{"id":10248,"date":"2017-11-02T09:40:15","date_gmt":"2017-11-02T17:40:15","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/11\/02\/news-4021\/"},"modified":"2017-11-02T09:40:15","modified_gmt":"2017-11-02T17:40:15","slug":"news-4021","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/11\/02\/news-4021\/","title":{"rendered":"Security Research News in Brief &#8211; September 2017 Edition"},"content":{"rendered":"<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 02 Nov 2017 12:50:59 +0000<\/strong><\/p>\n<div class=\"entry\">\n<p cid=\"n0\" mdtype=\"heading\">Welcome back to our monthly review of some of the most interesting security research publications.<\/p>\n<p cid=\"n4\" mdtype=\"paragraph\">Past editions:<\/p>\n<ul cid=\"n6\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n7\" mdtype=\"list_item\">\n<p cid=\"n8\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/09\/07\/security-research-news-in-brief-august-2017-edition\" spellcheck=\"false\">August 2017<\/a><\/p>\n<\/li>\n<li cid=\"n10\" mdtype=\"list_item\">\n<p cid=\"n11\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/09\/07\/security-research-news-in-brief-july-2017-edition\" spellcheck=\"false\">July 2017<\/a><\/p>\n<\/li>\n<li cid=\"n13\" mdtype=\"list_item\">\n<p cid=\"n14\" mdtype=\"paragraph\"><a href=\"https:\/\/blog.fortinet.com\/2017\/07\/04\/sstic-2017-in-a-nutshell\" spellcheck=\"false\">June 2017<\/a><\/p>\n<\/li>\n<li cid=\"n16\" mdtype=\"list_item\">\n<p cid=\"n17\" mdtype=\"paragraph\"><a href=\"https:\/\/blog.fortinet.com\/2017\/06\/22\/security-research-news-in-brief-may-2017-edition\" spellcheck=\"false\">May 2017<\/a><\/p>\n<\/li>\n<li cid=\"n19\" mdtype=\"list_item\">\n<p cid=\"n20\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/05\/10\/security-research-news-in-brief-april-2017-edition\" spellcheck=\"false\">April 2017<\/a><\/p>\n<\/li>\n<li cid=\"n22\" mdtype=\"list_item\">\n<p 
cid=\"n23\" mdtype=\"paragraph\"><a href=\"http:\/\/blog.fortinet.com\/2017\/03\/24\/security-research-news-in-brief-march-2017-edition\" spellcheck=\"false\">March 2017<\/a><\/p>\n<\/li>\n<\/ul>\n<h2 cid=\"n25\" mdtype=\"heading\">Froschle et al. Analyzing the Capabilities of the CAN Attacker, ESORICS, [<a href=\"https:\/\/www.ntnu.edu\/documents\/1271414887\/0\/Proceedings+part+1.pdf\/424edd3b-c70e-4f97-8b15-7d2c3debff5c\" spellcheck=\"false\">proceedings<\/a>]<\/h2>\n<p cid=\"n26\" mdtype=\"paragraph\">Modern cars are made of multiple Electronic Control Units (ECUs). Those ECUs typically communicate via Controller Area Network (CAN) buses.<\/p>\n<p cid=\"n28\" mdtype=\"paragraph\">This paper is a <strong>must read for anyone wishing to understand how CAN buses work<\/strong>. It&#39;s not like TCP\/IP! You will find in this paper things like the format of messages.<\/p>\n<p cid=\"n30\" mdtype=\"paragraph\" style=\"text-align: center;\"><img decoding=\"async\" alt=\"\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/canbus.png\" style=\"width: 709px; height: 179px;\" \/><\/p>\n<p cid=\"n30\" mdtype=\"paragraph\"><em>Image source: <a href=\"https:\/\/en.wikipedia.org\/wiki\/File:CAN-Bus-frame_in_base_format_without_stuffbits.svg\" spellcheck=\"false\">Wikipedia<\/a><\/em><\/p>\n<p cid=\"n33\" mdtype=\"paragraph\">Then, the paper details possible attacks on CAN buses, assuming the attacker has full access to an ECU and can run code on it, but without necessarily having physical access to the car.<\/p>\n<blockquote cid=\"n35\" mdtype=\"blockquote\">\n<p cid=\"n36\" mdtype=\"paragraph\">The study is interesting because it details which attacks are possible. For instance, <strong>removing a message on a CAN bus is not trivial, and they explain how it can be done<\/strong>.<\/p>\n<\/blockquote>\n<h2 cid=\"n38\" mdtype=\"heading\">S. 
