26,459 basically the tools will do this for you 1222 00:45:26,460 --> 00:45:28,179 because it was for everything, for 1223 00:45:28,180 --> 00:45:31,169 exercise, for common injection, for 1224 00:45:31,170 --> 00:45:33,449 reversals, for file inclusions and 1225 00:45:33,450 --> 00:45:34,709 so on. 1226 00:45:34,710 --> 00:45:37,499 So basically 1227 00:45:37,500 --> 00:45:39,779 that's that's 1228 00:45:39,780 --> 00:45:41,609 the idea. 1229 00:45:41,610 --> 00:45:44,339 Well, I guess I'll conclude now 1230 00:45:44,340 --> 00:45:46,799 and we'll leave some 1231 00:45:46,800 --> 00:45:48,389 minutes for four questions. 1232 00:45:48,390 --> 00:45:50,579 But the idea is that I can assure 1233 00:45:50,580 --> 00:45:52,289 you that there are plenty of Latin 1234 00:45:52,290 --> 00:45:54,119 vulnerabilities in embedded former 1235 00:45:54,120 --> 00:45:55,169 Wideman's. 1236 00:45:55,170 --> 00:45:57,119 And because we are there, we just way to 1237 00:45:57,120 --> 00:45:58,169 be discovered. 1238 00:45:58,170 --> 00:46:00,279 And many of the farmers are all this 1239 00:46:00,280 --> 00:46:02,489 help or even if they 1240 00:46:02,490 --> 00:46:05,639 get updated, we see cases where 1241 00:46:05,640 --> 00:46:07,739 they ship in 2014, 1242 00:46:07,740 --> 00:46:10,529 2015 Fenmore update 1243 00:46:10,530 --> 00:46:13,469 10 year old busy box or 1244 00:46:13,470 --> 00:46:14,640 Linux kernel version. 1245 00:46:16,100 --> 00:46:19,069 I mean, uh, feel security 1246 00:46:19,070 --> 00:46:21,199 analysis is absolutely 1247 00:46:21,200 --> 00:46:23,299 necessary is another conclusion, and 1248 00:46:23,300 --> 00:46:25,359 we see it by every day because the 1249 00:46:25,360 --> 00:46:27,439 everyday that Juniper 1250 00:46:27,440 --> 00:46:29,929 Back-Door popped out, everybody 1251 00:46:29,930 --> 00:46:31,999 started analyzing the funeral of Junipero 1252 00:46:32,000 --> 00:46:34,279 S.. Right. So I 1253 00:46:34,280 --> 00:46:36,499 we we we we think and we also 1254 00:46:36,500 --> 00:46:38,569 we agree with the former security analyst 1255 00:46:38,570 --> 00:46:40,519 is absolutely necessary. 1256 00:46:40,520 --> 00:46:42,739 And a broader view on perfumers, 1257 00:46:42,740 --> 00:46:45,079 not just the very particular view on this 1258 00:46:45,080 --> 00:46:47,269 set of Fillmore's is not just beneficial, 1259 00:46:47,270 --> 00:46:48,919 but is necessary because you can see what 1260 00:46:48,920 --> 00:46:51,109 you can relate the same vulnerabilities 1261 00:46:51,110 --> 00:46:52,969 or different vendors and you can actually 1262 00:46:52,970 --> 00:46:56,149 discover the big surface, the big impact. 1263 00:46:56,150 --> 00:46:58,489 You never know when we'll 1264 00:46:58,490 --> 00:47:00,619 find those dual keys 1265 00:47:00,620 --> 00:47:02,119 in other Fillmore's and we will be 1266 00:47:02,120 --> 00:47:03,589 surprised if it's actually not just 1267 00:47:03,590 --> 00:47:05,320 Junipero OS was 1268 00:47:06,350 --> 00:47:08,359 or was affected by the back door or 1269 00:47:08,360 --> 00:47:09,950 whatever. It was just an example. 1270 00:47:11,030 --> 00:47:13,009 But of course it involves many untrivial 1271 00:47:13,010 --> 00:47:14,299 steps and challenges. 