/299$32c3-talk-7189

Hallo Du!
Bevor du loslegst den Talk zu transkribieren, sieh dir bitte noch einmal unseren Style Guide an: https://wiki.c3subtitles.de/de:styleguide. Solltest du Fragen haben, dann kannst du uns gerne direkt fragen oder unter https://webirc.hackint.org/#irc://hackint.org/#subtitles oder https://rocket.events.ccc.de/channel/subtitles erreichen.
Bitte vergiss nicht deinen Fortschritt im Fortschrittsbalken auf der Seite des Talks einzutragen.
Vielen Dank für dein Engagement!

Hey you!
Prior to transcribing, please look at your style guide: https://wiki.c3subtitles.de/en:styleguide. If you have some questions you can either ask us personally or write us at https://webirc.hackint.org/#irc://hackint.org/#subtitles or https://rocket.events.ccc.de/channel/subtitles .
Please don't forget to mark your progress in the progress bar at the talk's website.
Thank you very much for your commitment!

======================================================================

This talk now is KRCA Video Mouse How to turn your KVM into a Raging Logging Monster by Yanov Balmes. Um, there has been a lot of work on cloggers already. So the question is what can be done or what can be achieved even more? And this is what this talk is about. Um, Yanov is a software engineer and professional in the security field. He mainly deals with analyzing malware and vulnerability research. So give a warm applause to. So thank you very much for coming to my doc. It's called Your Mouth, so how you keep your the raging killer monster. Now, a few words about the team who made this research. So first of all, it's me. My name is Amy Palmos. And I'm. How is this? So my name is Jennifer Ramos and I'm a security researcher. I work for Checkpoint Software Technologies and my colleague in this project is called Leo Oftentime is also a security researcher and he is trying to understand what to do with the perimeter. And unfortunately, he couldn't be here today. But this research is much, much owes him a lot for getting being done. So let's start with the problem. So our problem, as many other computer science related problems, it all starts with computers, right? Well, we have computers. We have many computers. We actually have a lot of computers, you see. And when we have a lot of computers, then the thing is that each one of these computers actually needs a set of keyboard, video and mouse in order to operate. Right. Make sense. And the problem is that when we have a lot of these computers, then we also have a lot of these keyboards, a lot of these videos and a lot of these mice. Yeah. And when a single user wants to work on several of these computers at the same time, well, this creates a big mess on his desk. Right. Does all of the sudden a lot of keyboards that he doesn't know which keyboard goes to which computer and which monitors display is what. Right? Well, it's a big problem and well, some of you might be thinking that that's not a new problem and that's r
eally not a new problem. And the solution to this problem is also not new at all. And it's called a cavium. Now, for those of you who don't actually know what a cavium is, so that's pretty simple. Keep the cavium simply stands for keyboard, video and mouse. Right. That simple. And its only purpose in life is to connect one or more sets of keyboard, video and mouse. I'm sorry to connect a single set of keyboard mouse to one or more computers. Right? Well, it all looks something like this. You see, you have two computers underneath your desk and there are inputs and outputs are then connected to the KVM. And the cavium in turn is connected to a single set of keyboard video mouse on your desk and then you can play your favorite video game or something like that. And when you hear your boss creeping in the office, you just manage to press the button and whoa, there you go. You had a nice code on your on your desk and catastrophe's avoided. And that's just as simple as that. There are these are crimes. Now, where can we find those creatures, those CDMS? Well, we can find them in a lot of places. We can find them on your desktops, such as the example I just showed you before. And another thing is that we can find them in your server wrecks. You see a typical server wreck holds like something, let's say eight, nine, 10 servers. Yeah. And in order to physically manage those servers, we must have some kind of KVM inside network to make to the server administrators life a bit easier. Right. So we do have cavium in server wrecks. And last but not least, we have CVS's in very, very secure environments. And the reason for that is that in those environments we usually have a lot of networks and those networks are a lot of times segregated or even air get from each other. Right. And then again comes the problem. The single user has to work on both of these networks. And in order to do that, you need to keep him on his desk. Right. This makes his life a lot easier. And if I want to