Skorobogatov, Challenging real-world targets: from iPhone to insulin pump, Hardwear.io, [<a href=\"http:\/\/www.cl.cam.ac.uk\/~sps32\/HWIO_keynote.pdf\" spellcheck=\"false\">slides<\/a>]<\/h2>\n<p cid=\"n39\" mdtype=\"paragraph\">From a research point of view, the teardown of an iPhone, an Audi smart key, or a connected insulin pump has at least one thing in common: their vendors claim they are <em>unbreakable<\/em>.<\/p>\n<h3 cid=\"n41\" mdtype=\"paragraph\">iPhone 5C NAND mirroring<\/h3>\n<p cid=\"n43\" mdtype=\"paragraph\">This was said to be <em>impossible<\/em> by the FBI. The speaker explains his steps. An iPhone 5C is bought from eBay and opened using a <strong>hot air gun<\/strong>. The NAND chip is desoldered using, again, a hot air gun. Finally, the NAND chip is separated from the PCB: it is manually wired back to the main PCB so that it is possible to act on the NAND chip itself while the phone boots. Unfortunately, this did not work straight away, as the phone would no longer boot because the NAND had been corrupted. 
After several steps it finally worked, and an oscilloscope and a logic analyser were attached to understand the NAND. Finally, after designing a custom hardware board to read the NAND, he was able to clone it.<\/p>\n<h3 cid=\"n51\" mdtype=\"paragraph\">Audi smart key<\/h3>\n<p cid=\"n53\" mdtype=\"paragraph\">The speaker again details the hardware teardown of the key. He concluded with two facts: (1) the key uses weak security; (2) a spare plastic key is provided to owners, but they are unaware that this key is fully functional.<\/p>\n<h3 cid=\"n56\" mdtype=\"paragraph\">Insulet OmniPod<\/h3>\n<p cid=\"n58\" mdtype=\"paragraph\">The hardware reverse engineering of this insulin pump was done for an open source project to create an artificial pancreas (which is related to Type 1 diabetes). As usual for IoT, there is little technical documentation. He opens the device with a circular saw and analyses the hardware. He decapsulates the IC and finds there is a Freescale chip inside. He locates the debug interface and attempts to use it to extract the firmware, but security is activated and the extraction is impossible &#8211; only an erase is possible.<\/p>\n<blockquote cid=\"n63\" mdtype=\"blockquote\">\n<p cid=\"n64\" mdtype=\"paragraph\">This keynote is <strong>amazing<\/strong>. Although these attacks require high skills and some equipment, they do prove that nothing is &quot;impossible.&quot; It seems to me that the iPhone and the insulin pump were relatively well secured &#8211; only the smart key really seemed to have a weak implementation. Finally, this talk only considered hardware reverse engineering. 
I wouldn&#39;t be surprised if some of these devices turned out to be easier to attack from their software layers.<\/p>\n<\/blockquote>\n<h2 cid=\"n68\" mdtype=\"heading\">Miscellaneous<\/h2>\n<ul cid=\"n69\" data-mark=\"-\" mdtype=\"list\">\n<li cid=\"n70\" mdtype=\"list_item\">\n<p cid=\"n71\" mdtype=\"paragraph\"><strong>ESORICS<\/strong> proceedings <a href=\"https:\/\/www.ntnu.edu\/documents\/1271414887\/0\/Proceedings+part+1.pdf\/424edd3b-c70e-4f97-8b15-7d2c3debff5c\" spellcheck=\"false\">part 1<\/a> and <a href=\"https:\/\/www.ntnu.edu\/documents\/1271414887\/0\/Proceedings+part+2.pdf\/bf3aa6a6-e431-49e0-a5e7-20d6f5155e92\" spellcheck=\"false\">part 2<\/a><\/p>\n<\/li>\n<li cid=\"n73\" mdtype=\"list_item\">\n<p cid=\"n74\" mdtype=\"paragraph\"><a href=\"https:\/\/ches.iacr.org\/2017\/program.shtml\" spellcheck=\"false\">CHES<\/a> conference slides<\/p>\n<\/li>\n<li cid=\"n76\" mdtype=\"list_item\">\n<p cid=\"n77\" mdtype=\"paragraph\">Craig Smith, <a href=\"https:\/\/www.youtube.com\/watch?v=WUENq4XuIP4\" spellcheck=\"false\">Metasploit Hardware Bridge Hacking<\/a> at Hardwear.io and Troopers.<\/p>\n<\/li>\n<\/ul>\n<p cid=\"n79\" mdtype=\"paragraph\"><em>&#8212; the Crypto Girl<\/em><\/p>\n<\/div><br \/><a href=\"https:\/\/blog.fortinet.com\/2017\/11\/02\/security-research-news-in-brief-september-2017-edition\" target=\"bwo\" >https:\/\/blog.fortinet.com\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/d3gpjj9d20n0p3.cloudfront.net\/ngblog\/uploads\/files\/canbus.png\"\/><\/p>\n<p><strong>Credit to Author: Axelle Apvrille| Date: Thu, 02 Nov 2017 12:50:59 +0000<\/strong><\/p>\n<p>Welcome back to our monthly review of some of the most interesting security research publications.  
<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-10248","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10248","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=10248"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/10248\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=10248"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=10248"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=10248"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}