1272 00:47:14,300 --> 00:47:16,519 We have to overcome them in 1273 00:47:16,520 --> 00:47:18,799 some ways. Sometimes we take 1274 00:47:18,800 --> 00:47:20,779 shortcuts and we don't get the 100 1275 00:47:20,780 --> 00:47:21,829 percent results. 1276 00:47:21,830 --> 00:47:23,149 But as long as we get some 1277 00:47:23,150 --> 00:47:25,489 vulnerabilities, it's important. 1278 00:47:25,490 --> 00:47:27,589 And that we we also 1279 00:47:27,590 --> 00:47:30,109 see that for many vendors, 1280 00:47:30,110 --> 00:47:32,209 in particular, the white labels, but 1281 00:47:32,210 --> 00:47:33,859 not just white labels, it's also the big 1282 00:47:33,860 --> 00:47:36,259 corporates who buy the white labels. 1283 00:47:36,260 --> 00:47:38,419 But security is 1284 00:47:38,420 --> 00:47:40,339 clearly not a priority. 1285 00:47:40,340 --> 00:47:42,589 But it's a tradeoff with cost 1286 00:47:42,590 --> 00:47:44,719 and time to market. And we prefer not 1287 00:47:44,720 --> 00:47:47,029 to invest a lot and actually be first 1288 00:47:47,030 --> 00:47:49,189 to market. And they completely 1289 00:47:49,190 --> 00:47:50,199 ignore the security. 1290 00:47:52,700 --> 00:47:54,859 So vis A 1291 00:47:54,860 --> 00:47:56,989 are my references, you 1292 00:47:56,990 --> 00:47:59,239 are more welcome to to read them, 1293 00:47:59,240 --> 00:48:01,519 share or tweet or cite 1294 00:48:01,520 --> 00:48:03,949 them in your papers or studies 1295 00:48:03,950 --> 00:48:06,439 or give me 1296 00:48:06,440 --> 00:48:08,749 a sign if you need 1297 00:48:08,750 --> 00:48:09,769 any question 1298 00:48:11,020 --> 00:48:13,129 or any advice or you have an 1299 00:48:13,130 --> 00:48:14,059 idea. 1300 00:48:14,060 --> 00:48:15,060 I am. 1301 00:48:16,990 --> 00:48:19,279 I'll be around or you'll reach me 1302 00:48:19,280 --> 00:48:21,919 on my email. I'd like to acknowledge 1303 00:48:21,920 --> 00:48:23,989 my colleagues with whom I have done part 1304 00:48:23,990 --> 00:48:26,479 of his research and work, 1305 00:48:26,480 --> 00:48:28,879 John Arzak, our Lanfranchi Down 1306 00:48:28,880 --> 00:48:30,859 the Road and Apostolis US. 1307 00:48:30,860 --> 00:48:33,319 And thank you. 1308 00:48:33,320 --> 00:48:35,509 If you have any questions, I'm 1309 00:48:35,510 --> 00:48:36,510 ready to take them. 1310 00:48:46,400 --> 00:48:48,289 Thanks for the great talk and we're 1311 00:48:48,290 --> 00:48:50,389 taking questions now for 10 minutes, and 1312 00:48:50,390 --> 00:48:52,699 if you absolutely have to leave the room, 1313 00:48:52,700 --> 00:48:55,649 please do so as quietly as possible. 1314 00:48:55,650 --> 00:48:57,739 Um, OK, so just walk 1315 00:48:57,740 --> 00:49:00,019 up to one of the microphones on my left 1316 00:49:00,020 --> 00:49:02,089 or on the right, um, and 1317 00:49:02,090 --> 00:49:03,529 ask away. 1318 00:49:03,530 --> 00:49:05,359 We start with a microphone to my right to 1319 00:49:05,360 --> 00:49:06,360 please. 1320 00:49:07,250 --> 00:49:10,099 Hey, look, I 1321 00:49:10,100 --> 00:49:12,169 thank you for the great talk. 1322 00:49:12,170 --> 00:49:13,940 I was wondering if because 1323 00:49:15,170 --> 00:49:17,299 because you don't always actually 1324 00:49:17,300 --> 00:49:19,729 purchase a device and actually test 1325 00:49:19,730 --> 00:49:21,469 exploits directly on a device, if you 1326 00:49:21,470 --> 00:49:23,689 have trouble 1327 00:49:23,690 --> 00:49:24,979 with vendors 1328 00:49:26,300 --> 00:49:28,399 acknowledging or being willing to 1329 00:49:28,400 --> 00:49:29,400 receive 1330 00:49:30,710 --> 00:49:32,299 vulnerabilities that haven't actually 1331 00:49:32,300 --> 00:49:33,920 been tested against the physical device. 