Vincent Ruijter & Bernardo Maia Rodrigues

REDteam, KPN Telecom

Vincent Ruijter

Talk Title

I Boot when U-Boot

Abstract

Personal computer systems are now considerably more secure than embedded devices. Trusted Platform Module (TPM) and secure boot are readily available and even default to a lot of new desktop computers and laptops. Numerous small office and consumer devices, including routers and smart televisions, however, are lacking even the most basic security features.

In this talk, we will demonstrate and describe the inner-workings of a custom developed (Fully Weaponised IoT CyberTM) bootkit, which gains persistence on U-Boot based embedded devices, at a lower level than even the firmware. Firmware updates and factory resets usually do not interfere with the bootloader, as a small problem could render the device unusable for an end-user: the bootkit will, therefore, remain present. By including a properly functioning killswitch and a multi-boot like the technique, it is possible to switch between a regular and a backdoored image to thwart detection.

Enterprises and ISPs must take this additional attack surface into account, and put effort into detecting and responding to this threat. Well-known security researchers have long advocated for easier ways to verify and demonstrate the integrity of hardware, but this comes at a price that vendors are not willing to pay for security. Recently, however, regulatory bodies have started to enforce vendors to lock-down their wireless devices, in order to prevent them from operating outside of their certified frequencies. But these 'vendor lock-downs' are not sufficient to increase the device security, as we will demonstrate, it's just a minor inconvenience.

Bio

Bernardo Maia Rodrigues (Brazil) @bernardomr

Bernardo works as an Ethical Hacker for KPNs (Royal Duth Telecom) REDteam. He enjoys hacking (and bricking) embedded devices including routers, modems and TVs. He presented on security topics at the NullByte Conference, the null Amsterdam chapter, and local venues. He frequently participates in CTFs with TheGoonies and is famous for not using buzzwords like IoT, APT, and Cyber in his bio.

Vincent Ruijter (Netherlands) @_evict

Pacifistic Internetveapon @ KPNs (Royal Dutch Telco) REDteam, who thinks he knows Linux. Moderator @ null Amsterdam chapter, with an endless curiosity for all things binary. Knows how to quit Vi ^[ESC!wqwq:wq!

Copyright © 2019-20 | Nullcon India | International Security Conference | All Rights Reserved