sum it up, then CPMs are pretty much everywhere. Everywhere. I mean, in every technologically rich environment you'll ever go to, you'll probably find a lot of these creatures laying around all over the place. Well, let's take a brief look at the KVM evolution along the years. Yeah, it all started off in the 1980s or 1990s with something that looks like this. Some of you might be familiar with this, right? It's commonly known as an A.B. switch, right. All it is, it's cavium. But all it is, is just a stupid analog box. Yeah. It just connects the electronics from the airports to the keyboard and mouse. When you switch, the same goes for the keyboard and that's it. A stupid analog box. And that stupid analog box actually worked really fine for a lot of years. I mean, really a lot, a lot of years. But then came one one invention, one small invention that changed the world of caves. And I'm I'm specifically talking about USB keyboards. You see, when you have USB keyboards in those caves are simply not enough because they will work. But when you switch ports, then the USB needs to be connected to the computer and the like has some kind of two or three seconds delay until the computer actually recognizes that USB. So those key VMS now the mother and keyboards need to needed to implement some kind of USB stick in order to support smooth transitioning between the ports. Right. And that's where we met those cavium. Those are modern cavium. They are really cool. This is what we see on the desks of a lot of guys today, and it supports a whole lot of inputs and a whole lot of outputs. And it's really, really cool. It also looks sexy. And then came the next evolution in caves and came those monsters. Those are called Matrix. They are absolutely monsters, they have thousands and thousands of ports support staff like a KVM over IP and God knows what they are usually implemented in some kind of huge enterprises, huge server rooms and stuff like that. And that's it. That's actually
the last evolution of cavium. Now we come to some kind of a conceptual problem, you see, because a lot of guys and when I say guys, I mean sys admin, administrator of security administrators, security researchers, a lot a lot of guys still consider today's VMS, those modern Keeves as those same old stupid boxes, same same old stupid analog boxes. Right. Well. Are these stupid boxes I mean, let's take a look at some of the features modern CDMS has. Look at this. They have on screen displays, they have configurable with menus. They have all kinds of stuff like this. Right? Well, obviously, those boxes are no longer stupid, right? Obviously, those boxes now run cold. Yeah, well, we were thinking to ourselves, OK, so if those caves now run cold, then what can we do with them? Right. And in order to answer that question, I have another question for you. What is the one common feature between all the features I've just showed you? What is the one common thing that OK and share all the features has? Well, the one common thing is that all these features actually require the KVM to be able to process keystrokes. You see, now, when you enter a keystroke, the cavium doesn't immediately send it to the computer. And it's the first inspect it and see, maybe this was a Web menu option. Maybe this was some kind of hotkey combo. Maybe it was something maybe I need to deal with that and not the actual computer was connected to it. And only if the answer to that is no is false, then it will pass the screen keystroke to the computer. Right? Well, you see, the thing is that all we need to do is to just alter the execution flow just a bit, you know, and find some kind of free memory space in there, taking a keystroke there, dump it later on when convenient to us and what we got. Yes, a kilogram a kilogram inside our cavium. I mean, think about it. How cool is that? I mean, we know software cloggers, right? One of the hosts this is not a software krca because there's no code running on on
the computer. The entire code is running inside the cavium. And this also is not a hardware clogger. Well, because there's no special hardware, nothing that I needed to come to the office and connect to your computer. You connected a perfectly legit cavium to your computer, and that's it. You've got a keep going in there that will be incredibly hard to detect, right? Well, we thought that this is a great resource subject and we started researching it. And you know that the research that the first thing we need to do is to get a cavium. So we went to the store next to our office and both of them took the box, went to the office and happily opened it and started unpacking it. First thing we find in there is manuals. It's cables, it's warrantees. And I said, now that city contains a few very interesting files. One of them is called a former upgradeability. Hmm. And the other one very conveniently named Fumero. Those. OK, we were thinking this is going to be a bit too easy. So we started looking at this being file and we actually find out that this thing is a really high entropy levels. So that practically means that it's either encrypted or compressed in some way that we can't really decompress. So we were thinking, OK, both me and your dad, the guy that made this research, we are both pretty experienced, 686 six guys. So all we need to do is to reverse engineer the film upgradeability. Yeah. And what we are expecting to see, uh, is, is that the fumito being fired will be loaded. Yeah. Then it will be like the compressed and open and maybe we can find it. However, this utility is a huge utility. It has thousands and thousands of functions. It's a C++ code full of vegetables, really, really a big mess. And we didn't really want to deal with it. But when we ran it in dynamically in a debugger, we saw the exact behavior that we expected. It actually took this file center it to some kind of decompression function and then stored the output in some kind of memory range in