1332 00:49:35,900 --> 00:49:38,539 OK, so I'll repeat the question whether 1333 00:49:38,540 --> 00:49:40,339 the fact that we don't always buy the 1334 00:49:40,340 --> 00:49:42,649 devices and we don't test 1335 00:49:42,650 --> 00:49:44,809 on actual devices whether the 1336 00:49:44,810 --> 00:49:47,149 vendors are willing to take 1337 00:49:47,150 --> 00:49:49,519 those reports in and 1338 00:49:49,520 --> 00:49:52,279 address those vulnerabilities with. 1339 00:49:52,280 --> 00:49:53,389 Yeah, yeah. 1340 00:49:53,390 --> 00:49:55,669 So actually when 1341 00:49:55,670 --> 00:49:58,219 we talk today, I want I 1342 00:49:58,220 --> 00:50:00,829 the plan to to drop some zero days 1343 00:50:00,830 --> 00:50:03,109 in some of our routers, but 1344 00:50:03,110 --> 00:50:05,179 because the 1345 00:50:05,180 --> 00:50:07,279 vendors actually listens or started to 1346 00:50:07,280 --> 00:50:10,099 listen, we'll have to delay 1347 00:50:10,100 --> 00:50:11,089 some of those. 1348 00:50:11,090 --> 00:50:13,339 So the short answer is 1349 00:50:13,340 --> 00:50:15,529 yes. Most of the vendors start right 1350 00:50:15,530 --> 00:50:17,899 now looking at these reports, even 1351 00:50:17,900 --> 00:50:19,519 though they are not tested on real 1352 00:50:19,520 --> 00:50:20,989 devices. 1353 00:50:20,990 --> 00:50:23,539 They look at these reports and 1354 00:50:23,540 --> 00:50:25,579 we provide as much detail as possible 1355 00:50:25,580 --> 00:50:27,649 regarding how we found them and what 1356 00:50:27,650 --> 00:50:29,749 is very triggering 1357 00:50:29,750 --> 00:50:32,509 input or what is very exploitation 1358 00:50:32,510 --> 00:50:33,679 methodology. 1359 00:50:33,680 --> 00:50:35,929 And if they are not willing to take 1360 00:50:35,930 --> 00:50:37,730 it in a responsible disclosure manner, 1361 00:50:38,780 --> 00:50:40,819 then it is becoming full disclosure after 1362 00:50:40,820 --> 00:50:42,399 the time out then OK, 1363 00:50:43,520 --> 00:50:45,079 otherwise I do not say. 1364 00:50:45,080 --> 00:50:47,359 But yeah, to confirm is, 1365 00:50:47,360 --> 00:50:49,549 is that the 1366 00:50:49,550 --> 00:50:51,859 vendors started looking at these 1367 00:50:51,860 --> 00:50:54,049 reports, at least in our case, 1368 00:50:54,050 --> 00:50:55,309 and is good. 1369 00:50:55,310 --> 00:50:56,599 They don't have a zero, they maybe they 1370 00:50:56,600 --> 00:50:58,099 have time to fix it. 1371 00:50:58,100 --> 00:50:59,239 Great. Thank you. 1372 00:50:59,240 --> 00:51:02,179 OK, another question from the microphone 1373 00:51:02,180 --> 00:51:04,579 to my father. 1374 00:51:04,580 --> 00:51:07,219 Um, congratulations on a great talk. 1375 00:51:07,220 --> 00:51:09,109 Thank you, Will. 1376 00:51:09,110 --> 00:51:11,269 Did you actually write Kimeu 1377 00:51:11,270 --> 00:51:13,309 devices? And if so, will you make them 1378 00:51:13,310 --> 00:51:14,629 public? 1379 00:51:14,630 --> 00:51:16,429 Oh, that's a very good question. 