I recently attended the TROOPERS conference, held in Heidelberg, Germany. A lot of interesting research was presented, in this blog post I’m going to summarize selected talks that I particularly enjoyed.
The first presentation was by Philippe Teuwen, where he demonstrated his latest attack on white-box cryptography. The idea is to apply existing hardware attacks such as side-channel or fault attacks in order to break white-box cryptography implementations. For example, a simple DPA can be applied to software execution traces to reveal the key with only 16 traces. This approach is really efficient since all publicly available challenges can be broken and this could expose, for example, the incoming Host Card Emulation systems (HCE). In addition, Philippe released all his tools as open source on his GitHub account, allowing everyone to experiment with these attacks. He also posted the instructions on how to use the software on the Insinuator blog.
The emphasis this year was on embedded systems. The first talk about this topic was by Alex Plaskett and Georgi Geshev from MWR Labs, and covered the security of the QNX OS. They emulated and debugged a QNX firmware in qemu and found various vulnerabilities, including several against BlackBerry 10 that have not been disclosed yet. Another interesting presentation by Attila Marosi was how services like shodan.io or censys.io can be used to build a botnet, by only exploiting basic non-patched vulnerabilities or default settings of connected devices.
Wireless systems were also a hot topic at TROOPERS. Travis Goodspeed and Christiane Ruetten presented the reverse engineering a digital mobile radio (DMR), the Tytera MD380. They managed to dump the radio settings through the device firmware upgrade (DFU) mechanism. Using documentation about the chips, they managed to open the radio, dumped the bootloader, and modified it to remove the flash protection. Finally, they dumped the complete application. They broke the firmware “encryption” (a XOR) and now the modified firmware can be uploaded using the official manufacturer tool.
The next day, Michael Ossman presented how to use software defined radio (SDR) and non-SDR tools in order to quickly reverse engineer a wireless cabinet locker. He demonstrated that both tools used in conjunction allow for fast results.
A great presentation about vehicle security was given by Andy Davis from the NCC group. He presented research results about security of the digital audio broadcasting (DAB) standard, which is used for radio broadcasting. They created the DABble fuzzer to test the security of a DAB receiver, and discovered several vulnerabilities from code execution in the image parser to buffer overflow on the station name. In addition, since the system architecture of vehicle is often insecure, he argued that such vulnerabilities can be exploited to access the CAN bus, hence deactivating critical features. There was another talk about vehicle security, by Cédric Levy-Bencheton from ENISA, wherein he presented today’s threats and new challenges brought by smart cars.
Medical devices were also covered during the conference with a first by Kevin Fu from University of Michigan presented about medical devices security, in a talk that discussed the latest ransomware infections that some hospitals fell victim to. On the same topic, Marie Moe exposed how her pacemaker was accessible from the outside, with all the threats that it implies.
A funnier presentation was given by Adrian Dabrowski about the perception of hacking in movies and TV series. It was a great way to end the first day.
Ange Albertini’s talk explained that file formats like PDF can offer a huge attack surface. The PDF specifications do not completely define the file format anymore, since they have evolved a lot throughout the years. For example, files may no longer be readable if you follow the official specifications. He illustrated his talk with examples which are in the brand new PoC || GTFO which is “self-aware”.
During the conference, several challenges were put forward, such as the 10k run, the soldering challenge, PacketWars, and the famous TROOPERS badge. The badge is based on the CC1310 chip, which contains an ARM Cortex M3 and enable communications over several supported RF-bands. This also allowed the Fishbowl company to hack the badge during the conference :-)
We would like to thank the TROOPERS 2016 team, we had a great time there and hope that we’ll be back next year. You can find the presentations and videos online.
Kudelski Security Research 