Recap Amrita InCTF 2019 | Part 2


Amrita InCTF 10th Edition is an offline CTF (Capture the Flag) event hosted by Amrita University. In our previous blog we discussed the talks from the first day. In this one we'll shed some light on the talks from the second day.

Talk 1: Exploring attack surfaces in embedded devices by Vivek 

IoT devices have become common in everyday household items like fridges, washing machines, cameras and televisions. You can access them remotely, and some devices can communicate with each other. These connections become entry points for an attacker.

Nowadays commodity devices are getting intelligent and SoCs are pretty cheap (the $5 Raspberry Pi Zero), so they are all around us, from watches to contact lenses; all of these are now being connected to a massive IoT network, interconnected and potentially vulnerable.

Below are some insights on the key topics discussed in the talk around IoT security.

BLE Security Testing:- Bluetooth Low Energy (BLE) is low cost and easy to implement, which has led to it being widely used in IoT devices and applications such as wearable sensors, light bulbs and medical devices.

BLE has three main vulnerabilities:

  • Eavesdropping:- A third-party device listens in on the data being exchanged between two paired devices.
  • Man in the Middle (MITM) attacks:- A third-party device impersonates a legitimate device, tricking two legitimate devices into believing they are connected to each other when in reality both are connected to the impersonator.
  • Denial of Service and fuzzing attacks:- DoS attacks expose a system to frequent crashes, which can lead to complete exhaustion of its battery. Fuzzing attacks can also crash systems, as an attacker sends malformed or non-standard data to a device.

ZigBee Security Testing:- ZigBee is a wireless communication protocol. It is used to connect sensors, door locks, electric meters and traffic management systems. The protocol is open at the network level, so when devices start connecting they send out beacon requests.
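ZigBee runs on top of IEEE 802.15.4, and the beacon request mentioned above is an 802.15.4 MAC command frame. The following is an added example (not code from the talk or from this blog): a minimal 802.15.4 MAC header parser that recognises beacon-request frames, plus a small detector that flags a burst of them in a capture window, which is what a defender monitoring a ZigBee network would look for. The frames are constructed for the example and omit the trailing FCS; the alert threshold is an assumed value.

```python
"""
Added example, not from the talk or this blog: parse IEEE 802.15.4 MAC headers
(the layer ZigBee runs on), recognise beacon-request command frames, and count
them over a capture window. Sample frames are constructed; FCS is omitted.
"""
import struct

FRAME_TYPE_CMD = 3                           # MAC command (beacon = 0, data = 1, ack = 2)
CMD_BEACON_REQUEST = 0x07                    # MAC command identifier: Beacon Request
ADDR_NONE, ADDR_SHORT, ADDR_EXT = 0, 2, 3    # addressing modes (1 is reserved)
ADDR_LEN = {ADDR_NONE: 0, ADDR_SHORT: 2, ADDR_EXT: 8}


def parse_mac_header(frame: bytes) -> dict:
    """Decode the frame control field and addressing fields; return header + payload."""
    if len(frame) < 3:
        raise ValueError("frame too short for an 802.15.4 MAC header")
    fcf, seq = struct.unpack_from("<HB", frame, 0)   # fields are little-endian on the air
    hdr = {
        "frame_type": fcf & 0x7,
        "security": bool(fcf & (1 << 3)),
        "ack_request": bool(fcf & (1 << 5)),
        "panid_compression": bool(fcf & (1 << 6)),
        "dst_mode": (fcf >> 10) & 0x3,
        "src_mode": (fcf >> 14) & 0x3,
        "seq": seq,
    }
    if hdr["dst_mode"] not in ADDR_LEN or hdr["src_mode"] not in ADDR_LEN:
        raise ValueError("reserved addressing mode")
    off = 3
    if hdr["dst_mode"] != ADDR_NONE:
        hdr["dst_pan"] = struct.unpack_from("<H", frame, off)[0]
        off += 2
        n = ADDR_LEN[hdr["dst_mode"]]
        hdr["dst_addr"] = int.from_bytes(frame[off:off + n], "little")
        off += n
    if hdr["src_mode"] != ADDR_NONE:
        if not hdr["panid_compression"]:          # source PAN ID omitted when compressed
            hdr["src_pan"] = struct.unpack_from("<H", frame, off)[0]
            off += 2
        n = ADDR_LEN[hdr["src_mode"]]
        hdr["src_addr"] = int.from_bytes(frame[off:off + n], "little")
        off += n
    if off > len(frame):
        raise ValueError("truncated addressing fields")
    hdr["payload"] = frame[off:]
    return hdr


def is_beacon_request(frame: bytes) -> bool:
    """A beacon request is a MAC command frame whose first payload byte is 0x07.
    It goes to the broadcast PAN/address and carries no source address at all."""
    hdr = parse_mac_header(frame)
    return (hdr["frame_type"] == FRAME_TYPE_CMD
            and len(hdr["payload"]) >= 1
            and hdr["payload"][0] == CMD_BEACON_REQUEST)


def beacon_request_alert(frames, threshold: int = 3) -> tuple:
    """Count beacon requests in a capture window and alert when the count reaches
    the threshold. Returns (count, alert). Since beacon requests have no source
    address, counting is per window rather than per device."""
    count = sum(1 for f in frames if is_beacon_request(f))
    return count, count >= threshold


# Constructed sample capture (hex, FCS omitted):
BEACON_REQUEST = bytes.fromhex("0308" "a1" "ffff" "ffff" "07")            # cmd frame, bcast, cmd 0x07
DATA_FRAME = bytes.fromhex("6188" "05" "3412" "0000" "0100" "deadbeef")   # data, PAN 0x1234, src 1 -> dst 0
DATA_REQUEST = bytes.fromhex("6388" "06" "3412" "0000" "0100" "04")       # cmd frame, cmd 0x04 (Data Request)
SAMPLE_CAPTURE = [BEACON_REQUEST, DATA_FRAME, BEACON_REQUEST, DATA_REQUEST, BEACON_REQUEST]

if __name__ == "__main__":
    for f in SAMPLE_CAPTURE:
        print(parse_mac_header(f))
    print("beacon requests, alert:", beacon_request_alert(SAMPLE_CAPTURE))
```

A single beacon request is normal whenever a device joins, which is why the detector works on a count per window instead of alerting on every frame; the threshold should be tuned to how often devices legitimately join the network being monitored.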

NFC/RFID cloning:-

Some cards have no security at all: they have been hacked, there is no protection of data and no privacy, everything is in the clear, and they are not resistant to sniffing or other common attacks.

On the more secure cards, to access sensitive information you have to provide the right key for that sector of memory; otherwise it shows up blank. Even though these cards are a lot more secure, once you know the encryption algorithm you can decrypt them and access the sensitive information. With that, people can also clone these cards relatively easily.

Hello Barbie hardware hacking:- The doll uses Wi-Fi to transmit audio of children talking, much like Siri or Google Assistant. The toy uses a digital ID that attackers can abuse, potentially letting them spy on the chatter between a doll and the server. Phones with the app will automatically connect to any Wi-Fi network that includes "Barbie" in its name.

Talk 2: APT attacks by Shaunak

Shaunak is the CEO of Zacco, a cyber security company. He talked about his experience with APT attacks and gave a brief intro to what Advanced Persistent Threat (APT) attacks are. He also shared his experience of uncovering an APT attack inside an organization that had no clue about it.

What is an APT attack:-

APT attacks are performed at large scale. They are cyber crimes directed at business and political targets. Organized crime groups may sponsor advanced persistent threats to gain information they can use to carry out criminal acts for financial gain.

How an APT attack works:-

  • Gain access: APT groups get in by targeting systems, using techniques such as social engineering and application vulnerabilities.
  • Establish a foothold: After gaining access to the target, the APT group does further reconnaissance and creates networks of backdoors and tunnels they can use to move around unnoticed. APTs may use advanced malware techniques such as code rewriting to cover their tracks.
  • Gain even greater access: Once inside a network, APT actors may use methods such as password cracking to gain administrative rights and thus high-level access.
  • Move laterally: With admin access, they can then move around the enterprise network and attempt to attack other servers.
  • Stage the attack: At this point, the attackers centralize, encrypt and compress the data so they can exfiltrate it.
  • Take the data: The attackers transfer the data to their own systems.
  • Remain until they're detected: The APT group can repeat this process for a long time until they are detected.

Talk 3: Intel L1 Terminal Fault Vulnerability by Reno Robert

Reno Robert talked about Intel L1 Terminal Fault (L1TF). Most Intel processors are affected by this vulnerability. It can allow attackers to access sensitive information stored in the Level 1 CPU cache.

This may include data from the operating system, kernel, hypervisor or the neighboring virtual machine.

It may allow malicious code executing on one thread to access data from the L1 cache of another thread within the same core.

  • L1TF system impact:- An attacker can use this vulnerability to read any physical memory location that is cached in the L1 data cache of the processor.
  • Page-table entries:- The memory addresses used by both user space and the kernel do not point directly into physical memory. Instead, a hierarchical page-table structure is used to translate virtual addresses into physical addresses. L1TF arises when a page-table entry is marked not-present but still carries physical address bits that name a line held in the L1 data cache: the processor may speculatively forward that data before the fault is delivered.
  • Flush L1 data cache on security domain transition:- The L1D is shared by all logical processors (LPs) on the same physical core. This means disclosure can be prevented by flushing the L1 data cache when transitioning between security domains. Intel has provided, through a microcode update, an architectural interface for flushing the L1 data cache.
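The page-table angle above is where the software-side mitigation lives. As an added example (not code from the talk, this blog, or any kernel), the block below decodes x86-64 4 KiB page-table entries, checks the L1TF condition for a not-present entry, and applies the "PTE inversion" technique that the Linux kernel uses: the page-frame bits of a not-present entry are inverted so that the address they name lies far above any installed memory and can never be in the L1D. The sample entries and the 16 GiB physical-memory limit are constructed values for the example.

```python
"""
Added example, not from the talk or this blog: decode x86-64 4 KiB page-table
entries (PTEs), test the L1TF condition for not-present entries, and apply
the "PTE inversion" mitigation. Sample PTEs and the RAM limit are constructed.
"""

PTE_PRESENT = 1 << 0        # bit 0: entry is present (translation is valid)
PTE_NX = 1 << 63            # bit 63: no-execute
PFN_SHIFT = 12              # 4 KiB pages: page frame number starts at bit 12
PFN_BITS = 40               # bits 12..51 carry the page frame number
PFN_MASK = ((1 << PFN_BITS) - 1) << PFN_SHIFT


def pte_phys_addr(pte: int) -> int:
    """Physical address encoded in the entry's address bits."""
    return pte & PFN_MASK


def pte_pfn(pte: int) -> int:
    """Page frame number (physical address >> 12) encoded in the entry."""
    return pte_phys_addr(pte) >> PFN_SHIFT


def is_l1tf_exposed(pte: int, phys_mem_limit: int) -> bool:
    """
    L1TF condition: the entry is NOT present, yet its stale address bits still
    name a physical address inside installed (hence cacheable) memory. If that
    line sits in the L1D, a faulting load can speculatively forward its data.
    """
    if pte & PTE_PRESENT:
        return False   # present entries translate normally; not the L1TF case
    return pte_phys_addr(pte) < phys_mem_limit


def invert_pte(pte: int) -> int:
    """
    PTE inversion: flip the PFN bits of a not-present entry so the address it
    carries lands near 2**52, far above any installed RAM. XOR is its own
    inverse, so the kernel recovers the original (e.g. a swap entry) by
    inverting again. Present entries are returned unchanged.
    """
    if pte & PTE_PRESENT:
        return pte
    return pte ^ PFN_MASK


def mitigate_page_table(ptes, phys_mem_limit: int) -> tuple:
    """Return (mitigated entries, number of entries that were exposed before)."""
    exposed = [is_l1tf_exposed(p, phys_mem_limit) for p in ptes]
    fixed = [invert_pte(p) if e else p for p, e in zip(ptes, exposed)]
    return fixed, sum(exposed)


# Constructed sample: a machine assumed to have 16 GiB of installed RAM.
PHYS_MEM_LIMIT = 16 << 30
SAMPLE_PTES = [
    (0x1234 << PFN_SHIFT) | 0x67,        # present, RW, user, accessed, dirty: fine
    (0x2345 << PFN_SHIFT),               # not present, stale PFN inside RAM: exposed
    (1 << 32) << PFN_SHIFT,              # not present, address already beyond RAM: fine
]

if __name__ == "__main__":
    fixed, n = mitigate_page_table(SAMPLE_PTES, PHYS_MEM_LIMIT)
    print(f"exposed before: {n}")
    for before, after in zip(SAMPLE_PTES, fixed):
        print(f"{before:#018x} -> {after:#018x}")
```

The check is deliberately conservative: it treats every not-present entry whose address bits fall inside installed memory as exposed, which is the case the inversion covers. The real kernel additionally has to consider the processor's maximum physical address width when deciding whether an inverted address is guaranteed to be uncacheable, which is why it reports when installed memory is too large for the mitigation to be fully effective.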

That was all from the day 2 talks. Come back next Tuesday for the talks from Day 3. As the final segment of this series we'll write about our attack/defense and jeopardy CTF experience.

We'd be more than happy to hear from you in the comments section with any feedback or criticism.

Stay Tuned, Happy Blogging!

References:

  • https://blog.attify.com/the-practical-guide-to-hacking-bluetooth-low-energy/
  • https://msrc-blog.microsoft.com/2018/08/14/analysis-and-mitigation-of-l1-terminal-fault-l1tf/
  • https://research.kudelskisecurity.com/2017/11/21/zigbee-security-basics-part-3/