1380 00:51:17,550 --> 00:51:20,149 I'm not very kumu 1381 00:51:20,150 --> 00:51:21,739 guy. 1382 00:51:21,740 --> 00:51:24,319 Dr. Jonas Other my colleague, 1383 00:51:24,320 --> 00:51:26,509 he is a very good kumu 1384 00:51:26,510 --> 00:51:28,819 guy who is actually working on 1385 00:51:28,820 --> 00:51:31,579 binary dynamic translation and analysis. 1386 00:51:31,580 --> 00:51:33,649 And he he actually 1387 00:51:33,650 --> 00:51:36,199 writes plug ins to map 1388 00:51:36,200 --> 00:51:37,549 both devices. 1389 00:51:37,550 --> 00:51:39,829 And I only recommend 1390 00:51:39,830 --> 00:51:42,019 to contact him if you have 1391 00:51:42,020 --> 00:51:44,509 any questions regarding this thing. 1392 00:51:44,510 --> 00:51:47,029 In our methodology, we just used 1393 00:51:47,030 --> 00:51:49,159 bare metal chemo, but 1394 00:51:49,160 --> 00:51:52,039 that is where once you have a library of 1395 00:51:52,040 --> 00:51:54,199 chemo plugins or devices is 1396 00:51:54,200 --> 00:51:56,419 just easy breezy to 1397 00:51:56,420 --> 00:51:58,789 plug them in and basically broaden 1398 00:51:58,790 --> 00:52:01,220 your testing surface. 1399 00:52:02,290 --> 00:52:03,519 Thank you. 1400 00:52:03,520 --> 00:52:05,619 So we have one question from the 1401 00:52:05,620 --> 00:52:07,020 Internet, if I'm correct. 1402 00:52:08,280 --> 00:52:10,349 Yes, so joining 1403 00:52:10,350 --> 00:52:12,449 us are all the features 1404 00:52:12,450 --> 00:52:13,919 you mentioned today, available 1405 00:52:13,920 --> 00:52:15,359 information or R.E. 1406 00:52:15,360 --> 00:52:17,459 or and also is 1407 00:52:17,460 --> 00:52:18,959 the project opensource? 1408 00:52:18,960 --> 00:52:21,619 Are readily available for download. 1409 00:52:21,620 --> 00:52:23,899 OK, so there 1410 00:52:23,900 --> 00:52:27,129 are two questions, whether the. 1411 00:52:27,130 --> 00:52:29,199 Films are available to be 1412 00:52:29,200 --> 00:52:31,269 downloaded and whether it's open 1413 00:52:31,270 --> 00:52:32,639 source first. 1414 00:52:32,640 --> 00:52:34,809 Oh, we can we can share 1415 00:52:34,810 --> 00:52:37,059 some of the metadata and information 1416 00:52:37,060 --> 00:52:39,279 about the finnemore, but we cannot share 1417 00:52:39,280 --> 00:52:41,949 the Fillmore's themselves because of a 1418 00:52:41,950 --> 00:52:44,259 copyright. I mean, we don't we are not 1419 00:52:44,260 --> 00:52:46,059 distributors of software. 1420 00:52:46,060 --> 00:52:47,769 And usually these fires back. 1421 00:52:47,770 --> 00:52:49,689 If you start putting them on your side 1422 00:52:49,690 --> 00:52:51,819 with fires, back with legal claims 1423 00:52:51,820 --> 00:52:53,679 that you are distributing illegally 1424 00:52:53,680 --> 00:52:55,929 software, which you are not entitled to. 1425 00:52:55,930 --> 00:52:58,239 And this is kind of a tricky situation. 1426 00:52:58,240 --> 00:53:01,059 But to address this, if anybody 1427 00:53:01,060 --> 00:53:02,590 wants to run a specific 1428 00:53:03,640 --> 00:53:05,829 test or analysis on the data we 1429 00:53:05,830 --> 00:53:07,899 have just dropped by an email, I'll 1430 00:53:07,900 --> 00:53:09,879 try to accommodate the Rania's create or 1431 00:53:09,880 --> 00:53:12,219 I'll try to to to give you access 1432 00:53:12,220 --> 00:53:14,349 on our ARMPAC environment where you can 1433 00:53:14,350 --> 00:53:16,779 run it. So this is the first question. 