
[Applause] Thank you very much for that rapturous round of applause. Hello everybody, hopefully you have turned up to the right room. This is indeed "Holy Smokes: How to Vape Yourself to Root". If it's not the right room, there's plenty of other good stuff going on.

So first of all, a bit of a warning. I'm not going to set fire to anything today, I hope, but there will be some profanity, so if you're easily upset by naughty words and that kind of stuff, it might be a good time to go and visit another track. There are also scenes of smoking, perhaps drug use, depending on how inspired you are by my memes. And crucially, hacking e-cigarettes will void your warranty, so if you've come here looking for a nice safe way to get into smoking, this is probably not the talk for you. It's worth saying that some of the tools and techniques I'm going to show you would be quite illegal if you were to use them on a machine you do not own, so don't do that. So by staying here you're all agreeing you're going to do stupid things with me, right? Good, good, we've got the right crowd. I also have a lot of poor quality memes, and for that I do not apologise.

So who the hell am I? Well, this is my first computer, and I learned to program BASIC on it many, many years ago. My name is Ross Bevington and I've been hacking stuff for a very, very long time. I had a misspent youth hacking computer games, and pretty much since then I've been messing around with computers. For the last ten years I've been working in infosec. I work for BAE Systems; some of them are here today, and I apologise for the shouts from them earlier. Thank you, guys. What I do is pretty much reverse engineering: that might be Windows malware, it might be ARM binaries, or kind of weird exotic platforms. If you have a calculator ROM or a NES ROM you want me to reverse engineer, I'm probably a... I also hang about at DC44 Gloucester, so if you're in the West Country around there you can turn up; it's one Monday a month, we haven't quite decided on what date it is, it changes rapidly. You might have seen me hacking some cameras: that's the CHDK logo, Canon PowerShot cameras, I've been hacking them for a while and you can add extra functionality to them. I'm also responsible for the Pentax Hacker Development Kit, hacking Pentax cameras, and I'm a member of TOOOL, so you may have seen me today picking some locks, and stealing some wonderful rum and Coke from MWR, which I'll be drinking through this presentation.

So today I'm going to be talking to you about hacking e-cigarettes. First of all, what are these devices? I'm going to pick up the biggest and chunkiest one, with two batteries. There's no wonder these things start fires on a plane: it's got two lithium batteries in it, with 500 milliamp hours, it's crazy. These devices are pretty cool, not just for smoking, but also because they're generally a system on a chip with a GPIO that makes something hot. What this presentation is is a kind of beginner's guide to getting into hacking these devices, because they're pretty cool.
So hopefully you're all here for the security of these devices, but why should you be interested in this? Well, it's BadUSB, of course. If you've been to the [ __ ] talk earlier on, BadUSB is pretty much all the rage at the moment; unless you've been living under a stone you've probably heard about it. USB is a really great protocol, but its versatility is its downfall, because one USB device can pretty much turn into another USB device without any kind of limitation. So you might have a USB pen drive that can turn into a keyboard and start adding key presses, that kind of stuff, or a keyboard that turns into a mass storage device. There are really good examples of how you can actually use this when you're doing things like physical penetration testing: you walk up with your USB Rubber Ducky, which is this thing here, or your USB Armory, and you connect it up and it will type in a load of commands and give you a root shell; or you might wander up with your P key and steal the credentials from the machine, or use your Arduino Pro Mini to launch a USB file system exploit which will pwn the machine. Some of these attacks require the machine to be unlocked, but not all of them, because USB is hardware, and hardware is trusted.

So why do we need another one of these platforms? There's already a ton of them. Well, one glaring mistake which the authors of these missed is that none of these can be smoked. But there is another good reason, and it's secure facilities. It could be an airport, it could be a data centre; you might be involved in physical penetration testing, and when you go into engagements like that you'll be stopped at the border and your mobile phone might be taken off you, your USB devices might be taken off you, but an e-cigarette, probably not. So when you're in your secure office, right, Barack Obama is there. Actually, the policies in office environments might help you take these e-cigarettes into the building, because this is a crop from the health and safety advisory something-something wiki page, and it says that pretty much employers will want to help their staff quit smoking, and to do that e-cigarettes are pretty much exempt from all the standard smoking legislation. So this kind of goes hand in hand with actually trying to get into these kinds of facilities that you might not otherwise be able to take USB devices into. So when you're going red teaming or physical pen testing, think about these kinds of things.

So how do you actually go about turning an e-cigarette into something more interesting? Well, for me it all started with a tweet. This is blasty from Eindbazen CTF; he's part of a really big German, Austrian... CTF team, I can't remember. What he posted was this: the code to decrypt, or descramble, the firmware of these devices. Usually when you go to the Internet and get a firmware update or something like that, you can't just pop it into a reverse engineering tool or run strings on it, it's not that easy; you need to actually descramble that firmware, and this is the code that does it. If you've got keen eyes, maybe difficult, you can see that none of this is actually that complicated. There's not really a lot of crypto, in fact there's none at all: there's a XOR, there's some magic numbers, that kind of stuff. I could generally crack this myself given time, but seeing that, I thought this seems like a really interesting thing to have a look at. So I went out and bought one of these for 40 quid, and they're incredibly cheap, like 30 or 40 quid. That's quite a nice interesting platform to work on: it's a low-powered device, it runs on a battery, you can keep it in your pocket for ages.

So when I got my box I looked on it, and first of all there's a printing error: it said they had upgradeable "fireware", and I don't know about you, but I'm a bit worried if someone says it's got upgradeable fireware, I don't want to start any fires. I unboxed it, and this is what it is. It's an atomiser, this thing at the top that gets hot; I'm less interested in that because of fires. It's got some buttons, and what those buttons are connected to is what's called GPIO, general purpose input/output, and they cause things to happen inside the device. It's got a black and white OLED screen, that's pretty cool, and it's got a USB charging point. But the most important thing about this device is it can run Flappy Birds, so while you're smoking, I don't know quite how it works, whether you hold it out here or smoke it like that, but you can play Flappy Birds, so you can waste that smoking break even quicker. You get access to Flappy Birds through a secret menu: hold down two buttons and Flappy Birds appears. This is going to be quite important for later, so remember Flappy Birds.

So how do you upgrade your fireware, or firmware even? Well, you use the USB charging point: you get the Windows binary, you double-click on it, it says plug in your USB cable, you hit go, and it squirts the latest firmware over it. This is really useful, because if we didn't have this functionality, if the USB port was hardwired to the battery, we wouldn't be able to do anything more, so it'd be pointless. Having that upgradeable firmware means that the e-cigarette is somehow involved with putting firmware on its ROM chip, and this is really important. So we know what it is, and I think I know what we can do, so we're going to need a plan.

My plan is to make an exploit platform that you can smoke. I want to create a really cool BadUSB payload and put it onto this. I want to do something with the keyboard, because that's really cool, and also something with perhaps some of the storage that's inside it, and I want to collect data from a machine and store it for later use. I don't want to start creating IP connections, because in some environments if you start creating IP connections someone in a SOC somewhere gets an email or something, so I want to be able to plug this in and take it away. I also want it to work as an e-cigarette as well, and I want to weld the payload that I'm going to create, this BadUSB payload, onto the original firmware to make it all work, and I'm going
to try and activate this from the Flappy Birds menu. But the problem is I don't have the source code, because if I had the source code this would be relatively easy, so I'm going to have to do some reverse engineering. This presentation is also about how I approach these problems and how I start off doing the reverse engineering.

So how are we going to do this? Well, we need to understand how the firmware works, because without that we have no hope of actually putting any extra functionality into it, and to do that we're going to have to do some reverse engineering. Now the problem is reverse engineering is actually quite expensive to do, and it's quite hard. You can buy really, really expensive tools and that makes the job slightly easier, but this is a job that is quite hard; people are paid good money for it. So it's really important to have a process when you approach reverse engineering anything, it doesn't matter whether it's an e-cigarette, a router, whatever, and I'm going to explain the plan I use. It's basically asking three questions at a time, answering those questions, and moving on to the next ones. It seems really simple, but even really expensive, experienced reverse engineers (they may be expensive as well) have fallen into the trap of getting lost in the code, because when you open up a foreign binary it's really easy to get completely and utterly lost. That link there, if you can see it, I might put it on Twitter later; it's got some really good tutorials for reverse engineering embedded stuff. I'm not going to concentrate on teaching how to do that, because that's really hard, but I'll gloss over some of the easier stuff.

The most important thing to show you is some tooling, and tooling varies in price dramatically. I'll probably show you the most expensive tool that I use, and it's Google. Google is, in all seriousness, the most important reverse engineering tool. How people did reverse engineering before Google, I do not know. When you're reverse engineering you have to stare at this and keep Googling over and over and over again until the thought of looking at ARM or MIPS assembly basically gives you joy. So keep on Googling, and if you're not Googling, Google some more. One of the best plugins I've got for IDA Pro, the really expensive reverse engineering tool, pretty much gets strings from binaries and Googles them for you, so that's quite an interesting plugin.

To get onto the actual tooling: I keep talking about IDA Pro, hopefully you know that one. I'm not going to really dwell on it because it's quite expensive, but I've got a very expensive one that allows you to hit F5 and it turns it into source code. Let's say you're doing this on a shoestring budget: there's no reason why you can't do firmware reverse engineering on basically no money, and pretty much the answer to that is a tool called radare, which is open source. It is incredibly complicated; I look at it and it kind of blows my mind, and I'm an experienced reverse engineer, but I'm told if you become really, really good at radare you become awesome, mad skills. So if you are starting off on the journey of learning to be a reverse engineer and you have no money, radare is probably the tool to have a look at. There are some other ones as well, Binary Ninja, you may have heard of that. The key thing that I want to show here is something called RetDec, the Retargetable Decompiler, which is an online decompiler: it takes assembly and gives you something a bit like C. This is free. Uploading your code to it may be a bad idea, but if you're just starting out or you're doing some kind of open source work, it might be something to have a look at.

So back to the plan, on to my three questions. Is there enough space to actually put the code? Because this BadUSB payload I'm going to write is going to be non-trivial, and it's going to have a size, and if it doesn't actually fit on that ROM chip there's no point in continuing, so we need to know that first. How do we put code on the device? And is there any public work? I've already answered two of these already, so that'll be quite quick. Pretty much, to answer these questions we're going to Google a lot: we're going to Google for chips and manufacturers and SDKs, hitting the manufacturer's website and downloading all their tools, that's really important, and Chinese forums as well have a whole host of documents that probably shouldn't be out there. With a
device like an e-cigarette you might actually have to start with a hammer. So this bloke here is obviously deep in reverse engineering thought; he's hitting his computer with a hammer and reverse engineering it. Or a screwdriver: you might need to take it apart and have a look at the chips on it, and Google them. This is how the adventure starts. We're going to need to know things like what architecture it is, how much RAM and ROM it's got, and all that kind of stuff.

Okay, so I started Googling, and eventually I found what the chip was, and it was a Nuvoton M451, and if you Google enough you get the spec document. It's an ARM Cortex-M4F running at 72 MHz, it's got some RAM and it's got some ROM, and that's pretty much all I've got out of this. This makes this device, or the smaller one I've got, basically a little slower than my first computer, which is pretty amazing. I'm going to have some rum and Coke.

Next up, doing a bit more Googling, I found this wonderful tool. This tool will eventually be my saviour and my way of cracking open the whole of the firmware. What it is is a third-party tool to basically change all of the strings that are in the binary, in the firmware, so you can see on the left there's things like easy, normal, hard, that's the Flappy Bird stuff, and there's some other stuff as well, and you can go through and change those letters to different things. Why you'd want to do that, I don't know, but there's a tool to do it, and this would crack it wide open for me. So thank you, Internet.

So back to our questions; we can answer them really quickly. Is there enough space? Well, based on how big the current firmware is, I think we've got about 70K to play with. How do we put code on the device? Well, you program it over USB, it's a lot like programming an Arduino, the specification's out there, it's quite easy to do. Is there open source work yet? We've got an SDK, there's this magic firmware tool. I was doing this about a year and a half to two years ago, and there wasn't much else, but now there's absolutely tons, so things move on.

So we need three other questions, and now we're going to start actually going into the reverse engineering. How does the software control USB? There must be a routine somewhere; we need to understand that because we're going to co-opt it to do our own thing. Where is the Flappy Birds code located? Well, we need to know that because we want to launch our code instead of Flappy Birds. And how do you compile your own code? We need to know that for obvious reasons. These questions don't actually sound that hard, and because we're only going three questions at a time, that's good, but we'll still need to actually use our reverse engineering tooling to get some of these answers.

So you've got this binary, you've descrambled it with the code from Twitter, and then you've loaded it into your reverse engineering tool, that might be IDA Pro, that might be radare, might be something else, and pretty much when you open it up you'll be presented with something like this, and it's not that scary. I'm not going to explain to you how ARM assembly works or any of that kind of stuff, but this is pretty easy to grasp. Basically, in the first, I don't know, 100 bytes of an ARM firmware you'll have something called the interrupt table, and I like to think of this as a bit of a table of contents to how the firmware works. If you get the manufacturer's spec and put it next to it, you can pretty much read across what each function does, because all of these are offsets to functions, and it'll tell you what it does. So ringed at the top we've got the reset handler; this is the first function that's called, or it's called when there's an exception or something like that; this is called to basically reset the device. And right the way down at the bottom we have got something called USBD IRQ handler, and this is called every time the computer sends some data to the USB device. So that's really useful stuff; now we understand where we can start approaching these things.

Next up, Flappy Birds. Well, we know we run Flappy Birds by pressing our two keys down and we get our secret menu, and it gives us an easy, normal and hard. Now, if any of you are reverse engineers, you're probably thinking okay, I'll get the firmware and start searching for strings, that's a really easy job, run strings on it. None of those strings will appear, because what those are are fonts, or pictures. So how do we go from a font that's somewhere in the firmware to the code that is actually doing stuff with it? Well, the trick is this magic firmware tool. If you click on "easy" right down there, it'll tell you the address of that data and where it's used, and if you search for that, your reverse engineering tool will pop up something like this. So here's some ARM assembly, don't be too afraid, but basically I've done the working out for you: 0xD97E plus 0xA equals that magic number. Okay, this may sound really, really complicated, but BAE Systems has paid lots and lots of money to buy me a nice expensive version of IDA Pro, and if I hit F5 on this, or if I upload it to the Retargetable Decompiler, it will turn it into this, and this is a lot less frightening. You can see that some functions are called, they're called with some numbers, and then some if statements occur. There's no real shortcut to go from this to this, but after reverse engineering long enough you can see pretty much what happens is we're clearing the screen, we're printing some text to the screen, and then doing something probably to do with level difficulty, I don't know. The key thing to get through is you don't have to actually know everything about the binary; you only need to answer the next questions. Almost certainly you'll never fully understand what this binary is actually doing, so don't try to. This bit's important, remember this bit for later: Flappy Birds, Flappy Birds, draw Flappy Bird menu.

So let's answer our questions. How does the software control USB? Well, there's a USB interrupt handler and we know the address of it. Where is the Flappy code stored? Well, it's in sub_7234, also known as draw Flappy Bird menu. And how do you compile your own code?
Well, at this point we know it's an ARM device, it's using the Thumb instruction set, and the good news is that GCC supports us, so we've got everything we need now to actually compile code.

So we need three more questions; we're getting to the end now, these are the last three. How can I get my code to be executed? What should it do? And then, does it work? The "what should it do" bit is really good, because it's not actually a reverse engineering question, it's an engineering question, and that means it's easy and tractable. So on to the first question. That's going to involve looking into this reset handler: what happens when you plug this device in and it turns on for the first time. Usually these are quite complicated, but luckily we've got a really easy one. What it does is put some numbers in some addresses, I don't know what those are, I still don't know, don't worry about it; it then calls SystemInit, and then it calls main. Okay, this is pretty easy stuff, so if I can get it to call my main instead of the original main, it should boot up my firmware. So this should be pretty simple to make the device go, and we should just be able to call our reset handler from anywhere, providing the right numbers are in the right place.

So where do we call the reset handler? Well, we're back to draw Flappy Bird menu. Instead of doing all of this, we could do this instead: we print the text on the screen and then we just call our reset handler. What's good about this is it should only require four bytes to be changed in the original firmware, a simple branch instruction, so that's really nice and neat. There's a lot of complicated stuff there, so I've drawn some pictures of what we're trying to do. What we've got here is the ROM chip that's actually inside the cigarette; we don't really know how big it is, we've kind of guessed at its size, and we've got existing firmware and we've got some unused space. We're going to compile our own custom BadUSB payload and slap that on the end. If I did that, compiled it and obfuscated it and put it on the device, it wouldn't actually do anything; it would still run the original firmware. So we need to run our code, and to do that, first of all, in that interrupt table we point it to our USB handler instead of the original USB handler, so that's four bytes of change right there. And then that's not enough; we want to actually gain full execution of the device and reboot into our firmware, so we need to change the Flappy Birds code to call our reset handler, and then we'll jump into our firmware.

The next question is what code to write. We've got 32 kilobytes of space; that's actually tons for an embedded device like this, absolutely tons. We want to write a really cool BadUSB payload; we want to do something with keyboards, maybe mice, maybe a network card like [ __ ] earlier, definitely with storage. But I have no idea how to actually go about writing a keyboard and sending the stuff down, and getting the RFCs and protocols and all that kind of stuff, and this could take a long time to understand. So I got lucky, and I cheated, and I cheated by looking at the manufacturer's SDK. This is why it pays to Google and Google some more, because in the manufacturer's SDK there are loads of folders, and one of them is USB HID keyboard, one of them is HID mouse, and one of them is mass storage data flash. I had to do some work; for instance, the HID keyboard example just pressed the letter A continually, which is pretty useless to me, so I went to the Arduino source code and stole all that and co-opted it into my codebase. The mass storage data flash stuff actually required you to have a micro SD card connected to the GPIO pins, so I changed that again to point to the firmware, that's the ROM chip that's actually inside the device. So I got all this code, compiled it up with GCC, and it was about 37 kilobytes in size, so absolutely ginormous, which didn't sound right to me. So I read the manufacturer's docs some more, and they said you could try the ARM-supported Keil environment; if you've done embedded programming before you may have heard of that. I recompiled it with that and it was 7 kilobytes, so good work GCC, you had one job.

So back to the questions. How can I get the code to be executed? Well, it's simple: we call the reset handler in the draw Flappy Birds menu, and pretty much it's that ARM assembler branch to that location. What should it do? It's going to do a cool BadUSB payload based on the sample code from the manufacturer. Does it work? No idea. So, months and months ago now, I compiled this all up and put it on my device; I'd checked it in IDA Pro, checked all the offsets were correct, I'd obfuscated it with blasty's code, I'd used the firmware tool to upgrade it, and it popped up and it hadn't broken the device. That's a really good first step. I hold down the Flappy Birds menu, and I've changed "easy" to be "pwn", because I'm a hacker and that's cool. Next up, hit the go button, plug it into my machine, and a new USB storage device pops up. Great, this is looking good already. So I right-click, format, set FAT, great, got 20 kilobytes of space, not a lot but a little bit. Okay, unplug it, plug it in again... doesn't work.
Yeah, so I [ __ ] up, and it happens, and my process goes out the window and I'm hastily reverse engineering trying to understand why I've broken it. Is it damaged forever? I actually bricked another device proving to myself that it was my code, which, looking back at it, seems rather stupid, and that's why it pays to have a process. Eventually, after a lot of reverse engineering, I found out what was going wrong. So back to our diagram: we've got our existing firmware, we've chucked our new firmware at the end, and we've got 32 kilobytes for mass storage; after this has been FAT formatted, that's how it comes up as 20K. The problem was this is all lies: this space wasn't unused. There's a blob for settings there, and those settings control, I don't know, what display driver to use, because when these things are manufactured in China they might have 25 OLED screens and the firmware needs to support each one of them. When I erased that with part of a FAT table, God knows what it's doing, and it's probably crashing over and over and over again. So this is bad, because I've got this existing firmware and that's my backup; I don't have any of this. So, more soul searching later, I managed to fix it, and it pays to download everything, because the version one firmware somehow knows what is going on on the device and recreates the settings blob for me. So I just randomly flashed all the firmware and it fixed it, and phew. How I fixed this was I shrunk my storage space down and moved it after the settings, and then it all worked well.

So what does it all do? What I've created is a payload that acts as a keyboard, and it types in a load of PowerShell, and then it does UAC elevation if UAC is installed. What this PowerShell does is pretty simple: it waits for five seconds and then it goes through every disk on the machine and looks for a file called a.ps1, and when it finds that, it executes it, because in the meantime, while this has happened, I've switched to USB storage mode and I've now got a USB stick that's appeared, and in it is my extra PowerShell. What this PowerShell does is it dumps the NTLMv2 hashes and it starts a reverse TCP shell, and you can do all manner of different things as well, and crucially it's an exploit platform that you can smoke.

So I'm going to try and do a live demo now, so pray to the demo gods. Hold on. So first of all, what I've got here is, pretend this screen is in China, and it's my netcat listener listening on localhost port 4444, and this is where the connect-back shell is going to come into. And then this is my target machine, so you stroll up to the machine, it's unlocked, and then hopefully the camera will work. So what's going to happen, and it's going to happen quite fast, is I'm going to try and put this behind here and hopefully you'll see it, and you'll see the menu, and I'll hit the go button. Then a load of PowerShell is going to pop up in the bottom left-hand corner, and you might be able to read that, and then I'm going to hit enter, the PowerShell's going to run, it's going to wait for five seconds, and then the USB stick is going to mount, and this all happens quite quickly, and then it gets executed and we'll get a shell and we'll get creds, and it'll all be good. This all precludes me not dislodging the USB cable, which happens all the time. So I hold down the two buttons, and you can't see that, but it does say pwn. I stay very still... and I've just dislodged the USB cable. By law this has to happen. Okay, stay very, very still. Let's type in the PowerShell, and it's going to hit enter in a second. There we go. Now it's going to flick into being a USB storage device. There we go, it's popped up. I can disconnect this now, and what we've got here is our totes legit drive, and it should be exceptionally tiny, with 12 kilobytes of free space. So our PowerShell's run; our PowerShell is actually a.ps1, and what a.ps1 does is say unzip a.zip into a temporary folder and then execute the PowerShell scripts that are inside, and we've got PowerShell scripts to come on, get some hashes, and invoke a shell. So first of all, have a look at some passwords. Here we go, these are NTLM hashes, so you can put these into your hash cracking stuff and then off you go. And then hopefully, if we go into our Chinese environment over here... here we go, looks like a shell's popped up, and if I type dir, it takes ages, but there we go, we've got a remote shell on the system. [Applause]
Done. Thank you very much. So we've just got a few more slides to go. First of all, everyone always comes out here and shows some attack but doesn't tell you actually how to defend against it. Defending against these attacks is really quite hard; a lot of it requires OS buy-in. So on Windows you've got Group Policy, you can lock down things to specific devices; you're probably in an organisation that hasn't done any of that. At least Microsoft is doing something to help you: these kinds of attacks were very prevalent with FireWire devices a few years ago, and what Microsoft does now is, if you have a FireWire device and your machine is locked, then the DMA drivers that give you all these things aren't loaded, and I think a similar thing has to happen with USB, because if that was a network card, you can plug that into a locked machine and still do amazing things. Auditing: who audits the number of USB devices? Probably no one. Who audits, or can go and search their organisation and find out machines that have ever had two keyboards simultaneously plugged into them? Probably no one, but that might be a good thing to write. One thing I found on my travels is Facebook's osquery tool; this is a host agent that runs on your machines on your estate, and you can construct those queries and store them in a database, and then ignore them. Realistically, without operating system buy-in, auditing is the only way you're going to defend against these kinds of things.

So next up, I've got my prequel meme in. Can you have this? At the moment it's a licensing misery: it's got part of the 3.3 eVic firmware, that's the manufacturer of the actual e-cigarette; it's got parts from the M451 SDK, which is a different licence; it's got part of the Arduino SDK, which is the third licence; and I don't understand licences, I hate them, and I don't want anyone to sue me. That being said, time has moved on, and how I would rewrite this now is I would use an open source firmware for my model of e-cigarette called myevic, and my plan is that next week I will take my code and I'll put it into that repo. So if you've got one of the, I think it's 10 or 15, devices that that supports, then you should be able to pull that and do this kind of stuff.

So, TL;DR: you can hack USB devices, it's actually not that hard; if you've got a Raspberry Pi or something like that it's really trivial. You don't need costly tools to do firmware reverse engineering, but what you do need is persistence; no matter how much your company is spending on reverse engineering tools, you need someone who's very, very persistent. myevic: if you've got any of these devices, go visit that web page, it's got the source to do all these kinds of things and it's quite an interesting read. And it's possible to defend against these things, but it's actually quite hard. So there we are, any questions? [Applause] [Music] [Applause]
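As an added example (not the speaker's code, nor anything from myevic or the Nuvoton SDK), here is a Python walker for the Cortex-M vector table the talk calls the firmware's table of contents: it parses the slots, sanity-checks each handler (Thumb bit set, address inside flash), diffs two images to show which vector has been redirected, and decodes the four-byte Thumb-2 branch the talk mentions. The firmware bytes are constructed for the example, and the flash/RAM ranges and the USB IRQ slot number (53) are assumptions, not values taken from the talk.

```python
"""Cortex-M vector table walker (added example; firmware bytes are constructed)."""
import struct

# Architectural exception slots every Cortex-M4 image starts with (word index 0..15).
CORE_VECTORS = [
    "Initial_SP", "Reset_Handler", "NMI_Handler", "HardFault_Handler",
    "MemManage_Handler", "BusFault_Handler", "UsageFault_Handler",
    "Reserved", "Reserved", "Reserved", "Reserved",
    "SVC_Handler", "DebugMon_Handler", "Reserved",
    "PendSV_Handler", "SysTick_Handler",
]

# Assumed memory map and IRQ count for the example; take the real values from the
# M451 reference manual before running this against a real image.
FLASH_BASE, FLASH_SIZE = 0x00000000, 128 * 1024
RAM_BASE, RAM_SIZE = 0x20000000, 32 * 1024
N_IRQ = 64
USB_IRQ_SLOT = 53  # assumed slot for USBD_IRQHandler in this example


def parse_vector_table(image, n_irq=N_IRQ):
    """Return {slot_name: raw_word} for the first 16 + n_irq little-endian words.
    Handler words carry the Thumb bit (LSB = 1); the code address is word & ~1."""
    words = struct.unpack_from("<%dI" % (16 + n_irq), image, 0)
    table = {}
    for i, w in enumerate(words):
        name = CORE_VECTORS[i] if i < 16 else "IRQ%d_Handler" % (i - 16)
        if name == "Reserved":
            name = "Reserved_%d" % i  # keep each reserved slot distinct
        table[name] = w
    return table


def check_vector_table(table, flash_base, flash_size, ram_base, ram_size):
    """Flag slots that cannot be valid Cortex-M handlers. Returns [(name, word, reason)]."""
    problems = []
    for name, w in table.items():
        if name == "Initial_SP":
            if not (ram_base <= w <= ram_base + ram_size):
                problems.append((name, w, "stack pointer outside RAM"))
            continue
        if name.startswith("Reserved") or w == 0:
            continue
        if not (w & 1):
            problems.append((name, w, "Thumb bit clear"))
        if not (flash_base <= (w & ~1) < flash_base + flash_size):
            problems.append((name, w, "outside flash"))
    return problems


def diff_vector_tables(original, patched):
    """Slots whose word differs between two images, e.g. an IRQ vector pointed at
    code appended after the stock firmware. Returns {name: (old, new)}."""
    return {k: (original[k], patched[k]) for k in original if original[k] != patched[k]}


def decode_thumb2_bw(insn_bytes, insn_addr):
    """Decode a 32-bit Thumb-2 B.W (encoding T4) located at insn_addr and return
    its target address, or None if the four bytes are not a B.W."""
    hw1, hw2 = struct.unpack("<HH", insn_bytes)
    if (hw1 & 0xF800) != 0xF000 or (hw2 & 0xD000) != 0x9000:
        return None
    s, imm10 = (hw1 >> 10) & 1, hw1 & 0x3FF
    j1, j2, imm11 = (hw2 >> 13) & 1, (hw2 >> 11) & 1, hw2 & 0x7FF
    i1, i2 = 1 - (j1 ^ s), 1 - (j2 ^ s)
    imm = (s << 24) | (i1 << 23) | (i2 << 22) | (imm10 << 12) | (imm11 << 1)
    if s:
        imm -= 1 << 25  # sign-extend the 25-bit offset
    return (insn_addr + 4 + imm) & 0xFFFFFFFF  # Thumb PC reads as insn_addr + 4


def build_sample_image(usb_handler=0x2E01):
    """Constructed vector table: SP at top of RAM, every used slot a Thumb address."""
    words = [0] * (16 + N_IRQ)
    words[0] = RAM_BASE + RAM_SIZE
    for i, name in enumerate(CORE_VECTORS):
        if i > 0 and name != "Reserved":
            words[i] = 0x0101 + 0x10 * i
    for i in range(N_IRQ):
        words[16 + i] = 0x0301 + 0x10 * i
    words[16 + USB_IRQ_SLOT] = usb_handler
    return struct.pack("<%dI" % len(words), *words)


ORIGINAL = build_sample_image()                    # stock-style table
PATCHED = build_sample_image(usb_handler=0x1A001)  # USB vector moved into appended code

if __name__ == "__main__":
    orig, pat = parse_vector_table(ORIGINAL), parse_vector_table(PATCHED)
    print("Reset_Handler -> 0x%08X" % (orig["Reset_Handler"] & ~1))
    print("changed slots:", diff_vector_tables(orig, pat))
    print("problems:", check_vector_table(pat, FLASH_BASE, FLASH_SIZE, RAM_BASE, RAM_SIZE))
    print("b.w target: 0x%X" % decode_thumb2_bw(b"\x00\xf0\x06\xb8", 0x1000))
```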