there. So we went to this memory range. And what did we find there? No challenge, except, yeah, well, we met a blob and this blob looks something like this. Right. And this is its image. Representation looks nice. Let's see some of the properties of this bog, a blob. So, first of all, it's a 64 K blob. And that makes sense because eight bit architecture. Sixty four K looks OK. And then now this blob has really low entropy, which again confirms our suspicion that it's now decompressed. That's also good, but it has completely not even a single string in it. Nothing at all. Nothing. And that's not what we're expecting to see something, some kind of warning there. And having no strings at all is not so good for us. But we go on and we make some kind of frequency analysis of this and we try to match it to other features and other assembly languages and stuff like that. And, well, nothing even comes close. We don't know what this blob is. So the next thing we do is use our favorite tool in this case has been work. Yeah, well, for those of you who are not familiar with Bismack, it's kind of a tool that when you enter a binary blob in there, it will check it for signatures and assemblies and non funerals and stuff like that. But the thing is that brainwork in this example had zero results. I mean, I've never seen something like this, actually. Zero results, nothing at all, nothing completely empty. Now, we were sitting looking at ourselves, looking at this blob and saying, well, I mean, what can we do that we we kind of we kind of lost here. So that entire part of research was a complete failure. And now we were doing it ourselves again. You know, there's two options for us. No one would be to go back to the future upgradeability and reverse engineer the entire thing. It will it will be specific job. It will take us days, weeks, months, I don't know. But we don't really like it. We don't really feel like doing it. So the other thing we come up we come up with is maybe we ca
n be a bit creative about it, a bit innovative. And in order for you to understand what I mean when I say innovative, you must first understand how this fumer upgrade utility actually works, how this process works. Well, the thing is that you connect this kind of strange serial cable that you take from the from the box of the cavium. You connect to one side of it, to the other is to try to pull it off your computer and the other side goes into the cavium. You run the utility and everything is upgraded. The cavium is actually upgraded through the serial cable. Right. So we were saying, OK, maybe we can download some kind of generic serial sniffing software and sniff the serial protocol there. And then all we need to do is just to analyze, to understand the serial protocol itself. And hopefully now we will have the the framework going into the device through the serial protocol. Right. So that sounds also it so challenge accepted. We did just that. So we started sniffing the serial protocol and we got an output that looks something like this. Now let's analyze this together just very quickly. So first thing we see here that there are two types of messages. The red messages are from the cavium and the yellow messages are sent to the cavium over the serial cable. Right. Um, the first thing we notice is that each of these messages has some kind of fixed header to it. Right. The hex value of it is forty six. Fifty five, which is the ASCII representation of. A few. All right. So is anybody trying to tell us something here, if you. Well, yes, actually they are trying to tell us something and that something is fumero upgrade. Right? Yes, thank you. Thank you, sir. Feeling a bit amused about all this, we went on with the analysis and the next thing we noticed is there something that looks really suspiciously like an Opko here? I don't know if you can see, you probably can. It goes like a zero aswani to a tree at a tree. And almost all of this file is actually composed of the
tree messages. So what this tells us that the first part here is some kind of serial handshake going on. And the second part, the big part is the data. Right. And we are actually interested in the data part of it. So we're going to take a closer look at this now. And the thing about the data, the next thing we notice, this is some kind of sequence number in here. You see it actually go zero, one, two, three, four, five, six up until the end of the file, whenever those transmission, the number repeats itself. So it seriously looks like a sequence number. And then we have it. And the only thing missing now is something that we expect to see in every serial protocol around the world. And that's some kind of a correction. Right. And then we know this is that this last bite in all of the all of the messages is actually an accumulated source of all the bytes. If you if you're making all the bytes, you get these bytes. So this seriously looks like a checksum. And we decided this is our check, some value. And when kipping, there's nothing more we can find keeping expecting this. No more buttons, no more nothing. So we figured out that that's it. We got this thing pretty much analyzed. And all we need to do now in order to extract the Fumero data from the serial protocol is just to, first of all, get rid of the handshake part because it's really not interesting. And then take a look at the data part. Then again, get rid of all the serial related, uh, bytes and then put it all together. And if we take a look at this, then hopefully now we will have all the right. Guess who? It's the same blood. The exact same job all these did was just to take this blob and send it over to Syria, political into the device itself, not the device, is probably responsible of opening this. But we had no way of knowing this. And we can say that that is another great failure. Well, again, feeling a bit depressed about this. We said, well, hey, you know, this thing, this blob is pressed into the dev