1434 00:53:16,780 --> 00:53:18,999 And second, our project 1435 00:53:19,000 --> 00:53:21,069 is well, is not intended to 1436 00:53:21,070 --> 00:53:23,559 be run as open to be 1437 00:53:23,560 --> 00:53:25,359 released as open source is more intended 1438 00:53:25,360 --> 00:53:28,479 to be run as a service 1439 00:53:28,480 --> 00:53:30,789 where we can give 1440 00:53:30,790 --> 00:53:32,799 back to the community as much information 1441 00:53:32,800 --> 00:53:34,959 as we can and at 1442 00:53:34,960 --> 00:53:37,359 the same time try to 1443 00:53:37,360 --> 00:53:39,999 to improve our things, basically 1444 00:53:40,000 --> 00:53:41,799 is not rocket science. 1445 00:53:41,800 --> 00:53:43,599 What we've implemented is well described 1446 00:53:43,600 --> 00:53:44,679 technically in the paper 1447 00:53:46,370 --> 00:53:48,669 is just a distribution of jobs and 1448 00:53:48,670 --> 00:53:50,979 so on as we sometimes 1449 00:53:50,980 --> 00:53:53,560 also contribute. 1450 00:53:57,080 --> 00:53:59,149 Comets or bugs 1451 00:53:59,150 --> 00:54:01,099 or improvements to some of these tools 1452 00:54:01,100 --> 00:54:03,259 like Moonwalker, binary analysis, tool 1453 00:54:03,260 --> 00:54:05,329 kit. So in that sense, yes, we contribute 1454 00:54:05,330 --> 00:54:07,369 also to the open source community. 1455 00:54:08,390 --> 00:54:10,429 OK, we'll take two more questions. 1456 00:54:10,430 --> 00:54:11,510 So please, to my left. 1457 00:54:12,540 --> 00:54:14,759 Hi, thanks for a great talk, 1458 00:54:14,760 --> 00:54:17,039 and actually I have two questions and 1459 00:54:17,040 --> 00:54:19,439 for a short question is that how 1460 00:54:19,440 --> 00:54:21,519 long does it take usually for 1461 00:54:21,520 --> 00:54:23,849 the dynamic analysis on 1462 00:54:23,850 --> 00:54:24,850 the farmers? 1463 00:54:26,280 --> 00:54:28,169 OK, vulnerabilities. 1464 00:54:28,170 --> 00:54:30,639 OK, so so to emulate 1465 00:54:30,640 --> 00:54:32,999 it, it takes 1466 00:54:33,000 --> 00:54:35,429 OK, we take some some 1467 00:54:35,430 --> 00:54:36,509 measure of precautions. 1468 00:54:36,510 --> 00:54:38,669 We're having some dead times where we 1469 00:54:38,670 --> 00:54:40,919 we do weights or sleeps just 1470 00:54:40,920 --> 00:54:43,019 to make sure that all the set up is fine 1471 00:54:43,020 --> 00:54:45,389 because you you cannot expect 1472 00:54:45,390 --> 00:54:48,179 a consistent or constant time from chemo 1473 00:54:48,180 --> 00:54:50,579 running in different virtual machines, 1474 00:54:50,580 --> 00:54:52,589 running on different hardware across the 1475 00:54:52,590 --> 00:54:55,439 globe. So you don't have a consistent 1476 00:54:55,440 --> 00:54:57,539 time, but in general 1477 00:54:57,540 --> 00:54:59,729 is to to 1478 00:54:59,730 --> 00:55:02,279 start the chemo for a particular 1479 00:55:02,280 --> 00:55:04,559 image takes around, I 1480 00:55:04,560 --> 00:55:06,629 know, up to five minutes, 1481 00:55:06,630 --> 00:55:08,769 depending what it has to load and all 1482 00:55:08,770 --> 00:55:10,899 devices it can or cannot find or 1483 00:55:10,900 --> 00:55:13,049 all kinds of folds and to 1484 00:55:13,050 --> 00:55:15,719 test it, it also depends 1485 00:55:15,720 --> 00:55:16,720 on 1486 00:55:17,880 --> 00:55:19,109 what kind of dynamic analysis. 