Making something out of something

Presented at 44CON 2019, Sept. 11, 2019, 7:45 p.m. (59 minutes)

This talk covers software and hardware modification of existing consumer electronics in order to give them features that could be relevant in a security context. It mainly focuses on techniques for identifying the potential for a device to be modified, and techniques for doing so, with a large number of varying demos to back it up.

The first device modification will be the NX301 handheld OBD-II reader. This device in particular was chosen due to its locked chip, encrypted firmware updates and the board's capabilities, in particular the STM32 MCU, which could be used for connection to various peripherals. The talk will then outline the current features, and the features that could potentially be added to it. The most significant of these will be a discussion of how, due to the STM32 chip used on the board, it would be possible to turn this device into a handheld USB rubber ducky, with an LCD screen menu and interface. The talk will then discuss how the device was selected for reverse engineering among a large number of potential devices.

The talk will then move on to another device, the WS-6933 satlink detector. This device was found to have a similar microcontroller to the previous device; however, it has some limitations which meant that it could not be used for the same purpose, but could be used for a purpose of its own. Various modification techniques will be discussed in depth. These techniques will be performed on a third device, a 2.4GHz RF module used by radio controlled planes. This device was briefly touched upon in my talk last year, "Pwning the 44CON Nerf Tank", but in this instance will be used to show how USB access can be provided to all four radio chipsets on the device, providing a powerful interface for interacting with their specific protocols. This will cover more details of debugging in environments where it is not always possible. This will be touched upon only briefly, as similar work has been covered in other talks, but it can demonstrate useful techniques.

A children's toy will then be demonstrated with custom firmware to perform functions different from those intended. This will outline the disassembly and analysis of the device, and point out how large amounts of the technology involved in creating a smart children's toy are the same as in a more serious piece of equipment, and share the same vulnerabilities. This section of the talk will largely be for entertainment value, but will show how anything can be converted into a useful device with a sufficient amount of knowledge and effort.

The last demo will be of what can be done when hardware changes are made to devices. We will demonstrate how, by adding a few additional components and a tuned coil to the back of the OBD-II reader, the device can be modified to perform the functions of an NFC device, specifically a Mifare Classic NFC tag, with all of the features necessary to emulate and exploit the device. This will show how desirable modifications can be made to the hardware on the device in order to increase its capabilities, and demos with some NFC exploits will accompany this.

Presenters:

  • Chris Wade - Pen Test Partners
    Chris is a seasoned security researcher and consultant. His main focuses are in reverse engineering hardware, fingerprinting USB vulnerabilities and playing with Software Defined Radios, with his key strength lying in firmware analysis, which he utilises as part of the hardware testing team at Pen Test Partners.