ice and then it's probably handled. Right. So the next logical step, the only logical step would be to. Yes, to open up the device. This is how it looks like under the hood right now, our first impression of this. Well, that's like a lot of electronics in there. We are software guys, not hardware guys. What do we do with this? What can we do with this stuff? And now we're feeling really depressed. And then a few whiskey shots later, we say to ourselves, you know, obviously there's a lot of big chips in there. So maybe we can Google them up. We can try to figure out what are these chips. Then maybe it will give us some kind of clue of what this thing is doing. Right. So let's do this together. Now, first thing we know, this two really big chips in here. They have the vendor name engraved on them completely. No information about them in Google big black boxes. We think they're 86, just judging by the number of pins they have. But we actually have no clue what they do. And then we find another chip. Now, this chip, we do know what it is. It's a device now peeled for those of you who don't know it stands for programable logic device. Yeah, that's something like you design your own you are your own circuit, your own circuit, and then you bring it into the the chip, the chip and then the chip runs your circuit. Right. So we do know it's a building. We have no idea what it's running and we don't know how to look for it. So we left it alone for for a moment. And then we find something that we know it's RAM, it's memory. That's great. It's also connected to something called the Delarge. Again, something the alleged flipflop, flipflop, I remember from my university days. How is it all connected to the picture? I don't know yet. But anyway, that's a memory. Right? And the last chip here was actually the most interesting chip of them all. This chip is an eighty fifty two processor, right? It's an Intel based chip. It's the next version, the advanced for the commercial version o
f another chip called eighty fifty one. It runs assembly and disassembly is called eighty fifty one assembly. Right. Well, now we're suspecting of this chip to be the brains behind this device, but we actually don't know what's going on here yet. And this actually got us pretty lost for some time. And we tried figuring out how this all how this all put together what's going on here. And the question is, we do know the future upgrade comes in through this port. This is a serial port I was talking about. Right. And then where does it go to? I mean, it goes somewhere, but where it can go into the 852 chip. Right. But it can also go into those big black boxes. Right. And it can also go into another chips and it could be divided into chunks and each chunk goes into different chip. We don't know we don't know what to do. So what do we do? We don't know what to do. Well, we use Google and. When we use Google, we found this very, very interesting BCB in some kind of Russian KVM review site. I have no idea why or why anybody reviewing a given. We would need to look at the piece of it, but they had a pretty good picture of it. And you see, there's something really interesting about this one. This is like almost the exact same model as we have. The only thing is that our model, the one that we are researching, researching, has for ports. Right. And this one is eight ports, eight ports right now. Look at this. There's something really interesting about it. Those big black boxes I was mentioning before. Right now, there's four of them. Yeah. And those people, these are the ones I mentioned before. Again, two of them. So double the ports, double digits. Why is that funny? OK, double, triple, double digits. Um, the thing is that this is not double the thing, it is still single in here is the RAM and. Yeah, you guessed it, the 80 to. This is a single chip, so this now really, really smells like this thing is the brains behind this entire KVM. Right? And now we would like to know ho
w these 852 chip gets upgraded. It must get upgraded somehow. But how so? It turns out that each one of the you 1852 chips has an integrated you are reporting them right. You are stands for universal asynchronous received transmit some kind of generic Sevele protocol. Right. And the thing is, OK, we know it as a you are. But which pins which which of the chip pins are actually responsible for this upgrade. Well, we can or we can answer this question pretty easily by just looking at the specs. Right. So we open up the specs of this chip and we see this. And it clearly states that these chips here you see the Arrigo's and the expense are connected through Portree of the chip to the you outport. So these are our you are pins. Great. Now we only need to inspect what's going on in these pins in order to understand and to see the film were hopefully coming into this chip challenge accepted. So thirty to forty five China shipping these later. We can finally use logic and this thing here again, for those of you who were not familiar, this is a logic analyzer. OK, what it does, it just connects to the pins and you see the actual electronic signals going into these pins. Right. Have these nice clips, uh, in there. Uh, it actually comes with this great, great, uh, postcard saying thank you for your awesomeness. OK, so we did just that. We we plugged the pins into the uniques, into the Arrigo's and the exports. And this revealed the you are signals, right. It looks something like this, you see are antiques. And the third one. Again, why is this funny, our and the third one, in case you were wondering, is ground right in order for us to differentiate between zeros and ones and that's it. Using the awesome, awesome UI of logic analyzer we have now, we make the final approval process and we reveal the signals going into these pins, into the chip during the final upgrade. And we see stuff like this. You see we see some kind of pattern here. You see there's stuff going from the yard