1487 00:55:19,110 --> 00:55:21,179 In our case, we were on the testing 1488 00:55:21,180 --> 00:55:23,439 and we use the excessive SRF and 1489 00:55:23,440 --> 00:55:25,799 or always command the injection 1490 00:55:25,800 --> 00:55:28,259 models from Arachne and 1491 00:55:28,260 --> 00:55:30,419 they may very well take quite some time 1492 00:55:30,420 --> 00:55:32,789 to generate around 10000 1493 00:55:32,790 --> 00:55:35,009 20000 fuzzing inputs per 1494 00:55:35,010 --> 00:55:36,069 each class. 1495 00:55:36,070 --> 00:55:38,159 And basically it 1496 00:55:38,160 --> 00:55:40,559 takes around half, 1497 00:55:40,560 --> 00:55:42,969 half an hour, one hour to to 1498 00:55:42,970 --> 00:55:43,970 test. 1499 00:55:44,750 --> 00:55:45,929 Can I have one more question? 1500 00:55:47,930 --> 00:55:49,969 I think we should take the ones waiting 1501 00:55:49,970 --> 00:55:52,039 over there for a long time, so, 1502 00:55:52,040 --> 00:55:53,899 OK, first of all, thank you for the 1503 00:55:53,900 --> 00:55:54,900 beautiful talk. 1504 00:55:55,850 --> 00:55:58,309 I have many questions, but I 1505 00:55:58,310 --> 00:56:00,559 have selected one that is most 1506 00:56:00,560 --> 00:56:01,609 for me interesting. 1507 00:56:01,610 --> 00:56:03,949 How would it go about scaling 1508 00:56:03,950 --> 00:56:06,049 the, uh, the firmware 1509 00:56:06,050 --> 00:56:07,039 retrieval part? 1510 00:56:07,040 --> 00:56:10,249 Because from some of your slides, 1511 00:56:10,250 --> 00:56:12,959 I took, um, 1512 00:56:12,960 --> 00:56:14,630 thought that your current 1513 00:56:15,980 --> 00:56:18,139 sample size is about to two 1514 00:56:18,140 --> 00:56:19,639 thousand for very much. 1515 00:56:19,640 --> 00:56:21,229 Is that right? 1516 00:56:21,230 --> 00:56:24,049 And, uh, actually, 1517 00:56:24,050 --> 00:56:26,509 how do you go about loading 1518 00:56:26,510 --> 00:56:28,579 and processing all of the 1519 00:56:28,580 --> 00:56:30,889 firmware from different 1520 00:56:30,890 --> 00:56:32,929 browsers which are not publicly 1521 00:56:32,930 --> 00:56:35,119 available? And it seems that 1522 00:56:35,120 --> 00:56:37,249 it involves, like manually Googling for 1523 00:56:37,250 --> 00:56:39,349 their website to download the 1524 00:56:39,350 --> 00:56:40,249 firmware. 1525 00:56:40,250 --> 00:56:42,499 And and so this 1526 00:56:42,500 --> 00:56:44,239 was the first one and the second one. 1527 00:56:44,240 --> 00:56:46,309 What is your current sample size? 1528 00:56:46,310 --> 00:56:48,619 OK, so the current sample 1529 00:56:48,620 --> 00:56:50,030 size, we have 1530 00:56:51,140 --> 00:56:52,609 collected sample size, which you used for 1531 00:56:52,610 --> 00:56:54,889 the first study, and it will 1532 00:56:54,890 --> 00:56:57,169 it was around one estimate, up to around 1533 00:56:57,170 --> 00:56:59,689 170000 Fillmore images. 1534 00:56:59,690 --> 00:57:02,269 OK, 170000 fewer more images 1535 00:57:02,270 --> 00:57:04,549 which we called using the Google 1536 00:57:04,550 --> 00:57:06,889 custom searches or using FTP 1537 00:57:06,890 --> 00:57:09,229 spiders and have to be indexing sites. 