and there's stuff going to the yard. Yeah. And if we zoom out of this picture for a second, then we see an obvious, obvious pattern. I mean, this stuff is going to the yard, you see, and this stuff is going from the yard. So it goes from the you are to the you are from the you are to the yard again. This seriously look at looks like a protocol. Right. So we take all the signals that we could gather from this UI and we just put them in the right order. And yeah, somebody is laughing what we find. Yeah. It's the same civil protocol, so. Well, thank you. Well, I mean, the thing with what's going on here is that the SEAL protocol is connected to the cavium and then the lines go directly into the 850 tooltip. Right. So, again, everything is probably decoded inside the chip itself. So now we need to, you know, to some kind of chemicals and to open the chip. And no, we don't want to deal with that. So this is now a great failure, right. Or is it I mean, yeah, it is a great failure, but it is something that we know now that we didn't know before, the thing that we know now is that this thing, this blob that we see must be actually translated somehow into eighty one assembly. Yeah. Now we know the destination language of this gibberish that we see. Right. So this gives us some kind of hint here and what we can try and do, as I said. Yeah. And what we can try and do is to try and break this code and break this obfuscation because obviously it's it's not encrypted. The entropy levels are low. So we are expecting to see an application. And maybe now since we know the destination language, maybe we can try and break it. So challenge accepted. Let's try to do that. Let's take another look at our blog. Not sure if you remember it. It looks something like this. Now, for those of you who has really, really good eyesight, you might have noticed that the end of this blog is actually composed of the same hex value in this case, 53, 53, 53. So when we see stuff like this, what we do, w
hat we do, yeah, we usually do an X or operation on that. Right. And what we expect is that somebody did an x ray operation. And the original thing was one of two things either and not just a lot a lot of knobs or a zero padding, just a lot of zeros. And luckily in our case, eighty, fifty one knob is zero. So we just need to sort this thing with 53 and that's it. We got this really nice blob that looks like this. Still no strings, no nothing. But you know what? Let's give it a try. That's right. Open it. Opening it in either in our dissembler and try to disassemble it as a 851 code and see what we get. Yes, we get a simpler code that that is perfect. We we are really happy now and we're going to our office and starting to, you know, reverse engineer this and try to understand what it's doing. And like just two or three minutes later, we meet up at the kitchen again and say to ourselves, say something here is not so not so good. And you see, let me show you an example. You see here the last two instructions. Move a R6, move a R6. Now, I'm not I'm not a big, uh, a big genius about eighty fifty one. But maybe they need to perform the same operation twice in order to make sure it works. Um, well, no, the answer is obviously no. So we have a feeling of what's going on here. So we made a little test. We took Excel, which is obviously an eighty six code. Right. And we tried to disassemble it as 851 assembly. And what we know, again, we got proper assembly. Oh, OK. So this starts to look a bit strange. So what we did in order to verify our assumption is take this picture of a cat and loaded into either as eighty fifty one assembly and what do you know, proper assembly. Yeah, there's functions, there's everything here and that's. Thank you. Now, this is the moment that we actually realized that if you really try hard enough, everything is 80, 50 one assembly. OK, OK, let's let's let's be serious again. Now back to our blog, back to back to step one or maybe square two, becau
se we decided to keep the operation because it looks like something good to do. But I think now that, again, those of you with good eyesight might have noticed that the last eight bites of this blob are actually different. Yeah, but what are they what are those bites? Are they a clue? Yeah. Is this some kind of clue left to us by the embedded developer? What can we do with them? Well, the first thing that comes to mind is a little correction. Yeah, they they are in the end of the file, so maybe they are some kind of correction. So we take these bites and try to check them for check some CCRC Adlerian. They have a lot of other little corrections and no, nothing even comes close. So it's probably not in our collection, at least not a known one. And then we understand that up till now we've only looked at one version of the femur. Right. And we can take a look maybe at the last eight bites of a lot of them were upgraded from a version because the vendor lets us just download, however, similar many versions that we want. So these are all the eight bytes from a lot of different versions, right? They are all different. And look at this. Something here just it looks strange, you see, because look at this. The A1 appears 17 times, right? This is not random. There's some some kind of data in here. We just need to understand what it is. But how how do we do this? So this is this was actually the Eureka moment for a project, what we decided to do is run those eight bytes just next to the Fumer version version. Right. So this is from the three point three point three, one, two and whatever. Right. And look at this. There's some kind of obvious pattern in here. You see the byte 99 appears three times in here and the number three appears three times in here. Right. And and the byte A1 appears twice here. And then the number four appears twice here, while also the number one appears twice. But we actually know it's four because it's actually consistent throughout the entire table.
Right. So we got some kind of mapping between bites and the number in the version. Right. Well, is there a pattern here? Right. What can we do? Maybe we, you know, list, you know, the digits that we see, one in the hex, we see eighty nine. This is our mapping and the binary values. Maybe this will give us some kind of clue. Right. Look at this. Look at the binary values. There's an obvious pattern here. This part here is fixed and this part here. Is not and not only that, it's not fixed, but it's some kind of counter, right? Look at this, one, two, three, four. By now he can't. Right. And then we're doing it ourselves accountable. Why is the counter what is it doing in the middle of the bytes here? It should be in the right hands. So let's shift it or rotate it to the right by three. And when we did this, this is what we got. And this is the X values of this binary value. And for those of you or ask, asking for is a bit lacking, then, yes, these are the same ASCII values as the digits. Right. So all we need to do is to take this blob and rotate its entire byte by three. By three. And what do we get? We get this right. This looks much better. This looks like strings. Now, we are so happy about it. But looking about this a bit more, the strings, they don't look exactly right. Look, look at this. Look at this example. This is like an alphanumeric string. Yeah. It's just in the wrong order. And and I mean, they take a look at this again, this is the same string that we saw before. There's some kind of shuffling going on here. And if you stare at this long enough, you understand that this shuffling is going on in a chunk of eight bytes. Let me explain this a bit better. These are the chunk of bytes. Right. And the bytes are actually not in the order, but only within the same chunk. Now, look at this. The Byte A is in the right, the A's in the right place. The eight are in the queue. Now, the the O and the W needs to be moved from the second position to the seventh posit
ion. And this goes on and on and on. And it's consistent throughout the entire blob. Right. So what we got ourselves is some kind of permutation table. And if we apply this permutation table on the entire blob, what will we get? Yes, assembly, proper assembly, this is our film room. Yes, thank you. Thank you. No, it's not it's not over yet. You know, usually when we do reverse engineering of this, so the first thing we do is load it up in a disassemble. And the funny thing is in hardware, the last thing that you do is open the door, open it in, disassemble. So it was really, uh, from here, it was really fun. And now this is 851 assembly. So all we need to do is to understand 851 so we can now actually design our own custom fit. Well, if we can understand this and all we need to do is just to understand 851. And for those of you who don't know, we prepared a short review of 851 assembly. The thing is that it has only twenty five twenty two hundred fifty five up codes in around for the instructions. Really a pretty, pretty easy assembly to learn. The thing is that functions in this assembly are not only functions, it jumps into the middle of functions and fundamental functions. A whole lot of spaghetti code we didn't really understand. And then there's only a single memory access register when whenever you want to access memory is stored in this register and then move the memory of the big, big mess and then registers for some reason keep changing in the middle of the of the code of the execution. That's because there's some kind of register banks. That's a nice idea. But anyway, we gave this one and a half stars out of five x eighty six is still much better in our opinion. Um, and that's it. Once we have this understood this, we can probably analyze this this code. And this is a screenshot from either from our dissembler and it presents the main function of this cavium. Now it's divided into a few interesting parts. One is aged passing. Now EGD stands for human inter
face device. Right. This is what we were looking for. This is where the actual keystrokes are being processed. And then this place here, uh, processes, uh, hotkeys like if you press some kind of hotkeys, which is the port and stuff like this, and this port here actually controls the letters of the keyboard, like the letters for some functionalities, it has to flash the letters and, you know, stuff like this. And then this part was the really interesting part. You see, this part is a keyboard emulation. So this is where we understand that this KVM is not simply imitating a keyboard. It is a keyboard. It is emulating a keyboard. Do you understand? I mean, this means that we can actually put some kind of a rubber ducky inside our cavium. It's an actual keyboard, right? This is amazing. We can type whatever keystrokes we want to into the machine. Right. So we prepared a little demo. And if you don't understand the implications, I will show it to you now. So we have two networks to air networks. One would be an Internet connected network and the other would be an air gap network. One hundred percent secure, as this article says. Now, a lot of people, a lot of engineers work days and nights in order to secure those environments and keep them totally separated from each other by doing a lot of interesting stuff. And they did it really nicely. But the thing is that at the end of the day, a user needs to work on both of his networks. Right. And if there is a user, there are computers and these are computers. There are videos and mice and keyboards. And the user is again frustrated. So he goes through his purchasing department and purchases a cavium. Right. And when he did that, then he doesn't need those two sets of keyboard. Video mouse only needs one. Now, his life is easy. Right? So what will happen if this cavium is malicious, if it contains our malicious fumer? Uh, we can discuss this. Cavium can wake up in the middle of the night. Right. Just in the middle of the night