1538 00:57:09,230 --> 00:57:11,449 And we just took a seed of 1539 00:57:11,450 --> 00:57:13,669 500 EFTPOS and vendor 1540 00:57:13,670 --> 00:57:16,099 sites and start crawling 1541 00:57:16,100 --> 00:57:17,689 everything. And then we just filtered out 1542 00:57:17,690 --> 00:57:20,089 the web with basically the PDAF 1543 00:57:20,090 --> 00:57:22,909 documentation drivers and so on, 1544 00:57:22,910 --> 00:57:25,239 and we ended up with one hundred seventy 1545 00:57:25,240 --> 00:57:26,419 thousand files. 1546 00:57:26,420 --> 00:57:28,969 Now we did the static analysis 1547 00:57:28,970 --> 00:57:31,069 on thirty two thousand 1548 00:57:31,070 --> 00:57:33,679 unpacked files because academic 1549 00:57:33,680 --> 00:57:36,379 deadlines do not usually meet with 1550 00:57:36,380 --> 00:57:38,719 our desires. So we had to cut some 1551 00:57:38,720 --> 00:57:41,209 lines and do on a shorter 1552 00:57:41,210 --> 00:57:43,279 scale of a static analysis and 1553 00:57:43,280 --> 00:57:45,139 the dynamic analysis as well, because it 1554 00:57:45,140 --> 00:57:47,239 takes much more time to 1555 00:57:47,240 --> 00:57:49,189 emulate than pentathletes. 1556 00:57:49,190 --> 00:57:51,479 We did it on two thousand 1557 00:57:51,480 --> 00:57:53,569 more images. We tried to emulate 1558 00:57:53,570 --> 00:57:55,969 and find Web vulnerabilities 1559 00:57:55,970 --> 00:57:57,499 in around 2000. 1560 00:57:57,500 --> 00:57:59,779 OK, so this is basically a breakdown 1561 00:57:59,780 --> 00:58:00,979 of the sample size. 1562 00:58:00,980 --> 00:58:03,229 Now, how do we do about the 1563 00:58:03,230 --> 00:58:04,849 files we cannot get? 1564 00:58:04,850 --> 00:58:06,709 Of course, there will be always files 1565 00:58:06,710 --> 00:58:08,959 behind the paywall at registrational 1566 00:58:08,960 --> 00:58:10,609 or which are not available. 1567 00:58:10,610 --> 00:58:12,799 If you are not registered as a customer 1568 00:58:12,800 --> 00:58:14,869 or as a reseller and 1569 00:58:14,870 --> 00:58:16,849 so on, which is why we have this service 1570 00:58:16,850 --> 00:58:18,529 where people can draw them. 1571 00:58:18,530 --> 00:58:20,659 And as we move forward, 1572 00:58:20,660 --> 00:58:22,849 we'll try to perform machine learning 1573 00:58:22,850 --> 00:58:24,919 as well as to classify them and 1574 00:58:24,920 --> 00:58:26,869 also to analyze them and give results 1575 00:58:26,870 --> 00:58:29,509 back, not just on the files we have 1576 00:58:29,510 --> 00:58:32,719 and from the public interface. 1577 00:58:32,720 --> 00:58:34,999 We collected around 2200 1578 00:58:35,000 --> 00:58:37,129 files, uh, around 10 1579 00:58:37,130 --> 00:58:39,769 gigs of data, so 1580 00:58:39,770 --> 00:58:41,329 around 50 megs per file. 1581 00:58:41,330 --> 00:58:43,099 But there are some some bogus files as 1582 00:58:43,100 --> 00:58:45,259 well. People just drop some movies and be 1583 00:58:45,260 --> 00:58:46,260 present. 1584 00:58:46,970 --> 00:58:48,739 OK, thank you. Unfortunately, we're out 1585 00:58:48,740 --> 00:58:50,569 of time, so we cannot take any more 1586 00:58:50,570 --> 00:58:52,099 questions. Thank you for being here this 1587 00:58:52,100 --> 00:58:53,329 morning and enjoy the rest of the 1588 00:58:53,330 --> 00:58:54,330 Congress.