. And start typing on the user password on the Internet connected network right now, some of you might be asking yourself where. Wait, wait. The computer is password protected. How does he know the password? And I ask you back, well, how do you enter your password to your keyboard? Yes. So the key already knows this. He types in the password and then it performs like a double digit or something and gets the malicious, uh, virus from the cloud, from the Internet into the Internet connected computer. Now, that's perfect persistency, right? Look at this. There's nothing you can do in order to prevent this attack. I mean, you can reformat your hard drive. You can switch your computer. And again, as long as the KVM is there every night, you will get infected again and again. Right. This is cool, but this is not. But this is not cool enough because we we want to get into the air gapped and network. So what we did is design a very special special malware, which what it does when it's ran on the computer, it actually replicates itself. And when it replicates itself, it starts typing itself into the into the computer. And when doing this, our agents, our agents get these keystrokes and passes this malware into the memory, uh, into the memory of the cavium. Then it very casually switches the ports and retype this malware into the other network. And so we got now to malware is two of the same tools in the in both of the networks and effectively bridging the gap between those networks. Those are not no longer erga networks right there, networks. So this is what we did. And now we have a I have a little demo for you. Hopefully it will work. I'm holding my fingers, I'll put it down for a second. Not everyone in. Uh uh. I'll keep using this. OK, so what you see now is the output of the computer, right? I have two computers. One is the ticker, the Internet connected one and the other one is the attack, the network computer. Right. And they are only connected to this cavium. I have
on the desk no other connections between them, only through a cavium right now. Look at this. This is the attacker computer. I just need to. Run my mouth. We're here. Let me just lock the screen. Let's see what will happen. He woke up. No, Hennes. Well, now the thing is that, well, you're laughing, but this is actually a really neat trick that we so we actually needed to type the binary into that computer. Right. And the way to do that is to use base64 and what we use, these stealth util, which is a different utility that comes with any Windows installation. And we just type the basic form of our malware into this. Yeah, we save it as a text file and then decode it. And then we got a binary, actual actual binary on the on the computer now. It's not a big file, but it will take a bit to work, so if anyone has any jokes. OK. It will finish soon. 20 more minutes. Come on, come on. OK. Looks like it's going to finish soon. I could have. But this is a life demo and give me some respect for the. That's it, we have our text file and now, yeah, and the certificate into encoded text. Go on, go on now, Circuital decoded into the code of doping, which is our malicious file, very malicious. You know, we run it. And yes. Thank you very much. Thank you very much. So we're to talk about not really a Gupte, as you thought, if you have a cavium connected to them and if I'm lucky enough, there's one more thing my malicious software knows how to do. Let's see if it works. Mm hmm. Back to our presentation. So I'm running out of time, so let's do it quickly. So what are the attack vectors of? Some of you might be asking yourselves, hey, hey, you need to have physical access to the cavium. And that's right. I need to have physical access to the cavium. Still with physical access. We have a few attack vectors that are really reliable. One of them would be, you know, just give me 30 seconds alone with your cavium and that's it. And the other one would be, let's attack the supply chain. Yea
h, the seller of the seller of the seller that tells you the cavium. We can just switch it and you get a malicious cavium right out of the box. That's nice. And that's been known to be done before. Now, however, there are many key VMS, not the one that we research that are being operated through IP. And if they are upgraded to IP, then theoretically we can exploit the same thing remotely. That would be really, really cool to do. And it is possible. And the thing is that CVS's are really not exploitable. I mean, just Googling on top of it, DLC, these are related to cavium that are upgraded, the Internet and the IP. So it is it is really possible just it was out of our scope of research to do. Now, what can you do to protect yourself from these kind of attacks? First of all, know your environment. That's the best suggestion I can give you. I mean, sometimes it's not necessary to connect really secure computer to a non-secure computer through cavium. And if it's not required, then please, please remember this and don't do this. But sometimes, of course, it's unavoidable and you need to do this. And if you do this, know that there are some other creatures called Security VMS. Now, those creatures look like this and they actually close all all of our of our tech servers. They don't let us do anything from what we show. The thing is that those devices cost like 100 times more than normal cables and actually know very, very few people who actually buy this stuff. Right. So if you do need to to connect something really, really important, then you might consider buying one of these. And the last thing is being innovative. And by being innovative, I mean, we sat down and we talked a bit about, you know, what we what can we do in order to protect against this? What we came up with this nice idea. It's not perfect, but it's nice. What we do is place we wrote a small agent that you can place on your computer and this agent actually logs keystrokes. It doesn't log the keystrokes
themselves, but the statistics and what it looks for is some some some deviation from the normal statistics. Right. The thing what we did here, this type a lot. A lot. A lot of keystrokes. That's that's a deviation. Right. So if we detect some kind of deviation, like not using backspaces or the intervals between the characters are relatively small, then something weird is going on. And all we need to do is just to pop a message box and this will fuck up the entire exploitation process. That's a nice idea. You might have better ones, but we did it with the help of our, uh, colleague to Rappoport store. And that's about it. Guys, that's my presentation. Thank you. Thank you very, very much for this very entertaining and fun presentation. So if you have any questions, come to the microphone, series one and there's one and ask your questions. You can also ask them via the Internet there. I think there are also questions on the Internet. So maybe we start here with you and the other ones who are like leaving this room. Please be quiet because there is still a question and answer session here. So please be quiet while leaving this room. Thank you. OK, your question. This doesn't work. I can give, though, is not know. So now I thank you very much for the talk, very great. My question is, how much time did you need to achieve this goal or how many days, weeks, or is that a no? It's a good question because we worked on it, like it on and off. So overall, it took us like I think six months. But it's not the straight job. You're just like with picks. OK, thank you. Question over here. I could think of just another attack surface, because if you even if your equipment doesn't update over the Internet, if it has USB four keyboard and mouse and not PSU, then maybe you could even flash a new firmware just by spotting some USB functionality like bad USB. Thank you. This is my next research. OK. A question from the Internet. Um, yeah, we got a few questions, one is, can you upgrade
the cavium, why the connected USB keyboard, like just typing in just a dongle or something like that? Not that I know of. And also another question, what are the black boxes and the sleights some people ask for that? I still don't know. Thank you. But but but they probably has something to do with the with the output's, right? I think they are, Veoh, um, chips related to video chips or something like this. Thank you. Over here again, um, you said you could, like, copy the codes that you got over the Internet, um, over and all night. Um, how long how long would it approximately take to type in the code? Uh, it depends on the timer of the cavium and how long how long is the interval between the keystrokes. So it varies between one type of cavium to the other. This cavium is pretty slow. And if you want to download the big, uh, executable, I'm guessing that something like thirty minutes. OK, but there are other caves might take five minutes or even less. OK, thanks. And over there, again, um, I don't know whether you have thought about implementing, um, bidirectional communication, for example, by flashing the keyboard LEDs. Uh, we thought about it and we even tried to do something, but we couldn't really make anything, it would be really cool if we could the. And another question from the Internet, um, two questions, um, the black boxes was as chips, the black box boxes was meant for the censorship of the images. I'm sorry, can you repeat the question I didn't answer, you had some images on the hex dump and the people were asking why was it sends it? That's the vendor name. OK, so another question. Is there any way to, uh, shut down the internal keyboard or as a coffee? You know, that's a feature of the. OK. Is it possible to emulate a virtual Ethernet device via the cavium so you could really make a bridge between those Agaba networks? Well, um, I saw something very similar, very similar to DEFCON this year. Uh, we couldn't do it. I would be really happy to try and d
o something like this, but we didn't try. OK, thanks. Are there any more questions? I can't see anybody, so thank you again very much, giving the one of the.